Post on 25-Sep-2020

3 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Security 101 for Privacy Practitioners

IAPP Canada Privacy Symposium 2012

May 10, 2012

Agenda

• Legal Environment

• Security Concepts

• Security Principles

• Security Objectives

• How to use Security to push the Privacy agenda

Privacy vs Security

• Privacy

An individual's right to be left alone

• No Privacy without Security

Is the legislation of any help?

The Canadian legislation

• Defines what private information is

• You shall be secure

• Your security should be reasonable

• An Act Respecting the Protection of Personal

Information in the Private Sector (Québec)

• Personal Information Protection Act (Alberta & BC)

• Personal Health Information Protection Act (Ontario)

So the legislation gives us the What, but not the How.

Misconceptions

• Security only concerns IT

True Story – the location

Hattiesburg Cycles (Hattiesburg, Mississippi)

True Story – the facts

Two persons enter the store and select merchandise worth almost $8,000. They hand a credit card to the cashier, who swipes it. The card is rejected by the cash register's computer. The card holder indicates that the rejection was expected and that the cashier should contact the credit card company by phone to receive a payment approval confirmation code. The card holder gives the credit company's phone number to the clerk, who calls the company. The company approves the purchase and provides a confirmation code. The merchant was never paid.

Misconceptions

• Security only concerns IT

NO. Security is NOT ONLY an IT problem.

It is mainly a business issue: the protection of the critical assets.

Misconceptions

• Security only concerns IT

• Security is a technical issue

NO. “Security is a process, not a product”

Misconceptions

• Security only concerns IT

• Security is a technical issue

• Security is a recipe to follow

NO. Security must be risk based

Risk Management

1. Risk Assessment

• Risk Analysis

Threat + Vulnerability

• Risk Evaluation

Likelihood × Impact

2. Risk Treatment

• Mitigate

• Avoid

• Transfer

• Accept

Risk-Based Approach

• Security is a trade-off

• There are always residual risks

• Never assume something is impossible

• Information Classification (ISPC for the OPS)

• Threat Risk Assessment
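The two slides above (Risk Assessment as Likelihood × Impact, Risk Treatment as mitigate / avoid / transfer / accept, and the reminder that residual risk never reaches zero) can be turned into a small risk register. The code below is an added example written for this page, not material from the IAPP deck; the 1..5 scales, the band thresholds, the 95% cap on control effectiveness and the sample risks are all constructed assumptions.

```python
"""Risk register: inherent risk = Likelihood x Impact, residual risk after
treatment. Added example, not from the IAPP slides; scales and sample data
are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

TREATMENTS = ("mitigate", "avoid", "transfer", "accept")


@dataclass
class Risk:
    name: str
    threat: str           # Risk Analysis: what could go wrong ...
    vulnerability: str    # ... and the weakness that lets it happen
    likelihood: int       # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int           # 1 (negligible) .. 5 (severe), constructed scale
    treatment: str = "accept"
    # Fraction of the inherent risk the chosen controls remove (0.0 .. 1.0).
    control_effectiveness: float = 0.0

    def inherent_risk(self) -> int:
        """Risk Evaluation: Likelihood x Impact, range 1..25."""
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        """There are always residual risks: a control is capped at 95%
        (an assumption) so that no entry ever scores exactly zero."""
        eff = min(max(self.control_effectiveness, 0.0), 0.95)
        return round(self.inherent_risk() * (1.0 - eff), 2)


def rating(score: float) -> str:
    """Map a score on the 1..25 scale to a band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def validate(risk: Risk) -> None:
    """Reject malformed entries, and refuse to silently 'accept' a high risk:
    that decision needs an explicit sign-off rather than a default."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.name}: unknown treatment {risk.treatment!r}")
    if risk.treatment == "accept" and rating(risk.inherent_risk()) == "high":
        raise ValueError(f"{risk.name}: a high risk cannot simply be accepted")


def is_acceptable(risk: Risk) -> bool:
    """True when the entry passes validation."""
    try:
        validate(risk)
    except ValueError:
        return False
    return True


def prioritise(risks: List[Risk]) -> List[Tuple[str, int, float, str]]:
    """Return (name, inherent, residual, band) rows, highest residual first,
    which is the order in which remaining effort should be spent."""
    for r in risks:
        validate(r)
    rows = [(r.name, r.inherent_risk(), r.residual_risk(), rating(r.residual_risk()))
            for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (values are illustrative, not from the slides).
SAMPLE = [
    Risk("lost laptop", "theft", "unencrypted disk", 4, 4, "mitigate", 0.8),
    Risk("fraudulent approval", "social engineering",
         "clerk can approve own transaction", 3, 5, "mitigate", 0.4),
    Risk("website defacement", "vandalism", "unpatched CMS", 2, 2, "accept", 0.0),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print("%-22s inherent=%2d residual=%5.2f %s" % row)
```

Note that the register ranks by residual, not inherent, risk: the lost laptop starts highest (16) but drops to 3.2 once disk encryption is credited, while the approval fraud stays medium because the only control is a partial one. The Hattiesburg story on the earlier slide is exactly that second row.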

Misconceptions

• Security only concerns IT

• Security is a technical issue

• Security is a recipe to follow

• Security is set for the long term

Plan / Do / Check / Act

Plan → Do → Check → Act → (back to Plan)

Misconceptions

• Security only concerns IT

• Security is a technical issue

• Security is a recipe to follow.

• Security is set for the long term.

NO. It must be reassessed on a regular basis

Plan / Do / Check / Act (ISO terminology)

A living process

Concepts

• Security is not only an IT problem

• “Security is a process, not a product”

• Security must be risk based

• Security is a living process

Security Practice

Security Principles

• Need to know

• Least privilege

• Segregation of duties

So what is the objective?

It is the preservation of:

• Confidentiality

• Integrity

• Availability

… in order to protect the organization's critical assets

So we cannot have Privacy without Security

… but we can have Security without Privacy

Confidentiality

• User management

• Access Control

• Encryption

Access Control

• Identification

• Authentication

• Authorization

N-Factors

• Something you know

• Something you have

• Something you are
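The Security Principles slide (need to know, least privilege, segregation of duties), the Access Control slide (identification, authentication, authorization) and the "something you know" factor above fit together in one decision path. The following is an added example written for this page, not code from the IAPP deck: the user directory, the roles, the clearance labels, the order workflow and the PBKDF2 parameters are all constructed assumptions, using only the Python standard library.

```python
"""Identification -> authentication -> authorization, with need to know,
least privilege and segregation of duties. Added example, not from the IAPP
slides; users, roles, labels and the order workflow are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # constructed choice for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Identification: the directory maps a claimed identity to a record.
USERS: Dict[str, dict] = {}


def add_user(username: str, password: str, role: str, clearances) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "role": role,
                       "clearances": frozenset(clearances)}


# Constructed directory (two users, two roles, two information labels).
add_user("alice", "correct horse", "clerk", {"sales"})
add_user("bob", "battery staple", "manager", {"sales", "finance"})

# Least privilege: each role gets only the actions its job needs.
ROLE_PERMISSIONS = {
    "clerk": {"create_order", "view_order"},
    "manager": {"view_order", "approve_order"},
}


def authenticate(username: str, password: str) -> bool:
    """Something you know: verify the password in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for an unknown user so the response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def authorize(username: str, action: str, order: dict) -> Tuple[bool, str]:
    """Authorization: role permission, need-to-know label, segregation of duties.
    `order` carries a 'label' (clearance needed to see it) and 'created_by'."""
    record = USERS.get(username)
    if record is None:
        return False, "unknown user"
    if action not in ROLE_PERMISSIONS.get(record["role"], set()):
        return False, "role lacks permission"
    # Need to know: having a role is not enough; the user must also be
    # cleared for the label on this particular record.
    if order["label"] not in record["clearances"]:
        return False, "no need to know"
    # Segregation of duties: whoever created an order may not approve it.
    if action == "approve_order" and order["created_by"] == username:
        return False, "segregation of duties"
    return True, "ok"


def request(username: str, password: str, action: str, order: dict) -> Tuple[bool, str]:
    """Full path: identify, authenticate, then authorize."""
    if not authenticate(username, password):
        return False, "authentication failed"
    return authorize(username, action, order)


if __name__ == "__main__":
    order = {"id": 1, "label": "sales", "created_by": "alice"}
    print(request("alice", "correct horse", "approve_order", order))
    print(request("bob", "battery staple", "approve_order", order))
```

The last check is the one the Hattiesburg slide is about: the clerk who takes the payment must not be the one who can approve an out-of-band authorization. Adding a second factor ("something you have") would be a further check in `authenticate`, not a change to `authorize`; the two stages stay separate.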

Encryption

• Symmetric

• One single key (the same key encrypts and decrypts)

• Asymmetric

• Two keys (one Private / one Public)

Integrity

• Asset Inventory

• Hashing

• Non-repudiation
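The Integrity slide pairs an asset inventory with hashing: record what you have and a fingerprint of each item, then compare later to see what changed. The code below is an added example for this page, not from the IAPP deck; the file contents are an in-memory dict of constructed sample data so it runs without touching disk, and the sealing key is a placeholder. It also carries the caveat a practitioner would want: a keyed hash over the baseline shows the baseline was produced by someone holding the key, but non-repudiation (proving which party produced it) needs a digital signature, which is not shown here.

```python
"""Asset inventory + hashing: detect modified, added and removed files, and
seal the baseline so it cannot be rewritten unnoticed. Added example, not
from the IAPP slides; the sample files and key are constructed."""
import hashlib
import hmac
from typing import Dict, List, Tuple

Inventory = Dict[str, str]  # path -> hex SHA-256 of content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(files: Dict[str, bytes]) -> Inventory:
    """Baseline: one fingerprint per asset."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def compare(baseline: Inventory, current: Inventory) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def seal_inventory(inventory: Inventory, key: bytes) -> str:
    """HMAC over a canonical rendering of the baseline. Without the key an
    attacker who changes a file cannot also quietly update its recorded hash.
    This is integrity, not non-repudiation: a MAC does not identify the signer."""
    canonical = "\n".join(f"{p} {h}" for p, h in sorted(inventory.items())).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def verify_seal(inventory: Inventory, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_inventory(inventory, key), seal)


def check(baseline: Inventory, seal: str, key: bytes, current_files: Dict[str, bytes]) -> dict:
    """Refuse to trust a baseline whose seal fails, then report differences."""
    if not verify_seal(baseline, key, seal):
        return {"baseline_trusted": False}
    modified, added, removed = compare(baseline, build_inventory(current_files))
    return {"baseline_trusted": True, "modified": modified, "added": added, "removed": removed}


# Constructed sample data (not real files).
SEAL_KEY = b"placeholder-key-keep-off-the-host-being-checked"
BASELINE_FILES = {
    "/etc/app/config.ini": b"debug=false\n",
    "/opt/app/bin/server": b"\x7fELF-constructed-binary",
    "/opt/app/policy.txt": b"retain 7 years\n",
}
CURRENT_FILES = {
    "/etc/app/config.ini": b"debug=true\n",          # modified
    "/opt/app/bin/server": b"\x7fELF-constructed-binary",
    "/opt/app/cron.sh": b"echo hi\n",                 # added
}                                                     # policy.txt removed

if __name__ == "__main__":
    baseline = build_inventory(BASELINE_FILES)
    seal = seal_inventory(baseline, SEAL_KEY)
    print(check(baseline, seal, SEAL_KEY, CURRENT_FILES))
```

The key point for the inventory is that the baseline is itself an asset: store the seal and the key somewhere the monitored system cannot write to, or the integrity check only tells you what an attacker chose to leave in it.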

Availability

• Backups

• Duplication

• Do not forget the personnel

Summary

• Privacy

An individual's right to be left alone

• Security

The Protection of critical assets

• No Privacy without Security…

… but we can have Security without Privacy

• What to secure and how to secure it

Privacy determines the what

Security determines the how

Summary

• Concepts

• Security is not only an IT problem

• “Security is a process, not a product”

• Security must be risk based

• Security is a living process

• Principles

• Objectives

• Security should not be front and center

Thank you

Gilles Fourchet, CIPP/IT, CISSP, PMP

Information Privacy & Security Specialist

Government of Ontario

gilles.fourchet@gmail.com

www.linkedin.com/in/gillesfourchet
