Overview. What are operational policies? Development, adoption, implementation



Similar documents
Strategic Activities to Support Sustainability of Canada s Geospatial Data Infrastructure

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Cloud Computing: Legal Risks and Best Practices

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Security Issues in Cloud Computing

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

EXECUTIVE BRIEF SPON. File Synchronization and Sharing Market Forecast, Published May An Osterman Research Executive Brief

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

Best practices and guidelines for the development of SDI

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Cloud Computing Contracts. October 11, 2012

How To Protect Your Cloud Computing Resources From Attack

Security Controls What Works. Southside Virginia Community College: Security Awareness

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Orchestrating the New Paradigm Cloud Assurance

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

The Challenges of Geospatial Analytics in the Era of Big Data

Assessing Risks in the Cloud

Information Technology Internal Audit Report

ISO Controls and Objectives

Information Security Program Management Standard

Data Protection: From PKI to Virtualization & Cloud

Things You Need to Know About Cloud Backup

Information security due diligence

Analyzing HTTP/HTTPS Traffic Logs

Cloud Computing Questions to Ask

Data Storage Security, Cloud Computing and Virtualization

Cloud Security and Managing Use Risks

The Protection Mission a constant endeavor

Best Practices for Choosing a Content Control Solution

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

SERENA SOFTWARE Serena Service Manager Security

Cloud Security. DLT Solutions LLC June #DLTCloud

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Practice Resource. Cloud computing checklist. Introduction

(Instructor-led; 3 Days)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

DATA LEAKAGE PREVENTION IMPLEMENTATION AND CHALLENGES

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

HIPAA/HITECH Compliance Using VMware vcloud Air

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Cloud Computing Governance & Security. Security Risks in the Cloud

PII Compliance Guidelines

ACOT WEBSITE PRIVACY POLICY

Cloud Computing: Risks and Auditing

Negotiating EHR Acquisition Contracts

Cloud Computing Security Considerations

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

INCIDENT RESPONSE CHECKLIST

Information security controls. Briefing for clients on Experian information security controls

Article 29 Working Party Issues Opinion on Cloud Computing

Cloud Computing and Records Management

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

LEGAL ISSUES IN CLOUD COMPUTING

ISO27001 Controls and Objectives

I. Introduction to Privacy: Common Principles and Approaches

External Supplier Control Requirements

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

White paper Reaping Business Value from a Hybrid Cloud Strategy

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

STATE OF NEW JERSEY Security Controls Assessment Checklist

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Cloud Security Introduction and Overview

National Cyber Security Policy -2013

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Bellevue University Cybersecurity Programs & Courses

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A

TRENDS AND DEVELOPMENTS IN INFORMATION GOVERNANCE AND RECORDS MANAGEMENT. Key Concepts Defined. Key Concepts Defined 4/30/2015

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

RECORD AND INFORMATION MANAGEMENT FRAMEWORK FOR ONTARIO SCHOOL BOARDS/AUTHORITIES

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Safeguarding the cloud with IBM Dynamic Cloud Security

Legal Cloud Computing: Concepts and Ramifications

Data In The Cloud: Who Owns It, and How Do You Get it Back?

Cloud Essentials for Architects using OpenStack

Key Considerations of Regulatory Compliance in the Public Cloud

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Page 1 of 15. VISC Third Party Guideline

Intel Enhanced Data Security Assessment Form

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Transcription:

Practical Geospatial Policies: Resolving Operational Issues to Optimize Your SDI Ed Kennedy Hickling Arthurs Low Corporation and Cynthia Mitchell and Simon Riopel Division, Natural Resources Canada Overview and the CGDI Objectives Activities Geospatial Operational Policies What are operational policies? Development, adoption, implementation Recent Outputs Volunteered Geographic Information (VGI) Policy Implications Conclusions 2 1

and the CGDI 3 Program The program is a national initiative, led by Natural Resources Canada, designed to facilitate access to and use of authoritative geospatial information in Canada. Program Objectives: Create increased awareness of the benefits of using geospatial data and tools to achieve goals for social, economic and environmental priorities. Facilitate the integration and use of geospatial data to support effective decision making. Coordinate the development of national policies, standards and mechanisms and support their implementation to ensure maintenance and updating of geospatial data and compatibility with global standards. Keep Canada at the leading edge of accessing, sharing and using geospatial information via the Internet. 4 2

Program Key Program Activities: Geospatial Strategy and Leadership continued coordination of geomatics activities in Canada, requiring the development and implementation of long-term national geomatics strategies and policies, in partnership with stakeholders. Canadian Geospatial Data Infrastructure (CGDI) work with the geomatics community to advance the operational policies and standards needed to complete the CGDI and support the use of geospatial information. 5 Canadian Geospatial Data Infrastructure (CGDI) What is the CGDI? The CGDI is an online network of resources that improves the sharing, use and integration of information tied to geographic locations in Canada. In essence, the CGDI is the convergence of policies, standards, technologies, and framework data necessary to harmonize all of Canada s location-based information. Through the CGDI, Canadians can discover, access, visualize, integrate, apply and share quality location-based information. The CGDI allows citizens to gain new perspectives into social, economic, and environmental issues and make effective decisions. 6 3

and the CGDI What is the connection? is working on integrating the components of the CGDI ensuring that the infrastructure is comprehensive, usable, high-performing, relevant and poised for future growth and development. A complete CGDI includes a comprehensive suite of geospatial operational policies, fully supported and available for adoption and implementation by CGDI s national stakeholders. 7 Geospatial Operational Policies 8 4

Geospatial Operational Policies What are Geospatial Operational Policies? Operational Policies address topics related to the lifecycle of geospatial data (i.e. collection, management, dissemination, use). They apply to the day-to-day business of organizations. They include guidelines, directives, procedures and manuals that help facilitate access to and use of geospatial information. They support the development, operation and use of the CGDI. They are distinct from Strategic Policies, which address high level strategic issues and set high level directions for organizations. supports the integration and use of the CGDI and is working to advance the development of geospatial operational policies needed to complete the CGDI, and facilitate their adoption and implementation. 9 CGDI Operational Policy Roadmap 2012 2015 Outreach, consultation and awareness Intensify outreach and awareness activities to promote policies, Adoption processes and showcase policy implementations SUPPORT CO-ORDINATE DEVELOP Consensus and common policy for F/P/T Smart, clear guidance and best practices Implementation Support and enable broad implementation and integration of geospatial operational policies Adoption Develop practical adoption processes to ease organizational integration and implementation of common geospatial policy Research and Development Monitor trends, perform research and consultation, develop geospatial operational policies, guidelines, best practices Privacy Licensing Intellectual Property Security Data Quality Data Integration Data Archiving Open Data Confidentiality Digital Rights Management Imagery 5

Needs for Operational Policies Key policy topics that impact spatial data infrastructure Legal/Administrative Ethical Legal Practices Confidentiality, Security, and Sensitive Information Privacy Intellectual Property Copyright Licensing Data Sharing Liability Archiving and Preservation Data Quality Technological/Trends Open Data Volunteered Geographic Information (VGI) Open Source Web 2.0 and the GeoWeb Cloud Computing Mobile and Location-based Services High Resolution Imagery Mass Market Geomatics Data Integration 11 Introduction to Geospatial Operational Policies Example Studies and Guides Privacy Public Opinion Research on Geospatial Privacy International Comparative Analysis of Geospatial Privacy Geospatial Privacy Awareness and Risk Management Guide for Federal Agencies Confidential and Sensitive Information and Security Best Practices for Sharing Sensitive Environmental Geospatial Data A Guide to Improved Emergency Management Confidential Business Information (i.e. Critical Infrastructure) 12 6

Introduction to Geospatial Operational Policies Example Studies and Guides Geospatial Data Policy Inventory and Classification Intellectual Property and Licensing IP Law Backgrounder Review of IP Law and Instruments (Copyright, Licensing) in the Context of Geospatial data The Dissemination of Government Geographic Data in Canada: Guide to Best Practices, Version 2 Geospatial Data Archiving and Preservation Archiving, Management and Preservation of Geospatial Data report Volunteered Geographic Information Volunteered Geographic Information (VGI) Primer 13 Introduction to Geospatial Operational Policies Example Studies and Guides Data Sharing and Integration Guide to Anonymizing Geospatial Public Health Information A Managers Guide to Public Health Geomatics Good Practices Guide - Success in building and keeping an Aboriginal mapping program Framework Data Guide Good Practices in Regional-Scale Information Integration How to Share Geospatial Data Cloud Computing 14 7

Volunteered Geographic Information (VGI) Primer 15 Volunteered Geographic Information (VGI) Primer 16 8

Volunteered Geographic Information (VGI) Primer Introduces key issues in geospatial operational policy, imperative to the success of any venture into VGI. Discusses the emerging trend of VGI and areas of related operational policy. Draws on good practices and lessons learned from Internet research and three Case Studies of VGI in use. 17 Volunteered Geographic Information (VGI) Primer Introduction to VGI 18 9

Volunteered Geographic Information (VGI) Primer Issues to address in quality benchmarking (Coleman et al, 2009) How to assess the credibility of a contributor How to assess the accuracy of VGI contributions (e.g., in-house quality assurance, a moderated on-line community, or the public) The best and quickest means of delivering credible input The control over content and quality given to contributors Decision-making on acceptability of updates Factors to help determine contributors credibility Location of contributed data versus location of contributor s IP address Timing of data contributions versus independent information (e.g., timing of the contribution of a new road feature compared to independent road construction reports) The degree of conformity between the same data element or attribute that has been submitted by multiple contributors 19 Volunteered Geographic Information (VGI) Primer Lessons learned regarding professional vs. amateur VGI contributors (Case Studies) In densely populated areas, contributions from amateurs produce data of equal quality to professionally produced data Using data custodians to vet VGI-notified changes can greatly enhance data quality Benchmarking VGI performance can improve throughput and help to isolate problem areas Patterns of individual user behaviour can be accessed if necessary for investigating malicious users who are damaging the quality of data Proper data preservation and archival methods (Case Studies) In data model design, use persistent identifiers for all features, so that feature changes over time can be easily tracked Store full details of each addition, deletion or change of features that is derived from VGI, including the identity of the contributor Ensure that data is fully backed up, either in singular offsite facilities or across multiple site locations, and can be accessed in the long term 20 10

Volunteered Geographic Information (VGI) Primer Ways to mitigate the risks of legal problems Require VGI contributors to confirm that they have the rights to contributed data and that they will indemnify the organization for any damages arising from law suits relating to the data Recognize contributions by posting names of contributors, while protecting privacy by not linking specific contributions to names Ensure that contributor and user license terms are consistent Rapidly remove any content that may potentially infringe copyright or privacy 21 22 11

23 Intended to assist CGDI stakeholders to better understand the emerging trend of cloud computing (CC) and areas of related operational policy. Policy areas include: security, privacy and confidentiality, copyright and licensing, legal/liability, archiving and preservation, and regulation and standards. Involved Internet research and two case studies of current, realworld instances of CC, to identify lessons learned and good practices in geospatial operational policies that help enable CC. 24 12

Cloud Computing Deployment Options The figure below illustrates the types deployments and their associated levels of trust, from a data privacy and security perspective, and the relative cost/complexity levels. Solutions on the left are Internet-based, and those on the right reflect an increasing reliance on private or dedicated Intranet implementations. 25 Abuse and Nefarious Use of Cloud Computing Insecure Application Programming Interfaces Malicious Insiders Shared Technology Vulnerabilities Data Loss/Leakage Kinds of Security Risks in the Cloud Account, Service & Traffic Hijacking Complexity Delegation of Authority Encryption Challenges Unknown Risk Profile In a Trend Micro survey of 1,200 decision makers in May 2011, 43% globally (38% in Canada) who were using a cloud computing service reported a data security lapse or issue that year. 26 13

Security Risk Mitigation Good Practices Opt for private clouds behind firewalls, on-premises, to control privacy, security and authentication issues. Insist that data not be stored on servers located in jurisdictions where there are concerns about security breaches. Implement security everywhere (e.g., encrypted transport into the cloud, secure coding and access control inside applications, etc.), rather than the normal perimeter approach to security. Ensure that all APIs and data sources are checked with penetration tests and thoroughly analyzed. Develop a policy statement and training materials covering the types of information allowed on CC services, and establish a process for conducting security reviews according to the policy. Strip off attributes related to sensitive data before sending geospatial data to the cloud. 27 Privacy and Confidentiality Risks in the Cloud Terms of service and privacy policy can vary significantly depending upon the CC provider. Disclosure of information to a cloud provider privacy and confidentiality rights, obligations, and status may change with disclosure. Legal status and protections disclosure and remote storage may have adverse consequences for personal or business information. Location of information in the cloud may have significant effects on information privacy and confidentiality protections and on privacy obligations. Legal obligations cloud providers may be required to examine user records for evidence of criminal activity and other matters. Legal uncertainties assessing the status of information in the cloud, as well as the privacy and confidentiality protections available to users, is difficult. Creation of new data streams CC providers may not use data for purposes beyond those for which consent was originally given. Intrusions into individuals data CC providers or cloud-based applications may be able to access, mine or otherwise commoditize the data they hold. 28 14

Privacy and Confidentiality Risk Mitigation Good Practices Ensure that privacy staff are involved early in the process, to make certain that the privacy rights of individuals are identified and recognized and the potential risks when using cloud computing are addressed. Involve privacy staff in the evaluation of information moving to the cloud, the proposed service delivery model, the CC provider s proposal before a contract award takes place, and other areas of concern with specific legislation. Employ technologies to ensure privacy protection Data encryption prior to uploading to the cloud Hardware-based security initiatives such as the Trusted Platform Module Privacy verification services such as TRUSTe 29 Potential Legal/Liability Issues With Cloud Computing Contracts CC providers are notoriously inflexible on changes to their standard terms and conditions of service. SLAs often use vague language and narrow definitions regarding service guarantees, access to service quality statistics, dispute resolution, etc. Key issues with CC contracts: Cloud Contracting Issues Data ownership and access Loss of data Data integrity Data retention Licenses Privacy Representations, warranties and limitations Audits, certifications and inspections Indemnities Security Jurisdiction Contract changes ediscovery and Computer Forensics Dispute resolution 30 15

The choice of cloud model may be influenced by regulatory compliance considerations, such as: Business continuity and disaster recovery Security standards (e.g., ISO 27001) Logs and audit trails Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) in the US PIPEDA in Canada Compliancy requirements may limit organizations to hybrid or community cloud solutions, losing the full benefits of cloud use. Lack of CC standards presently may result in vendor lock-in. Recognition of the importance of standards has resulted in an array of cloud computing standards setting activities and bodies. 31 Implications of CC for SDI Benefits Emergence of geospatial CC will increase technology adoption and generate increased demand for high quality data. As the market continues to shift from prominence of professional users to non-professional users, web services access to data will replace data download as the primary consumption mode. SDI organizations are well-positioned to address this demand. Risks Operational policy challenges are relevant for SDI use of CC (especially security, and protection of personal, confidential and sensitive data). SDIs weak in providing data access via web services will not be able to meet growing demand in geospatial CC solutions for temporary use of data. Lack of CC standards may pose problems for SDI operations (i.e., vendor lock-in and interoperability issues). 32 16

Conclusions Canada has an operational SDI which is being used to support organizational operations and decision-making. Emphasis has now shifted to addressing some of the key challenges to the use of the CGDI and geospatial information more generally, and the impacts of emerging technologies, through the development of operational policies. During the next year, efforts will be directed to outreach and engagement with CGDI stakeholders and assistance with operational policy adoption and implementation. This presentation has provided a brief glimpse into operational policy work by highlighting the contents of two guidance documents. 33 For information on evolving Geospatial Operational Policy development, contact: Division Mapping Information Branch Natural Resources Canada 615 Booth Street Ottawa, Ontario K1A 0E9 E-mail: info@geoconnections.nrcan.gc.ca Tel: 1-877-221-6213 Fax: 613-947-2410 www.geoconnections.nrcan.gc.ca 34 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information