Page 1

Security 101 for Privacy Practitioners

IAPP Canada Privacy Symposium 2012

May 10, 2012

Page 2

Agenda

• Legal Environment

• Security Concepts

• Security Principles

• Security Objectives

• How to use Security to push the Privacy agenda

Page 3

Privacy vs Security

• Privacy

An individual's right to be left alone

• No Privacy without Security

Page 4

Is the legislation of any help?

Page 5

The Canadian legislation

• Defines what Personal Information is

• You shall be secure

• Your security should be reasonable

• An Act Respecting the Protection of Personal Information in the Private Sector (Québec)

• Personal Information Protection Act (Alberta & BC)

• Personal Health Information Protection Act (Ontario)

Page 6

So the legislation gives us the What, but not the How.

Page 7

Misconceptions

• Security only concerns IT

Page 8

True Story – the location

Hattiesburg Cycles (Hattiesburg, Mississippi)

Page 9

True Story – the facts

Two persons enter the store and select merchandise worth almost $8,000. They hand a credit card to the cashier, who then swipes the card. The card is rejected by the cash register's computer. The card holder indicates that the rejection was expected and that the cashier should contact the credit card company by phone to receive a payment approval confirmation code. The card holder gives the credit company's phone number to the clerk, who calls the company. The company approves the purchase and provides a confirmation code. The merchant was never paid.

Page 10

Misconceptions

• Security only concerns IT

NO. Security is NOT ONLY an IT problem.

It is mainly a business issue: the protection of the critical assets.

Page 11

Misconceptions

• Security only concerns IT

• Security is a technical issue

NO. “Security is a process, not a product”

Page 12

Misconceptions

• Security only concerns IT

• Security is a technical issue

• Security is a recipe to follow

NO. Security must be risk-based

Page 13

Risk Management

1. Risk Assessment

• Risk Analysis

Threat + Vulnerability

• Risk Evaluation

Likelihood x Impact

2. Risk Treatment

• Mitigate

• Avoid

• Transfer

• Accept

Page 14

Risk-Based Approach

• Security is a trade-off

• Always residual risks

• Never assume something is impossible

• Information Classification (ISPC for the OPS)

• Threat Risk Assessment

Page 15

Misconceptions

• Security only concerns IT

• Security is a technical issue

• Security is a recipe to follow

• Security is set for the long term

Page 16

Plan / Do / Check / Act

(Diagram: the PDCA cycle, Plan → Do → Check → Act, looping back to Plan)

Page 17

Misconceptions

• Security only concerns IT

• Security is a technical issue

• Security is a recipe to follow.

• Security is set for the long term.

NO. It must be reassessed on a regular basis

Plan / Do / Check / Act (ISO terminology)

Living process

Page 18

Concepts

• Security is not only an IT problem

• “Security is a process, not a product”

• Security must be risk-based

• Security is a living process


Page 20

Security Practice

Page 21

Security Principles

• Need to know

• Least privilege

• Segregation of duties

Page 22

So what is the objective?

It is the preservation of:

• Confidentiality

• Integrity

• Availability

… in order to protect the organization's critical assets

So we cannot have Privacy without Security

… but we can have Security without Privacy

Page 23

Confidentiality

• User management

• Access Control

• Encryption

Page 24

Access Control

• Identification

• Authentication

• Authorization
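An added example, not part of the deck, that puts the three Access Control steps together with two of the Security Principles (least privilege through roles, segregation of duties on approvals). The accounts, passwords, salts, roles and the "payment" actions are constructed for the example.

```python
import hashlib
import hmac

# Constructed credential store for the example (not from the slides):
# account -> salted PBKDF2 password hash and the roles the account needs.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "alice": {"salt": b"salt-alice", "roles": {"clerk"}},
    "carol": {"salt": b"salt-carol", "roles": {"clerk", "approver"}},
}
USERS["alice"]["hash"] = _pbkdf2("alice-pw", USERS["alice"]["salt"])
USERS["carol"]["hash"] = _pbkdf2("carol-pw", USERS["carol"]["salt"])

# Least privilege: a role carries only the actions its holders need.
ROLE_PERMISSIONS = {
    "clerk": {"payment:submit"},
    "approver": {"payment:approve"},
}

def identify(username: str):
    """Identification: resolve the claimed identity to a known account, or None."""
    return USERS.get(username)

def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claimed identity (constant-time hash compare)."""
    account = identify(username)
    if account is None:
        return False
    return hmac.compare_digest(account["hash"], _pbkdf2(password, account["salt"]))

def authorize(username: str, action: str, record: dict) -> bool:
    """Authorization: role permissions (least privilege) plus segregation of duties."""
    account = identify(username)
    if account is None:
        return False
    allowed = set()
    for role in account["roles"]:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    if action not in allowed:
        return False
    # Segregation of duties: whoever submitted a payment may not approve it,
    # even when their roles would otherwise permit approving.
    if action == "payment:approve" and record.get("submitted_by") == username:
        return False
    return True
```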

Page 25

N-Factors

• Something you know

• Something you have

• Something you are

Page 26

Encryption

• Symmetric

• 1 single key

• Asymmetric

• 2 keys (one Private / one Public)

Page 27

Integrity

• Asset Inventory

• Hashing

• Non-repudiation
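An added example, not from the deck, of the Asset Inventory and Hashing bullets working together: a SHA-256 manifest of the inventoried files is recorded as the trusted baseline and re-checked later to detect modified, missing or unexpected assets. The file paths and contents are constructed for the example and stand in for reading the files from disk.

```python
import hashlib

# Constructed sample inventory (path -> contents); in practice these are read from disk.
BASELINE_FILES = {
    "config/app.ini": b"db_host=localhost\nlog_level=info\n",
    "bin/report.sh": b"#!/bin/sh\nexec /usr/bin/report --monthly\n",
    "data/clients.csv": b"id,name\n1,Alice\n2,Bob\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Record one hash per inventoried asset. The manifest is the trusted baseline,
    so it must itself be protected (stored read-only or off the system it describes);
    otherwise a change to an asset can be hidden by also rewriting its hash."""
    return {path: sha256_hex(content) for path, content in files.items()}

def verify_manifest(manifest: dict, files: dict) -> dict:
    """Compare the current assets with the baseline.

    Reports every integrity failure, not just the first: assets whose hash
    changed, inventoried assets that are gone, and assets that are not in
    the inventory at all (an inventory gap is itself an integrity finding).
    """
    current = build_manifest(files)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def is_intact(result: dict) -> bool:
    return not (result["modified"] or result["missing"] or result["unexpected"])
```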

Page 28

Availability

• Backups

• Duplication

• Do not forget the personnel

Page 29

Summary

• Privacy

An individual's right to be left alone

• Security

The Protection of critical assets

• No Privacy without Security…

… but we can have Security without Privacy

• What to secure and how to secure it

Privacy determines the what

Security determines the how

Page 30

Summary

• Concepts

• Security is not only an IT problem

• “Security is a process, not a product”

• Security must be risk-based

• Security is a living process

• Principles

• Objectives

• Security should not be front and center

Page 32

Thank you

Gilles Fourchet, CIPP/IT, CISSP, PMP

Information Privacy & Security Specialist

Government of Ontario


www.linkedin.com/in/gillesfourchet