
Privacy of Information (Securing Personal Data)


Presentation Transcript


  1. Privacy of Information (Securing Personal Data)
     Casualty Actuarial Society, May 16, 2005
     John B. Storey, CISSP

  2. Securing Data Is No Monkey Business

  3. Public Concerns for Personal Data
     • The “Big Brother” image
     • Identity theft on the rise and a sense of helplessness prevails
     • Are corporations and the government doing enough to protect Personally Identifiable Information (PII) in their custody?
     • Identification numbers are attached to almost every transactional activity in our lives and history
     • Balancing the good and bad uses of information about an individual
     • Our need for access to many data sources has created a need for quick response
     • Securing PII and Personal Health Information (PHI) is a federal mandate

  4. FBI Annual Report
     • Over $65 billion is lost as a result of identity theft each year
     • There are over 10 million incidents of identity theft each year
     • Many people who suffer a loss don’t make a report
     • Consumers have spent over 300 million hours dealing with clearing their credit reports
     • Many don’t get through the process for years
     • Others have been unjustly denied job opportunities

  5. The Need for Data Repositories
     • “Everyone wants to know it now and fast”
     • The ease of access to information for quick decisions
     • Large data repositories for fraud detection
       • Are criminals exploiting our system?
       • Are people impersonating others?
     • Analytical data models and the almost perfect degree of accuracy required
     • Creating the fair balance with scores
     • Risk analysis in business transactions

  6. Recent Publicized Personal Data Dilemmas
     • ChoicePoint
       • 145,000 names, addresses and social security numbers obtained by false customers and used in an identity theft ring
     • DSW Shoe Warehouse
       • 1.4 million credit card and driver’s-license numbers
     • Time Warner
       • 600,000 employee and customer social security numbers misplaced by the safety vault
     • Bank of America
       • 1.2 million customers’ social security numbers misplaced in transit
     • LexisNexis
       • 310,000 social security and driver’s-license numbers

  7. Inadvertent Disclosure of Data
     • Viruses can be used to obtain passwords
       • Search randomly or specifically for password files
       • Inadvertent disclosure and theft of data
     • Phishing uses creative “bait and hook”
       • Deception and coercion lure the unsuspecting Internet user into disclosing sensitive information
     • Trojan Horses – the silent listener
       • Get into a computer system in many ways
       • Could be used to intercept sensitive information
     • Social Engineering
       • Don’t be tricked into giving sensitive information to the wrong individual
     • Employees and contractors
       • Beware of the opportunist and safeguard sensitive information by strictly applying the “need to know” rules
     • 83% of companies surveyed experienced a security breach in 2004
       • Source: 2004 Deloitte Global Security Survey

  8. Protecting Data in Your Custody
     • Are data custodians aware of stored or shared PII data?
     • Who is using the data and for what purpose?
     • Is the data available for viewing on the Internet?
     • Is encryption used?
     • Is the customer or viewer properly credentialed?
     • What type of logs or electronic footprints are kept to meet regulatory requirements?
     • Where is it stored and for how long?
       • Inherent security controls must be in place consistently as long as the data is stored and used
     • Are adequate data disposal controls in place?

  9. The Cost of Security Breaches
     • 2001: ChoicePoint paid $1.3 million for sending driver’s license information over the Internet
     • 2003: Acxiom experienced a hacking activity that resulted in information loss
       • The cost for the privacy breach was approximately $12 million
     • 2005: ChoicePoint had a privacy breach
       • The approximate cost to date is $15 - $20 million in loss of potential business

  10. Protecting Data with an Effective Security Program
     • Risk Management: Develop risk management methodologies to quantify technology risks for informed decision processes, based on industry standards such as OCTAVE and NIST Risk Management.
     • Policies, Procedures and Best Practices: Develop policies and best practices to safeguard ISO and subsidiaries’ electronic information. Policies and best practices must be validated against third-party standards such as ISO 17799 and BS 7799-2.
     • Awareness & Training: Educate and raise awareness among employees of your company.
     • Monitoring & Reporting: Monitor, quantify, and report violations of access controls.

  11. Severe events experienced by industries per 10,000 events
     [Bar chart; only its labels survive in the transcript. Y axis: Severe events (0 to 10). Industries on the X axis: Mfg., Telco, Nonprofit, High-Tech, Media/Ent, Healthcare, E-commerce, Power & Energy, Business Services, Financial Services. Bar values shown: 7.8, 6.2, 6.1, 5.4, 5.1, 3, 2.7, 2.5, 2.4, 1.9; their pairing with the industries is not recoverable from the transcript.]
     Statistics source: Symantec/MSS 2003 (20,000 sensors deployed in over 180 countries)

  12. The Cost of Security Vulnerabilities
     • Sophisticated attacks
       • Tools from password sniffing to self-propagating malicious software (malware)
       • Speed of attacks from 3 years (e.g., boot sector viruses) to 4 days (e.g., Melissa) to minutes (e.g., Beagle worm)
       • Financial loss worldwide of $2 billion in August 2003 due to 3 worms in 12 days (Blaster, Welchia, and Sobig.F)
     • Increased number of software and system vulnerabilities
       • From 171 vulnerabilities in 1995 to 3,784 in 2003 (source: CERT/CC)
       • Average of 10 vulnerabilities per day
       • 70% of vulnerabilities are classified as EASY TO EXPLOIT (source: Symantec)
     • Open computing environment attacks
       • e.g., remote access, PDA, wireless, etc.

  13. Federal and State Electronic Information Protection
     • Federal
       • Gramm-Leach-Bliley Act (GLBA)
       • Health Insurance Portability and Accountability Act (HIPAA)
       • Sarbanes-Oxley (COSO and COBIT)
       • Fair Credit Reporting Act (FCRA)
     • State
       • NYS Department of Health Cyber Security
         • Could follow California regulations on protecting employees and overseas outsourced arrangements
       • NYS276
         • Additional privacy requirements on top of GLBA
       • CA1386
         • Strict security control requirements for information
         • Other states could follow

  14. Summary
     • Implement security controls consistent with industry standards for adherence to regulatory requirements
     • Business and technology must work together to protect the privacy of data
     • Adhere to regulatory security control requirements
     • Safeguard your corporation’s intellectual property and investments
     • Use prudent measures to safeguard your corporation from internal exposures

  15. Elements of a Privacy Checklist
     • What data is stored on your systems and does it require encryption?
     • What privacy elements are contained in the data?
     • How long will the data be stored on your systems?
     • Are adequate security access controls in place?
     • Is sensitive information transmitted unencrypted?
     • Do you have a way to determine if data is out of date?
     • Are security controls in place to prevent tampering?
     • Are you complying with privacy regulations?
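Added example, not part of the presentation: a small Python custodian store that turns four of the questions from slides 8 and 15 into executable controls. "Who is using the data and for what purpose?" becomes an audit log; "Is the viewer properly credentialed?" becomes a need-to-know field filter per role; "Are security controls in place to prevent tampering?" becomes an HMAC seal verified on every read; "How long will the data be stored?" and "Are adequate data disposal controls in place?" become a retention limit with a purge job. The roles, key, sample record and clock are constructed for the demo; the code uses only the standard library and does not encrypt at rest (a production store would add that with a vetted library and a managed key).

```python
import hashlib
import hmac
import json

# Constructed key for the demo only; a deployment would fetch it from a key
# management service rather than embed it in source.
INTEGRITY_KEY = b"demo-only-integrity-key"

# Need-to-know rule (slide 7): which fields each hypothetical role may read.
ROLE_FIELDS = {
    "claims_adjuster": {"name", "policy_no"},
    "fraud_analyst": {"name", "policy_no", "ssn"},
}

SECONDS_PER_DAY = 86400


class AccessDenied(Exception):
    pass


class TamperDetected(Exception):
    pass


class PIIStore:
    """In-memory custodian store: HMAC-sealed records, retention limit, audit log."""

    def __init__(self, retention_days, clock):
        self.retention = retention_days * SECONDS_PER_DAY
        self.clock = clock          # callable returning epoch seconds (injectable for tests)
        self.records = {}           # record_id -> (payload bytes, hex HMAC tag)
        self.audit = []             # one dict per access decision

    def _seal(self, payload):
        return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()

    def _log(self, event, actor, record_id, **extra):
        self.audit.append({"ts": self.clock(), "event": event, "actor": actor,
                           "record": record_id, **extra})

    def put(self, record_id, actor, fields):
        # Store the timestamp inside the sealed payload so retention can't be reset by editing metadata.
        body = {"stored_at": self.clock(), "fields": fields}
        payload = json.dumps(body, sort_keys=True).encode()
        self.records[record_id] = (payload, self._seal(payload))
        self._log("STORE", actor, record_id)

    def get(self, record_id, actor, role):
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log("DENY", actor, record_id, reason="unknown role")
            raise AccessDenied(role)
        payload, tag = self.records[record_id]
        # Constant-time comparison of the recomputed seal against the stored one.
        if not hmac.compare_digest(self._seal(payload), tag):
            self._log("TAMPER", actor, record_id)
            raise TamperDetected(record_id)
        body = json.loads(payload)
        if self.clock() - body["stored_at"] > self.retention:
            self._log("DENY", actor, record_id, reason="past retention")
            raise AccessDenied("record past retention; it must be purged")
        view = {k: v for k, v in body["fields"].items() if k in allowed}
        self._log("READ", actor, record_id, fields=sorted(view))
        return view

    def purge_expired(self):
        """Disposal control: drop every record older than the retention limit."""
        stale = [rid for rid, (payload, _) in self.records.items()
                 if self.clock() - json.loads(payload)["stored_at"] > self.retention]
        for rid in stale:
            del self.records[rid]
            self._log("PURGE", "retention-job", rid)
        return stale


def demo():
    """Walk one constructed record through read, tamper attempt and expiry."""
    clock = {"t": 1_000_000.0}
    store = PIIStore(retention_days=30, clock=lambda: clock["t"])
    store.put("rec-1", "intake-svc",
              {"name": "A. Sample", "policy_no": "P-0001", "ssn": "123-45-6789"})  # constructed
    adjuster_view = store.get("rec-1", "alice", "claims_adjuster")   # no ssn in view
    analyst_view = store.get("rec-1", "bob", "fraud_analyst")        # ssn allowed
    payload, tag = store.records["rec-1"]
    store.records["rec-1"] = (payload.replace(b"P-0001", b"P-0002"), tag)  # simulate tampering
    try:
        store.get("rec-1", "carol", "fraud_analyst")
        tampered = False
    except TamperDetected:
        tampered = True
    store.records["rec-1"] = (payload, tag)      # restore, then age past retention
    clock["t"] += 31 * SECONDS_PER_DAY
    purged = store.purge_expired()
    return adjuster_view, analyst_view, tampered, purged, store.audit


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

The audit log is the answer to "who is using the data and for what purpose": every decision, including denials and the detected tamper, is recorded with actor and record id, which is the electronic footprint slide 8 asks about.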

  16. Thank You
