Javier Salido [email protected] Microsoft, Trustworthy Computing

Session Objectives and Takeaways
Session Objective(s):
- Review common privacy issues
- Understand how Data Governance can provide answers
Takeaways:
- The Information Lifecycle allows organizations to better understand how data is used
- The Microsoft Technology Framework helps in identifying suitable privacy controls
- Microsoft provides tools and guidance to assist you in your Data Governance efforts

Agenda
- Privacy: review of privacy concerns in today's world; statutory and regulatory landscape; standards
- Data Governance: Data Governance for Privacy
- Data Governance Technology Framework: data lifecycle; the four focus areas of the framework
- Action Plan
- Summary

What is Privacy?
- UK Calcutt Committee: "the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information"
- Security is necessary for privacy, but privacy is not guaranteed by security

Privacy Concerns are Increasing
- Organizations are accumulating unprecedented amounts of data on individuals
- Data can be stolen, lost or misused
- Inappropriate or careless use of technology puts privacy at risk
  - Software designed to identify and profile individuals for monetary gain
  - Poor software design and implementation
  - Most software does not consider privacy aspects
  - Weak or non-existent security controls

Top of Mind: Data Breaches in 2008
- Average cost of an incident was $6.6 million US, a 2.5% increase over 2007
- Largest percentage of incidents (35%) is due to lost or stolen laptops or media
- Average customer churn attributable to data breaches was 3.6% (6% for the financial services industry)
- Source: Ponemon study, "Cost of a Data Breach", Feb 2009, http://www.encryptionreports.com/

Top of Mind: Data Retention
- Accidental misuse of data in violation of privacy policies and legislation
- E-Discovery in civil litigation cases
- Loss or theft of data
- No breaches on data you don't keep: 66% of data breaches in 2008 involved data that was not known to reside on the affected system at the time of the incident
- Source: "2008 Verizon Data Breach Investigations Report", http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

And if That was not Enough...
- Customers' trust in online business is eroding
- Inefficient use of the organization's data assets
- Industrial espionage, theft of intellectual property
- Need to comply with an increasingly complex regulatory environment: Governance, Risk and Compliance (GRC)

Statutory & Regulatory Landscape: EU
- In the EU privacy is a fundamental right
- The concept of personal data is defined in 95/46/EC
- 95/46/EC defines rules for transfer of personal data across member states' borders
- Data cannot be transported outside of the EU unless citizens give consent, or there is a legal framework in place, e.g. Safe Harbor
- Data Protection Administrators in member states enforce laws and rules, and prosecute violators

Statutory & Regulatory Landscape: US
- In the US privacy is not a fundamental right
- US Supreme Court justices have said that privacy is not in the Constitution, the Bill of Rights, or subsequent amendments
- Privacy is offered through a patchwork of federal and state legislation
- Where legislation does not exist, the FTC can protect consumers through Section 5 of the FTC Act
- Privacy in the US focuses on the concept of personally identifiable information (PII): information which can be used to distinguish or trace an individual's identity (Office of Management and Budget)

Statutory & Regulatory Landscape: Latin America and Asia
- In Latin America some countries have adopted EU-style data protection legislation
- In Asia there are growing calls for legislation
- The Association of Southeast Asian Nations (ASEAN) is leaning towards using the Organization for Economic Cooperation and Development (OECD) guidelines on protection of privacy

Privacy Standards
- ISO/IEC CD 29100, Information technology – Security techniques – Privacy framework
- NIST SP 800-122 (Draft), Guide to Protecting the Confidentiality of Personally Identifiable Information

Security Standards
- ISO/IEC 27002 (formerly ISO/IEC 17799), 15.1.4 Data protection and privacy of personal information
  - Control: Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses
  - Implementation guidance: An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information

Data Governance
- Is the exercise of decision-making and authority for data-related matters
- Encompasses the people, processes, and IT required for consistent and proper handling of data across the enterprise

Why Organizations Look at DG
- Maximize benefit from data assets
  - Increases consistency and confidence in decision making
  - Improves data quality, reliability and availability
  - Establishes common data definitions across the enterprise
  - Establishes accountability for information quality
- Compliance
  - Meet existing compliance obligations
  - Ensure quality of compliance data
  - Provide the company flexibility to respond to new compliance requirements
- Risk Management
  - Protection of data assets and intellectual property
  - Safeguard customer data and organizational prestige
  - Establish appropriate personal data use to optimally balance ROI and risk exposure

Data Governance for Privacy and GRC
- Inputs: Privacy Requirements; Business Data Requirements; Compliance Data Requirements
- Strategy: Documented Policies & Procedures
- GRC Implementation: Risk; Governance; Compliance
- Governance: organizations should collect only the data required to conduct business; data should be rationalized and shared
- Risk: data should be secured from unauthorized access and use; data should be accurate; data should be accessible
- Compliance: all applicable laws and regulations relating to the data, and to the systems the data is stored or processed on, should be complied with

Questions for the Organization
- Am I collecting data in alignment with business goals and priorities?
- Am I notifying customers and obtaining their consent first when personal information is involved?
- Am I managing data risk appropriately?
- If the data I am storing is personal information, how am I protecting my customers' privacy?
- Am I handling the data within compliance? What statutes and regulations do I need to follow?

Information Lifecycle
- Understanding the information lifecycle helps in thinking about data governance principles
- It is also useful when looking at how data is collected, processed and shared within an organization, and who has access to it
- The information lifecycle is the basis of a technology framework for data governance
- Lifecycle stages (diagram): Collect, Update, Process, Delete, Transfer (a transfer starts a new lifecycle), with Data Storage at the center

Four Focus Areas
- Secure Infrastructure
  - Safeguards against malware and intrusions
  - Safeguards against unauthorized access to personal info
  - Protect systems from evolving threats
- Identity and Access Control
  - Protect personal information from unauthorized access or use
  - Provide management controls for identity, access and provisioning
- Information Protection
  - Protect sensitive personal information in structured DBs
  - Protect sensitive personal information in unstructured documents, messages and records, through encryption
  - Protect data while on the network
- Auditing and Reporting
  - Monitor to verify integrity of systems and data
  - Monitor to verify compliance with business processes

Action Plan
- Remember, technology is only part of the solution
- Catalog sensitive information
- Classify sensitive information
- Plan your technical controls
- Leverage the Information Lifecycle to evaluate potential threats at each stage, for each set of data
- For each area in the framework, options can be thought of as candidate controls
- Think about what privacy risks exist, and how the technology can address them
- Identify technologies that integrate with other technologies in the same and other areas in the framework; integration will make management easier and help reduce the likelihood that gaps in coverage will exist

Bringing it All Together: Lifecycle and Framework
The slide is a matrix of lifecycle stages (rows: Collect, Update, Process, Delete, Transfer, Data Storage) against framework areas (columns: Secure Infrastructure, Identity and Access Control, Information Protection, Auditing and Reporting). The cell entries survive only in reading order, with their column assignment lost in extraction: Secure client and web site; authN/authZ; Encrypt traffic; Secure client and web site; authN/authZ; Encrypt traffic; Log user; Secure host; authN/authZ; Encrypt traffic; Log reason; Secure wipe; authN/authZ; authN/authZ; Secure server; Log delete; Encrypt traffic; Encrypt data store; Log user.

Examples & Tools

Example 1: Secure Infrastructure
- Issue: Compromised systems put personal information at risk of compromise or disclosure
- Solution:
  - Anti-malware and firewall defenses can protect systems from compromise
  - Windows Update and WSUS can keep systems up to date with software patches for the OS and some apps
  - Forefront Client Security provides anti-malware defenses with centralized reporting and scanning
  - Windows Firewall provides advanced host firewall protection
  - NAP allows only healthy systems to access network resources containing personal information

Example 2: Information Protection
- Issue:
  - Databases are a rich repository of customer personal data and PII
  - They are the focus of external attacks by hackers using multiple methods
  - Rogue administrators and non-authorized internal personnel may try to access data
- Solution:
  - Encryption in the database can protect data from unauthorized users
  - SQL Server uses certificates to protect symmetric keys, which are used to encrypt data

Example 3: Information Protection
- Issue:
  - A mobile workforce carries customer data on mobile devices
  - If a device is lost or stolen, data might fall into the hands of unauthorized users
- Solution:
  - Encryption of content will protect data if the device is lost or stolen
  - BitLocker will encrypt all files on the laptop
  - Rights Management Services can be used to restrict access to business documents

IT Compliance Management Architecture (diagram labels)
- Compliance Planning Guide: Determine GRC Applicability; Plan for GRC Control Requirements; Follow Checklists; Manage GRC Life Cycle through MOF; Review Authority Documents
- GRC Authority Docs; Subject Matter Experts
- Plan Controls: Planning Guide (IT Manager); Compliance Workbook; Configuration Guidance Links
- Deploy Controls: Job Aids (IT Pro); IT Compliance Management Workbook

Microsoft Privacy Standard for Developers (and Web sites) 3.1
Provides guidelines for:
- Creating notice and consent notices
- Providing sufficient data security
- Maintaining data integrity
- Supplying controls when developing software products and web sites

Data Governance Web-site
- Contains white papers, one-pagers, presentations and other resources
- Tailored for specific audiences
- http://www.microsoft.com/datagovernance

Summary
- Privacy issues are real, and a challenge for organizations of all sizes
- Data governance is an approach to tackling privacy issues
- The information lifecycle and data governance framework help organizations understand data use and relationships and identify suitable technology
- Visit the Microsoft Data Governance web-site for more information and guidance

Resources
- Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
- Track Resources: http://www.microsoft.com/datagovernance

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
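Example 2 above says that SQL Server protects a symmetric key with a certificate and encrypts data with the symmetric key. The following T-SQL is an added illustration, not code from the presentation, of that key hierarchy applied to one PII column; the database, table, column, key, certificate and role names, the password placeholders and the backup paths are all assumed.

```sql
-- Added illustration (not from the deck): SQL Server cell-level encryption
-- key hierarchy for one PII column. All object names below are assumed.
USE CustomerDB;
GO
-- 1. Database master key, protected by this password (and by the service
--    master key, so the instance can open it without prompting).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
-- 2. Certificate whose private key protects the symmetric key.
CREATE CERTIFICATE PiiCert WITH SUBJECT = 'Protects the customer PII symmetric key';
-- 3. AES-256 symmetric key that actually encrypts the data; it is only ever
--    stored encrypted by the certificate, never in clear.
CREATE SYMMETRIC KEY PiiKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PiiCert;
GO
-- 4. Move the sensitive value into a ciphertext column and drop the plaintext,
--    so a plain SELECT on the table no longer exposes it.
ALTER TABLE dbo.Customers ADD NationalIdEnc varbinary(256);
GO
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
UPDATE dbo.Customers
    SET NationalIdEnc = EncryptByKey(Key_GUID('PiiKey'), NationalId);
CLOSE SYMMETRIC KEY PiiKey;
ALTER TABLE dbo.Customers DROP COLUMN NationalId;
GO
-- 5. Least privilege: only members of PiiReaderRole can open the key.
--    Anyone else calling DecryptByKey gets NULL instead of the plaintext.
CREATE ROLE PiiReaderRole;
GRANT CONTROL ON CERTIFICATE::PiiCert TO PiiReaderRole;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::PiiKey TO PiiReaderRole;
GO
-- 6. Authorized read path (run as a PiiReaderRole member). The original
--    column type (nvarchar(32) assumed here) must be restored on the way out.
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
SELECT CustomerId,
       CONVERT(nvarchar(32), DecryptByKey(NationalIdEnc)) AS NationalId
FROM dbo.Customers;
CLOSE SYMMETRIC KEY PiiKey;
GO
-- 7. Back up the certificate with its private key and keep it off the server;
--    without it, losing the instance means losing the ciphertext for good.
BACKUP CERTIFICATE PiiCert TO FILE = 'C:\KeyBackup\PiiCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackup\PiiCert.pvk',
                      ENCRYPTION BY PASSWORD = '<backup-password-placeholder>');
GO
```

When reviewing such a deployment, check that decryption rights follow the certificate rather than table permissions, and that the key backup files do not sit on the same host as the database.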