Security Threat Risk Assessment: the final key piece of the PIA puzzle
Curtis Kore, Information Security Analyst
Angela Swan, Director, Information Security

Agenda
- Introduction
- Current issues
- The value of assessment
- Assessment stages and focus areas
- Incorporating security assessment into the PIA
- Processes and catch points
- Q&A
Current Issues
- The yes/no impact assessment
  - "Is the personal information adequately protected?"
    - "Yes"
    - "Yes, it is stored on a computer in an office with a locked door"
    - "Yes, with a password that we all share"
- Trying to convey reasonable security arrangements to Business Units and IT departments
- Lack of systems understanding in PIA review
  - Log files
  - Instant messaging

Current Issues
- Accountability for personal information protection is shared across:
  - Privacy
  - Information Security
  - Information Technology
  - Business Unit
  - Project Team
The value of security assessment
- Gets to the facts of the proposed implementation or change
- Provides a detailed analysis of the risks
- Allows for consistent risk ranking and for consistent recommendations
- Provides an opportunity for input from the Business Units and IT teams
- Ideally, requires sign-off at a senior level

Get past creative wording and into the facts
- Example of vendor wording: "The system requires user authentication, access to unique software, authorization and the use of an SSL connection."

Know what information actually matters (diagram slide)

Understand the proposed system (diagram slide)
Objectives of security assessment
- Identify what needs to be protected
- Assess the value to the organization
- Identify the threats and vulnerabilities
- Identify the impact that a security breach or failure would have
- Identify the likelihood of a security breach or failure occurring
- Assign a level of risk

Probability x Impact = Risk

Probability levels:
- Rare: the risk may only be realized in exceptional circumstances, with a less than 5% likelihood of occurrence
- Unlikely: the risk is not expected, but it could occur at some time, with a 5% to 30% likelihood of occurrence
- Possible: the risk may occur at some time, with a 30% to 60% likelihood of occurrence
- Likely: the risk will probably occur in many circumstances, with a greater than 95% likelihood of occurrence
- Almost Certain: the risk is expected to occur in most circumstances, with a greater than 95% likelihood of occurrence

Risk matrix (impact rows x probability columns):

Impact         Rare  Unlikely  Possible  Likely  Almost Certain
Minor            2       4         6        8         10
Moderate         3       6         9       12         15
Major            4       8        12       16         20
Catastrophic     5      10        15       20         25

Risk rating bands: Low, Medium, High, Critical
The stages of security assessment
- Scope
- Data Collection
- Analysis of Policies and Procedures
- Threat Analysis
- Vulnerability Analysis
- Correlation and assessment of Risk
- Acceptability

Scope of assessment
- Identify the boundaries of the system being assessed
- Identify the components of the system and the layers that need to be reviewed
- Understand that the assessment is a point in time and will need to be reviewed throughout the project and post-implementation

Applicable standards and legislation
- BC's Freedom of Information and Protection of Privacy Act
  - Reasonable security
  - Storage and access must be in Canada
    - Some exceptions apply
- Other standards and legislation may also apply
  - Payment Card Industry Data Security Standard

Architecture of the system and information flows (diagram slide)

Identification of risks: focus areas
- Access Control
- Network
- Operating System
- Database
- Application
- Business Continuity and Disaster Recovery
- Physical Security
Access control
- Authentication vs. Authorization
  - Authentication: who you are
  - Authorization: what you can do

Factors of authentication
- Something you know
- Something you have
- Something you are
- Note that the same factor twice is not two-factor authentication.

Biometrics
- Unique to an individual
- Getting harder to spoof
- Trade-off between false positives and false negatives
  - A 100% match is not a good thing
- Security benefits need to be balanced with employee privacy

Role-based access control
- What access the user needs to perform the assigned job duties, and nothing more
- Requires a detailed understanding of business processes
- Requires organizational roles to be defined
- As opposed to the old model: "just give the new guy the same access that Ted in Finance has"
- Designed to avoid permission-creep

User context access control
- Access control based on not only the role, but the specific activity that the user is performing
- Example record displayed on the slide: Robert Smith, 428 Canada Way, Burnaby BC, 604-555-1212, DOB: 04/08/65, SIN: 123123123, Existing benefits

Challenges with access control
- Keeping current
  - Employee moves
  - Departmental changes
  - New hires
  - Terminations
- Managing access across multiple systems
- Managing access for vendors and business partners
Networks
- Defense in depth
- Security zones
- Identify direction and types of traffic
- Ensure personal information is encrypted when traversing security zones

Layered network defenses (diagram slide)

Firewall
- Border guard for a network or application
- Assesses traffic based on rules and criteria
- Network, application or host based
- Performs network address translation (NAT)

Wireless
- Common for contractor and mobile employee access in the Enterprise
- Lower cost to implement than physical cabling
- WEP and WPA1 encryption are no longer acceptable for transmitting sensitive information
- Technology and standards are rapidly changing: 802.11ac, 802.11w, WPA2, etc.
- Security controls are dependent on the application and use

Wireless (diagram slide: wireless network connected to the Internet)

Virtual private network (VPN)
- A private network that communicates over a public network to connect users or sites to one another
- Less expensive and more flexible than leased lines
- Guarantees confidentiality and integrity of communications over the internet
- Diagram: remote office, remote worker and head office connected across the Internet
Cloud Computing: "as a service"
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Cloud Computing: characteristics
- Available on-demand
- Network accessible
- Pooled resources
- Flexible scalability
- Measured services

Considerations in the Cloud
- Administrative access
  - Service provider personnel
  - Levels of access
  - Access audits
  - Internal access to logs
  - Reporting of inappropriate access
- Basic controls
  - Password, two-factor, or...
  - IP address restrictions
  - Encryption in transit
  - Encryption in storage
  - Separation of client data

Servers
- Encryption
- Patching and patch management
- Security configuration
- Auditing and logging configuration
- Anti-Virus
- Vulnerability scan or penetration test

Databases
- Require strong authentication
- Encrypt and restrict client connections
- Maintain patching
- Secure zone or firewalled
- Change management
- Auditing and monitoring

BCP/DRP
- May be outsourced, or a 3rd party may be handling your PI
- Encryption still required
- Review backup and restore procedures
- Patching and patch management
- Server configuration
- Security controls

Physical Security (diagram slide)
Security testing
- Performed internally or by an independent third party
  - Internal for low-sensitivity systems or those that do not require third-party attestation
- Be aware of allowing teams to test the systems that they have configured or developed
- Vulnerability scanning versus penetration testing
- Check references for testing companies

Recommendations
- How to fix issues found
- Demonstrate an understanding of the business and operational requirements
- Be reasonable
  - Timeframes
  - Requirements commensurate to the risk
- Discuss with the business unit to be sure they understand the risks and the reasoning behind the recommendations

Business Response
- What recommendations will be implemented, and by what date
- What, if any, recommendations will not be implemented, and why not

Residual Risks
- After the recommendations are implemented, what risks, if any, will remain?
- Are the residual risks acceptable, or is further mitigation necessary?
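The following is an added example, not part of the deck, showing how the Probability x Impact matrix above and the residual-risk question on this slide can be applied to a small risk register: each finding is scored on the slide's scales, ranked, re-scored with the expected effect of the agreed recommendation, and flagged if the residual risk still needs mitigation. The Low/Medium/High/Critical cut-offs, the acceptability rule and the sample findings are assumptions for the example; the deck gives the band names but not their thresholds.

```python
from dataclasses import dataclass

# Probability and impact scores as shown on the Probability x Impact slide
# (the Minor row reads 2,4,6,8,10, so Minor carries weight 2).
PROBABILITY = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
# The slide names the Low/Medium/High/Critical bands but not their cut-offs;
# these thresholds and the acceptability rule are assumptions for this example.
BANDS = [(16, "Critical"), (10, "High"), (5, "Medium"), (0, "Low")]
ACCEPTABLE = {"Low", "Medium"}

def score(probability, impact):
    return PROBABILITY[probability] * IMPACT[impact]  # Probability x Impact = Risk

def band(risk_score):
    return next(label for floor, label in BANDS if risk_score >= floor)

@dataclass(frozen=True)
class Finding:
    area: str              # focus area from the identification-of-risks slide
    issue: str
    probability: str
    impact: str
    # Expected levels once the agreed recommendation is implemented;
    # empty means unchanged (recommendation declined or without effect).
    mitigated_probability: str = ""
    mitigated_impact: str = ""
    def inherent(self):
        return score(self.probability, self.impact)

    def residual(self):
        """Risk remaining after the recommendation, for the sign-off discussion."""
        return score(self.mitigated_probability or self.probability,
                     self.mitigated_impact or self.impact)

def register_report(findings):
    report = []  # ranked by inherent risk; flags residual risks still needing mitigation
    for f in sorted(findings, key=lambda x: x.inherent(), reverse=True):
        inh, res = f.inherent(), f.residual()
        report.append({"area": f.area, "issue": f.issue, "inherent": inh,
                       "inherent_band": band(inh), "residual": res,
                       "residual_band": band(res), "acceptable": band(res) in ACCEPTABLE})
    return report

SAMPLE = [  # constructed sample findings, not from the deck
    Finding("Access Control", "Shared password on the PI file share", "Likely", "Major", "Unlikely"),
    Finding("Network", "PI crosses security zones unencrypted", "Possible", "Catastrophic", "Rare"),
    Finding("Servers", "Patching is ad hoc; recommendation declined", "Likely", "Moderate"),
]
```

Findings whose residual band is outside ACCEPTABLE are the ones the Residual Risks slide asks the business to either mitigate further or formally accept at sign-off.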
Acknowledgement and acceptance
- Business sign-off on the assessment
  - Acknowledgement of the work performed
  - Confirmation that the risks are understood
  - Acceptance of risks that will not be mitigated
  - Acceptance of residual risks
  - Verification that the agreed-upon recommendations will be implemented

Approval to proceed
- Go / no-go from Privacy and Information Security
- Almost always a Go
- In the case of a No-go decision, there must be justification, and it will likely be escalated to top management
Bringing security assessment into the PIA process
- PIA assessment of reasonable security is no longer a short set of questions
- The Information Security Assessment (ISA) is a required part of all PIAs
- Conversely, the ISA asks if FIPPA applies, so that a security review adequately accounts for Personal Information stored within the system
- PIAs and ISAs are signed by the Business Owner and the Director of Information Privacy and Security

Bringing technology, privacy and security together
- In April of 2013, the Privacy team and the Information Security team amalgamated
- Information Security benefits from greater knowledge and understanding of Privacy legislation
- Privacy benefits from greater technical knowledge and understanding of how systems operate and communicate

Processes and catch points
- Privacy: an assessment is required for all new systems to determine if a PIA is necessary; even when it is not, Information Security is advised of the new system
- Information Security: all system changes require an information security assessment prior to implementation; Privacy is advised if Personal Information is impacted in any way
- Purchasing catches new systems and services and informs Privacy and Information Security

The end
Curtis Kore, Information Security Analyst, BCLC, (250) 852-5256
Angela Swan, Director, Information Privacy & Security, BCLC, (250) 828-5615