Security 101 for Privacy Practitioners
IAPP Canada Privacy Symposium 2012
May 10, 2012
Agenda
• Legal Environment
• Security Concepts
• Security Principles
• Security Objectives
• How to use Security to push the Privacy agenda
Privacy vs Security
• Privacy
An individual right to be left alone
• No Privacy without Security
Is the legislation of any help?
The Canadian legislation
• Defines what Private Information is
• You shall be secure
• Your security should be reasonable
• An Act Respecting the Protection of Personal
Information in the Private Sector (Québec)
• Personal Information Protection Act (Alberta & BC)
• Personal Health Information Protection Act (Ontario)
So the legislation gives us the What, but
not the How.
Misconceptions
• Security only concerns IT
True Story – the location
Hattiesburg Cycles (Hattiesburg, Mississippi)
True Story – the facts
Two persons enter the store and select merchandise
worth almost $8,000. They hand a credit card to the
cashier, who then swipes the card. The card is rejected
by the cash register’s computer. The card holder
indicates that the rejection was expected and that the
cashier should contact the credit card company by
phone to receive a payment approval confirmation
code. The card holder gives the credit card company’s
phone number to the clerk, who calls the company.
The company approves the purchase and provides a
confirmation code. The merchant was never paid.
Misconceptions
• Security only concerns IT
NO, Security is NOT ONLY an IT problem.
It is mainly a business issue:
the protection of critical assets
Misconceptions
• Security only concerns IT
• Security is a technical issue
NO. “Security is a process, not a product”
Misconceptions
• Security only concerns IT
• Security is a technical issue
• Security is a recipe to follow
NO. Security must be risk based
Risk Management
1. Risk Assessment
• Risk Analysis
Threat + Vulnerability
• Risk Evaluation
Likelihood x Impact
2. Risk Treatment
• Mitigate
• Avoid
• Transfer
• Accept
Risk-Based Approach
• Security is a trade-off
• Always residual risks
• Never assume something is impossible
• Information Classification (ISPC for the OPS)
• Threat Risk Assessment
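The Risk Management and Risk-Based Approach slides above, worked through as an added example (not code from the presentation): a threat paired with a vulnerability is evaluated as Likelihood x Impact, a treatment (Mitigate / Avoid / Transfer / Accept) is chosen, and the residual risk after planned controls is kept for the next reassessment. The 1-to-5 rating scale, the thresholds and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not from the presentation. Scale assumption: likelihood and impact
# are each rated 1 (low) to 5 (high), so Likelihood x Impact ranges from 1 to 25;
# the two thresholds below are constructed for illustration.
ACCEPT_BELOW = 6    # score below this: Accept the risk
AVOID_FROM = 20     # score at or above this with no usable control: Avoid the activity

@dataclass
class Risk:
    asset: str
    threat: str            # Risk Analysis: a threat ...
    vulnerability: str     # ... acting on a vulnerability
    likelihood: int        # 1..5
    impact: int            # 1..5
    insurable: bool = False
    # planned controls as (name, likelihood reduction, impact reduction)
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Risk Evaluation: Likelihood x Impact."""
        return self.likelihood * self.impact

    def residual(self) -> "Risk":
        """Risk left after the planned controls; there is always residual risk, never below 1."""
        lik, imp = self.likelihood, self.impact
        for _name, d_lik, d_imp in self.controls:
            lik, imp = max(1, lik - d_lik), max(1, imp - d_imp)
        return Risk(self.asset, self.threat, self.vulnerability, lik, imp, self.insurable)

def treatment(risk: Risk) -> str:
    """Risk Treatment: choose Mitigate / Avoid / Transfer / Accept from the evaluation."""
    score = risk.score()
    if score < ACCEPT_BELOW:
        return "Accept"
    if risk.controls and risk.residual().score() < score:
        return "Mitigate"
    if risk.insurable:
        return "Transfer"
    if score >= AVOID_FROM:
        return "Avoid"
    return "Mitigate"   # no control identified yet: back to Plan in the next cycle

def risk_register(risks):
    """One Check pass of Plan/Do/Check/Act: every risk evaluated, highest score first."""
    rows = [(r.asset, r.threat, r.score(), treatment(r), r.residual().score()) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)
```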
Misconceptions
• Security only concerns IT
• Security is a technical issue
• Security is a recipe to follow
• Security is set once for the long term
Plan / Do / Check / Act
Plan → Do → Check → Act (and back to Plan)
Misconceptions
• Security only concerns IT
• Security is a technical issue
• Security is a recipe to follow
• Security is set once for the long term
NO. Must be reassessed on a regular basis
Plan / Do / Check / Act (ISO terminology)
Living process
Concepts
• Security is not only an IT problem
• “Security is a process, not a product”
• Security must be risk based
• Security is a living process
Security Practice
Security Principles
• Need to know
• Least privilege
• Segregation of duties
So what is the objective?
It is the preservation of:
• Confidentiality
• Integrity
• Availability
… in order to protect the organization’s critical assets
So we cannot have Privacy without Security
… but we can have Security without Privacy
Confidentiality
• User management
• Access Control
• Encryption
Access Control
• Identification
• Authentication
• Authorization
N-Factors
• Something you know
• Something you have
• Something you are
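The Security Principles (need to know, least privilege, segregation of duties), the Access Control chain (identification, authentication, authorization) and the N-Factors slide, combined in one added example that is not code from the presentation: a small authorization check in which each role holds only the actions its job needs, a clerk sees only records of their own store, the person who created a refund can never approve it, and a large refund needs a session authenticated with at least two factors. The roles, the store records and the dollar threshold are constructed assumptions.

```python
# Added example, not from the presentation. Identification (session["user"]) and
# authentication (session["factors"]) are assumed to have happened upstream; this
# code decides authorization only. Roles, records and threshold are constructed.

# Least privilege: each role is granted only the actions its job requires.
ROLE_PERMISSIONS = {
    "clerk":   {"view_customer", "create_refund"},
    "manager": {"view_customer", "create_refund", "approve_refund"},
    "auditor": {"view_audit_log"},
}
# Approving a large refund needs two distinct factors (know / have / are).
LARGE_REFUND = 1000
FACTORS_FOR_LARGE = 2

def authorize(session, action, record=None):
    """Return (allowed, reason) for a session attempting an action on a record."""
    role = session["role"]
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"{role} is not permitted to {action}"
    # Need to know: clerks see only customers of the store they work in.
    if action == "view_customer" and role == "clerk" and record["store"] != session["store"]:
        return False, "record belongs to another store"
    return True, "ok"

def approve_refund(refund, session):
    """Segregation of duties: the creator of a refund may never approve it,
    and a large refund requires a multi-factor authenticated session."""
    allowed, why = authorize(session, "approve_refund")
    if not allowed:
        return False, why
    if refund["created_by"] == session["user"]:
        return False, "segregation of duties: creator cannot approve own refund"
    if refund["amount"] >= LARGE_REFUND and len(set(session["factors"])) < FACTORS_FOR_LARGE:
        return False, "large refund requires multi-factor authentication"
    refund["approved_by"] = session["user"]
    return True, "approved"
```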
Encryption
• Symmetric
• 1 single key
• Asymmetric
• 2 keys (one Private / one Public)
Integrity
• Asset Inventory
• Hashing
• Non-repudiation
Availability
• Backups
• Duplication
• Do not forget the personnel
Summary
• Privacy
An individual right to be left alone
• Security
The Protection of critical assets
• No Privacy without Security…
But we can have Security without Privacy
• What to secure and how to secure it
Privacy determines the what
Security determines the how
Summary
• Concepts
• Security is not only an IT problem
• “Security is a process, not a product”
• Security must be risk based
• Security is a living process
• Principles
• Objectives
• Security should not be front and center
Thank you
Gilles Fourchet, CIPP/IT, CISSP, PMP
Information Privacy & Security Specialist
Government of Ontario
www.linkedin.com/in/gillesfourchet