Con f ecting Security and Privacy OR How to bake a security TRA with your PIA Marcel Gingras Cinnabar Networks Inc. [email_address] 613.262.0946

The Cook’s Background A major in security with a minor in privacy Manager of Risk Analysts TRA, PIA, BCP Big on methodology development IT Security since 1995, Privacy since 2001 Public service for 16 years IT software developer, software and network architect and network support manager

A major in security with a minor in privacy

Manager of Risk Analysts

TRA, PIA, BCP

Big on methodology development

IT Security since 1995, Privacy since 2001

Public service for 16 years

IT software developer, software and network architect and network support manager

Recipe Ingredients Risk Management and Limiting Disclosure PIA and TRA Methodologies Preparation Sharing the Data Gathering Cooking Collaborative Analysis Testing for Doneness Tasty Privacy and Security Safeguards

Ingredients

Risk Management and Limiting Disclosure

PIA and TRA Methodologies

Preparation

Sharing the Data Gathering

Cooking

Collaborative Analysis

Testing for Doneness

Tasty Privacy and Security Safeguards

Conference Theme: Disclosure Privacy Domain Principle: Limiting Use, Disclosure , and Retention Affects business process design May need security “confidentiality” services to limit disclosure (authentication, authorization, confidentiality services_ Security Protects a business process Provides confidentiality, integrity and availability security services

Privacy Domain

Principle: Limiting Use, Disclosure , and Retention

Affects business process design

May need security “confidentiality” services to limit disclosure (authentication, authorization, confidentiality services_

Security

Protects a business process

Provides confidentiality, integrity and availability security services

Disclosure Requirements using Risk Management Processes Variety of Risk Management Processes Business Strategic Risk Business Service Delivery Risk (Operational) Financial Risk Management Business Continuity Planning (BCP) Privacy Impact Analysis (PIA) Security Threat and Risk Analysis (TRA) Latter two directly analyze disclosure risks

Variety of Risk Management Processes

Business Strategic Risk

Business Service Delivery Risk (Operational)

Financial Risk Management

Business Continuity Planning (BCP)

Privacy Impact Analysis (PIA)

Security Threat and Risk Analysis (TRA)

Latter two directly analyze disclosure risks

Security Risk Management: A Long History Physical security Walls, doors, locks and safes Military security Protect the country, safeguard the troops Codes and ciphers IT Security Risk Analysis Well developed models and methodologies

Physical security

Walls, doors, locks and safes

Military security

Protect the country, safeguard the troops

Codes and ciphers

IT Security Risk Analysis

Well developed models and methodologies

IT Security Risk Analysis Process Conceptual analysis of system or application Statement of Sensitivity Inventory of Assets (includes classification) Injury tests Threat Assessment Vulnerability Assessment Examination of Existing Safeguards Risk Assessment Security Safeguard Recommendations

Conceptual analysis of system or application

Statement of Sensitivity

Inventory of Assets (includes classification)

Injury tests

Threat Assessment

Vulnerability Assessment

Examination of Existing Safeguards

Risk Assessment

Security Safeguard Recommendations

Privacy Risk Management: A Short History Variable expectations between social groups Values within a country, variations depending on context (commercial, banking, health, legal) Sense of privacy being under attack Fear of government ‘big brother’ Fear of erosion of privacy in an IT information age Privacy Compliance and Risk Analysis New models, limited risk management and ‘young’ supporting methodologies

Variable expectations between social groups

Values within a country, variations depending on context (commercial, banking, health, legal)

Sense of privacy being under attack

Fear of government ‘big brother’

Fear of erosion of privacy in an IT information age

Privacy Compliance and Risk Analysis

New models, limited risk management and ‘young’ supporting methodologies

Current Privacy Compliance and Risk Analysis Slanted towards compliance audit Checklist based No ranking of potential damages No ranking of risk (too many yes/no questions) No ranking of safeguard effectiveness No action plan Unless particular privacy safeguards are specified, it’s all ‘best guess’

Slanted towards compliance audit

Checklist based

No ranking of potential damages

No ranking of risk (too many yes/no questions)

No ranking of safeguard effectiveness

No action plan

Unless particular privacy safeguards are specified, it’s all ‘best guess’

Current Privacy Compliance and Risk Analysis – The Effect Audit against legislation and policy sufficient in some cases, but not helpful in selecting strength of privacy safeguards needed Checklist based discourages risk analysis Lack of risk rankings makes it difficult to justify appropriately strong solutions Lack of a prioritized action plan makes it difficult to plan next steps in the project

Audit against legislation and policy sufficient in some cases, but not helpful in selecting strength of privacy safeguards needed

Checklist based discourages risk analysis

Lack of risk rankings makes it difficult to justify appropriately strong solutions

Lack of a prioritized action plan makes it difficult to plan next steps in the project

Other Annoying Issues Too many TLAs (Three letter acronyms) Clutter in the project plan Too many interviews asking the same questions Timing issues: When to do these things to get actual value… Requirements when you need them and a reality check on the solution when you need it. Contradictory ‘disclosure’ and ‘confidentiality’ recommendations Potential for security solutions to be privacy invasive

Too many TLAs (Three letter acronyms)

Clutter in the project plan

Too many interviews asking the same questions

Timing issues: When to do these things to get actual value… Requirements when you need them and a reality check on the solution when you need it.

Contradictory ‘disclosure’ and ‘confidentiality’ recommendations

Potential for security solutions to be privacy invasive

What Can We Improve? (1) We can do privacy protection requirements gathering, analysis, and audit at the right time in the project lifecycle process. We can align related risk management processes (E.g. PIA and TRA) to be supportive and consistent.

We can do privacy protection requirements gathering, analysis, and audit at the right time in the project lifecycle process.

We can align related risk management processes (E.g. PIA and TRA) to be supportive and consistent.

What Can We Improve? (2) We can improve PIAs by borrowing from more mature risk analysis processes. We can incorporate the risk analysis processes into the current compliance audit PIA templates, providing a tool to be used as needed. Note: The current form and rigor of existing PIA methodologies do not need to be changed, just augmented.

We can improve PIAs by borrowing from more mature risk analysis processes.

We can incorporate the risk analysis processes into the current compliance audit PIA templates, providing a tool to be used as needed.

Note: The current form and rigor of existing PIA methodologies do not need to be changed, just augmented.

Project Lifecycle Integration What information do we need when? Privacy requirements identification with other business requirements Privacy protection solution identification with other business solutions Audit/testing of privacy solutions with other business functionality audit/testing

What information do we need when?

Privacy requirements identification with other business requirements

Privacy protection solution identification with other business solutions

Audit/testing of privacy solutions with other business functionality audit/testing

Bad Things That Can Happen… Unknown privacy requirement kills project E.g. Illegal use of SIN, Illegal disclosure of health card number Unknown security requirement creates ‘add-on’ expense Poorly implemented safeguards leave information at risk Intended safeguard implementation is deferred with unknown risk exposure

Unknown privacy requirement kills project

E.g. Illegal use of SIN, Illegal disclosure of health card number

Unknown security requirement creates ‘add-on’ expense

Poorly implemented safeguards leave information at risk

Intended safeguard implementation is deferred with unknown risk exposure

Project Lifecycle Integration

Things to Note All risk management activities should have a minimum of 3 stages: Requirements: Identification of risk and safeguard requirements Solution Evaluation: Verify that the proposed solutions are effective Implementation: Verify that the solutions are installed and operating as advertised Cost note: Typically, the cost of the first two exercises does not exceed 1.5 times the cost of doing a single large exercise (TRA or PIA). It’s an incremental update.

All risk management activities should have a minimum of 3 stages:

Requirements: Identification of risk and safeguard requirements

Solution Evaluation: Verify that the proposed solutions are effective

Implementation: Verify that the solutions are installed and operating as advertised

Cost note: Typically, the cost of the first two exercises does not exceed 1.5 times the cost of doing a single large exercise (TRA or PIA). It’s an incremental update.

Risk Assessment Alignment PIAs and TRAs Can we integrate PIA and TRA risk analysis processes? …save time and money? Can we do the two analyses in a timely fashion? Can we ensure that resulting safeguard recommendations do not conflict?

Can we integrate PIA and TRA risk analysis processes? …save time and money?

Can we do the two analyses in a timely fashion?

Can we ensure that resulting safeguard recommendations do not conflict?

Yes, But… Garbage in – Garbage out It still takes expertise in the methodology and subject area (security, privacy, …) to do good analysis Privacy analysis requires expertise of a separate body of knowledge Security analysts are not automatically good privacy analysts Team-of-2 approach works well!

Garbage in – Garbage out

It still takes expertise in the methodology and subject area (security, privacy, …) to do good analysis

Privacy analysis requires expertise of a separate body of knowledge

Security analysts are not automatically good privacy analysts

Team-of-2 approach works well!

At a High Level, TRAs & PIAs Have Similarities Both risk management processes seek to avoid adverse outcomes Both are communications and decision making tools Both seek to identify risks and identify safeguard requirements at the analysis phase Both seek to document “due diligence” analysis and safeguards prior to deployment Both stem from legislative or policy requirements

Both risk management processes seek to avoid adverse outcomes

Both are communications and decision making tools

Both seek to identify risks and identify safeguard requirements at the analysis phase

Both seek to document “due diligence” analysis and safeguards prior to deployment

Both stem from legislative or policy requirements

PIA/TRA Analysis Process Shared Elements System descriptions: detailed knowledge of the information flow Knowledge of effectiveness of safeguards Concept of “Damages” and “Acceptable Risk” of value to both

System descriptions: detailed knowledge of the information flow

Knowledge of effectiveness of safeguards

Concept of “Damages” and “Acceptable Risk” of value to both

Not Shared: Privacy Threats (1) More Than Keeping Personal Secrets Lack of authority to collect Inadequate consent Poorly informed data subject Low quality (incorrect) information Too much information being held (or held too long)

Lack of authority to collect

Inadequate consent

Poorly informed data subject

Low quality (incorrect) information

Too much information being held (or held too long)

Not Shared: Privacy Threats (2) Inappropriate use Data profiling Data mapping Transaction monitoring Identification of individuals Lack of, or fuzzy accountability Lack of openness

Inappropriate use

Data profiling

Data mapping

Transaction monitoring

Identification of individuals

Lack of, or fuzzy accountability

Lack of openness

Not Shared: Privacy Threats (3) Loss of personal control over and access to data, including right to object / challenge the system Physical observation of individuals Publishing or re-distribution of databases containing personal information

Loss of personal control over and access to data, including right to object / challenge the system

Physical observation of individuals

Publishing or re-distribution of databases containing personal information

Recap: Why do PIAs and TRAs together? Timeliness and cost savings Minimize disruption to business and development teams Assessments feed critical info to each other Requirements integrated and in agreement

Timeliness and cost savings

Minimize disruption to business and development teams

Assessments feed critical info to each other

Requirements integrated and in agreement

Solution: Risk Assessment Alignment - Detail

Solution: Risk Assessment Alignment - Detail

The Reports Separate PIA and TRA for different audiences Similar layout for easy reading (optional) Risk scenario based privacy analysis supporting PIA questionnaires (optional) Note: Questionnaire formats are being revisited in some jurisdictions as they have encouraged poor analysis

Separate PIA and TRA for different audiences

Similar layout for easy reading (optional)

Risk scenario based privacy analysis supporting PIA questionnaires (optional)

Note: Questionnaire formats are being revisited in some jurisdictions as they have encouraged poor analysis

Improving PIAs with Risk Scenario Analysis (1) Start with the privacy questionnaire… Postulate system-specific attacks against particular personal information Consider the initial risks, based on damages caused by disclosure, inaccuracy, etc. Consider existing privacy safeguards

Start with the privacy questionnaire…

Postulate system-specific attacks against particular personal information

Consider the initial risks, based on damages caused by disclosure, inaccuracy, etc.

Consider existing privacy safeguards

Risk Scenario Analysis (2) Rate residual risk Make additional privacy safeguard recommendations (if needed) Rate residual risk Organize analysis and safeguards by privacy principles

Rate residual risk

Make additional privacy safeguard recommendations (if needed)

Rate residual risk

Organize analysis and safeguards by privacy principles

Risk Scenario Analysis (3) Sample questionnaire question If personal information is to be used or disclosed for a secondary purpose not previously identified, is consent required? Very generic, asks for a Yes/No, does not encourage analysis

Sample questionnaire question

If personal information is to be used or disclosed for a secondary purpose not previously identified, is consent required?

Very generic, asks for a Yes/No, does not encourage analysis

Risk Scenario Analysis (4) Simplified Analysis Table Item Periodic audits by ATIP office P-PSA500 Consent procedures R-PSP252 Consistent notices and forms P-PSP251 Business Liaison with ATIP R-PSP250 Business Manual R-PSP201 L XXX User Agreements R-PSGP112 M-H H M Consent is not obtained in all cases. Persons who make inquiries by telephone or by regular mail may not formally consent to having personal information stored in a repository, or may not understand that their contact information will be retained following satisfaction of their inquiry. Their consent may be viewed as implicit. PR22 R Safeguards (Existing and Recommended) Privacy SG# R L I Risk Scenario R#

Risk Scenario Analysis (5) Privacy Safeguard Item Recom-mended Business Liaison with ATIP : There should be a manager-level business line point of contact or points of contact with the ATIP office to ensure consistency of policy and practices, as well as integration of privacy policy and practices throughout the lifetime of the system. PSP 250

Recipe Recap: Get the right information at the right time Lifecycle Alignment and Integration: Set up your project to get privacy requirements and solutions at the right time Risk Analysis Process Integration: Align your privacy and security risk management processes PIA Analysis Improvement Formalize and harmonize privacy risk analysis with other risk analysis processes

Lifecycle Alignment and Integration:

Set up your project to get privacy requirements and solutions at the right time

Risk Analysis Process Integration:

Align your privacy and security risk management processes

PIA Analysis Improvement

Formalize and harmonize privacy risk analysis with other risk analysis processes

Questions? Thank you for your time.