Privacy, Security and Reality
Page 1: Privacy, Security and Reality

Copyright © 2006 Quest Software

Privacy, Security and Reality

Paul Christman

National Sales Director, Public Sector

[email protected]

Page 2

“Veterans Angered By Scandal”

• Department of Veterans Affairs reports the personal records of 26.5 MILLION veterans were compromised

• An employee routinely took these records home on his laptop for work purposes

• His laptop was stolen during a burglary
– Identity theft was probably not the thief’s objective

• VA upper management was not notified for two weeks

• High level resignations

• $2,000 laptop theft will cost $100,000,000+ to remedy

Source: Washington Post, May 2006

Page 3

Was this a breach of Security or Privacy?

Page 4

More than 104,405,000 privacy breaches have been reported since the ChoicePoint incident on February 15, 2005

Source: Privacy Rights Clearinghouse, www.privacyrights.org

Page 5

19,420 breach of privacy grievances have been filed with the Federal Government since HIPAA regulations went into effect 36 months ago.

Source: Washington Post, June 5, 2006

Page 6

3,000,000 DNA “fingerprints” are on file with the FBI

80,000 new records are added every month

Every newborn child could be added to this database

Source: Washington Post, June 5, 2006

Page 7

PA Senate Bill 712: The Breach of Personal Information Notification Act

“Breach of the security of the system” is defined as:

The unauthorized access and acquisition of computerized data that MATERIALLY compromises the security or confidentiality of personal information maintained by the entity.....”

Source: General Assembly of Pennsylvania, December 6, 2005

Page 8

Privacy

• Access to information only as needed to conduct an authorized transaction

• Privacy may be voluntarily sacrificed in exchange for perceived benefits.

• Unfortunately, privacy is becoming the exception rather than the rule

• Privacy deals with the use of data

Page 9

Security

• The control of access to a resource
– Physical: facilities, paper records and machines that hold electronic records
– Electronic: control of the data files regardless of physical access

• Appropriate access by authorized individuals
– Who decides “appropriate” and “authorized”?

• Security deals with the control of data

Page 10

Why Identities are Compromised (bar chart; values as labelled on the chart)

Stolen or Lost Hardware/Tape: 65,444,764
Hackers/Identity Thieves: 43,303,499
Dishonest Insider: 19,077,925
Exposed Online: 3,073,463
Document Theft: 6,000

Source: Privacy Rights Clearinghouse, www.privacyrights.org

Page 11

PA LAW: Affected Individuals and Businesses Must be NOTIFIED by the keepers of the Data

• Would you know if there was a breach?

• How would you know what was accessed?

• Could you determine if data was encrypted or not?

• Could you figure out who breached the system?

• Would you know who to notify?

Page 12

The first step to getting better is admitting that you have a problem…

Page 13

12 Steps to Wellness

1. Install and maintain a firewall to protect data

2. Do not use vendor-supplied defaults for passwords or security configurations

3. Protect stored data

4. Encrypt transmission of data across public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to sensitive or privileged data

10. Track and monitor all access to network resources and data

11. Regularly test security systems and procedures

12. Maintain a policy that addresses information security

Source: Payment Card Industry Data Security Standard, December 2004

Page 14

#8: Assign a Unique ID to each person

• This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users

• Implies “role-based” access and regular activity reporting

• Roles may need to be changed in times of emergency

• This can be done with current technology

Page 15

#8: Assign a Unique ID to each person

• Identify all users with a unique username before granting access

• Employ passwords, tokens or biometrics in addition to unique identification to authenticate all users

• Implement a 2-factor authentication for remote access

• Encrypt passwords in transmission and storage

• Create authentication and password management for all users and administrators on all system components

– Verify user identity prior to password resets
– Control the provisioning and de-provisioning of users
– Remove inactive user accounts every 90 days
– Limit repeated access attempts and revoke access after x tries
– Password-controlled screen savers
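The controls on this slide are mechanical enough to show in code. The following is an added example, not code from the Quest deck or from Quest Software: a toy user directory that enforces unique IDs, stores only salted PBKDF2 hashes, locks an account after a fixed number of failed attempts, requires an explicit unlock (to be done only after identity is verified), and de-provisions accounts with no login in 90 days. The lockout threshold of 6 (standing in for the slide’s “x tries”), the PBKDF2 work factor, and the user names are assumptions for illustration.

```python
# Added example, not part of the Quest deck: a toy user directory that
# implements the authentication controls listed on slide 15. The lockout
# threshold, the 90-day window, the PBKDF2 work factor and the user names
# are assumptions for illustration only.
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 6      # the slide's "x tries" (assumed value)
INACTIVE_DAYS = 90           # slide: remove inactive user accounts every 90 days
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so only a hash, never the password, is stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str                 # one unique ID per person, never shared
    salt: bytes
    digest: bytes
    created: datetime
    last_login: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False


class Directory:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def provision(self, user_id: str, password: str, now: datetime) -> Account:
        """Refuse to create a second account under an existing ID."""
        if user_id in self.accounts:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest, created=now)
        return self.accounts[user_id]

    def authenticate(self, user_id: str, password: str, now: datetime) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown IDs (timing)
            return False
        if acct.locked:
            return False                            # access revoked until an admin unlocks
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            acct.last_login = now
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                      # slide: revoke access after x tries
        return False

    def unlock(self, user_id: str) -> None:
        """Call only after the person's identity has been verified out of band."""
        acct = self.accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0

    def remove_inactive(self, now: datetime) -> List[str]:
        """De-provision accounts with no login in INACTIVE_DAYS; an account that
        has never logged in is measured from its creation date."""
        cutoff = now - timedelta(days=INACTIVE_DAYS)
        stale = sorted(uid for uid, a in self.accounts.items()
                       if (a.last_login or a.created) < cutoff)
        for uid in stale:
            del self.accounts[uid]
        return stale


def demo() -> dict:
    """Walk the controls end to end on constructed data and return what happened."""
    d = Directory()
    t0 = datetime(2006, 5, 1, 9, 0)
    d.provision("alice", "correct horse battery", t0)
    d.provision("bob", "staple", t0)
    first_login = d.authenticate("alice", "correct horse battery", t0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        d.authenticate("alice", "wrong password", t0)
    locked = d.accounts["alice"].locked
    login_while_locked = d.authenticate("alice", "correct horse battery", t0)
    d.unlock("alice")
    login_after_unlock = d.authenticate("alice", "correct horse battery", t0 + timedelta(days=10))
    try:
        d.provision("alice", "again", t0)
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    removed = d.remove_inactive(t0 + timedelta(days=95))   # bob never logged in
    return {"first_login": first_login, "locked": locked,
            "login_while_locked": login_while_locked,
            "login_after_unlock": login_after_unlock,
            "duplicate_rejected": duplicate_rejected,
            "removed": removed, "remaining": sorted(d.accounts)}


if __name__ == "__main__":
    print(demo())
```

Note that the correct password is refused while the account is locked; a lockout that a further correct guess could clear would defeat the control. The unknown-ID branch spends the same hashing cost as a real lookup so an attacker cannot enumerate valid IDs by response time.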

Page 16

#10: Regularly Monitor and Test Networks

• Link all access to system components to an individual user – no generic shared administrator IDs

• Implement audit trails to trap/report suspicious activities

• Secure the audit logs so they can be proven to be accurate and un-altered

• Review logs daily for suspicious activities

• Retain logs for the appropriate length of time to satisfy internal and external requirements

– Usually at least 1 year of activity with last 90 days available online
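Two of these bullets, “secure the audit logs so they can be proven to be accurate and un-altered” and “review logs daily for suspicious activities”, are shown together in the following added example, which is not code from the deck or from Quest Software. Each record carries an HMAC over its own fields plus the previous record’s tag, so editing, deleting or reordering any record breaks the chain from that point on; a small review pass then flags use of generic shared IDs and bursts of failed logins. The HMAC key, the list of generic IDs, the thresholds and every log entry are constructed assumptions.

```python
# Added example, not from the deck: an HMAC-chained audit log whose integrity
# can be proven, plus a small "daily review" over constructed records. The
# key, the generic-ID list, the thresholds and all log entries are assumptions.
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

GENERIC_IDS = {"admin", "administrator", "root", "sa"}  # assumed shared IDs to flag
FAILED_LOGIN_THRESHOLD = 5                               # assumed
FAILED_LOGIN_WINDOW = timedelta(minutes=10)              # assumed
GENESIS = "0" * 64


class AuditLog:
    """Each record carries an HMAC over its fields plus the previous record's
    tag, so editing, deleting or reordering any record breaks every tag after it.
    The key must live with the log collector, not on the monitored host."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict[str, str]] = []

    def _tag(self, body: Dict[str, str]) -> str:
        msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()

    def append(self, ts: datetime, user: str, action: str, target: str, outcome: str) -> Dict[str, str]:
        prev = self.records[-1]["tag"] if self.records else GENESIS
        body = {"ts": ts.isoformat(), "user": user, "action": action,
                "target": target, "outcome": outcome, "prev": prev}
        rec = dict(body, tag=self._tag(body))
        self.records.append(rec)
        return rec

    def verify(self) -> int:
        """Return the index of the first record that fails the chain, or -1 if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body.get("prev") != prev or not hmac.compare_digest(self._tag(body), rec["tag"]):
                return i
            prev = rec["tag"]
        return -1


def review(records: List[Dict[str, str]]) -> List[str]:
    """The slide's daily review: flag generic IDs and bursts of failed logins."""
    findings: List[str] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if rec["user"] in GENERIC_IDS:
            findings.append(f"{rec['ts']} generic ID {rec['user']!r} used for {rec['action']} on {rec['target']}")
        if rec["action"] == "login" and rec["outcome"] == "failure":
            ts = datetime.fromisoformat(rec["ts"])
            window = [t for t in recent_failures[rec["user"]] if ts - t <= FAILED_LOGIN_WINDOW]
            window.append(ts)
            recent_failures[rec["user"]] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:   # report once, when the threshold is hit
                findings.append(f"{rec['ts']} {len(window)} failed logins for {rec['user']!r} within {FAILED_LOGIN_WINDOW}")
    return findings


def build_sample_log() -> AuditLog:
    """Constructed records: one normal login, a failed-login burst, a shared-ID export."""
    log = AuditLog(key=b"collector-key-held-off-host")   # assumed key
    t = datetime(2006, 5, 3, 8, 0)
    log.append(t, "alice", "login", "vpn", "success")
    for m in range(5):
        log.append(t + timedelta(minutes=1 + m), "bob", "login", "vpn", "failure")
    log.append(t + timedelta(hours=1), "admin", "export", "veterans_records.db", "success")
    return log


def demo() -> dict:
    log = build_sample_log()
    intact = log.verify()
    findings = review(log.records)
    log.records[3]["user"] = "mallory"       # edit a record in place
    edited = log.verify()
    log.records[3]["user"] = "bob"           # restore it, then delete a record
    del log.records[1]
    deleted = log.verify()
    return {"intact": intact, "findings": findings, "edited": edited, "deleted": deleted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves integrity to someone who holds the key, so the key belongs with the collector or a write-once store, never on the host that produced the events; an attacker who owns the host and the key can simply re-sign the chain. For the retention bullet, the chained records can be archived as-is and re-verified on read-back, which is what turns “at least 1 year” of stored logs into evidence rather than text.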

Page 17

NASCIO Best Practices

• Have an Incident Response Plan!
– 35% of CIOs have had a security or privacy breach
– 25% do not have a response plan; 41% have a plan; 34% don’t know

• Every project must have a privacy review, impact statement & incident response plan with threshold triggers

• Set clear expectations of privacy (or not) when anyone provides data inbound or outbound

• Investigate your “partners” to determine their security and privacy standards – you are accountable for them!

• THINK AHEAD: Pay now or 10x later

Page 18

Data Flows

Very Quickly!

Page 19

The links in the chain

• Privacy requires Security

• Security requires Control

• Control requires Authentication

Where is your weakest link?

Page 20

Reference Materials

NASCIO: www.nascio.org or [email protected]

For a complete list of federal and state privacy and security regulations

IAPP: www.privacyassociation.org

International Assoc. of Privacy Professionals

PA PowerPort privacy policy: www.state.pa.us/papower/cwp/view.asp?a=3&q=414879

Contact Brenda Orth at [email protected]

Quest Software solutions for IdM and Compliance: http://www.quest.com/quest_solutions/

Page 21

Discussion and Questions

Paul Christman

National Sales Director, Public Sector

[email protected]
