Security 101 for Privacy Practitioners
IAPP Canada Privacy Symposium 2012
May 10, 2012
Agenda
• Legal Environment
• Security Concepts
• Security Principles
• Security Objectives
• How to use Security to push the Privacy agenda
Privacy vs Security
• Privacy
An individual's right to be left alone
• No Privacy without Security
Is the legislation of any help?
The Canadian legislation
• Defines what constitutes Private Information
• You shall be secure
• Your security should be reasonable
• An Act Respecting the Protection of Personal Information in the Private Sector (Québec)
• Personal Information Protection Act (Alberta & BC)
• Personal Health Information Protection Act (Ontario)
So the legislation gives us the What, but not the How.
Misconceptions
• Security only concerns IT
True Story – the location
Hattiesburg Cycles (Hattiesburg, Mississippi)
True Story – the facts
Two persons enter the store and select merchandise worth almost $8,000. They hand a credit card to the cashier, who swipes the card. The card is rejected by the cash register's computer. The card holder indicates that the rejection was expected and that the cashier should contact the credit card company by phone to receive a payment approval confirmation code. The card holder gives the credit card company's phone number to the clerk, who calls the company. The company approves the purchase and provides a confirmation code. The merchant was never paid.
Misconceptions
• Security only concerns IT
NO, Security is NOT ONLY an IT problem.
It is mainly a business issue
Protection of the critical assets
Misconceptions
• Security only concerns IT
• Security is a technical issue
NO. “Security is a process, not a product”
Misconceptions
• Security only concerns IT
• Security is a technical issue
• Security is a recipe to follow
NO. Security must be risk based
Risk Management
1. Risk Assessment
• Risk Analysis
Threat + Vulnerability
• Risk Evaluation
Likelihood x Impact
2. Risk Treatment
• Mitigate
• Avoid
• Transfer
• Accept
Risk Based Approach
• Security is a trade-off
• Always residual risks
• Never assume something is impossible
• Information Classification (ISPC for the OPS)
• Threat Risk Assessment
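The two Risk Management steps above (assessment as Threat + Vulnerability and Likelihood x Impact, then treatment by Mitigate / Avoid / Transfer / Accept) and the "always residual risks" point of the Risk Based Approach, worked through on a small risk register. This is an added example, not material from the deck: the 1..5 scoring scale, the risk appetite of 6, the decision order among the four treatments, and the sample risks are all assumptions made here for illustration.

```python
"""Risk assessment and treatment walk-through.

Added example, not from the deck. Likelihood and impact are scored on an
assumed 1..5 scale, so Likelihood x Impact ranges 1..25. The risk appetite
and the order in which treatments are considered are assumptions made here
for illustration; the deck only names the four treatment options.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TREATMENTS = ("Mitigate", "Avoid", "Transfer", "Accept")


@dataclass
class Risk:
    """Risk Analysis: a threat acting on a vulnerability of a specific asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible .. 5 = severe (assumed scale)
    transferable: bool = False  # e.g. insurance or a contractual shift exists

    def score(self) -> int:
        """Risk Evaluation: Likelihood x Impact."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact


@dataclass
class Control:
    """A safeguard that lowers likelihood and/or impact by a number of points."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def residual_score(risk: Risk, control: Control) -> int:
    """Residual risk after the control. Scores never drop below 1: there is
    always residual risk, and nothing is assumed impossible."""
    likelihood = max(1, risk.likelihood - control.likelihood_reduction)
    impact = max(1, risk.impact - control.impact_reduction)
    return likelihood * impact


def choose_treatment(risk: Risk, control: Optional[Control], appetite: int = 6) -> Tuple[str, int]:
    """Pick one of the four treatments and report the score that remains.

    Assumed decision order: Accept what is already within appetite; Mitigate if
    a control brings the residual within appetite; otherwise Transfer if that
    option exists; otherwise Avoid (stop the activity), which removes the risk.
    """
    inherent = risk.score()
    if inherent <= appetite:
        return "Accept", inherent
    if control is not None:
        residual = residual_score(risk, control)
        if residual <= appetite:
            return "Mitigate", residual
    if risk.transferable:
        return "Transfer", inherent  # the exposure moves; the score itself is unchanged
    return "Avoid", 0


def treat_register(register: List[Tuple[Risk, Optional[Control]]], appetite: int = 6) -> List[dict]:
    """Run assessment and treatment over a register, highest inherent score first."""
    rows = []
    for risk, control in sorted(register, key=lambda rc: rc[0].score(), reverse=True):
        treatment, remaining = choose_treatment(risk, control, appetite)
        rows.append({"asset": risk.asset, "inherent": risk.score(),
                     "treatment": treatment, "residual": remaining,
                     "control": control.name if control else None})
    return rows


# Constructed sample register (not real findings).
REGISTER: List[Tuple[Risk, Optional[Control]]] = [
    (Risk("Field laptop with client files", "theft", "disk not encrypted", 4, 5),
     Control("Full-disk encryption", impact_reduction=4)),
    (Risk("Web intake form", "breach exposing SINs", "collects SIN without need", 3, 5), None),
    (Risk("Paper archive", "flood", "basement storage", 1, 4), None),
    (Risk("Card payments", "processor compromise", "in-house card handling", 2, 5, transferable=True), None),
]

if __name__ == "__main__":
    for row in treat_register(REGISTER):
        print(row)
```

Running it ranks the laptop (score 20) first and mitigates it to a residual of 4, recommends avoiding the unnecessary SIN collection (a privacy decision that removes a security risk), transfers the payment risk, and accepts the low-scoring flood risk. The point a privacy practitioner can reuse is the shape of the argument, not the numbers: every treatment is justified by a score against an explicit appetite, and a mitigated risk is never recorded as zero.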
Misconceptions
• Security only concerns IT
• Security is a technical issue
• Security is a recipe to follow
• Security is set for the long term
Plan / Do / Check / Act
[Cycle diagram: Plan → Do → Check → Act → Plan]
Misconceptions
• Security only concerns IT
• Security is a technical issue
• Security is a recipe to follow.
• Security is set for the long term.
NO. It must be reassessed on a regular basis
Plan / Do / Check / Act (ISO terminology)
Living process
Concepts
• Security is not only an IT problem
• “Security is a process, not a product”
• Security must be risk based
• Security is a living process
Security Practice
Security Principles
• Need to know
• Least privilege
• Segregation of duties
So what is the objective?
It is the preservation of:
• Confidentiality
• Integrity
• Availability
… in order to protect the organization's critical assets
So we cannot have Privacy without Security
… but we can have Security without Privacy
Confidentiality
• User management
• Access Control
• Encryption
Access Control
• Identification
• Authentication
• Authorization
N-Factors
• Something you know
• Something you have
• Something you are
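The Access Control steps (Identification, Authentication, Authorization), two of the N-Factors (something you know, something you have) and the three Security Principles (need to know, least privilege, segregation of duties) in one runnable walk-through. This is an added example, not code from the deck or from the Government of Ontario: it uses only the Python standard library, the users, roles, fixed salt and claim records are constructed sample data, and the one-time-password secret is the published RFC 4226 test key so the codes can be checked.

```python
"""Identification, authentication (two factors) and authorization.

Added example, not from the deck; standard library only. The password check
is PBKDF2-HMAC-SHA256 (something you know) and the second factor is an
HOTP code per RFC 4226 (something you have, such as a hardware token or app).
Users, roles, the fixed salt and the records are constructed sample data.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

PBKDF2_ROUNDS = 200_000
SALT = b"constructed-fixed-salt"  # fixed so the sample is deterministic; use a random salt per user in practice


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


# Identification: a user ID only names a principal; nothing is trusted yet.
# The OTP secret is the RFC 4226 test-vector key so the codes are checkable.
USERS: Dict[str, dict] = {
    "alice": {"pw": hash_password("correct horse"), "otp_secret": b"12345678901234567890",
              "counter": 0, "role": "claims_clerk"},
    "bob": {"pw": hash_password("battery staple"), "otp_secret": b"12345678901234567890",
            "counter": 0, "role": "claims_manager"},
}


def authenticate(user_id: str, password: str, otp_code: str) -> bool:
    """Two factors: the stored password hash and a one-time code from the token."""
    rec = USERS.get(user_id)
    if rec is None:
        hash_password(password)  # same work for unknown IDs, so timing does not reveal them
        return False
    if not hmac.compare_digest(hash_password(password), rec["pw"]):
        return False
    # Accept a code within a small look-ahead window, then move past it so it cannot be replayed.
    for c in range(rec["counter"], rec["counter"] + 3):
        if hmac.compare_digest(hotp(rec["otp_secret"], c), otp_code):
            rec["counter"] = c + 1
            return True
    return False


# Authorization: least privilege (deny unless granted), need to know (a role sees
# only the record types its job requires) and segregation of duties.
PERMISSIONS = {
    "claims_clerk": {"claim": {"read", "create"}},
    "claims_manager": {"claim": {"read", "create", "approve"}},
}


def authorize(user_id: str, action: str, record: dict) -> Tuple[bool, str]:
    role = USERS[user_id]["role"]
    granted = PERMISSIONS.get(role, {}).get(record["type"], set())
    if action not in granted:
        return False, "denied: action not granted to role (least privilege / need to know)"
    if action == "approve" and record.get("created_by") == user_id:
        return False, "denied: segregation of duties (cannot approve own claim)"
    return True, "allowed"


if __name__ == "__main__":
    code = hotp(USERS["alice"]["otp_secret"], USERS["alice"]["counter"])
    print("login:", authenticate("alice", "correct horse", code))
    claim = {"type": "claim", "created_by": "alice"}
    print(authorize("alice", "approve", claim))
    print(authorize("bob", "approve", claim))
```

Three details carry the principles: the password and the code are compared with `hmac.compare_digest` rather than `==`, a used one-time code advances the counter so it cannot be replayed, and authorization starts from an empty permission set so anything not explicitly granted to the role is refused. The segregation-of-duties rule is checked after the role check because it is a constraint on an otherwise permitted action, not a permission in itself.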
Encryption
• Symmetric
• 1 single key
• Asymmetric
• 2 keys (one Private / one Public)
Integrity
• Asset Inventory
• Hashing
• Non-repudiation
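The three Integrity bullets above, combined: an asset inventory of files, hashing to detect any change to them, and a sealed inventory so the baseline itself cannot be altered unnoticed. This is an added example, not code from the deck; it uses only the Python standard library, and the files, their contents and the key are constructed. One caveat it makes explicit in code: the seal is an HMAC, which uses a shared key and therefore gives integrity and origin authentication but not non-repudiation; non-repudiation needs a digital signature made with a private key, which is outside the standard library and outside this example.

```python
"""Integrity baseline for an asset inventory, verified with SHA-256.

Added example, not from the deck; standard library only. The files, their
contents and the key are constructed. The inventory is tagged with an HMAC so
that the baseline itself cannot be edited unnoticed. Caveat: an HMAC uses a
shared key, so it gives integrity and origin authentication but not
non-repudiation; that needs a digital signature over the inventory made with
a private key, which is outside the standard library and outside this example.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hash in chunks so large files do not have to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> Dict[str, str]:
    """Asset inventory: relative path -> SHA-256, for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(inventory: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON form of the inventory."""
    body = json.dumps(inventory, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def inventory_is_authentic(inventory: Dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(inventory, key), tag)


def verify(root: Path, baseline: Dict[str, str], key: bytes, tag: str) -> Dict[str, list]:
    """Compare the current state of root against a sealed baseline."""
    if not inventory_is_authentic(baseline, key, tag):
        raise ValueError("baseline inventory has been altered or the key is wrong")
    current = build_inventory(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, list]:
    """Build a baseline, change the tree, and report what the check catches."""
    key = b"constructed-baseline-key"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "policy.txt").write_text("retention: 7 years\n")
        (root / "clients.csv").write_text("id,name\n1,constructed\n")
        baseline = build_inventory(root)
        tag = seal(baseline, key)
        # Simulated changes after the baseline was taken.
        (root / "clients.csv").write_text("id,name\n1,constructed\n2,extra row\n")
        (root / "policy.txt").unlink()
        (root / "notes.txt").write_text("unexpected file\n")
        return verify(root, baseline, key, tag)


if __name__ == "__main__":
    print(demo())
```

`demo()` reports `clients.csv` as modified, `policy.txt` as missing and `notes.txt` as added. The hash alone only answers "did this change?"; the sealed inventory answers "is this the baseline we approved?", and the key used to seal it has to be kept apart from the systems being checked, otherwise whoever alters a file can re-seal the inventory as well.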
Availability
• Backups
• Duplication
• Do not forget the personnel
Summary
• Privacy
An individual's right to be left alone
• Security
The Protection of critical assets
• No Privacy without Security…
But we can have Security without Privacy
• What to secure and how to secure it
Privacy determines the what
Security determines the how
Summary
• Concepts
• Security is not only an IT problem
• “Security is a process, not a product”
• Security must be risk based
• Security is a living process
• Principles
• Objectives
• Security should not be front and center
Thank you
Gilles Fourchet, CIPP/IT, CISSP, PMP
Information Privacy & Security Specialist
Government of Ontario
www.linkedin.com/in/gillesfourchet