reinforcement of information privacy and security nowadays
TRANSCRIPT
Image courtesy of Business Insider
INTRODUCTION
Image courtesy of: parade.condenast.com
Presenter Profile • 16 years of working experience with exposure in IT advisory, consulting,
audit, training and education and project management
• Advisor at six companies
• ISACA International Subject Matter Expert (COBIT 5 Configuration Management, COBIT 5 Enabling Information, Risk Scenarios with COBIT 5 for Risk, Big Data Privacy Risk and Control)
• ISACA International Certification Exam and QAE Developer for CISA, CISM, CGEIT, and CRISC
• Reviewer Panel at three international journals: AECT TechTrends, BJET and ISACA Journals
• Have audited and consulted 30+ companies
• More than 65 international certifications under his belt
• Has been delivering and hosting 200+ sessions with 7,000+ attendees and 5000+ hours of training, lecture, conference, workshop, seminar across Indonesia and outside the country for 70+ organizations
• Writes, reviews and edits 300+ articles, encyclopedia entries, manuscripts and white paper concerning ICT, management and business on more than 20 media, publications, organizations, journals and conferences.
May 2014 3
First-off, Information Privacy
May 2014 4
Image courtesy of lerablog.org
Getting Familiar with the Taxonomy
May 2014 5
Courtesy of emeraldinsight.com
Okay, Let’s Put it this Way
Information Privacy is the relationship
between collection and
dissemination of:
• Information
• Technology
•Personal and public expectations
• Laws and regulations surrounding
them
May 2014 6
What does Privacy Mean Now?
• In the past: Privacy is about secrecy.
• These days: Privacy is all about control. People's relationship with privacy is socially
complicated
Agree or Disagree?
May 2014 7
Primary Concerns
• The act of data collection: Legal versus Illegal
• Improper access (Authentication)
• Unauthorized use (Authorization)
May 2014 8
Image courtesy of: City Caucus Image courtesy of:ngshire
Implications and Consequences
May 2014 9
Image courtesy of rcw-it.com
How Big Consumer Data is
• In 1996 E-commerce revenue in 1996:
US$600M
• In 2015 E-commerce revenue expected
to hit US$995B
•Big Bang of Social Networks: 1 billion
Facebook, 800 million Google+, 400
million Twitter, and 250 million LinkedIn
users.
May 2014 10
In Regards to Expectations
• Individuals would expect reasonable
measures on:
• Technical
• Physical
• Administrative
• Privacy (and Information Security) professionals in
organizations handle compliance with privacy promises
• No such thing as Perfect Privacy, just acceptable levels
of risk
May 2014 11
Wide Range of Information
• Healthcare records
• Criminal justice investigations
• Financial institutions and
transactions
• Residence and geographic
records
• Invisible traces of our presence
• Data trails
• Credit Card Databases
• Phone Company Databases
• Customer Databases
May 2014 12
Web Data Collection
• Personal/profile
• Other types of info
• Device information
• Cookies
• Log information
• User communications
• Location
• Software
• Application
• Behavior
May 2014 13
Image courtesy of NBCNews
Government
• Edward Snowden,
Hero or Traitor (?)
Company
• Data and information collection
• Revenue lost and recovery costs
• Security awareness
• Protect users’ data and information (from hacking, cracking and phreaking activities)
• Safeguard the service-remote storage service “Cloud”
• Image/Credibility
• Legal charge/fine
Costs for Information Privacy
May 2014 14
Image courtesy of Wikipedia
Consumer
• Time to learn (learning
curve)
• Credibility/Reputation
• Opportunity/revenue
loss
• Recovery costs
Costs of Information Privacy (cont’d)
May 2014 15
Image courtesy of smh.com.au
Challenges in the Future
• What is “private” information by now?
• Make information more accessible
• Evolve systems to prevent breaches
May 2014 16
Image courtesy of theinspirationroom.com
Moving Forward to Information Security
May 2014 17
Image courtesy of BBInsurance.com
ISACA Says…
Information shall be protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability).
Explicitly, it says to us on what to do:
• Confidentiality: preserving authorized restrictions on access and disclosure to protect privacy and proprietary information
• Integrity: guarding against improper modification or destruction, and ensuring information non-repudiation and authenticity
• Availability: making sure timely and reliable access and use of information
May 2014 18
Information Security Principles
According to Information Systems Security Certification Consortium
A. Support the business
• Focus on the business functions and processes
• Deliver quality and value to stakeholders
• Comply to law and regulation requirements
• Provide timely and accurate information
• Evaluate existing and future information threats
• Improve information security continuously
May 2014 19
Information Security Principles (cont’d)
B. Secure the organization
• Adopt a risk-based approach
• Protect classified information
• Focus on critical business processes
• Develop systems securely
C. Promote information security
• Attain responsible behavior
• Act in professional and ethical manner
• Foster information security positive culture
May 2014 20
Information Security Standards
International wide named ‘ISO/IEC 27001’
Best practice recommendations for initiating,
developing, implementing, and maintaining Information
Security Management Systems (ISMS) with:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others
May 2014 21
Constraints and Challenges
May 2014 22
Business Priorities as Interpreted by IT
May 2014 23
Courtesy of DataCenterJournal
What Takes Priority with IT Teams?
May 2014 24
Courtesy of DataCenterJournal
How to Overcome?
May 2014 25
Image courtesy of DigitalTrends.com
How it Applies Country to Country
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has
the right to the protection of the law against such interference or attacks.”
—Universal Declaration of Human Rights, Article 12
May 2014 26
Laws by Countries
• The U.S.
• HIPAA
• Electronic Communications Privacy Act
• PATROIT Act
• The Children’s Online Privacy Protection
Act
• European Union (EU)
• Data Protection Directive
• European Data Protection Regulation
May 2014 27
For Indonesia? We Have UU #14 Year of 2008
Keterbukaan Informasi Publik (Disclosure of Public Information)
“Setiap Badan Publik berkewajiban membuka akses bagi setiap
pemohon informasi publik untuk memperoleh informasi publik,
kecuali beberapa informasi tertentu”
• 8 years of development and 64 clauses that regulates:
1. Menjamin hak warga negara untuk mengetahui rencana
pembuatan kebijakan publik, program kebijakan publik, dan
proses pengambilan keputusan publik, serta alasan
pengambilan suatu keputusan publik;
2. Mendorong partisipasi masyarakat dalam proses
pengambilan kebijakan publik;
3. Meningkatkan peran aktif masyarakat dalam pengambilan
kebijakan publik dan pengelolaan Badan Publik yang baik;
May 2014 28
UU No. 14 Year of 2008 (cont’d)
4. Mewujudkan penyelenggaraan negara yang
baik, yaitu yang transparan, efektif dan efisien,
akuntabel serta dapat dipertanggungjawabkan;
5. Mengetahui alasan kebijakan publik yang
memengaruhi hajat hidup orang banyak;
6. Mengembangkan ilmu pengetahuan dan
mencerdaskan kehidupan bangsa;
7. Meningkatkan pengelolaan dan pelayanan
informasi di lingkungan Badan Publik untuk
menghasilkan layanan informasi yang berkualitas.
May 2014 29
UU #14 Year of 2008 (cont’d)
Definition of undisclosed information :
1. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat menghambat proses penegakan hukum;
2. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat mengganggu kepentingan perlindungan hak atas kekayaan intelektual dan perlindungan dari persaingan usaha tidak sehat;
3. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat membahayakan pertahanan dan keamanan negara;
4. Informasi Publik yang apabila dibuka dan diberikan kepada Pemohon Informasi Publik dapat mengungkapkan kekayaan alam Indonesia;
May 2014 30
UU #14 Year of 2008 (cont’d)
5. Informasi Publik yang apabila dibuka dan diberikan dapat merugikan ketahanan ekonomi nasional;
6. Informasi Publik yang apabila dibuka dan diberikan dapat merugikan kepentingan hubungan luar negeri;
7. Informasi Publik yang apabila dibuka dapat mengungkapkan isi akta otentik yang bersifat pribadi dan kemauan terakhir ataupun wasiat seseorang;
8. Informasi Publik yang apabila dibuka dan diberikan dapat mengungkap rahasia pribadi;
9. Memorandum atau surat-surat antar Badan Publik atau intra Badan Publik, kecuali atas putusan Komisi Informasi atau pengadilan;
10. Informasi yang tidak boleh diungkapkan berdasarkan Undang-Undang.
May 2014 31
State-Owned Companies Must Provide
• Nama dan tempat kedudukan, maksud dan tujuan serta jenis
kegiatan usaha, jangka waktu pendirian, dan permodalan,
• Nama lengkap pemegang saham, anggota direksi, dan
anggota Dewan Komisaris perseroan;
• Laporan tahunan, laporan keuangan, neraca laporan laba rugi,
dan laporan tanggung jawab sosial perusahaan yang telah
diaudit;
• Hasil penilaian oleh auditor eksternal, lembaga pemeringkat
kredit dan lembaga pemeringkat lainnya;
• Sistem dan alokasi dana remunerasi anggota komisaris/dewan
pengawas dan direksi;
• Mekanisme penetapan direksi dan komisaris/dewan pengawas;
May 2014 32
State-Owned Companies Must Provide (cont’d)
• Kasus hukum yang berdasarkan Undang-Undang terbuka sebagai Informasi Publik;
• Pedoman pelaksanaan tata kelola perusahaan yang baik berdasarkan prinsip-prinsip transparansi, akuntabilitas, pertanggungjawaban, kemandirian, dan kewajaran;
• Pengumuman penerbitan efek yang bersifat utang;
• Penggantian akuntan yang mengaudit perusahaan;
• Perubahan tahun fiskal perusahaan;
• Kegiatan penugasan pemerintah dan/atau kewajiban pelayanan umum atau subsidi;
• Mekanisme pengadaan barang dan jasa;
• Informasi lain yang ditentukan oleh Undang-Undang yang berkaitan dengan BUMN dan BUMD
May 2014 33
By Utilizing Such Framework and or Standard
Reduce complexity of activities and processes
Deliver better understanding of information
security
Attain cost-effectiveness in managing privacy
and security
Enhance user satisfaction with the
arrangements and outcomes
Improve integration of information security
May 2014 34
By Utilizing Such Framework and or Standard (cont’d)
Inform risk decisions and risk awareness
Enhance prevention, detection and
recovery
Reduce probability and impact of
security incidents
Leverage support for organization
innovation and competitiveness
May 2014 35
ISACA Framework on Information Security
May 2014 36
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed
Lessons Learned on IP and IS
May 2014 37
Image courtesy of businesscomputingworld.co.uk
Highlight these and Give Them A Boom!
Having IS policies, procedures, and
technologies in place to prevent and
deal with Information Privacy issues is
a MUST.
Negligence in IS and maintaining PII
can have damaging effects on the
customer satisfaction and employee
relationship.
May 2014 38
For Individuals, Here is the Takeaways
• One user, one device (PC, notebook, mobile)
• One user, one account (email, social media, social network and others)
• Password safety, complexity and routines
• Do periodic back-up and put it off-site
• If shared, be mindful to be at your own risk
• Your information, your privacy
• Your privacy, your security
May 2014 39
May 2014 40
Image: parade.condenast.com