Popi and Sharepoint 2010
This is a discussion on Protection of Private Information in SharePoint and also PII information and the South African Law impact. Also applicable to privacy, security and governance in general in SharePoint 2010.

Published in: Technology, News & Politics
  • Get educated: I think the big issue is that SharePoint professionals and information security professionals don’t spend enough time together.
  • More secure infrastructure: Safeguards that protect against malware, intrusions and unauthorized access to personal information and protect systems from evolving threats.
    To help prevent unauthorized disclosure, organizations should build their IT infrastructure using software that is designed for maximum security (e.g. Microsoft Forefront and Microsoft Forefront for SharePoint*), and they should employ tools and services to continually protect against evolving threats.
    * Forefront Security for SharePoint: Formerly called Antigen for SharePoint, this product helps organizations protect their SharePoint Portal Server and Windows SharePoint Services deployments against viruses, worms and inappropriate content. Using multiple anti-virus engines, it scans all documents as they are uploaded or retrieved from SharePoint document libraries. It also offers content-filtering capabilities that help prevent inadvertent or intentional posting of documents containing offensive language or other inappropriate content, as well as file types that potentially expose organizations to legal risk, such as MP3 audio files.

    Identity and access control: Systems that help protect personal information from unauthorized access or use and provide management controls for identity access and provisioning.
    To reduce the risk of a deliberate or accidental data breach, and to help organizations comply with regulatory requirements, Microsoft offers identity and access control technologies (e.g. Active Directory management via SharePoint) that protect personal information from unauthorized access while seamlessly facilitating its availability to legitimate users.

    Information protection: Protecting sensitive personal information in structured databases and unstructured documents, messages and records by means such as encryption so that only authorized parties can view or change it throughout its life cycle.
    Information rights management technology extends the capabilities of RMS into the Microsoft Office system and Internet Explorer. The 2010 Microsoft Office system provides even broader RMS capabilities through new developments in Microsoft SharePoint. Administrators can set access policies for SharePoint document libraries on a per-user basis. For example, users who have “view-only” access to documents in a library—but cannot print, copy or paste—will have those policies enforced by RMS, even when the document has been removed from the SharePoint site.

    Auditing and reporting: Monitoring to verify the integrity of systems and data in compliance with business policies.
    SharePoint administrators can set auditing policies to log activities such as reading, deletion and modification of documents, and monitor those policies through reports. They can also implement document-retention policies, such as “expiring” unneeded content after a certain amount of time.

    A major data spillage, security breach or failure to comply with government regulations can have significant long-term implications for an organization’s bottom line and for its brand. Managing and protecting sensitive personal information is not only the right thing to do for customers, it’s also the right thing to do from a business perspective.
    In combination with the right policies, people and processes, technology like SharePoint can help lay a strong foundation for a successful data governance strategy.
  • Follow the Principle of Least Privilege: Give people the lowest permission levels they need to perform their assigned tasks.
    Give people access by adding them to standard, default SharePoint groups (such as Members, Visitors, and Owners). Make most people members of the Members or Visitors groups, and limit the number of people in the Owners group.
    Use permissions inheritance to create a clean, easy-to-visualize hierarchy. That is, avoid granting permissions to individuals; instead work with SharePoint groups. Where possible, have sub-sites simply inherit permissions from your team site, rather than having unique permissions.
    Organize your content to take advantage of permissions inheritance: Consider segmenting your content by security level. Create a site or a library specifically for sensitive documents, rather than having them scattered in a larger library and protected by unique permissions.
  • Audit Tracking (Information management policy enforcement): For sensitive files, define a policy that allows you to enable 'Audit' tracking of events, such as file changes, copies or deletion.
    Record Centre: Central repository in which an organization can store and manage all of its records or sensitive and PII content, such as legal or financial documents.
      - Vault abilities (ensure the integrity of the records)
      - Information management policy enforcement
      - Record routing: The Records Center includes a Content Organizer that automatically routes incoming records to their proper location, based on their record type.
    Track versions: If you need to keep previous versions of files, libraries can help you track, store, and restore the files.
    Search: As a site owner, you can choose whether or not the content on your site appears in search results. Make sure content is marked with restricted permissions so that it does not appear in search results for users who don’t have the permissions to read it.
  • This information flow (AKA the Data Governance Life Cycle) comprises four key stages, within which an organization can construct many unique data governance scenarios to address specific considerations. The four stages are:

    Collection: Personal information is usually collected from multiple sources (in person, online, via other systems, 3rd party, etc.) and the organization must establish appropriate controls that uniformly assure privacy policy compliance regardless of collection method. This involves setting consistent standards and expectations in contracts with external partners that receive or manage the information, as well as addressing consumers’ desire for greater choice and control in how their personal information is collected. It also requires the organization to consider how these policies will be honoured throughout the lifespan of the data.

    Storage: While protecting data stored only in a database is relatively straightforward, the task is far more complex as personal information scatters within and between organizations in unstructured forms such as e-mail, spreadsheets and text documents. As data in these forms is increasingly being stored on laptops and mobile devices, the risk of data breaches has risen sharply—which in turn may require organizations to implement more aggressive and sophisticated storage controls.

    Usage: As information becomes increasingly fluid, it is also subject to access by multiple applications and people—including many that are outside the organization as a by-product of outsourcing agreements and partnerships. In this environment, ensuring that only the right people can gain access to this data and enforcing strict limits on their ability to take data outside the organization (such as on their laptops) are crucial considerations.
    Usage also results in new data describing how the target data was used, when it was accessed, by whom and so on. This data represents a record of data use and is commonly called metadata. Importantly, all of the controls applied to the target data must also be applied to metadata.

    Retention/destruction: Data storage is becoming cheaper every day, to the point where many organizations have found that the time involved in deciding which records to delete from their systems is more costly than simply retaining it all. However, this practice does not account for the liabilities associated with holding onto sensitive personal and confidential information after it has outlived its usefulness. Viewed from the standpoint of minimizing an organization’s exposure to risk from a data breach, the effort involved in setting a finite lifespan for sensitive data and enforcing policies for its automatic deletion or secure archival is a worthwhile investment.

    A multifaceted approach to data governance involves a combination of policy, people, processes and technology. While all components are essential for proper data governance, the technology component (like the use of SharePoint) will be the focus of this article.
    Technology has a key role in enabling organizations to implement effective data governance processes, policies, and compliance with business practices and regulations.
  • Popi and Sharepoint 2010

    1. PROTECTION OF PRIVATE INFORMATION (PoPI) & SharePoint. September 2012. Willem Burger, Shoprite: SharePoint Lead
    2. Private information of customers is one of the most important assets that many companies store.
    3. What is Privacy and Private Information?
       The Oxford Dictionary defines “privacy” as “the state of being left alone and not watched or disturbed by other people”.
       From a business perspective it means that personal information must be used in an appropriate manner within defined parameters.
       The appropriateness of the use of personal information depends on a number of factors such as context, regulatory requirements, the individual’s expectations as well as the right of an individual to control how their personal information is used or ‘processed’.
    4. What is Privacy and Private Information?
       There are different types of privacy that individuals have rights to, each emphasising different aspects of privacy. These include:
       • physical privacy - relevant to government search and seizure operations and peeping toms;
       • bodily and decisional privacy - concerned with choice and the integrity of an individual's body, the right to abortion and cavity searches;
       • proprietary privacy - concerned with publicity, media representation and celebrity, ownership and control of the body, appearance and identity; and
       • information privacy - the interest an individual has in controlling information about them.
    5. What is Privacy and Private Information?
       It is important to understand that organisations have certain obligations when processing personal information and that individuals have certain rights. These may be established in laws, regulations and organisational policies.
       South Africa’s Protection of Personal Information Bill [No. 9 of 2009] (PoPI) is primarily focused on ‘information privacy’, also known as ‘data protection’ or ‘data privacy’.
    6. What is Personally Identifiable Information (PII)?
       Chapter 1 of PoPI defines personal information (PI) as meaning:
       “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
       (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
       (b) information relating to the education or the medical, financial, criminal or employment history of the person;
       (c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
       (d) the blood type or any other biometric information of the person;
       (e) the personal opinions, views or preferences of the person;
       (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
       (g) the views or opinions of another individual about the person; and
       (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person” [3].
    7. What is Personally Identifiable Information (PII)?
       Examples of attributes that may include personal information are:
       • passport and ID numbers;
       • gender and biometric identifiers;
       • bank account and credit card numbers;
       • birth dates;
       • home address details;
       • personal telephone numbers for both landlines and mobile devices;
       • personal email and IP addresses;
       • photographs;
       • financial profiles;
       • personal identification numbers (PINs) and passwords for financial accounts;
       • health information;
       • race;
       • religious or philosophical beliefs;
       • age;
    8. What is the scope of PoPI?
       PoPI covers the processing of personal information in both electronic and paper-based format.
       Processing in terms of PoPI means any operation or activity concerning personal information, including:
       (a) the collection, receipt, recording, storage, updating or modification, retrieval, alteration;
       (b) distribution or making available in any other form; or
       (c) merging, linking, erasure or destruction of information.
    9. Why is it so important to protect Personal Information?
       • Reputation
       • Globalisation
       • Legislation
       All have a financial impact!
    10. What is the status of the legislation?
        The bill is due to be promulgated by the end of 2012 and there is a year's grace to implement (therefore the end of 2013).
    11. How can Business and IT Pros be ready for PoPI with SharePoint
    12. What does your business need to do?
        1. Find the data and map the flow and storage of it.
        2. Understand whether the data is needed; if not, remove it.
        3. Define rules for personal data storage and transmission against the legislation.
        4. Secure the data.
        5. Educate users in terms of the rules.
    13. Fundamentals – Applied to SharePoint
        Assess
        • Where is personal information located? (libraries, lists, documents, SQL)
        • How do you know if you have PII in your SharePoint sites? The answer seems simple, you need to look for it!
        • Who has access to personal information? (check security)
        Secure (Focus on quick wins)
        • Use Groups and security settings of Sites and Libraries
        • Watch out for insiders, Administrators!
        Comply (Build into project plan)
        • Comply smart with a one project approach or per business leg, cost saving.
        • Comply by type. PCI Comply for credit card info etc.
        Respond (Be Prepared)
        • What is the action plan on a security incident?
        • What can customers expect when they call for their information?
        • Audit Logging and version history of SharePoint libraries.
    14. Four essential elements to responsibly protect and manage personal information
        • More secure infrastructure: Microsoft Forefront and Forefront Security for SharePoint (UAG & TMG)
        • Identity and access control: Active Directory and other identity and access control technologies.
        • Information protection: Information rights management - encryption so that only authorized parties can view or change. Protecting information at rest through the use of encryption.
        • Auditing and reporting: SharePoint administrators can set auditing policies to log activities. Coming laws generally require breach disclosure for security breaches which result in the loss or theft of their citizens' personally identifiable information (PII).
    15. “SharePoint Security”
        Permissions: Permissions are not security. Relying on permissions only for your SharePoint security strategy is a mirage.
        Hardening: “What about least privilege administration?” The idea of least privilege is to limit the damage in the event that any single account gets compromised. Again, this is a mirage.
        User Behavior: Another mirage is relying on end users to decide what they will or will not upload into SharePoint. “2011 Digital Universe Study”: IDC concluded that 28% of information needs security.
        Extending a site: Extending a SharePoint site to make content accessible from the Internet. Extending a web site and opening a port on your border firewall creates a single point of failure.
    16. Practical Example
        Capture a customer's information on a form that resides on our public website and submit this information into a library to be stored for processing.
        Assess
        • Where is personal information located? (Public site)
        • Who has access to personal information? (everyone if unsecure)
        Secure
        • HTTPS site or page (Port 443)
        • Via TMG access only
        • Secure site library
        Comply
        • Build in Project plan a PoPI compliant design. Content cannot reside in public space.
        • How long should we retain this content?
        Respond
        • Customer's content available on request, visible only to owners.
        • Audit Logging and version history of SharePoint libraries confirm history.
    17. [Diagram] HTTPS://www.checkers.co.za /newcustomer: Checkers web site (customer library; workflow or retention policy), then TMG / FIREWALL, then Pulse internal site (customer libraries & pages, http://pulses.hoprite.co.za/checkers/customers): group security, record management, auditing, version history, search etc.; workflow for customer processing.
    18. Firewall
    19. Library (Document, form, lists etc.)
        - Permissions
        - Auditing
        - Version History
        - Search
    20. PoPI in SharePoint Governance
        Permissions management (integrity, confidentiality, privacy)
        • Follow the Principle of Least Privilege
        • Give people access by adding them to standard, default SharePoint groups
        • Use permissions inheritance to create a clean, easy-to-visualize hierarchy.
        • Organize your content to take advantage of permissions inheritance.
    21. PoPI in SharePoint Governance
        Audit Tracking (Information management policy enforcement)
        Record Centre
        • Vault abilities (ensure the integrity of the records)
        • Information management policy enforcement
        • Record routing incoming records to their proper location, based on their record type.
        Track versions
        Search (Mark with restricted permissions)
    22. Data Governance Life Cycle or Information Flow Stages
        Collection: PII from multiple sources. Set standards, respect customer desire.
        Storage: Not just databases, it scatters to e-mails etc. + devices.
        Usage: Data becoming more fluid, limit external use.
        Retention/destruction: Cheaper data storage. Don’t retain all. Set up finite lifespan for sensitive data.
    23. Tools
        SharePoint Content Scanner
        SharePoint Risk Assessment
        You can perform scans of files in your SharePoint sites and find PII including credit card data, customer financial information, social security numbers, and other data patterns associated with PII.
        Resources: http://www.sharepointdefenseindepth.com/
        Run in Google: site:<your domain>.co.za
        Check what is exposed and visible on your public sites. Refine and adjust sensitive data content privacy and security. Run again.
    24. In Conclusion
        • Private Information of customers are important assets
        • We have obligations when processing personal information
        • PoPI covers the processing of personal information
        • Assess, Secure, Comply, Respond
        • Get everyone on board and aware of PoPI
        • Added bonus will be general Governance improvement of Customer specific sites and content
        • Have Security Policy around SharePoint and storage of PII
    25. Thanks
        Willem Burger
        Blog: http://sharepointburger.wordpress.com/
        Twitter: http://twitter.com/willemburger
        Email: wburger@shoprite.co.za
        Questions?
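
Slides 13 and 23 say that finding PII means looking for it with a content scan. The following is an added example of how such a scan can work; it is not from the original deck and is not the code of any tool the deck names. It checks text for South African ID numbers, card numbers and e-mail addresses, validates the numeric hits with a checksum, and reports them masked. The sample documents are constructed, and the pattern set and the 15-16 digit card length are assumptions.

```python
import re
from datetime import datetime

def luhn_ok(digits):
    """Luhn checksum: used by payment cards and South African ID numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def sa_id_ok(digits):
    """13 digits: YYMMDD birth date first, Luhn check digit last."""
    try:
        datetime.strptime(digits[:6], "%y%m%d")
    except ValueError:
        return False
    return luhn_ok(digits)

# kind -> (pattern, validator). Lookarounds stop a match inside a longer digit run.
PATTERNS = {
    "sa_id": (re.compile(r"(?<!\d)\d{13}(?!\d)"), sa_id_ok),
    # Assumption: 15-16 digit cards, optionally grouped with spaces or hyphens.
    "card": (re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)"), luhn_ok),
    "email": (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), None),
}

def mask(kind, raw):
    """Keep the report itself free of PII: show only the last 4 digits or the domain."""
    if kind == "email":
        return "***@" + raw.split("@", 1)[1]
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(name, text):
    """Return (document, line number, kind, masked value) for each validated hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, (rx, validator) in PATTERNS.items():
            for m in rx.finditer(line):
                raw = m.group()
                if validator and not validator(re.sub(r"\D", "", raw)):
                    continue                # right shape, failed checksum: not reported
                findings.append((name, lineno, kind, mask(kind, raw)))
    return findings

# Constructed sample text standing in for files exported from a SharePoint library.
SAMPLE_DOCS = {
    "newcustomer_form.txt": "Name: Test Customer\nID number: 8001015009087\n"
                            "Card: 4111 1111 1111 1111\nEmail: test.customer@example.com\n",
    "stock_report.txt": "Barcode 6001234567890 restocked\nOrder ref 1234567812345678\n",
}

if __name__ == "__main__":
    for doc, body in SAMPLE_DOCS.items():
        for finding in scan(doc, body):
            print(finding)
```

The barcode and order reference in the second sample have the same shape as an ID number and a card number but fail the checksum, so they are not reported; this is what keeps a scan over a large library reviewable.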