TRANSCRIPT
Protecting Privacy in State Government
Basic Privacy & Security Training
for State of Ohio Employees
Objectives & Agenda
Overview: privacy & security
• What is privacy?
• Privacy and security, what is the difference?
• Defining sensitive data
• Why protect privacy?
• Best practice perspectives
• Good information-handling practices
• Security incident response
• Privacy quiz
What is Privacy?
“The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” ~ Alan Westin
“You have no privacy, get over it.” ~ Scott McNealy
What is Privacy: That was Then & This is Now
Then: Practical Obscurity
• No internet; no cell phones; marketing less pervasive; sense of “ain’t nobody’s business”
Now: Information Age
• More data gathering across government & business
• Smart phones, camera phones
• Mobile & wireless computing, 24/7 access
• Technological developments (surveillance cameras & software, RFID, biometrics)
Changing Threat Landscape
1997
• Amateur hackers
• Web site defacement
• Viruses
• Infrequent attacks
2007
• Organized crime
• SQL injections
• Identity theft
• Constant threat
• Plus the 1997 threats: amateur hackers, web site defacement, viruses
342 data breaches in the first half of 2008: more than 69% greater than the same time period in 2007
Privacy and Security, what is the difference?
Privacy & security are flip sides of a coin.
Privacy: broadly speaking, how data is defined and used; the laws, regulations, and policies that define and classify data and data usage.
Security: securing the data, both physically and technologically, per its definition, to ensure its:
• Confidentiality (limited access)
• Integrity (authentic & complete)
• Availability (accessible)
Defining Sensitive Data
Personally Identifiable Information (PII)
Broad definition: any information that is maintained by an entity that identifies or describes an individual.
Sensitive PII: name, when associated with:
• Social Security number
• Financial
• Health & medical
• ID card (driver’s, state identification card)
• Biometric
Defining Sensitive Data (con’t.)
Sensitive data is more than PII; it is also information your organization classifies as sensitive:
• Data mandated by law to be confidential
• Case numbers
• Security plans & reports
• Intellectual property
• Economic forecasts
• Passwords
Sensitive Data = Money
Handle sensitive data like cash!
October 10, 2007
Why Protect Privacy? – World View
• Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations
• California: SB 1, SB 1386, SB 27, AB 1950
• South Africa: Electronic Communications and Transactions Act
• US Federal: HIPAA, GLBA Safeguards Rule, COPPA
• Hong Kong: Personal Data Privacy Ordinance
• Canada: PIPEDA
• Japan: Personal Information Protection Act, METI Guidelines
• Chile: Law for the Protection of Private Life
• South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
• India: law pending, currently under discussion
• New Zealand: Privacy Act
• Argentina: Personal Data Protection Law, Confidentiality of Information Law
• Philippines: Data Privacy Law proposed by ITECC
• Taiwan: Computer-Processed Personal Data Protection Law
• European Union: EU Data Protection Directive and Member States, Safe Harbor Principles
Why Protect Privacy? - Public Trust
Citizens have no option to shop around – they are required to provide personal information to government.
We have an obligation to protect the information entrusted to us.
Why protect privacy? – U.S. Federal Laws
• HIPAA, GLBA, COPPA, FERPA, FCRA, genetic privacy, and more laws in the works
State laws:
• Data breach notification
• Credit freeze
• PII in public records
• Biometrics
• RFID
Why protect privacy? - Ohio
It’s a best practice and rapidly becoming statewide law and policy!
• Executive Order 13S (2007): Improving State Agency Data Privacy and Security
• Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data
• ITP-B.11: Data Classification Policy
• HB 104: Data Breach Notification Law
• HB 13: No SSN - Vehicle Registration Renewal Notice
• HB 46: Credit Freeze & SSN Redaction
• And more to come…
Why protect privacy? (con’t.)
Increasing citizen & consumer sensitivity
Security breaches: almost a daily occurrence
• Data breaches hit 8.3 million records in first quarter 2008*
• 167 data breaches in first quarter 2008
• 448 incidents in 2007
Identity theft: a low-risk, high-reward crime, becoming more and more organized
*Source - The Identity Theft Resource Center
Identity Theft
What It is and Its Impact
What is identity theft?
A crime to intentionally use another person’s identifying information to fraudulently obtain credit, property or services. Ohio Rev. Code Ann. §2913.49
Types:
• Financial: access to existing accounts; creation of new accounts
• Services: employment, medical
• Criminal
Incidence & Impact of Identity Theft
• 8.1 million incidents (2007): 3.6% of adults
• Out-of-pocket costs (2007): average $691
• Time spent recovering (2006): average 25 hours
Source: Javelin, 2/07 & 2/08
Impact of ID Theft on Economy
Total cost of identity theft in U.S. in 2007: $45 Billion
Source: Javelin, 2/08
Beware of Social Engineering Schemes
Identity thieves may try to trick employees into disclosing personal information: phishing e-mails, phone calls.
Verify the identity and authority of anyone requesting sensitive data.
Basic Data Handling for State Employees
Public Records and Sensitive Data
Most records agencies handle are public records, but they may also contain sensitive information. Employees must employ protective measures to ensure the information is not improperly released.
Ohio’s Public Records Act is based upon the concept that records produced by government are the people’s records.
Other laws require state government to protect sensitive information.
Basic Privacy Principles
1. Minimization/Collection Limitation: only collect that data for which you have a business need.
2. Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality.
3. Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared.
4. Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion.
5. Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise; and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer.
6. Accountability/Enforcement: specify an individual(s) to ensure the integrity and security of the data, and to enforce applicable law and policy.
International Privacy Principles
1. Openness: There should be a general policy of openness about the practices and policies with respect to personal information.
2. Purpose Specification: The purposes for which personal information is collected should be specified at the time of collection. Further uses should be limited to those purposes.
3. Collection Limitation: Minimize the data you collect. Only the data necessary for the stated purpose should be collected. Personal information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual.
4. Data Quality: Personal information should be accurate, complete and kept up-to-date, and relevant to the purposes for which it is to be used.
5. Use Limitation: Personal information should not be used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
6. Individual Participation: Individuals should have the right to inspect and correct their personal information.
7. Security Safeguards: Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.
8. Accountability: Someone in the organization should be accountable for compliance with the organization’s privacy policies.
~Based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (www.oecd.org)~
The Life Cycle of Sensitive Data
Data is an asset. The value associated with a piece of data is determined by its attributes, context within the agency, and associated risk…all are key factors in data classification.
Data life cycle: Collection, Storage, Use, Sharing, Destruction
Attributes, Context, Risk: together these determine Data Value
Handling Sensitive Data - Overview
• Take stock: what is PII & other sensitive data; where is it in your organization
• Scale down: only collect what you need
• Lock it: secure, encrypt, protect
• Proper disposal: securely dispose of documents per your retention schedule – remember the Sunshine Laws!
• Plan ahead: know your security incident response procedure
Take Stock
Know Where Sensitive Data Lives
• Learn where sensitive data is stored in your office and systems: PCs, workstation file drawers, laptops, BlackBerrys, and other portable devices
• Sensitive PII: employee data, as well as data of citizens/consumers, licensees, and others
• Other data classified as sensitive
HB 46 calls for all agencies to engage in Privacy Impact Assessments for new data systems.
Scale Down
Data Minimization is Your Friend – less is more
• Data quantity (only take what is necessary for a particular function)
• Access levels (only give access to those that need it)
1. Everything you take is something you have to retain
2. Everything you retain is something that can be breached
3. Everything that can be breached is something for which you are liable
4. Less data collected = less liability
REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy
Scale Down (cont.)
• Collect & retain only what you need and keep it only for the time you need it.
• Regularly purge documents with sensitive data from individual file folders (unless required to keep per public records law).
• Avoid downloading sensitive data unless necessary.
• Regularly cleanse sensitive data from PCs, laptops, other portable devices.
REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy
Lock It
Protect Sensitive Data from Unauthorized Access
• Limit access to sensitive data (especially PII) to those who need to use it to perform their duties
• Minimum necessary access
• Passwords & other access controls
Lock It - Desks
Protect Sensitive Data on Your Desk: “clean-desk policy”
• Don’t leave documents with sensitive data out when away from your workstation
• Lock up documents w/ sensitive data overnight and on weekends
• Lock PC when away from your workstation
Lock It – Workstations
Protect Sensitive Data in Workstations
• Make sure you have a timed lock-out
• Don’t download “free” software onto PC – it may contain spyware or other malware
• Angle your monitor away from prying eyes or ask for a “privacy screen” for your monitor if you enter sensitive data in a public place
Lock It - Passwords
Your password is like your toothbrush - Don’t share it!
Password “Don’ts”
• Do not reveal your password over the phone
• Do not send your password in an e-mail message
• Do not reveal your password to a supervisor or manager
• Do not talk about your password in front of others
• Do not hint at the format of your password (e.g., "my family name")
• Do not reveal your password on questionnaires or security forms
• Do not share your password with family members
• Do not reveal your password to co-workers while on vacation
Use strong passwords: 8+ characters, including numerals and symbols
Ohio IT Policy ITB-B.3: Password-PIN Security
Lock It – Laptops & Sensitive Data
All laptops must be encrypted.
Do not place sensitive data on portable devices (thumb drives and other portable devices), unless the placement has been authorized following agency policy and procedures, and the device is encrypted.
Lock It – E-mail & Mail
• Don’t send or receive sensitive data – SSN, DL number, financial account number, medical info – via email (in text or via attachments) unless allowed by agency and it is encrypted
Mail securely
• Don’t leave incoming or outgoing mail in unlocked or unattended receptacles
• Make sure mailings are not exposing sensitive data (CalPERS & State of Wisconsin)
Lock It - Faxes & Voicemail
• Don’t send sensitive data by fax unless security procedures are used
• Confirm accuracy of number before keying in
• Arrange for and confirm prompt pick-up
• Don’t leave sensitive data in voice mail messages
Lock It – At Home?
Do Not Take State Sensitive Data Home
‘NUFF SAID
Dispose of Records Safely
• Shred documents with sensitive data and other confidential info before throwing away: CDs and floppy disks too
• Have computers and hard drives properly “wiped” or overwritten when discarding
REMEMBER: Comply with Ohio Sunshine laws and record retention policy
Handling Sensitive Data – Bottom Line
Take stock; scale down; lock it; proper disposal; plan ahead
Remember the Sunshine Laws
How would you want someone handling your data?
Incident Response
Report Info Security Incidents
KNOW YOUR ORGANIZATION’S SECURITY INCIDENT RESPONSE POLICY AND PROCEDURE
Reportable incidents might include:
• Loss or theft of laptop, BlackBerry, disk, etc.
• Loss or theft of paper records
• Unauthorized acquisition of protected info
• Unauthorized release, modification, or destruction of protected info
• Interfering with state computers or data systems
• Any activity involving illegal activity or serious wrongdoing
What is an Incident?
• Viruses, e-mail viruses, e-mail harassment, worms, other malicious code
• Denial of service attacks
• Intrusions
• Stolen hardware
• Network or system sabotage
• Website defacements
• Stolen sensitive data
• Unauthorized access to files or systems
• Loss of system availability
• Misuse of service, systems or information
• Physical damage to computer systems, networks, or storage media
• Illegal activity, serious wrongdoing
Incident Response Guidance
• Ohio HB 104: Data Breach Notification – http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_104
• ITP – B.7: Security Incident Response – http://www.oit.ohio.gov/IGD/policy/pdfs_policy/ITP-B.7.pdf
• OIT IT Bulletin No: ITB-2007.02 – http://oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2007.02.pdf
• Governor’s Memo on Illegal Activity & Serious Wrongdoing – http://www.governor.ohio.gov/GovernorsOffice/Policies/SuspectedWrongdoing/tabid/800/Default.aspx
• Incident Response Management Guide – http://privacy.ohio.gov/resources/OITIncidentResponseGuide.doc
• Incident Response Training Presentation – http://privacy.ohio.gov/resources/Incident_Response_Training.ppt
Privacy Protection: Bottom Line
Privacy and security are everyone’s responsibility
(Some) Privacy Resources
• Ohio Privacy & Security Information Center – http://www.privacy.ohio.gov/
• Federal Citizen Information Privacy Resources – http://www.pueblo.gsa.gov/privacy_resources.htm
• Federal Trade Commission Privacy Initiatives – http://www.ftc.gov/privacy/index.html
• Onguard Online – http://onguardonline.gov/index.html
• Identity Theft Resource Center – http://www.idtheftcenter.org/
• Center for Democracy & Technology – http://www.cdt.org/privacy/
Privacy Quiz
Just for Fun – Test Your Knowledge
Quiz Question 1
If you believe that incoming mail containing sensitive data has been stolen from your office, where should you report it?
Options for Q1
a) To your mailroom supervisor.
b) To your department’s information security point of contact, supervisor, legal office, director’s office
c) To the U.S. Postal Inspection Service.
d) To the local police department.
Correct Answer to Q1
b) To your department’s information security point of contact, supervisor, legal office, director’s office
Quiz Question 2
Which of the following is the strongest – most secure – password for access to your PC?
Options for Q2
a) FLUFFY
b) 9151950
c) ERICKSON
d) HmW1cWC&
Correct Answer to Q2
d) HmW1cWC&
5 steps for a strong, memorable password
1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My dog Steve is three years old."
2. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: "mdsityo".
3. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. This might yield a password like "MdSi3yo".
4. Finally, substitute some special characters and/or add back some characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, you create a password (using the first letter of each word) "Md$i3y0ld".
5. Test your new password with a Password Checker (http://www.microsoft.com/protect/yourself/password/checker.mspx). Password Checker is a non-recording feature that Microsoft provides to help determine your password's strength as you type.
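A small Python check, added here as an example and not part of the State of Ohio training, that applies the training's own rule (8+ characters, including numerals and symbols) to the Q2 options and walks the mechanical parts of the five steps above; the criteria scoring and the look-alike substitution map are this example's own assumptions.

```python
"""Password checks following the training's rule: 8+ characters including
numerals and symbols. Added example code, not from the State of Ohio training;
the scoring and the substitution map are this example's own assumptions."""
import string

MIN_LENGTH = 8  # the "8+ characters" rule stated in the training

# Hypothetical look-alike substitutions for step 4 (not a table from the page)
SUBSTITUTIONS = {"s": "$", "o": "0", "a": "@", "i": "1", "e": "3"}


def criteria(password: str) -> dict:
    """Report which strength criteria a password satisfies."""
    return {
        "length_ok": len(password) >= MIN_LENGTH,
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
    }


def meets_policy(password: str) -> bool:
    """The training's stated rule: 8+ characters with a numeral and a symbol."""
    met = criteria(password)
    return met["length_ok"] and met["has_digit"] and met["has_symbol"]


def strongest(candidates: list) -> str:
    """Pick the candidate meeting the most criteria (ties broken by length)."""
    return max(candidates, key=lambda p: (sum(criteria(p).values()), len(p)))


def acronym(sentence: str) -> str:
    """Step 2: first letter of each word, lower-cased, punctuation dropped."""
    words = (w.strip(string.punctuation) for w in sentence.split())
    return "".join(w[0].lower() for w in words if w)


def substitute(text: str) -> str:
    """Step 4 (illustrative): swap letters for look-alike digits/symbols."""
    return "".join(SUBSTITUTIONS.get(c.lower(), c) for c in text)


if __name__ == "__main__":
    quiz = ["FLUFFY", "9151950", "ERICKSON", "HmW1cWC&"]
    print("Quiz Q2 strongest option:", strongest(quiz))
    base = acronym("My dog Steve is three years old.")
    print("Step 2 acronym:", base, "| meets policy:", meets_policy(base))
    swapped = substitute(base)
    print("After substitution:", swapped, "| meets policy:", meets_policy(swapped))
    print("Page's final example Md$i3y0ld meets policy:", meets_policy("Md$i3y0ld"))
```

Running it shows that the step-2 acronym alone fails the rule and that substitution alone still leaves it one character short, which is why step 4 also adds characters back.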
Quiz Question 3
Which of the following is the most secure way to get the SSNs of seven people to a co-worker, who is on a business trip, is authorized to have the information, and needs it to do his job?
Options for Q3
a) Send the information in an e-mail.
b) Call your co-worker and give him the information over the phone.
c) Leave the information in a voice mail message on your co-worker’s cell phone.
d) Fax the information to your co-worker at his hotel.
Correct Answer to Q3
b) Call your co-worker and give him the information over the phone.
Quiz Question 4
TRUE OR FALSE: If you delete files from your PC – and empty the recycle bin – that means the data in the files is erased.
Correct Answer to Q4
FALSE
Quiz Question 5
Which of the following would NOT be an information security incident that needs to be reported?
Options for Q5
a) Loss of a laptop containing unencrypted sensitive data.
b) Accidental mailing of an individual’s medical records to the wrong person.
c) Theft of your purse, which contained a CD with state data on it.
d) Theft of a state-owned computer monitor.
Correct Answer to Q5
d) Theft of a state-owned computer monitor.
• This is a trick question - remember the Gov’s Memo on Illegal Activity & Serious Wrongdoing. Report this to your Chief Legal Counsel!
Quiz Question 6
Which of the following should you do before leaving your workstation for a meeting?
Options for Q6
a) Put documents, disks, other records containing personal information in a locked drawer or otherwise out of sight.
b) Hit “control-alt-delete” and lock your computer.
c) Call your best friend and have a long chat.
d) Both a and b.
Correct Answer to Q6
d) Both a and b above.
• Put documents, disks, other records containing personal information (including your purse) in a drawer or otherwise out of sight.
• Hit “control-alt-delete” and lock your computer.