
The Importance of Security In Protecting Client Data


Presentation Transcript


  1. The Importance of Security In Protecting Client Data
     David Lynas, FBCS

  2. We Will Discuss
     • What does “security” really mean?
     • What value is security to the program and mission?
     • What does “risk” really mean?
     • How does risk information help decision making?
     • Security theory versus real-world practicality
     • Fit-for-purpose security
     • How do we know if we have enough?
     • Industry ‘best practice’ & case studies
     • How can these be applied to HMIS?
     • What are the special considerations for non-profits?
     • Making it easy & making it work
     September 18-19, 2006 - Denver, Colorado. Sponsored by the U.S. Department of Housing and Urban Development

  3. A Legacy of Business Constraint
     • Don’t understand our mission
     • ‘Badge, gun & guard-dog’ attitude
     • More passwords
     • More rules
     • More limitations on access
     • More firewalls & barriers
     • More difficulties
     • “No, you can’t do that!”

  4. Security Can Be Difficult To Define
     (Word cloud of overlapping terms: Confidentiality, Integrity, Privacy, Availability, Accountability, Non-repudiation, Auditability, Compliance, Risk Free, Continuous, Computer, Physical, People, Process, Information.)

  5. Dynamic Contextual Interpretation

  6. What’s In It For Me?
     • “Security exists to provide confidence & assurance”
       • we can depend upon and trust our technologies
       • we are not exposed to unacceptable risk
       • we can meet our objectives and grasp opportunities
     • “Security exists to protect business assets”
       • technology and our use of it is ‘secure’
       • information and our use of it is ‘secure’
     • “Security exists to support our mission”
       • what is our mission?
       • what are our success factors?
       • how does security actually help our program?

  7. Security Links To Stakeholder Success Factors
     Clients (Universal, DV, HIV, Program, Youth, HIPAA)
       • Security attributes: Safe, Private, Stable, Responsive, Culture Sensitive, Targeted
       • Success factors: Employable, Mainstream resource, Safe housing, Stable housing, Privacy, Mental & Physical needs are met
     Service Providers (CoC, Outreach, Shelter, Service Only, Housing, Mainstream, Software)
       • Security attributes: Continuous, Effective, Accountable, Comprehensive, Sustainable, Accessible
       • Success factors: Reduced mortality rate, Housing obtained / maintained, Client income increased, Client employment increased, HMIS coverage
     Policy Makers (Federal, State, Local)
       • Security attributes: Accurate, Reliable, Timely, Complete, Cost-effective, Governable
       • Success factors: Eliminate homelessness, Shelter / beds provided, Coverage, Cost of service, Public Accountability

  8. Security As An Adjective/Property/Attribute
     • Relative to a specific business context
     • There is no absolute scale
     • ‘Secure’ has no intrinsic interpretation
     • What do you mean by ‘secure’?
     • What are you trying to protect?
     • Against what?
     • What would be the impact?
     • Are you vulnerable?
     • How much risk do you want to take?

  9. Risk: What Is Risk?
     • Relative to the things we value (assets)
     • Impact – damage to or destruction of assets
     • Threat – potential event that could cause impact
     • Vulnerability – an operational or technical weakness that permits the threat event to happen and so cause impact
     (Diagram relating Assets, Threat, Vulnerability, Likelihood and Impact.)

  10. Risk Analysis (Providing Information for Decision Making)
     • Identifying and valuing assets
     • Identifying threats
     • Quantifying business impacts
     • Identifying vulnerabilities
     • Applying suitable metrics
     • Ranking the risks in relative priority order
     • Providing a basis for risk management decisions
     • Identifying where additional controls are required

  11. Risk Management (Making the Decisions)
     • Reduce or mitigate the risk by increasing the level of control
     • Transfer the risk to another party
     • Avoid the risk by avoiding that business activity
     • Delay the risk until another time
     • Compensate for the risk by offsetting against other benefits associated with it
     • Spread the risk
     • Accept the risk (there is always a residual level of risk that must be accepted)

  12. Security Controls In The Right Place At The Right Time

  13. What’s The Point? Risk Adjusted Costing
     (Chart: Increasing Cost on the vertical axis against Increasing Level of Control on the horizontal axis. Curves shown: Cost of Controls, Cost of Losses and Total Cost; the minimum of Total Cost is marked as the Optimal Operating Point.)

  14. What’s The Point? Information for Prioritized Decision Making
     Priority grid (ratings A to D, by likelihood and impact):

     Likelihood \ Impact   Low   Med   High
     High                  C     B     A
     Medium                C     B     B
     Low                   D     C     C

  15. The Trouble With Computers
     • Credibility of likelihood statements
     • Immature measures
     • Understanding and awareness of threats
     • Scaremongering & hype
     • “You could do what?”
     • Dynamic, ever-changing environment
     • We don’t know what the future holds
     • Complexity of vulnerabilities

  16. The Trouble With Computers: Human Intelligence
     (Chart, 1992 to 2002: Millions of Lines of Code in Microsoft Operating Systems plotted against Millions of Transistors in Intel CPUs, both axes 0 to 100. Note: 2005: CPUs exceed 1 billion transistors. CPU data courtesy Intel Corp.)

  17. Real World Risk Management
     • Focused largely on “Impact”
     • Much broader view of the program goals - not just the identifiable assets
     • Allows priorities to be established
     • Focuses attention on “business critical” and “mission critical” risks
     • Uses language that is understood by stakeholders and participants
     • Measurable in dynamic but simple terms
       • How much money constitutes “high” impact?
       • How much disclosure constitutes “high” impact?
       • How much life constitutes “high” impact?
       • Speed, cost, usability
     • Involves the risk owners in the process

  18. What is Risk Ownership?
     • “It’s my risk!”
     • “I have no choice”
     • “The buck stops here”

  19. Risk Stewardship & Custody
     • Sometimes the risk owner is:
       • Unqualified or inexperienced
       • Vulnerable
       • Not in a position to make the best decision for self-preservation
     • Risk Stewards & Custodians
       • Responsible for evaluating the risk on behalf of the owner
       • Responsible for mitigating the risk on behalf of the owner
     • It’s a big responsibility!

  20. Simple Guide To Meeting The Responsibility
     • Follow the rules, standards & regulations…
       • Even if I don’t know why
     • Do unto others…
       • If this were my information, how would I want it to be treated?
     • A computer doesn’t change the rules…
       • It just changes the environment
     • Identify non-computer parallels…
       • With which I can identify
     • When faced with a risk that I can’t control…
       • Check that someone else is controlling it
       • Report it

  21. Rejoice – you’ve got standards, many don’t
     HMIS Standards & Best Practice:
     • Wide scope
     • Legitimate use, public access
     • Authentication, virus control, firewalls
     • Data storage, transmission, disposal
     • Systems & applications
     • Hard copy & electronic
     • Feedback control loop
     (Diagram of the feedback control loop: the Monitoring & Measurement Sub-System reports the new state of the System; the Decision Sub-System makes comparisons and calls for new parameter settings; the Control Sub-System affects the state of the System.)

  22. The Weakest Link Theory

  23. The Weakest Link Reality
     (Diagram: Security Architecture ties together The Process Links, The People Links and The Technology Links.)

  24. Security & Risk Interactions In The Big Picture
     (Diagram of Operational Dependency, showing how Operational Risks Interact across Supply Chain, Facilities, Client, Comms, I.T., Service Provider and Power.)

  25. Good Security Needs An Architected Holistic System

  26. Case Study
     • The following case study is reproduced with permission from the Australian Electoral Commission and with thanks to Tim Evans, Assistant Commissioner
     • All content has been sanitized
     • Methodology extracted from SABSA
     • ref www.sabsa.org

  27. AEC Attributes Taxonomy
     • Core Values: Impartiality, Integrity, Respect, Service, Transparency
     • Stakeholders: Electors, Candidates, Scrutineers, Media, Senior Management, Operations Staff
     • Attributes: Privacy, Secrecy of the Vote, Transparency, Accessibility & Deliberation, Confidence & Perception, Timeliness of the Result, Governability, Auditability, Reputation, Compliance, Financial Viability, Equity, Availability, Accuracy, Reliability, Anonymity, Future & Legacy, Sensitivity, Authentication, Integrity, Modularity, Verifiability

  28. Risk Information in Support of Business Mission
     • SABSA Attributes-driven Risk Management database
     • Periodic and real-time information
     • Acceptable impact metrics / performance targets set for each asset
     • Used for vendor evaluation
     • Mandated for all IT Projects
     • Multi-use by wide variety of stakeholders

  29. Mission Attributes
     (Attribute tree: Impartiality Attributes and Respect Attributes, comprising Secrecy of the Vote, Privacy, Reputation, Compliance and Equity.)

  30. Mission Attributes
     (The same attribute tree as slide 29, annotated with percentage risk breakdowns for each attribute.)

  31. Privacy
     (Pie charts of the Privacy attribute’s risk profile at three stages: Green Field 55% / 36% / 9%; Post-Baseline 32% / 68%; Post-Special Treatments 100%. Legend labels recovered: High Risk, Proportional Risk.)

  32. Implementation of Real-Time Control Feedback Loop
     • Risk database phase 2
     • Solution to ‘boiled frog syndrome’
     • Real-time risk console
     • Immediate notification of required action
     • Tracking of progress
     • Status at any time at any level
       • Executive corporate summary
       • Project manager
       • System specific at engineer level

  33. The Conclusion
     • In theory there is no difference between theory and practice
     • In practice there is

  34. The Conclusion
     • Security and the program mission are inherently linked
     • Good security & risk management will aid the delivery of information for decision making
     • Good security is challenging (even for the richest of organizations) but it is achievable if people, processes and technology are adequately integrated
     • Security is everyone’s responsibility
     • Security is to everyone’s benefit

  35. Thank You for the Privilege
     For further information please contact dlynas@cosac.fsnet.co.uk
