Presentation on theme: "Privacy and IT Security American Society of Access Professionals"— Presentation transcript:
Slide 1: Privacy and IT Security
American Society of Access Professionals
Presented by Samuel P. Jenkins, Director, Defense Privacy Office
February 2010

Slide 2: Agenda
- Fair Information Practice Principles
- Laws and Statutes of Privacy and Security
- Privacy Defined
- IT Security Defined
- Annual FISMA Reporting: Chief Information Officer Questions
- PIA/SORN Essential Elements Crosswalk
- Conclusion: The Way Ahead

Slide 3: Fair Information Practice Principles
Slide 4: Fair Information Practice Principles (1 of 2)
Principle: Description
- Collection limitation: The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual.
- Data quality: Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose.
- Purpose specification: The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes.
- Use limitation: Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority.
Source: GAO (May 2008), "Alternatives Exist for Enhancing Protection of Personally Identifiable Information"

Slide 5: Fair Information Practice Principles (2 of 2)
Principle: Description
- Security safeguards: Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.
- Openness: The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information.
- Individual participation: Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights.
- Accountability: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles.
Source: GAO (May 2008), "Alternatives Exist for Enhancing Protection of Personally Identifiable Information"
Slide 6: Laws and Statutes of Privacy and Security

Slide 7: Origin of the Federal Information Security Management Act (FISMA)
- From the E-Government Act of 2002 (Section 208 of Public Law), passed by the 107th Congress and signed into law by the President on 17 December 2002.
- Recognized the importance of information security to the economic and national security interests of the United States.

Slide 8: E-Government Act of 2002, Public Law, Section 208
Requirements. Agencies are required to:
- conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available (see Section II of this Guidance).
Federal Agency PIA Requirements: Section 208 of the E-Government Act of 2002 requires all agencies to conduct PIAs for all new or substantially changed information systems that collect, maintain, or disseminate PII on the public.

Slide 9: Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), requires:
- each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security.

Slide 10: Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002
Agencies must:
- Develop information security plans that are based on assessments of the risk and magnitude of harm that could result from unauthorized use, access, etc.
- Develop security awareness training to inform employees of these plans.
- Periodically test and evaluate the effectiveness of IT security policies, procedures and practices.
- Establish procedures for detecting, reporting and responding to security incidents.

Slide 11: Office of Management and Budget (OMB)
In support of and reinforcing this legislation, OMB, through Circular A-130, Appendix III, "Security of Federal Automated Information Resources", requires executive agencies within the federal government to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and periodically thereafter

Slide 12: National Institute of Standards and Technology (NIST)
Several NIST publications help agencies implement FISMA requirements:
- Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems
- FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
Slide 13: From GAO report INFORMATION SECURITY, "Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses," July 2007. (ASAP Conference)
Slide 15: Privacy Defined
- Samuel D. Warren, a Boston attorney, and Louis D. Brandeis, a justice of the United States Supreme Court, published in the Harvard Law Review their paper titled "The Right To Privacy" (December 1890): "... the right to be let alone."
- Personal control over the collection, use and disclosure of any recorded information about an identifiable individual.
- The organization's responsibility for data protection and safeguarding personal information in its custody or control.

Slide 16: Privacy Defined (Continued)
- A right of privacy has been based in the U.S. Supreme Court's examination of the Constitution. Case law has interpreted the U.S. Constitution to protect personal freedoms, such as the right to privacy under the 14th Amendment.
- The 1st, 4th, and 5th Amendments also provide some protection of privacy, although in all cases the right is narrowly defined.
- There is also the statutory right of privacy, which limits access to personal information.
- The right of privacy must be balanced against the agency's need to collect, use, maintain and disseminate information about a person and that person's expectation of privacy.

Slide 17: Definitions for Privacy & Security
Privacy is the right of an individual to:
- control his or her own personal information, and
- not have it disclosed or used by others without permission.
Confidentiality is the obligation of another party to respect privacy by:
- protecting personal information they receive, and
- preventing it from being used or disclosed without the subject's knowledge and permission.
Security is the means used to protect the confidentiality of personal information through physical, technical and administrative safeguards.
Slide 18: Information Technology (IT) Security Defined

Slide 19: Information Technology
Information technology has been defined as: "Any equipment, or interconnected system(s) or subsystem(s) of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency."
Slide 20: Computer Security: A Practical Definition
Defining "computer (IT) security" is not trivial. The difficulty lies in developing a definition that is broad enough to be valid regardless of the system being described, yet specific enough to describe what security really is. In a generic sense, security is "freedom from risk or danger." In the context of computer science, security is the prevention of, or protection against:
- access to information by unauthorized recipients, and
- intentional but unauthorized destruction or alteration of that information.
This can be restated: "Security is the ability of a system to protect information and system resources with respect to confidentiality and integrity." Note that the scope of this second definition includes system resources, which include CPUs, disks, and programs, in addition to information.

Slide 21: Computer security is not restricted to the three broad concepts. Additional ideas that are often considered part of the characteristics of computer security include:
- Access control: Ensuring that users access only those resources and services that they are entitled to access, and that qualified users are not denied access to services that they legitimately expect to receive.
- Non-repudiation: Ensuring that the originators of messages cannot deny that they in fact sent the messages.

Slide 22: Computer security characteristics include:
- Availability: Ensuring that a system is operational and functional at a given moment, usually provided through redundancy; loss of availability is often referred to as "denial of service".
- Privacy: Ensuring that individuals maintain the right to control what information is collected about them, how it is used, who has used it, who maintains it, and what purpose it is used for.
Slide 23: Computer Security, A Functional View
Analyzing security by function can be a valuable part of the security planning process, addressing the following five areas:
- Risk avoidance: A security fundamental that starts with questions: Does my organization or business engage in activities that are too risky? Do we really need an unrestricted Internet connection? Do we really need to computerize that secure business process? Should we standardize on a desktop operating system with no access control fundamentals?
- Deterrence: Reduces the threat to information assets through fear. Can consist of communication strategies designed to impress upon potential attackers the likelihood of getting caught.

Slide 24: Computer Security, A Functional View (Continued)
- Prevention: The traditional core of computer security. Consists of implementing safeguards and tools. Absolute prevention is theoretical, since there is a vanishing point where additional preventative measures are no longer cost-effective.
- Detection: Works best in conjunction with preventative measures. When prevention fails, detection should kick in, preferably while there is still time to prevent damage. Includes log-keeping and auditing activities.
- Recovery: When all else fails, be prepared to pull out backup media and restore from scratch, or cut over to backup servers and network connections, or fall back on a disaster recovery facility. Arguably, this function should be attended to before the others: start the planning with recovery.

Slide 25: In Summary, Security Plus Privacy
Privacy is the right of individuals to control:
- what information is collected about them,
- who maintains it,
- how it is used,
- who has used it, and
- what purpose it is used for.
Security is the ability of a system to protect information and system resources with respect to:
- authentication
- data integrity
- confidentiality
- non-repudiation
- data protection
Slide 26: Annual FISMA Reporting: Chief Information Officer Questions

Slide 27: FISMA Reporting, Chief Information Officer Questions FY 2009
Question 1: System Inventory
- Identify the number of agency and contractor systems by component and FIPS 199 impact level (low, moderate, high).
- Please also identify the number of systems that are used by your agency but owned by another federal agency (e.g., ePayroll) by component and FIPS 199 impact level.

Slide 28: FIPS 199 impact levels
Source: FIPS 199
Slide 29: Question 2: Certification and Accreditation (C&A), Security Controls Testing, and Contingency Plan Testing
- For the total number of systems identified by Component/Bureau and FIPS system impact level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.
- Please identify all systems reported as not having a C&A. You will need to provide the System Name and Unique Project Identifier (UPI).

Slide 30: Question 3: Annual Testing and Continuous Monitoring
- What tools and techniques do you use for continuous monitoring?

Slide 31: Question 4: Incident Detection, Monitoring, and Response Capabilities
- What tools, techniques, technologies, etc., does the agency use for incident detection?
- How often does the agency log and monitor activities involving access to and modification of critical information? (Answer will be a range in percentages.)
- What percentage of systems maintain audit trails that provide a trace of user actions?
- Does the agency maintain an incident handling and response capability?
- What tools, techniques, technologies, etc., does the agency use for incident handling and response?

Slide 32: Question 5: Security Awareness Training
Federal agencies and organizations cannot protect the confidentiality, integrity, and availability of information in today's highly networked systems environment without ensuring that all people involved in using and managing IT:
- Understand their roles and responsibilities related to the organizational mission;
- Understand the organization's IT security policy, procedures, and practices; and
- Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

Slide 33: Question 6: Peer-to-Peer File Sharing
- Does the agency explain policies regarding the use of peer-to-peer file sharing in information security awareness training, ethics training, or any other agency-wide training?
Slide 34: Interesting Peer-to-Peer Facts
- There are 150 million + users of peer-to-peer software. (Internetfilterreview.com)
- Students years old make up 41% of American P2P users. (Recording Industry Association of America)
- 56% of files found using innocent search terms were pornographic. (House Committee on Government Reform and General Accounting Office)
Source: Understanding Peer-to-Peer Networking, i-SAFE America Inc.

Slide 35: What is file sharing? (1)
File sharing involves using technology that allows Internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy.
(1) From US-CERT Cyber Security Tip ST05-007, produced by Mindi McDowell, Brent Wrisley, Will Dormann, Carnegie Mellon University, 2005, 2008.

Slide 36: What risks does file-sharing technology introduce? (1)
- Installation of malicious code: When you use P2P applications, it is difficult, if not impossible, to verify that the source of the files is trustworthy.
- Exposure of sensitive or personal information: By using P2P applications, you may be giving other users access to personal information.
- Susceptibility to attack: Some P2P applications may ask you to open certain ports on your firewall to transmit the files.
- Denial of service: Downloading files causes a significant amount of traffic over the network.
- Prosecution: Files shared through P2P applications may include pirated software, copyrighted material, or pornography. If you download these, even unknowingly, you may be faced with fines or other legal action.

Slide 37: How can you minimize these risks? (1)
The best way to eliminate these risks is to avoid using P2P applications. However, if you choose to use this technology, you can follow some good security practices to minimize your risk:
- Use and maintain anti-virus software: Anti-virus software recognizes and protects your computer against most known viruses.
- Install or enable a firewall: Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer.
(1) From US-CERT Cyber Security Tip ST05-007, produced by Mindi McDowell, Brent Wrisley, Will Dormann, Carnegie Mellon University, 2005, 2008.
Slide 38: Question 7: Configuration Management
- Is there an agency-wide security configuration policy? Yes or No.
- If "Yes" is selected, the agency will enter the systems/platforms/applications for which configuration policies exist and give the status of implementation of those policies.
- What tools and techniques is your agency using for monitoring compliance?
- Indicate the status of the implementation of FDCC at your agency.
- Agency has documented deviations from the FDCC standard configuration. Yes/No.

Slide 39: Question 7: Configuration Management (Continued)
- Federal Acquisition Regulation language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No.
- 7c.3 will be eliminated.
- Federal Acquisition Regulation (Part 24, Protection of Privacy and Freedom of Information):
  Privacy Act Notification
  Privacy Act

Slide 40: Question 8: Incident Reporting*
- How often does the agency follow documented policies and procedures for identifying and reporting incidents internally?
- How often does the agency comply with documented policies and procedures for timelines of reporting to US-CERT?
- How often does the agency follow documented policies and procedures for reporting to law enforcement?
*All answers are a percentage range.

Slide 41: Question 9: Performance Metrics for Security Policies and Procedures
IT security metrics provide a practical approach to measuring information security. Metrics-related roles and responsibilities are dispersed throughout an organization. Many IT security metrics can be created to measure each aspect of the organization's IT security.
- Provide three (3) outcome/output-based performance metrics your agency uses to measure the effectiveness or efficiency of security policies and procedures.

Slide 42: Question 10: Homeland Security Presidential Directive (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors
- Number of FISMA applications in which federal employees and contractors are using HSPD-12 Personal Identity Verification credentials for access.
Slide 43: Privacy Impact Assessments (PIA)

Slide 44: What is a PIA?
A "Privacy Impact Assessment (PIA) is an analysis of how information is handled:
- to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy,
- to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and
- to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks."
Source: OMB (9/26/2003), EGOV 208(b)

Slide 45: When is a PIA Required?
When PII is collected, a PIA is required for:
- Existing information systems and electronic collections where a PIA has not previously been completed, including systems that collect PII about Federal personnel and contractors.
- New information systems or electronic collections: prior to developing or purchasing, and when converting paper-based records to electronic systems.

Slide 46: When is a PIA not Required?
When the information system or electronic collection:
- Does not collect, maintain or disseminate personal identifying information
- Is a National Security System (including systems that process classified information)

Slide 47: PIA/SORN Essential Elements Crosswalk
Slide 48: Privacy Impact Assessment (PIA) / System of Record Notice (SORN) Essential Elements Crosswalk
PIA element -> SORN element
- What privacy information is collected -> Categories of Records in the System
- Why the information is collected -> Authority/Purpose(s)
- What the intended uses are for the information -> Purpose(s)
- With whom the information is shared -> Routine Uses
- What opportunities individuals have to decline to provide PII -> Privacy Act Statement/Notification procedure
- How information is secured -> Safeguards
- What privacy risks need to be addressed -> Narrative Statement/Probable or potential effects on the privacy of individuals
- Whether a System of Records Notice (SORN) exists -> (Not applicable)

Slide 49: Crosswalk: What privacy information is collected?
PIA: What privacy information is collected? Nature of the information; scope of the information.
SORN: Categories of Records in the System. Describe the types of individually identifiable information maintained in the system, e.g., social security number, date of birth, patient medical history, school applications.

Slide 50: Crosswalk: Why is the information collected?
PIA: Describe the purpose of the collection, e.g., verification, identification, authentication, data matching.
SORN: Authority. Describe the specific legal authority (citation and descriptive title) for maintenance of the system. Only a statute or Executive Order of the President may be cited.

Slide 51: Crosswalk: What are the intended uses for the information?
PIA: How will the information be used to fulfill the purpose previously stated?
SORN: Purpose(s). Describe the purpose for which the system of records was established and uses of the information internal to the organization.

Slide 52: Crosswalk: With whom is the information shared?
PIA: Within the Agency; with another Federal Agency; State or local agency; Contractor(s).
SORN: Routine Uses. Describe routine uses of the information outside the organization which are authorized for records in the system. Each individual routine use should identify:
- the third party to whom disclosure is authorized,
- the type of information to be disclosed, and
- the purpose of the disclosure.

Slide 53: Crosswalk: What opportunities will individuals have to decline to provide PII?
PIA: Is this collection statutorily mandated? If voluntary, how can individuals grant or withhold consent?
SORN: Privacy Act Statement/Notification procedure. Does the Privacy Act Statement accurately reflect the essential elements of the data collection? Provide the title and office to which the individual would write to determine whether or not the system contains a record about the individual, how they access their record, and what information the individual needs to provide to verify their identity.

Slide 54: Crosswalk: How is information secured?
PIA:
- Physical controls, e.g., security guards, locks, closed circuit TV, safe
- Technical controls, e.g., firewall, public key infrastructure (PKI) certificates, encryption, biometrics
- Administrative controls, e.g., backups, periodic security audits, methods to ensure only authorized persons access PII
SORN: Safeguards. Describe all measures in place to minimize the risk of unauthorized access to or disclosure of records in the system. Identify the categories of employees who are authorized to have access to the records.

Slide 55: Crosswalk: What privacy risks need to be addressed?
PIA:
- How do information handling practices at each stage of the "information life cycle" (i.e., collection, use, retention, processing, disclosure and destruction) affect individuals' privacy?
- For existing information systems or electronic collections, what measures have been put in place to address identified privacy risks?
- For new information systems or collections, what measures are planned for implementation to address identified privacy risks?
SORN: Narrative Statement/Probable or potential effects on the privacy of individuals.
- What is/could be the impact on the individual as a result of this compilation of information?
- What impact would a breach of this information have on the individual?

Slide 56: Crosswalk: Does a SORN exist?
PIA: Does a SORN exist to correspond with the collection documented in the PIA?
SORN: Does/Do PIA(s) exist to correspond with the data collection represented by the SORN?
Slide 57: PRIVACY IMPACT ASSESSMENT (PIA)
DoD Information System/Electronic Collection Name:
DoD Component Name:
SECTION 4: REVIEW AND APPROVAL SIGNATURES
Prior to the submission of the PIA for review and approval, the PIA must be coordinated by the Program Manager or designee through the Information Assurance Manager and Privacy Representative at the local level.
- Program Manager or Other Official Signature (to be used at Component discretion)
- Component Senior Information Assurance Officer or Designee Signature
- Component Privacy Officer Signature
- Component CIO Signature (Reviewing Official)
Source: DD Form 2930
Slide 59: Lessons in Privacy and Security: Can They Exist Together?
Quote: "The thing I think should never be lost in our discussion, is the discussion about privacy... I've said for a long time, privacy and security are two sides of the same coin. Very clearly, without security, we have no privacy. As I was going through and discussing with leadership coming into this position, I always made sure we had a discussion about privacy."
He also spoke about privacy, security and innovation together, a viewpoint often challenged by security people.
Howard Schmidt, January 29, 2010, in his first speech as White House Cybersecurity Coordinator, a speech about privacy, security and innovation.

Slide 60: Important Lessons: What Can Be Done
Organizations should implement goals and consider the following:
- Update privacy and security policies.
- Be aware of how and what personal information is collected, transmitted, and processed.
- All need to understand their specific information environment in order to control and protect it.
- A Privacy official needs to understand Security, and a Security official needs to understand Privacy.
- Top-down commitment is needed to implement successful data protection programs.

Slide 61: Conclusion: What Important Lessons Should We Learn?
- IT/Security staff need to have a basic understanding of privacy protection laws (especially the Privacy Act).
- Privacy staff need to understand security laws.
- This should lead to positive, transparent relationships.
- Include records management: ensure the information is promptly disposed of in accordance with approved records control schedules. This could reduce potential breaches.
- Don't look at security issues and privacy issues in a vacuum; they are often interrelated.

Slide 62: Critical Privacy - Security Interface
PRIVACY: Focused on meeting the information requirements of the Agency while ensuring the protection of the rights of the individual in the collection, use and dissemination of PII.
SECURITY: Focused on protecting the information and information systems supporting the operations and assets of an organization.
Privacy's success is dependent on the establishment of a basic foundation for information security.
Source: NIST Draft Guide to Protecting the Confidentiality of PII (1/09)