Presentation is loading. Please wait.

Presentation is loading. Please wait.

Considerations in an Outsourced / Cloud World ARMA Information Management Symposium Bill Wilson, Chief Privacy Technologist.

Published byDwight Gravette Modified over 10 years ago

Similar presentations

Presentation on theme: "Considerations in an Outsourced / Cloud World ARMA Information Management Symposium Bill Wilson, Chief Privacy Technologist."— Presentation transcript:

1 Considerations in an Outsourced / Cloud World ARMA Information Management Symposium Bill Wilson, Chief Privacy Technologist

2 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World

3 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World

4 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World

5 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World The times, they are a-changin 40 years ago – truck full of paper 30 years ago – crates of floppy disks 10 years ago – hard drives Today, same information can fit on a single DVD or a thumb drive!

6 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Cybercrime Fraud-related offences are now thought to be as profitable as drug-related offences, estimated at between $10 and $30 billion annually in Canada by the RCMPs Commercial Crime Branch. The majority of these crimes arent committed by kids at their computers, 80% or more of the work is conducted by criminal organizations.

7 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Identity Fraud Victims of identity theft or fraud can experience financial loss and difficulty obtaining credit or restoring their "good name". In 2009 the average data breach cost the affected business $6.75 million, up from $6.65 million in 2008, according to a Ponemon Institute study.

8 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World What your information could be used for: Criminals can use your stolen or reproduced personal or financial information to: access your bank accounts open new bank accounts transfer bank balances apply for loans, credit cards and other goods and services make purchases hide their criminal activities obtain passports or receive government benefits

9 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World

10 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World

11 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Threat Landscape - Trends Top threat events involved external hacking/malware on servers Increase in all forms of attacks by all actors Industrialization of attacks Targeting weak points in the financial system Top three industries targeted – Hospitality, Retail, Financial

12 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Threat Landscape - Trends Market Segmentation –Organization size –Geographic location –Industry Low risk, automated attacks against vulnerable systems Sophisticated attacks targeted at intellectual property

13 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Defences Understand the threat landscape for your business Assess the risks –Vulnerabilities –What are you seeing –Regulatory requirements –Industry requirements

14 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Legislation Personal Information Protection and Electronic Documents Act (PIPEDA) Key elements to cloud computing: –Consent –Collection –Use –Disclosure –Retention –Safeguards

15 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Personal Information Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form Personal information does not include the name, title, business address or telephone number of an employee of an organization

16 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Cloud Computing Models Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Software as a Service (SaaS) Private Public Partner Deployment ModelsService Models Cost Liability Assurance Risks vary by deployment and service model

17 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Considerations Ceding of control to the cloud/outsource provider and related impact on governance Cloud computing is new – standards are still being developed, supporting technologies being enhanced and little to no case law.

18 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Considerations Amalgamation of existing technologies; risks in cloud/outsourced computing can be: –Existing risks inherent in the technologies used –Magnification of existing risks –New risks Consumer-focused cloud services may present greater risks to data security and privacy due to click-through terms.

19 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Jurisdiction Location of the cloud/outsource provider, their infrastructure and your data Some countries may be considered higher- risk Does the cloud/outsource provider outsource any of its services to other providers in other jurisdictions

20 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Trans Border Data Flows PIPEDA does not prohibit the transfer of Personal Information (PI) –But does establish rules Sharing of information to service provider is considered a use –Additional consent is not required Accountability is not transferred –The buck stops with you

21 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Trans Border Data Flows Data protection formalized in a contract –Contract cannot override laws Assess the risks –Dont jeopardize the integrity, security and confidentiality of customer personal information Transparency and notification –Advise customers

22 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Lawful Access What laws apply to the data both in transit and at rest –Does the host country have lawful access to your data? i.e. US Patriot Act –Un-lawful access? Shared storage - consider implications if a physical device is seized

23 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Compliance Maintaining compliance with required regulations –PIPEDA, Sarbanes-Oxley, or industry- requirements such as PCI-DSS Maintaining compliance with certifications –ISO 27001 Breach reporting –Does the providers breach reporting policy and procedure align with your requirements

24 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Data Ownership Must be clearly defined –Explicitly state what data the provider has access to and what they can do with the data What happens to the data on contract termination –By you –By them –Other reasons, i.e. failure of the vendor

25 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Data Handling Data classification and labelling –Prerequisite –Drives requirements for data handling in SLA –Encryption or additional controls for sensitive data Understand providers data handling practices

26 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Processing and creation of new data Understand what is happening to your data in the cloud/service provider –What is your service provider doing with the data? Data matching Creation of new data

27 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Data Permanence Proper disposal of data must be addressed –redundancy images –backups Proof of disposal –Certification of Disposal

28 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Security Existing risks inherent to the technologies used –Virtualization, web New risks –Lack of isolation, Magnification of existing risks inherent to your processes

29 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Security Implications of multi-tenant, shared resources Availability and segmentation of audit logs Authentication and identity management Access control Management and monitoring of privileged access Security incident response capability

30 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Security Providers provision for handling conflicting requirements between customers on shared infrastructure Clear division of security responsibilities and liabilities between the customer and the provider Cloud/outsourcing can provide benefits, mostly related to economies of scale –Small business may benefit

31 ARMA Information Management Symposium - April 18 th 2012 Privacy in the Outsourcing World Summary Risk assessment Transparency by the provider on approach to privacy and security Certifications Contract review, including SLA and any related/reference Terms of Service Contract monitoring

32

Download ppt "Considerations in an Outsourced / Cloud World ARMA Information Management Symposium Bill Wilson, Chief Privacy Technologist."

Similar presentations

Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP www.ScottandScottllp.com.

Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.
Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.

The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.

Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.
Security Controls – What Works

Security Controls – What Works
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Government Databases and You or How I Learned to Stop Worrying and Love Information Loss. By Patrick Fahey Mis 304.

Government Databases and You or How I Learned to Stop Worrying and Love Information Loss. By Patrick Fahey Mis 304.

Similar presentations

Ads by Google