
Security vs. Privacy

Security vs. Privacy: The Protection of Personal Information. The presentation covers its purpose and goals, background, and the roles and responsibilities of VA personnel in security and privacy.

abiola


Presentation Transcript


  1. Security vs. Privacy The Protection of Personal Information

  2. Organization of the Presentation • The Purpose and Goals of this presentation • Background • The Roles and Responsibilities of VA Personnel in Security and Privacy • An Extensive Interactive Discussion Session will follow the presentation

  3. Purpose and Goals • To Define Security and Privacy • To Explain the Relationship of the Two • To Describe the Requirements for Both in Federal Law and Guidance • To Help You Understand Your Responsibilities

  4. Differences and Similarities What is Security? Security applies to the spectrum of physical, technical & administrative safeguards that are put in place to protect the integrity, availability and confidentiality of information (in all media) and information systems.

  5. Differences and Similarities What is Privacy? Privacy refers to the right of each individual to control their personal information and to not have it disclosed or used by others against their wishes.

  6. You Can Have Security Without Privacy, But You Cannot Have Privacy Without Security

  7. Protect the Security and Privacy of Privacy-protected Data • Malicious or Accidental Use of VA Privacy-protected Data Could Cause Harm to Veterans or VA Personnel. • Malicious Use, Disclosure or Alteration of VA Privacy-protected Data or Access to VA Networks Could be in Breach of the Law.

  8. Veterans and VA Personnel at Risk • Veterans Infected with HIV or Suffering from Sickle-Cell Anemia • These Veterans are Protected by Specific Federal Laws and Regulations • Identity Theft Could Happen at VA

  9. Why Is It Necessary to Protect Personally Identifiable Information Data?

  10. Because Uncle Sam Requires You To

  11. Federal Laws and Regulations Such As: • Health Insurance Portability & Accountability Act (HIPAA) • The Privacy Act • The E-Gov Act

  12. Why Is It Important to Protect Personally Identifiable Information?

  13. Because It Can Cause Great Heartache and Grief if the Security of this Information is Compromised Example: Are You Really Who You Think You Are?!

  14. Identity Theft: • Has happened at VA • Is facilitated by the sharing of personal information, or the lack of protection of personal information

  15. Identity Theft • Identity theft is a crime and it is on the rise • An estimated 500,000 or more persons are becoming victims each year • It can happen to anyone

  16. What Do Thieves Steal? • Social Security numbers • Driver license numbers • Credit card numbers • ATM cards • Telephone calling cards

  17. The Consequences of Identity Theft • Your credit rating will be ruined • You can be arrested for a crime that someone else committed using your name • You can be refused job opportunities • You can be refused education benefits

  18. How to Prevent Identity Theft • Do not share privacy-protected data unless required by VA • Protect the security and privacy of personal information using guidance provided by OCIS and the Privacy Service

  19. Threats to Privacy-protected Data Require: • Network administrators, ISO’s, & PO’s to become more aware of privacy-protected information • What it is • Where it is • Rigorous access controls to privacy-protected information on VA networks

  20. Access Controls and Authentication Procedures are the Two Most Important Information Security Measures for the Protection of PII • Confidentiality: Preserving authorized restrictions on information access and disclosure. • Integrity: Guarding against improper information modification or destruction; includes information non-repudiation and authenticity. • Availability: Ensuring timely and reliable access to and use of information. • Privacy and Security are Interrelated

  21. VA Roles in Protecting the Privacy and Security of VA Data • ISO • Privacy Officer • System Administrators

  22. You Are Required to Protect the Privacy and Secure the Personal Information of VA Personnel and Veterans

  23. Federal Law and Guidance Mandate That All Information Is to Be Secured and That the Privacy of Personal Information Is to Be Protected

  24. E-Government Act: Purpose • To enhance citizen access to Federal Information by requiring interconnectivity & Interoperability • Provides for the development of a Federal Bridge Authority for digital signatures and the use of digital signature technology

  25. E-Government Act: Privacy Impact Assessment (PIA) • Each system that contains Privacy-protected Data will have to do a Risk Assessment • The CIO has the authority to determine the acceptable level of risk to Privacy-protected Data

  26. E-Government Act: Privacy Impact Assessment (PIA) • New Systems, Systems Under Development, or Systems Undergoing Major Modifications are Required to Complete a PIA • The Privacy Officer, the System Owner, System Developers, and ISO’s Must Work Together to Complete the PIA. • The Privacy Service will Provide Guidance.

  27. Health Insurance Portability and Accountability Act (HIPAA) Federal Requirements for the Security of Privacy-protected Data • Privacy Rule [§160, §162] • Security Rule [§164]

  28. HIPAA Security Rule • Access Control – implementing policies and procedures to control & limit access by persons or software programs to Electronic Personal Health Information (EPHI) • Audit Controls - implementing hardware, software, and/or procedural mechanisms to detect any malicious behaviors

  29. HIPAA Security Rule (cont.) • Integrity - Protection of EPHI from improper modification or destruction. • Person or Entity Authentication - Procedures to verify that persons or entities seeking access to EPHI are who or what they claim to be. • Transmission Security - Implementing Security Measures to prevent Unauthorized Access to EPHI that is being transmitted.
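The safeguards listed on slides 28 and 29 (access control, audit controls, integrity, person or entity authentication) and the confidentiality/integrity definitions on slide 20 can be seen together in a small EPHI record store. This is an added example, not code from the presentation or from VA; the user directory, roles, passwords and keys are constructed for illustration, and transmission security (TLS on the wire) is outside what it shows.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

# Constructed demo key; a real deployment loads keys from a key store, never from source.
INTEGRITY_KEY = b"constructed-demo-integrity-key"

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-demo-salt", 100_000)

# Assumed user directory and role policy, constructed for the example.
USERS = {"dr_smith": ("clinician", _pw_hash("correct horse")),
         "clerk_jones": ("billing", _pw_hash("battery staple"))}
POLICY = {"clinician": {"read", "write"}, "billing": {"read"}}

def authenticate(user: str, password: str):
    # Person or entity authentication: return the role, or None on failure.
    entry = USERS.get(user)
    if entry and hmac.compare_digest(entry[1], _pw_hash(password)):
        return entry[0]
    return None

@dataclass
class EphiStore:
    records: dict = field(default_factory=dict)    # patient_id -> (payload, mac)
    audit_log: list = field(default_factory=list)  # audit controls: (user, action, patient, outcome)

    def _mac(self, payload: str) -> str:
        return hmac.new(INTEGRITY_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def _authorize(self, user, role, action, patient_id) -> bool:
        # Access control: only actions permitted for the authenticated role proceed; every attempt is logged.
        allowed = action in POLICY.get(role, set())
        self.audit_log.append((user, action, patient_id, "allowed" if allowed else "denied"))
        return allowed

    def write(self, user, role, patient_id, record: dict) -> bool:
        if not self._authorize(user, role, "write", patient_id):
            return False
        payload = json.dumps(record, sort_keys=True)
        self.records[patient_id] = (payload, self._mac(payload))  # integrity tag kept with the data
        return True

    def read(self, user, role, patient_id):
        if not self._authorize(user, role, "read", patient_id):
            return None
        payload, mac = self.records[patient_id]
        if not hmac.compare_digest(mac, self._mac(payload)):      # improper modification detected
            self.audit_log.append((user, "integrity_check", patient_id, "failed"))
            return None
        return json.loads(payload)
```

A denied write, a tampered record and a failed login each leave an audit entry, which is what lets an ISO or Privacy Officer later show who touched which record and what happened.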

  30. The Privacy Act: 5 U.S.C. § 552a • Security Requirements of the Privacy Act: • Require that administrative, technical and physical safeguards are in place to protect data • Rules of conduct must be in place for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record

  31. VA Information Security • VA is Required by Federal Law and Guidance to Provide Adequate Security Measures for Privacy-protected Data • VA OCIS has Implemented Various Security Controls: • Digital Signatures • Certification and Accreditation • Access Controls • Authentication

  32. VA Directive 6502: “Privacy Program” • Signature Policy of the Privacy Service • This policy requires: • Privacy Review • Privacy Rules of Behavior • Privacy Role-based Training

  33. The Roles and Responsibilities of VA Personnel in Security and Privacy • Daily Actions to Maintain Privacy and Security of VA Privacy-protected Data • Passwords • Logging off your computer • Sharing data • Lockdown of Your Workstation • Proper Storage and Disposal of Media

  34. Privacy Roles for Information Security Officers • Participate in Various VA Security Processes to Secure Privacy-protected Data • Risk Assessment of Systems Containing Privacy-protected Data • PIA’s of Systems Containing Privacy-protected Data • Certification and Accreditation of New and Existing Systems that Contain Privacy-protected Data

  35. Privacy Roles for Information Security Officers (cont.) • Federal Information Security Management Act (FISMA) Remediation • Designing and Implementing Access Controls & Authentication Procedures during the System Development Lifecycle (SDLC) • Enforcing the Security and Privacy of VA Privacy-protected Data

  36. Security Roles for Privacy Officers • Ensure that all Privacy-protected Information is: • Protected from Unauthorized Access • Accessed Only by Users who have been Properly Authenticated • Disposed of in a Secure Manner

  37. The Roles of Network Administrators & Program Managers • PIA • Certification and Accreditation • Monitoring Access to Networks • Implementing Access Controls to Privacy-protected Data • Auditing of VA Networks • Establishing and Monitoring the Use of Authentication Procedures

  38. VA Personnel Working Together The VA Privacy Service provides oversight, guidance, and understanding in the preservation of the security and privacy of personal information

  39. Useful Websites • CIO website: www.cio.gov • OMB website: www.whitehouse.gov/omb/inforeg/infopoltech.html#pg • VA OCIS website: www.infosec.va.gov/main/index.asp
