1 Dan Steinberg, JD Portland, OR May 4, 2011 Speaking Notes Privacy and Security for Research Repositories Please do not reuse or republish without attribution.


Page 1

Dan Steinberg, JD
Portland, OR
May 4, 2011

Speaking Notes

Privacy and Security for Research Repositories

Please do not reuse or republish without attribution.

Page 2

Current models of the relationship between privacy and security are misleading or are altogether inaccurate.

“You can have security without privacy, but you can’t have privacy without security.”

Fair Information Principles: Notice • Access • Choice • Redress • Security

Page 3

A better view of the relationship between privacy and security acknowledges that there are a large number of topics that are both privacy and security issues.

Figure: two overlapping circles, one for the individual and one for the institution.

Individual side, PRIVACY (safeguarding an individual's personally identifiable information): Notice, Access, Redress, Choice.

Institution side, SECURITY: Intellectual Property, National Security, Physical Assets and Resources, Trade Secrets, Ways of Doing Business.

Page 4

Risk Management is fundamental to information privacy and security.

The six steps in the Risk Management Framework (Figure 2-2: Risk Management Framework, process overview):

Step 1 CATEGORIZE Information System
Step 2 SELECT Security Controls
Step 3 IMPLEMENT Security Controls
Step 4 ASSESS Security Controls
Step 5 AUTHORIZE Information System
Step 6 MONITOR Security Controls

Starting point, ARCHITECTURE DESCRIPTION: Architecture Reference Models, Segment and Solution Architectures, Mission and Business Processes, Information System Boundaries.

ORGANIZATIONAL INPUTS: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations.

Adapted from NIST Special Publication 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems.

Page 5

Some, but not all, components of a robust security program:

Risk Analysis

Policies and Procedures

Training and Awareness

Information Access Management

Identity Management

Privacy Controls

Incident Procedures

Contingency Planning

Physical Controls

Transmission Security

Integrity Controls

Disposal Controls

Evaluation

Page 6

Dan Steinberg
Lead Associate
JD, CIPP/G, PMP
Booz | Allen | Hamilton

Tel (301) [email protected]