Information Security Technological Security Implementation and Privacy Protection

  • Slides: 28
Download presentation
Information Security Technological Security Implementation and Privacy Protection

Information Security Technological Security Implementation and Privacy Protection

Agenda • Security Theory • Administrative Security • Basic Security Technologies • Potential Attacks

Agenda • Security Theory • Administrative Security • Basic Security Technologies • Potential Attacks • HIPAA Security Rule Overview • Challenges of a Changing World

Information Security Theory

Information Security Theory

Technological Security is… • Fluid • Imperfect • Difficult • Tedious • Inconvenient

Technological Security is… • Fluid • Imperfect • Difficult • Tedious • Inconvenient

C. I. A. Triad • • Basic Premise of Info. Sec Confidentiality • •

C. I. A. Triad • • Basic Premise of Info. Sec Confidentiality • • Integrity • • Secret information remains secret Information is not altered or destroyed Availability • Information is not inaccessible when needed

Authentication vs. Authorization • Two parts of the cliché, “who are you and what

Authentication vs. Authorization • Two parts of the cliché, “who are you and what are you doing here? ” • Authentication • Proving Identity • Authorization • Allowing or Disallowing Actions

Least Privilege and Need-to-Know • Basic tenets of information or system access control •

Least Privilege and Need-to-Know • Basic tenets of information or system access control • Least Privilege • Possessing the least amount of access necessary to perform job function • Need-to-Know • Access to information based only on job requirements

States of Data • Data in Transit • • Information being transmitted between systems

States of Data • Data in Transit • • Information being transmitted between systems Data at Rest • Information stored in any location, such as hard drive or flash drive

Administrative Functions of Security Policy Implementations

Administrative Functions of Security Policy Implementations

Risk Management Program • Identify Risks • Risk to information, systems, facilities, personnel, reputation

Risk Management Program • Identify Risks • Risk to information, systems, facilities, personnel, reputation • Determine Probability of Occurrence • Determine Impact on Confidentiality, Integrity, and Availability • Accept Risk or Mitigate Risk • Document and Reevaluate

Security Incidents • Any occurrence with potential security impact is an incident • Malware

Security Incidents • Any occurrence with potential security impact is an incident • Malware infection, unauthorized access, data breach, and many more • Incident management plan required • From HIPAA: Breach means the acquisition, access, use, or disclosure of protected health information in a manner. . . which compromises the security or privacy of the protected health information. • Breach disclosure laws vary from state to state

Account and Access Management Policies • Documented methodology for managing access • • Provisioning,

Account and Access Management Policies • Documented methodology for managing access • • Provisioning, altering, revoking, and reviewing access Unique identifiers = usernames • Role-based access control • • Users or systems given access based on role in an organization Doctors have access to more health information than administrative assistants

Auditing and Logging • Various levels and types of logging • Recording activities, particularly

Auditing and Logging • Various levels and types of logging • Recording activities, particularly security events • Monitoring logs • Identifying areas of concern

Basics of Security Technology

Basics of Security Technology

Authentication Mechanisms • • Passwords Single-use tokens Certificates Biometric

Authentication Mechanisms • • Passwords Single-use tokens Certificates Biometric

Multi-Factor Authentication Use of multiple authentication mechanisms to establish identity

Multi-Factor Authentication Use of multiple authentication mechanisms to establish identity

Encryption • • Obfuscation of information • Data appears completely random while encrypted •

Encryption • • Obfuscation of information • Data appears completely random while encrypted • Many different types and implementation matters Common Uses • Securing websites through SSL/TLS: any website beginning in “https: //” • Whole-Disk Encryption

Potential Attacks

Potential Attacks

Malware • • Any type of malicious program • Viruses, Trojans, Adware, Spyware, and

Malware • • Any type of malicious program • Viruses, Trojans, Adware, Spyware, and more No anti-virus program is 100% effective Malware is no longer destructive for the fun of it • • Malware used for profit and data theft Extensive organized crime involvement According to the 2013 Verizon Data Breach Investigations Report, malware was involved in 40% of data breaches in 2012

Social Engineering • Convincing a person within an organization to take a certain action

Social Engineering • Convincing a person within an organization to take a certain action • • Reveal private information Click a link People are wired to help each other Phishing and Spear-Phishing

Vulnerability of Media and Mobile Devices • • • Any method of transporting information

Vulnerability of Media and Mobile Devices • • • Any method of transporting information represents risk Mobile Devices (Smartphones, Tablets, Laptops) • • • Access to organization’s network Contain sensitive information Convenient but dangerous Media (CDs, DVDs, USB Flash Drives, etc. ) • • All types of information can be carelessly stored on media Easy to lose

HIPAA Security Rule Overview

HIPAA Security Rule Overview

Administrative Safeguards • • • Access establishment and modification process • Process for establishing,

Administrative Safeguards • • • Access establishment and modification process • Process for establishing, documenting, modifying, and reviewing access Security Awareness and Training Program Protection from Malicious software Log-in monitoring -- reporting discrepancies Password management policy • Setting, changing passwords and password requirements Security Incident Management procedures

Contingency Planning • Data backup • Disaster recovery • Emergency mode operation • Procedure

Contingency Planning • Data backup • Disaster recovery • Emergency mode operation • Procedure for continuous operation despite adverse conditions • Testing and evaluating plan • Determine criticality of systems for contingency operations

Technical Safeguards • Access Control and Emergency Access Procedure • • • Automatic Logoff

Technical Safeguards • Access Control and Emergency Access Procedure • • • Automatic Logoff Encryption/Decryption of e. PHI Audit Controls • Integrity Controls • • • Method of authenticating information Person or entity Authentication Transmission Security Controls • • Integrity Controls Encryption

Challenges of a Changing World

Challenges of a Changing World

Looking Ahead • • Cloud Computing and Cloud Storage Mobile Malware Moving Beyond Anti-Virus

Looking Ahead • • Cloud Computing and Cloud Storage Mobile Malware Moving Beyond Anti-Virus Bring Your Own Device

Christopher J. Morgan chris@chrismorgan. cc

Christopher J. Morgan chris@chrismorgan. cc

Technological Hazards Technological Hazards Smith Ch 13 TechnologicalTechnological Hazards Technological Hazards Smith Ch 13 Technological
PRIVACY AND SECURITY Security and Privacy Security thePRIVACY AND SECURITY Security and Privacy Security the
How Privacy Relates to Security Privacy Symposium PrivacyHow Privacy Relates to Security Privacy Symposium Privacy
OFFICE OF INFORMATION PRIVACY SECURITY HIPAA Privacy SecurityOFFICE OF INFORMATION PRIVACY SECURITY HIPAA Privacy Security
HL 7 Security and Privacy Data Protection PrivacyHL 7 Security and Privacy Data Protection Privacy
HL 7 SECURITY AND PRIVACY Data Protection PrivacyHL 7 SECURITY AND PRIVACY Data Protection Privacy
HL 7 Security and Privacy Data Protection PrivacyHL 7 Security and Privacy Data Protection Privacy
HL 7 Security and Privacy Data Protection PrivacyHL 7 Security and Privacy Data Protection Privacy
Privacy and Security of Personal Information Technological SolutionsPrivacy and Security of Personal Information Technological Solutions
Privacy and Security of Personal Information Technological SolutionsPrivacy and Security of Personal Information Technological Solutions
Privacy and Security Work Group Draft Privacy SecurityPrivacy and Security Work Group Draft Privacy Security
Fallbeispiel Privacy Was ist Privacy Wie wird PrivacyFallbeispiel Privacy Was ist Privacy Wie wird Privacy
Case studies Privacy Privacy Privacy Is an EUCase studies Privacy Privacy Privacy Is an EU
Privacy of Information What is Privacy of InformationPrivacy of Information What is Privacy of Information
Privacy by Design Building Data Privacy and ProtectionPrivacy by Design Building Data Privacy and Protection
Information security and privacy protection aspects of electronicInformation security and privacy protection aspects of electronic
Information Security Information security Information Security describes allInformation Security Information security Information Security describes all
Information Security Information security Information Security describes allInformation Security Information security Information Security describes all
Technological Progress and Growth Technological Progress and theTechnological Progress and Growth Technological Progress and the
Protection and Security 1 Protection and Security OperatingProtection and Security 1 Protection and Security Operating
Protection and Security 1 Protection and Security OperatingProtection and Security 1 Protection and Security Operating
Protection and Security 1 Protection and Security OperatingProtection and Security 1 Protection and Security Operating
Privacy Protection in Thailand ASIAN PRIVACY FORUM HongkongPrivacy Protection in Thailand ASIAN PRIVACY FORUM Hongkong
HIPAA Training Privacy Protection for Patients Privacy TrainingHIPAA Training Privacy Protection for Patients Privacy Training