
Page 1: SISPO Arizona Digital Government Summit Security and Privacy in a See-Through World May 27, 2009 Mary Beth Joublanc State Chief Privacy Officer and HIPAA

SISPO

Arizona Digital Government Summit

Security and Privacy in a See-Through World

May 27, 2009

Mary Beth Joublanc

State Chief Privacy Officer and HIPAA Coordinator

[email protected] (602) 364-4537


SISPO CISO AND MANAGER

James (Jim) Ryan

State Chief Information Security Officer and Manager of [email protected] (602) 364-4771


SISPO TEAM

James (Jim) Ryan, Manager and [email protected] (602) 364-4771

James Dzierzanowski, Information Security [email protected] (602) 364-3583

Mary Beth Joublanc, [email protected] (602) 364-4537

Sherri Eshkibok, SISPO Operations [email protected] (602) 364-4779


GOVERNMENT INFORMATION TECHNOLOGY AGENCY (A.R.S. 41-3501)

GITA’s Roles and Responsibilities

• Strategic oversight of State IT infrastructure
• Establish Statewide IT Policies & Standards
• Develop & Implement a Statewide IT Plan
– Evaluate agency IT plans
– Inventory State IT Assets
– Coordinate IT projects

• Oversight of Agency IT Projects ($25k - $1M+)
– Project Investment Justification (PIJ)
– Approve / Disapprove / Suspend
– Information Technology Authorization Committee (ITAC)
» If project is $1M or more, ITAC must approve

http://www.azgita.gov/


STATEWIDE INFORMATION SECURITY AND PRIVACY OFFICE (aka: SISPO)

A.R.S. 41-3507

SISPO’s Roles and Responsibilities

• Strategic planning & coordination
– Individual budget units continue operations
• Compliance plan for InfoSec & Privacy
• Temporarily suspend information infrastructure
• Agency required to report incidents
– Coordinate
– Review
– Mitigation
• Training & Awareness Program
– Web based e-Learning
– Leverage programs already in place

http://www.azgita.gov/sispo


American Recovery and Reinvestment Act (aka: Stimulus Bill)

Emphasizes Accountability & Transparency

• Enhanced Transparency

– Normal Reporting to Federal Grantor Agency

– Recovery.gov and Azrecovery.gov (individual agencies, too)

– Reporting
• Federal Agency
• State and Local Recipients
• Individual Recipients


ARRA Reporting – Requirements

• Governor’s Office of Economic Recovery, ADOA and GITA have teamed up to implement a reporting system that will track:

– Who spent the stimulus funds

– How much was spent

– When was it spent

– Where was the money spent

– Key criteria as required by the federal government


Transparency vs Public Information Acts

• Transparency in Government Act of 2008
– Applies to Congress and Executive Branch
– Focus on timely and online information to public
– Nine Titles, including transparency, public access, data classes
– http://www.publicmarkup.org/bill/transparency-government-act-2008

• Memorandum for the Heads of Executive Departments and Agencies – Transparency and Open Government (Jan 21, 2009)
– Government should be transparent and promote accountability
– Government should be participatory
– Government should be collaborative – foster use of online tools


Arizona Ombudsman – Citizens’ Aide

Public Records Laws

• All officers and public bodies must maintain records reasonably necessary to provide an accurate accounting of their official activities and of any government funded activities 

• An officer is any person elected or appointed to hold office of a public body or any chief, administrative officer, head, director, superintendent or chairman of any public body.  Public bodies include the state, counties, cities, towns, school districts, political subdivisions, or special taxing districts and any branch, department, board, bureau, commission, council, or committee

• Every citizen in Arizona has the right to access public records upon request.  Access to a public record is deemed denied if a custodian fails to promptly respond.

• Publications:
– Ombudsman Booklet
– AZ Agency Handbook - Chapter 6
– Public Access Newsletter - April 2009

http://www.azleg.gov/ombudsman/public_records.asp


Data Life Cycle Management

• Data life-cycle management (DLM):
– Policy-based approach to managing the flow of an information system's data throughout its life cycle
– From creation and initial storage to the time of deletion
– Must include transition from hardcopy to electronic formats (e.g. scanning to digitize information for posting to websites or adding to databases)

• Considerations:
– Keep public what is public
– Avoid inadvertently exposing non-public information to a public site or using it for a public purpose


Data Life Cycle – Key Points

• Know the agency’s authority to collect, use, disclose (third parties) and dispose of information

• Identify applicable privacy laws
– Authority laws
• State: http://azleg.gov/ArizonaRevisedStatutes.asp
• Federal: http://www.gpoaccess.gov/nara/index.html
– Administrative rules
• State: http://www.azsos.gov/public_services/intro_material/Title_Index.htm
• Federal: http://www.gpoaccess.gov/nara/index.html
– HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/index.html
– HIPAA Security Rule: http://www.cms.hhs.gov/SecurityStandard/
» NIST: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf (National Institute of Standards and Technology)


How to Protect Non-Public Information?

KNOW THY DATA!!!!

• Information Control Process
– GITA Project Investment Justification (new projects)
• http://www.azgita.gov/nav/pij.htm
– GITA Data Classification Policy and Standard (P740 - S741, Classification and Categorization of Data Standard)
• http://www.azgita.gov/policies_standards/pdf/P740-S741%20Classification%20of%20Data%20Standard.pdf


GITA Data Classification Standard

DATA/INFORMATION CLASSIFICATIONS

Confidential Data/Information: Personal and sensitive data/information

Personal information: any state information that may be used to identify an individual, including, but not limited to his/her name, photograph, social security number, physical description, race, ethnic origin, sexual orientation, income, blood type, DNA code, fingerprints, marital status, religion, home address, home telephone number, education, financial matters, and medical or employment history readily identifiable to a specific individual.

Sensitive information: may be prejudicial or harmful to the state and its citizens.

Public Information: Data/information that generally does not need custodian/owner approval and has not been explicitly classified as confidential


GITA Data Classification Standard Matrix

• Categorization of data/information and software application systems includes risk levels of confidentiality, integrity and availability. The following 3 tables summarize the security objectives and their risk levels:

Security Objective: Confidentiality – Preserving authorized restriction on information access and disclosure, including means for protecting personal privacy and proprietary information.

Potential Impact

Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on budget unit operations, budget unit assets, or individuals.

Moderate: The unauthorized disclosure of information could be expected to have a serious adverse effect on budget unit operations, budget unit assets, or individuals.

High: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on budget unit operations, budget unit assets, or individuals.


GITA Data Classification Standard Matrix (2)

Security Objective: Integrity – Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Potential Impact

Low: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on budget unit operations, budget unit assets, or individuals.

Moderate: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on budget unit operations, budget unit assets, or individuals.

High: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on budget unit operations, budget unit assets, or individuals.


GITA Data Classification Standard Matrix (3)

Security Objective: Availability – Ensuring timely and reliable access to and use of information.

Potential Impact

Low: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on budget unit operations, budget unit assets, or individuals.

Moderate: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on budget unit operations, budget unit assets, or individuals.

High: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on budget unit operations, budget unit assets, or individuals.

Source: FIPS PUB 199, Categorization of Information and Information Systems

http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
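As an added example (not from the deck, GITA or NIST), the three matrix tables above and the FIPS 199 "high water mark" rule for a system holding several information types, written in Python; the Confidential/Public decision reuses the personal-information elements listed in the GITA standard, and the sample information types and their impact levels are constructed.

```python
"""FIPS 199 style categorization of an information system.

Added example; not part of the SISPO deck or the GITA standard. It encodes the
three matrix tables (confidentiality, integrity, availability by low / moderate
/ high), decides Confidential versus Public from the personal information
elements the GITA standard lists, and applies the FIPS 199 "high water mark"
rule: a system inherits, per objective, the highest impact of any information
type it holds. The sample information types below are constructed.
"""
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVEL_ORDER = {"low": 1, "moderate": 2, "high": 3}

# Wording of the three tables: the loss event for each objective and the
# adverse effect attached to each impact level.
LOSS_EVENT = {
    "confidentiality": "The unauthorized disclosure of information",
    "integrity": "The unauthorized modification or destruction of information",
    "availability": "The disruption of access to or use of information or an information system",
}
ADVERSE_EFFECT = {
    "low": "a limited adverse effect",
    "moderate": "a serious adverse effect",
    "high": "a severe or catastrophic adverse effect",
}

# Personal information elements named in the GITA classification standard.
# Any information type containing one of them is Confidential, not Public.
PERSONAL_INFORMATION_ELEMENTS = frozenset({
    "name", "photograph", "social security number", "physical description",
    "race", "ethnic origin", "sexual orientation", "income", "blood type",
    "dna code", "fingerprints", "marital status", "religion", "home address",
    "home telephone number", "education", "financial matters",
    "medical history", "employment history",
})


def check_level(level: str) -> str:
    if level not in LEVEL_ORDER:
        raise ValueError(f"impact level must be low, moderate or high, got {level!r}")
    return level


@dataclass(frozen=True)
class InformationType:
    name: str
    elements: frozenset      # lower-case data elements the type contains
    confidentiality: str     # impact level if confidentiality is lost
    integrity: str           # impact level if integrity is lost
    availability: str        # impact level if availability is lost

    def classification(self) -> str:
        """GITA classification: Confidential if any personal element is present."""
        return "Confidential" if self.elements & PERSONAL_INFORMATION_ELEMENTS else "Public"


def system_security_category(info_types) -> dict:
    """High water mark: per objective, the highest impact level found among
    the information types resident on the system."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    category = {}
    for objective in OBJECTIVES:
        levels = [check_level(getattr(t, objective)) for t in info_types]
        category[objective] = max(levels, key=LEVEL_ORDER.__getitem__)
    return category


def format_security_category(category: dict) -> str:
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


def describe(category: dict) -> list:
    """One matrix sentence per objective for the chosen impact level."""
    return [
        f"{LOSS_EVENT[o]} could be expected to have {ADVERSE_EFFECT[category[o]]} "
        "on budget unit operations, budget unit assets, or individuals."
        for o in OBJECTIVES
    ]


# Constructed sample: three information types on one agency web system.
SAMPLE_TYPES = [
    InformationType("public meeting calendar", frozenset({"meeting date", "location"}),
                    "low", "low", "moderate"),
    InformationType("benefits eligibility file",
                    frozenset({"name", "social security number", "income"}),
                    "high", "moderate", "low"),
    InformationType("press releases", frozenset({"release text"}), "low", "moderate", "moderate"),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(f"{t.name}: {t.classification()}")
    sc = system_security_category(SAMPLE_TYPES)
    print(format_security_category(sc))  # SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}
    for line in describe(sc):
        print(line)
```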


State of Ohio – Data Classification Tool Kit

Table of Figures

Figure 1: Classification Process
Figure 2: Data Classification Activity Worksheet
Figure 3: Incident Impact Scale
Figure 4: ITP-B.11, State IT Policy Confidentiality Labels
Figure 5: ITP-B.11, State IT Policy Criticality Labels
Figure 6: Data Classification Process Diagram
Figure 7: Establish Confidentiality Subprocess Diagram
Figure 8: Establish Criticality Subprocess Diagram
Figure 9: Data Classification Meta Data Manager Startup Screen
Figure 10: Data Classification Meta Data Manager Data Entry Screen

The next two slides show sample pages from the Tool Kit:
• A data inventory and classification worksheet
• Assessment guide for meta data

http://oit.ohio.gov/IGD/policy/pdfs_policy/Data_Classification_Resource_Kit.pdf


Solutions to INFORMATION Classification

• Classify when designing new process
• Revisit classification when revising a process
• Approach as a “life cycle” and not an isolated use
• Build privacy into technology: Privacy by Design©
– Information Privacy Commission of Ontario Canada, Commissioner
• Ann Cavoukian, Ph.D
• http://www.ipc.on.ca/english/Home-Page/
– Identify information needs and design safeguards at project start

• Use of TRUST Tools – bridge business policy and technology
– Code of Conduct
– Authorized User Agreements
– Confidentiality Statements
– Awareness and ongoing training

• Compliance monitoring—validates confidence in enterprise-wide information life cycle management and actual practice


RISK ASSESSMENTS: INFORMATION SECURITY AND PRIVACY

HOW TO KNOW THY DATA!


Summary of Findings

• Both the security and privacy assessments revealed similar issues

• Summary of findings:
– Marked benefits of 3rd party assessments: immediate issues were resolved, mid to long term issues raised to management, a compliance baseline set for periodic follow up, priorities established
– Identified boundary layer issues with 3rd party providers, firmed up R&R and reduced ambiguity
– Validated Policy, Standards and Practices harmonization keystone (Data Domain) that will drive Business/Program compliance & enforcement
– The need for a Total Quality Management (TQM) approach to operational issues for large and small agencies identified
– A statewide privacy framework is necessary with emphasis on data breach (paper and electronic), data classification and 3rd party policy enforcement


Privacy Assessment – Privacy Domains

• Organization and Management

• Notice

• Choice and Consent

• Collection

• Data Use

• Data Retention and Destruction

• Disclosure to Third Parties

• Access

• Data Security for Privacy

• Information Quality

• Monitoring and Enforcement


Arizona Statutes: Enterprise-wide Information Security and Privacy Focus

• Information Identifying Eligible Persons, ARS 39-123
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/39/00123.htm&Title=39&DocType=ARS [See definition in F(4)]

• Obligation of State Agencies Obtaining Information Online, ARS 41-4151 and 41-4152

– http://azleg.gov/FormatDocument.asp?inDoc=/ars/41/04151.htm&Title=41&DocType=ARS [ARS 41-4151]

– http://azleg.gov/FormatDocument.asp?inDoc=/ars/41/04152.htm&Title=41&DocType=ARS [ARS 41-4152]

• Anti-identification Procedures, ARS 41-4171, 41-4172 and 13-2001

– http://azleg.gov/FormatDocument.asp?inDoc=/ars/41/04171.htm&Title=41&DocType=ARS [ARS 41-4171]

– http://azleg.gov/FormatDocument.asp?inDoc=/ars/41/04172.htm&Title=41&DocType=ARS [ARS 41-4172]

– http://azleg.gov/FormatDocument.asp?inDoc=/ars/13/02001.htm&Title=13&DocType=ARS [ARS 13-2001, see definitions 4 and 10]


Arizona Statutes: Enterprise-wide Information Security and Privacy Focus (2)

• Statewide Information Security and Privacy Office, ARS 41-3507
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/41/03507.htm&Title=41&DocType=ARS

• Restricted Use of Social Security Numbers, ARS 44-1373 through 44-1373.03
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/44/01373.htm&Title=44&DocType=ARS [ARS 44-1371]
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/44/01373-01.htm&Title=44&DocType=ARS [ARS 44-1373.01]
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/44/01373-02.htm&Title=44&DocType=ARS [ARS 44-1373.02]
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/44/01373-03.htm&Title=44&DocType=ARS [ARS 44-1373.03]


Arizona Statutes: Enterprise-wide Information Security and Privacy Focus (3)

• Notification of Breach of Security System, ARS 44-7501
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS

• Discarding and Disposing of Records Containing Personal Identifying Information, ARS 44-7601
– http://azleg.gov/FormatDocument.asp?inDoc=/ars/44/07601.htm&Title=44&DocType=ARS

• Mitigating Cyber Security Threats, State of Arizona Executive Order 2008-10
– http://azgovernor.gov/dms/upload/EO%202008-10_v2.pdf


High Level Agency Totals by Privacy Category

[Chart: frequency of findings (0 to 120) by Privacy Principal: Org & Mngt, Notice, Choice & Consent, Collection, Data Use, Data Ret & Dest, Disclosure to 3rd, Access, Data Security, Info Quality, Monitor & Enforce; series: Statute, Low, Med, High]


High Level Privacy Observations

• SISPO in Collaboration with Agencies must focus on Policy Development, Guidance and Tools that Address:

– Incident Identification and Reporting

– Compliance with Breach Notification Statutes

– Response to Non-electronic Breach Incidents

– Integration of ARRA Provisions into Breach Notification Requirements

– Information Inventory and Classification, including what is a workable approach for Defining and Classifying what is Personal Identifying Information

– Privacy Awareness and Training Methodologies


Information Security Assessment Methodology

• The assessment included 16 representative executive branch agencies, 7 significant applications and selected wireless access points

• Starting with external testing viewpoint examining:

– Network assets, web applications, and wireless access points

– For network assets, discovery, enumeration and vulnerability scanning was performed followed by manual verification of vulnerabilities on target systems provided by agencies

– Included was review of configurations of servers, workstations, and physical security

• High level web security testing was performed against public facing Internet applications
– Testing conformed to standards established by the Open Web Application Security Project (www.owasp.org)


Security Metrics - DREAD

DREAD Model quantifies risk:

• Damage Potential – Level of damage and exposure that could be caused if a vulnerability were exploited

• Reproducibility – Level of difficulty in reproducing an attack

• Exploitability – Ease with which the attack could be launched

• Affected Users – Volume of users and assets that are affected in a successful attack scenario

• Discoverability – Level of difficulty involved in enumerating the vulnerability

Criteria Used to Score Risk:

• High – Requires immediate review and remediation by organization and high likelihood of occurrence of a negative event

• Medium – Requires review and resolution within a short time frame with a medium likelihood of a negative event

• Low – Observation needs consideration for review and resolution once the high and medium risks have been addressed

• Informational – Risk notation presents no direct risk to the data or systems supporting the environment

Source: www.microsoft.com
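As an added example (not from the deck or from Microsoft's DREAD material), the five factors and the four rating criteria above carried through in Python: each finding is rated, the ratings are averaged, the average is mapped to High / Medium / Low / Informational, and the ratings are counted per security category, which is the data behind the agency totals chart that follows; the 1-10 factor scale, the rating cut-offs and the sample findings are constructed assumptions.

```python
"""DREAD scoring of assessment findings, rolled up by security category.

Added example; not from the SISPO deck or Microsoft's DREAD material. Each
finding is rated on the five DREAD factors, the ratings are averaged into one
risk score, the score is mapped to the deck's High / Medium / Low /
Informational criteria, and ratings are counted per security category. The
1-10 factor scale, the rating cut-offs and the sample findings are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Each factor is rated 1 (least risk) .. 10 (most risk). Reproducibility and
# discoverability are phrased as "difficulty" on the slide, so a high rating
# here means the attack is easy to reproduce / the weakness easy to discover.
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
SCALE = range(1, 11)
# Assumed cut-offs on the averaged score; anything below 4.0 is Low.
THRESHOLDS = ((7.0, "High"), (4.0, "Medium"))


@dataclass(frozen=True)
class Finding:
    title: str
    category: str          # security category used in the chart (Host, Network, Policy ...)
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    informational: bool = False   # observation with no direct risk to data or systems

    def dread_score(self) -> float:
        """Average of the five factor ratings."""
        values = [getattr(self, f) for f in FACTORS]
        for f, v in zip(FACTORS, values):
            if v not in SCALE:
                raise ValueError(f"{f} must be rated 1..10, got {v}")
        return sum(values) / len(values)

    def rating(self) -> str:
        """Map the score to the deck's criteria: High, Medium, Low or Informational."""
        if self.informational:
            return "Informational"
        score = self.dread_score()
        for floor, label in THRESHOLDS:
            if score >= floor:
                return label
        return "Low"


def totals_by_category(findings) -> dict:
    """Rating counts per security category, the data behind the agency totals chart."""
    table = {}
    for f in findings:
        table.setdefault(f.category, Counter())[f.rating()] += 1
    return table


def remediation_order(findings) -> list:
    """High first (immediate remediation), then Medium, Low, Informational;
    ties broken by the higher DREAD score."""
    rank = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
    return sorted(findings, key=lambda f: (rank[f.rating()], -f.dread_score()))


# Constructed sample findings; titles and ratings are illustrative only.
SAMPLE_FINDINGS = [
    Finding("Unsupported OS version on public web server", "Host", 9, 10, 9, 8, 9),
    Finding("Departmental file share readable by all staff", "Internal", 6, 8, 5, 7, 4),
    Finding("Server software version disclosed in HTTP headers", "External", 2, 6, 2, 3, 6),
    Finding("Visitor sign-in log not consistently completed", "Physical", 1, 1, 1, 1, 1,
            informational=True),
    Finding("No documented incident reporting procedure", "Policy", 7, 7, 7, 9, 6),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE_FINDINGS):
        print(f"{f.rating():13} {f.dread_score():4.1f}  {f.category:9} {f.title}")
    for category, counts in sorted(totals_by_category(SAMPLE_FINDINGS).items()):
        print(category, dict(counts))
```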


High Level Agency Totals by Security Category

[Chart: frequency of findings (0 to 140) by Security Category: Strategic, External, Internal, Architecture, Physical, Host, Network, Policy, Application; series: Informational, Low, Medium, High]


High Level Security Observations

• The identified issues are consistent regardless of G1 or G2 status; viewed as Enterprise, Web Implementation and Customer Facing risks, they are likewise consistent

• Perhaps this finding runs counter to a common belief that G1’s have the staff to handle the risks; the problems are the same

• Findings for security and privacy were consistent when viewed as strategically oriented management and organizational issues

Summary of Findings Categorization:
1. Management Oversight and TQM
2. Architecture
3. Operational – Int/Ext Technical & Administrative


American Recovery and Reinvestment Act (ARRA) and HIPAA

• HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH

HITECH PROVISIONS OF THE ARRA (additional material discussed but not in presentation slides)


The American Recovery & Reinvestment Act of 2009

HITECH Provisions

• Health Information Technology for Economic and Clinical Health Act (“HITECH”)

– Creates Incentives to Adopt Electronic Health Records (EHR) & Grants for Health Information Exchanges (HIE)

– Changes HIPAA Privacy and Security Provisions

– Enacts Federal Breach Notification Law

– Enhances Enforcement of HIPAA

– Expands HIPAA Compliance to Business Associates and PHR vendors

– Provides for Multiple Effective Dates with Some Tied to Future Rulemaking


Key Provisions of the HITECH

• Federal Breach Notification Law – Applies to HIPAA compliance
– Effective 30 days after publication of rule (August 16, 2009)
– Amends Arizona Breach Notification Law (ARS 44-7501)
• HIPAA covered entities (CE) will now need to report; not “account”
• Expands definition of PII to any “unsecured” protected health information
• Threshold is “has been” or “reasonably believed by CE” to have been accessed, acquired or disclosed due to a “breach”
• Applicable to hardcopy PHI???
– Applies to CE that: access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose “unsecured PHI”
– Includes Business Associates (BA may report; CE must report)


HITECH and Breach Notification

• Breach
– Unauthorized acquisition, access, use or disclosure of PHI
– Compromises security or privacy of the information
– Limited exceptions for inadvertent disclosures with no redisclosure

• Notice
– Timing: Without unreasonable delay and no later than 60 days from discovery by CE or BA (varies from AZ law)
– Manner: First class mail; substitute notice (e.g. out of date contact info.); conspicuous posting on website or broadcast media (10 or more individuals)
– Media: Notify prominent media outlets if 500 or more state residents
– HHS: Self-disclosure to HHS if 500 or more residents; if less than 500, log the breach and disclose to HHS in CE’s annual report (new)


HITECH and Breach Notification Continued

• Content of Notice
– Description of what occurred
– What unsecured PHI was involved
– What steps the individuals can take to protect themselves
– What CE is doing to investigate, mitigate and prevent further occurrences
– Contact information at CE

• HHS Guidance for Securing PHI – Published April 17, 2009
– Technologies and methodologies that render PHI “unusable, unreadable or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization accredited by the American National Standards Institute (ANSI)”
– ANSI standards will prevail if HHS does not publish
– Requires annual HHS guidance for technical safeguards (Feb 2010)


Other Provisions of HITECH

• Applies Privacy and Security provisions to Business Associates including government enforcement (Feb 2010)

• HIEs and Regional Health Information Organizations (RHIO) are defined as Business Associates

• Enhance guidance on definitions for “limited data set” and “minimum necessary” (Feb 2010)

• Expands Accounting for Disclosures to treatment, payment and operations disclosures for CEs with EHRs (now only 3 years accounting; not six)
– EHR implemented prior to 2009, effective date Feb 2014
– EHR implemented after 2009, effective date by Feb 2011

• Expands right to Restrict Disclosures to a health plan for self-pay situations

• Gives right to access information in electronic format
• Adds limits on use of PHI for marketing; prohibits sale of PHI
• Establishes committee to study PHR issues and recommend appropriate rules


HITECH Penalties and Enforcement Provisions

• State attorneys general have enforcement ability if no correction of violation by CE or BA within 30 days (Feb. 17 2009)
– Statutory damages = number of violations x $100 (and up to $25,000) for each identical violation
– State can seek attorney fees

• Increased civil penalties from $100 to $50,000 (up from $100 to $25,000) for each violation up to a total of $25,000 to $1.5 million (inconsistent with AG penalty amounts)

• Individuals can face criminal prosecution (unclear before)

• Tiered penalties: “did not know”, “reasonable cause”, “willful neglect”


What Does This All Mean???

• Public information access will continue to increase

• We are stewards of very usable data: share often but maintain safeguards

• Protect individual identifying information up front

• We MUST maintain business processes and ITS systems
– Protect the Confidentiality, Integrity and Availability of information
– Safeguard at rest, in transit and at end of life (disposal/destruction)
– Understand the methods that protect information: encryption, redaction, consistent retention guidelines and proper disposal methods

Above all – KNOW THY DATA AND WHOSE DATA IT IS!


SISPO TEAM – Contact Us!

James (Jim) Ryan, Manager and [email protected] (602) 364-4771

James Dzierzanowski, Information Security [email protected] (602) 364-3583

Mary Beth Joublanc, [email protected] (602) 364-4537

Sherri Eshkibok, SISPO Operations [email protected] (602) 364-4779

Advise, Help and Create Value Together


QUESTIONS ????