ITS 833 – INFORMATION GOVERNANCE
Chapter 11 – Information Governance
Privacy and Security Functions
University of the Cumberlands
Dr Isaac T. Gbenle
1
1
CHAPTER GOALS AND OBJECTIVES
2
Things To Know:
Sources of Threats to protection of data
Solution
s to threats to protection of data
Identify some privacy laws that apply to securing an organization’s data
What is meant by redaction
What are the limitations on perimeter security?
What is IAM?
What are the challenges of securing confidential e-documents?
What are the limitations on an repository-based approach to securing confidential e-documents?
Things to Know:
What are some solutions to securing confidential e-documents?
What is stream messaging?
How is a digital signature different from an electronic signature?
What is DLP Technology?
What are some basic DLP methods?
What are some of the limitations of DLP?
What is IRM?
What are some key characteristics or requirements for effective IRM?
What are some approaches to security data once it leaves the organization?
2
Who are the victims ?
Government
Corporations
Banks
Schools
Defense Contractors
Private Individuals
Cyberattack Proliferation
3
Who are the perpetrators?
Foreign Governments
Domestic and foreign businesses
Individual Hackers/Hacking societies
Insiders
3
INSIDER THREATS
4
Some malicious/some not malicious
Insider threats can be more costly than outside threats
Nearly 70% of employees have engaged in IP theft
Nearly 33% have taken customer contact information, databases and customer data
Most employees send e-documents to their personal email accounts
Nearly 60% of employees believe this is acceptable behavior
Thieves who are insiders feel they are somewhat entitled as partial ownership because they created the documents or data
58% say the would take data from their company if terminated and believe they could get away with it
4
SOLUTION?
Security – including document life cycle security
Risk Education
Employee Use Policy
IG Training and Education
Enforcement and Prosecution – Make an example!
Monitoring
5
5
PRIVACY LAW THAT MAY APPLY
Federal Wire Tapping Act
Prohibits the unauthorized interception and/or disclosure of wire, oral or electronic communications
Electronic Communications Privacy Act of 1986
Amended Federal Wire Tapping Act
Included specifics on email privacy
Stored Communications and Transactional Records Act
Part of ECPA
Sometimes can be used to protect email and other internal communications from discovery
Computer Fraud and Abuse Act
Crime to intentionally breach a “protected computer”
Used extensively in the banking industry for interstate commerce
Freedom of Information Act
Citizens ability to request government documents – sometimes redacted
6
6
LIMITATIONS ON SECURITY
“Traditional Security Techniques”
Perimeter Security
Firewalls
Passwords
Two-factor authentication
Identity verification
Limitations to traditional techniques
Limited effectiveness
Haphazard protections
Complexity.
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
ITS 833 – INFORMATION GOVERNANCEChapter 11 – Information Gov.docx
1. ITS 833 – INFORMATION GOVERNANCE
Chapter 11 – Information Governance
Privacy and Security Functions
University of the Cumberlands
Dr Isaac T. Gbenle
1
1
CHAPTER GOALS AND OBJECTIVES
2
Things To Know:
Sources of Threats to protection of data
Solution
s to threats to protection of data
Identify some privacy laws that apply to securing an
organization’s data
What is meant by redaction
What are the limitations on perimeter security?
What is IAM?
2. What are the challenges of securing confidential e-documents?
What are the limitations on an repository-based approach to
securing confidential e-documents?
Things to Know:
What are some solutions to securing confidential e-documents?
What is stream messaging?
How is a digital signature different from an electronic
signature?
What is DLP Technology?
What are some basic DLP methods?
What are some of the limitations of DLP?
What is IRM?
What are some key characteristics or requirements for effective
IRM?
What are some approaches to security data once it leaves the
organization?
2
Who are the victims ?
Government
Corporations
3. Banks
Schools
Defense Contractors
Private Individuals
Cyberattack Proliferation
3
Who are the perpetrators?
Foreign Governments
Domestic and foreign businesses
Individual Hackers/Hacking societies
Insiders
3
INSIDER THREATS
4
Some malicious/some not malicious
Insider threats can be more costly than outside threats
Nearly 70% of employees have engaged in IP theft
Nearly 33% have taken customer contact information, databases
and customer data
Most employees send e-documents to their personal email
4. accounts
Nearly 60% of employees believe this is acceptable behavior
Thieves who are insiders feel they are somewhat entitled as
partial ownership because they created the documents or data
58% say the would take data from their company if terminated
and believe they could get away with it
4
SOLUTION?
Security – including document life cycle security
Risk Education
Employee Use Policy
IG Training and Education
Enforcement and Prosecution – Make an example!
Monitoring
5
5. 5
PRIVACY LAW THAT MAY APPLY
Federal Wire Tapping Act
Prohibits the unauthorized interception and/or disclosure of
wire, oral or electronic communications
Electronic Communications Privacy Act of 1986
Amended Federal Wire Tapping Act
Included specifics on email privacy
Stored Communications and Transactional Records Act
Part of ECPA
Sometimes can be used to protect email and other internal
communications from discovery
Computer Fraud and Abuse Act
Crime to intentionally breach a “protected computer”
Used extensively in the banking industry for interstate
commerce
Freedom of Information Act
Citizens ability to request government documents – sometimes
redacted
6
6
6. LIMITATIONS ON SECURITY
“Traditional Security Techniques”
Perimeter Security
Firewalls
Passwords
Two-factor authentication
Identity verification
Limitations to traditional techniques
Limited effectiveness
Haphazard protections
Complexity
No direct protections
Security requires a change in thinking about security
Secure the document itself, in addition to traditional techniques
that secure “access” to the document
7
7
7. DEFENSE IN DEPTH TECHNIQUES TO SECURITY
Use Multiple Layers of Security Mechanisms
Firewall
Antivirus/antispyware software
Identity and Access Management (IAM)
Hierarchical passwords
Intrusion Detection
Biometric Verification
Physical Security
What is IAM?
Goal is to prevent unauthorized people from accessing a system
Effective IAM included:
Auditing
Constant updating
Evolving roles
Risk reduction
8
8
LIMITATIONS OF REPOSITORY-BASED APPROACHES TO
SECURITY
Traditionally, we have applied “repository-based” solutions
8. which have not been effective. We have document repositories
that reside in databases and email servers behind a firewall.
Once Intruder breaches firewall and is inside the network, they
can legitimately access data
Knowledge workers tend to keep a copy of the documents on
their desktop, tablet, etc.
We operate in an Extended Enterprise of mobile and global
computing comprising sensitive and confidential information
9
9
SOLUTION?
Better technology for better enforcement in the extended
enterprise
Basic security for the Microsoft Windows Office Desktop-
protection of e-documents through password protection for
Microsoft Office files
Good idea but passwords can’t be retrieved if lost
9. Consider that “deleted” files actually aren’t.
Wipe the drive clean and completely erased to ensure that
confidential information is completely removed
Lock Down: Stop all external access to confidential documents.
Take computer off network and block use to ports
Secure Printing
Use software to delay printing to network printers until ready to
retrieve print
Erase sensitive print files once they have been utilized
10
10
SOLUTION (contd)
E-mail encryption
Encryption of desktop folders and e-docs
10. Use Stream messages when appropriate
Use of Digital Signatures ---not the same thing as an electronic
signature
Use Data Loss Prevention (DLP) software to ensure that
sensitive data does not exit through the firewall
(Three techniques for DLP-Scanning traffic for keywords
or regular expressions, classifying documents and content based
upon predefined set, and tainting) This method has weaknesses!
IRM Software/ERM Software-provides security to e-documents
in any state (persistent security)
11
11
SOLUTION (Contd)
11. Device Control Methods –example blocking ports
Use of “thin clients”
Compliance requirements by different organizations
Hybrid Approach: Combining DLP and IRM technologies
12
12
More on IRM
Transparently – no user intervention required
Remote control of e-documents
Provides for file-level protection that travels with file even if
stolen
Includes cross-protection for different types of documents
Allows for creation and enforcement of policies governing
access and use of sensitive/confidential e-documents
Decentralized administration
12. Good IRM software provides useful audit trail
Integration with other enterprise systems
Provides embedded protection that allows the files to protect
themselves
Key Characteristics of IRM
Security
Transparency – can’t be more difficult to use than working with
unprotected documents
Easy to deploy and manage
13
13
SECURING DATA ONCE IT
LEAVES THE ORGANIZATION
REMEMBER – CONTROL DOES NOT REQUIRE
OWNERSHIP!
Consider new architecture where security is built into the DNA
of the network using 5 data security design patterns
Thin Client
Thin Device-remotely wipe them