Implementing an Information Security Program
Description: The basics of implementing an Information Security Program.
Transcript
Raymond K. Cunningham, Jr., CRM, CA, CIPP
University of Illinois Foundation
Session TU3-517
Security Breaches
It is not a matter of if… but when.
Topics to be Discussed
Security and Privacy
Standards for Information Security
Implementing a Security Program
The University of Illinois Foundation Security Program
Security and Privacy What is the difference?
Security is an action and a process – you implement security to ensure privacy
Security is a strategy, privacy is the outcome
Enterprise privacy and security management must be integrated
Security maintains confidentiality and privacy
Information Security: it is not only a technical issue
Security is often viewed as a purely technical issue
Many information breaches occur in the paper world
Information Privacy: it is not only a legal issue
Privacy is often viewed as a legal issue and handed to legal counsel as a compliance matter
While many privacy officers report to legal, it is not strictly a legal issue
Privacy is a concern of all and should be a priority of any organization
Records Managers should be leaders in the Security and Privacy Arena
RIM should be central in the security and privacy arena
Records Managers possess a better knowledge of the assets to be protected, usage statistics and an understanding of access to records
IT manages the machines and software, RIM manages the records throughout the life cycle
Standards for Information Security
General Trends
Information Management Law is moving from the general to the specific
What was formerly only an ethical obligation is now required by law
Penalties are being strengthened and cases of theft/misuse are higher profile
The ethics of information management are evolving
Security and Privacy
Canada – PIPEDA, Personal Information Protection and Electronic Documents Act, 2000
EU – Directive 95/46/EC
US – 38 states now have disclosure laws for the loss of personal information, modeled on California SB 1386
US – Financial Services Modernization Act of 1999, Gramm-Leach-Bliley (GLBA)
Gramm-Leach-Bliley: What is it and why does it matter?
Financial Services Modernization Act of 1999
Applicable to financial institutions
Higher education was included in 2003
GLBA security provisions are enforced by the FTC and are becoming a basic standard for protection of information in the USA
Gramm-Leach-Bliley Act 1999
GLBA provides for the protection of personal financial information
– Records containing financial information are to be protected
– Financial institutions are to make disclosures regarding their privacy policies and their release of information to third parties
– Criminalizes certain practices of data collection services: obtaining financial and personal information by misrepresenting one's right to such information (pretexting)
Gramm-Leach-Bliley Act 1999
Financial Privacy Rule – governs the collection and disclosure of personal financial information. It applies to those who receive such information.
Pretexting Provisions – covers using false pretenses for obtaining personal financial information
Safeguards Rule – requires all financial institutions to design, implement and maintain safeguards to protect customer information
GLBA - Privacy
GLBA protects consumers' nonpublic personal information (NPI), which includes "personally identifiable financial information"
(Diagram: organization, affiliate, agency)
GLBA Pretexting
GLBA Safeguards Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information.
– Designate one or more employees to coordinate the safeguards
– Identify and assess the risks to customer information relevant to the company's operation
GLBA – Safeguards Rule Compliance
Select service providers that can maintain appropriate safeguards
Evaluate and adjust the program in light of relevant circumstances including changes in business or the results of security testing
Cover customer data stored at any off-site location
GLBA – Safeguards Rule Compliance
Check references before hiring employees who will have access to customer information
Have employees sign a confidentiality agreement or NDA
Limit access to customer information based on business need
Develop specific policies for the appropriate use of laptops, PDAs and cell phones
GLBA – Safeguards Rule Compliance
Confidentiality training is required
Encrypt information when it is transmitted
Report suspicious attempts to obtain customer information
Dispose of customer information according to the FTC Disposal Rule
Comparison of Legislative Mandates
Areas compared: Processes and Risk Management; Records Management; Data Security and Privacy; Training
Sarbanes-Oxley – all four areas
HIPAA – three of the four areas
California Bill 1386 – two of the four areas
Gramm-Leach-Bliley – two of the four areas
FOIA – two of the four areas
USA Patriot Act – three of the four areas
Payment Card Industry (PCI) Data Security Standard (DSS)
Visa, MasterCard, Amex and the other card brands have enacted the DSS for merchants
It builds on the same safeguard principles as GLBA, but it is a contractual requirement imposed by the card brands rather than a law
The PCI DSS comprises over 170 specific requirements divided into 12 areas
These are very specific and apply to anyone who stores, processes or transmits payment card data
State Personal Information Laws: Illinois
HB 1633 (PA 94-36), effective January 1, 2006
Personal information is defined as an individual's name in combination with an SSN, driver's license or state ID card number, or account or credit card number
Notice of a breach of security must be given in the most expedient time possible and without unreasonable delay
Illinois State Law
The Illinois law is more broadly applicable than the California statute – its data collector provisions are broader and include public and private corporations, universities and financial institutions
A violation of the law is an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act
Implementing a Security Program
Beginning a Security Program
Lay the groundwork – gain support at the C-level
Make the case for information security
The program is for all information regardless of format, not just information on servers or in record centers
Six steps for creating a Security Program
Information Asset Inventory
Risk Assessment
Policy Review
Develop Policies and Practices
Conduct Training
Monitoring
Asset Management
Understand your information assets - inventory
Locate and identify what is to be protected
Differentiate between the “owner” and “user”
Record Retention Schedules – business need or regulatory requirements
Asset Classification
Assets should be evaluated as to sensitivity and confidentiality, potential liability, intelligence value and criticality to the business
Classify assets – Confidential, Proprietary, Internal Use Only, Public
Map the Organizational Data Flow
Map points of data collection – examine web forms, email collection, call centers, POS, Contests, Surveys, chat rooms, marketing lists
How does data move through the system?
Is the data held in-house or is storage outsourced?
Is any PII collected from outside the US?
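The inventory and data-flow steps above come down to finding where regulated data actually lives, including in fields where nobody expects it. The following Python script is an added example, not code from the original presentation or from the University of Illinois Foundation: it scans a constructed donor export (every value is made up) for Social Security numbers and payment card numbers, filters candidates with the SSA structural rules and the Luhn check so that arbitrary digit strings are not flagged, and produces a per-field count that can seed the asset inventory and the Confidential classification. The column names and sample rows are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed donor export in the shape a fundraising database might produce.
# Every value is made up for this example; 4111... and 5500... are the usual
# brand test numbers, 1234... is a digit string that only looks like a card.
SAMPLE_EXPORT = """donor_id,name,ssn,card_number,email,notes
1001,Jane Example,219-09-9999,4111 1111 1111 1111,jane@example.org,Pledged for 2008 campaign
1002,John Sample,,5500000000000004,john@example.org,Call re: estate gift
1003,Pat Donor,000-12-3456,1234567812345678,pat@example.org,Tax ID 078-05-1120 on file
1004,Sam Giver,,,sam@example.org,Prefers mail
"""

# Three groups of 3-2-4 digits, hyphens optional, on word boundaries.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
# 13 to 19 digits, each optionally followed by a space or hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and the group and serial parts are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> Set[str]:
    """Return the sensitive data types found in one cell: 'SSN' and/or 'PAN'."""
    found: Set[str] = set()
    for m in SSN_RE.finditer(value):
        if is_plausible_ssn(*m.groups()):
            found.add("SSN")
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("PAN")
    return found


def inventory(csv_text: str) -> Dict[str, Dict[str, int]]:
    """Per column, count rows holding each sensitive data type.
    Free-text columns such as 'notes' are scanned like any other, which is
    how SSNs hiding outside the SSN field get found."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            for kind in classify_value(value or ""):
                counts[column][kind] += 1
    return {col: dict(kinds) for col, kinds in counts.items()}


def classify_columns(inv: Dict[str, Dict[str, int]]) -> Dict[str, str]:
    """Map the findings onto the classification scheme from the slides:
    any column holding SSNs or card numbers is Confidential."""
    return {col: "Confidential" for col, kinds in inv.items() if kinds}


if __name__ == "__main__":
    inv = inventory(SAMPLE_EXPORT)
    for column, kinds in inv.items():
        print(f"{column}: {kinds}")
    print(classify_columns(inv))
```

Run against real exports one system at a time. The hit in the free-text notes column is the usual surprise, and it is why the slides insist that the program covers all information regardless of format.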
Risk Assessment
What are the risks with your storage practices?
What are the physical storage requirements?
Are personnel tasked with the protection of the information?
Vulnerabilities
Recycling – paper, computers, any information storage device
Shredding – What are you sending?
Terminated employees with access to both servers and physical facilities
Off-site storage
Printing of electronic confidential records
Who is tasked with security?
Vulnerabilities - Solutions
Training – train your employees and tell them what is expected of them, NO EXCEPTIONS
Recycling – monitor recycling closely; have each storage device wiped
Watch the trash
Shredding – inspect your vendor and examine your in-house shredding; use local shredders
Secure physical storage
Test your off-site vendor
Conduct a Policy Review
Develop the principles that will guide your strategy
Involve stakeholders, senior management and legal – Get Everyone on Board!
This is not an IT problem
Review all applicable regulatory requirements particular to your industry
Training
Training is one of the most often neglected pieces of the program, yet it is one of the most important
Train your employees prior to exposure to information systems – supply handouts
Train employees to report information breaches - contacts
Train employees annually on your policies and compliance issues
Develop an ethical culture
Monitor Compliance
Conduct audits of security procedures
Review systems annually
Conduct incident response drills – convene your incident response team
How the University of Illinois Foundation implemented a Security Program
What was at stake?
Donor information on 700,000 people and corporations, including SSNs, credit card numbers, bank account numbers, medical information and other personal information
A loss of this information could seriously compromise our ability to solicit donors during a $2 billion campaign
We are all subject to information breaches
How the University of Illinois Foundation implemented a program
The UIF serves three campuses in Chicago, Champaign-Urbana and Springfield and over 700 users of confidential information
Motivating factors: Fear, a review of present practices, audit findings, PCI DSS requirements, regulatory environment
In 2004 I began to ask why SSNs were used in fundraising
How the University of Illinois Foundation implemented a program
In 2005 I secured all stakeholders in agreeing to remove SSNs from the donor database
During the summer and fall of 2006 I conducted sessions in information law
In March 2007 I certified as a CIPP (IAPP)
A review of policies and job descriptions showed no one was in charge of security
Working with IT we began reviewing assets
Training became the core of our program
How the University of Illinois Foundation implemented a program
Working with all stakeholders we drafted new security requirements, including confidentiality agreements and notice to all donors
We lobbied to make security training mandatory before users log into systems
We revised security procedures including a revision of our retention schedules
Conclusions
Ray's Recommendations for Building an Information Security Program
Gain the support of senior management
Encourage a culture of confidentiality
Have a policy in place and enforce it
Be specific on roles within the organization
Have mechanisms in place to sign on and sign off users efficiently
Train all users in confidentiality and security before log-on
Ray’s Recommendations
Monitor users
Create an incident response group and provide a way for employees to report data loss
Tell customers what you are doing with their data
Dump SSNs where not needed
Monitor third-party contracts
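"Dump SSNs where not needed" is easy to say and harder to do when the SSN is the field the office uses to match donors across records and to match incoming gift paperwork. The script below is an added example, not the Foundation's code and not from the presentation: it strips the SSN column out of a constructed set of donor records (all values made up) and keeps, in a separate restricted table, a keyed HMAC-SHA256 token of each SSN, so that duplicates can still be found and a newly received SSN can still be matched while the working database holds no SSN at all. The record layout and the fixed key are assumptions; in production the key lives in an HSM or key-management service and only the matching service can use it.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed donor records as they might look before the SSN column is removed.
# Every value is made up. The two "Example" rows share an SSN written two ways.
RECORDS = [
    {"donor_id": 1001, "name": "Jane Example", "ssn": "219-09-9999"},
    {"donor_id": 1002, "name": "J. Example", "ssn": "219 09 9999"},
    {"donor_id": 1003, "name": "Pat Donor", "ssn": ""},
    {"donor_id": 1004, "name": "Sam Giver", "ssn": "not on file"},
]

# Constructed 32-byte key so the example is reproducible. In production this
# comes from an HSM or key-management service and never sits in code.
MATCH_KEY = bytes(range(32))


def normalize_ssn(raw: Optional[str]) -> Optional[str]:
    """Reduce '219-09-9999', '219 09 9999' and '219099999' to the same 9 digits;
    anything else (blank, free text) is treated as no SSN."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if len(digits) == 9 else None


def match_token(ssn: str, key: bytes) -> str:
    """Keyed one-way token. A plain SHA-256 of the SSN would be reversible by
    hashing all 10^9 candidate SSNs; HMAC with a secret key removes that attack
    for anyone who obtains the table but not the key."""
    return hmac.new(key, ssn.encode("ascii"), hashlib.sha256).hexdigest()


def strip_ssns(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[int, str]]:
    """Return (scrubbed_records, match_table).

    scrubbed_records go to the working donor database and carry no SSN.
    match_table (donor_id -> token) goes to a separate, access-restricted store."""
    scrubbed: List[dict] = []
    match_table: Dict[int, str] = {}
    for rec in records:
        rec = dict(rec)                       # do not mutate the caller's data
        ssn = normalize_ssn(rec.pop("ssn", None))
        if ssn is not None:
            match_table[rec["donor_id"]] = match_token(ssn, key)
        scrubbed.append(rec)
    return scrubbed, match_table


def find_duplicates(match_table: Dict[int, str]) -> List[List[int]]:
    """Donor ids that share a token held the same SSN: candidate duplicate records."""
    by_token: Dict[str, List[int]] = {}
    for donor_id, token in match_table.items():
        by_token.setdefault(token, []).append(donor_id)
    return [ids for ids in by_token.values() if len(ids) > 1]


def lookup_incoming(raw_ssn: str, match_table: Dict[int, str], key: bytes) -> List[int]:
    """Match an SSN arriving on paper or a web form to existing donors, then discard it."""
    ssn = normalize_ssn(raw_ssn)
    if ssn is None:
        return []
    token = match_token(ssn, key)
    return [donor_id for donor_id, t in match_table.items() if t == token]


if __name__ == "__main__":
    scrubbed, table = strip_ssns(RECORDS, MATCH_KEY)
    print(scrubbed)
    print(find_duplicates(table))
    print(lookup_incoming("219099999", table, MATCH_KEY))
```

Two things are deliberate: the token table is kept apart from the donor records so that a breach of the donor database exposes no SSN, and the token is an HMAC rather than a bare hash because the SSN space is small enough to enumerate. Where no matching use case exists, drop the table as well; the recommendation is to remove the SSN, not to re-encode it.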
Ray’s Recommendations
Have background checks on hires
Integrate security with your retention schedules – have a page for privacy and security inventorying the private information held and showing who has access to it
Ray’s Recommendations
Prepare for information loss through an information breach response group
Think of this as similar to the Disaster Response Group
Members are typically from IT, HR, Financial, Communications and Records Management
Learn from others' breaches: www.privacyrights.org/ar/ChronDataBreaches.htm
Resources
International Association of Privacy Professionals (IAPP), www.privacyassociation.org
Kahn, Randolph. Privacy Nation. 2006
ISO 17799 (renumbered ISO/IEC 27002 in 2007), International Organization for Standardization, www.iso.org
PCI Security Standards Council, www.pcisecuritystandards.org
Contact information
Raymond K. Cunningham, Jr., Manager of Records Services, University of Illinois Foundation, Urbana IL 61801, [email protected], 217 244-0658