Protecting the Privacy of Investors: An Overview of the Regulatory Framework & Tips on Avoiding Threats
May 28, 2015
Malcolm Townsend, IT Research Analyst

Overview
• Background
• Trends
• Threat landscape
• Privacy regulatory framework
• Tips on avoiding threats
Background
• Privacy breaches often have a technological component
• Examples include websites, e-commerce, applications, lost/stolen mobile devices, unencrypted portable devices, unpatched systems

Current Trends (Verizon Data Breach Report)
• Stolen credentials are the number 1 attack vector
• “23% of recipients now open phishing messages and 11% click on attachments”
• Breach detection takes too long
• Vulnerabilities are not being patched
• Most malware is unique
Threats – Causes & Contribution to Breaches

Mandate and Mission
• The mandate of the Office of the Privacy Commissioner of Canada (OPC) is overseeing compliance with both the
  1. Privacy Act, which covers the personal information-handling practices of federal government departments and agencies
  2. Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law
• The mission of the Office of the Privacy Commissioner of Canada (OPC) is to protect and promote the privacy rights of individuals.
Ten PIPEDA Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure, and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Enterprise Safeguards
Governance
• Portfolio managers, CPO, DSO, CISO, CIO, BCP coordinator working together to achieve the organization’s objectives
Privacy and Security Awareness Training
• Ensure employees understand their roles and responsibilities
Active compliance program
• Policies and procedures
Risk assessment
• New applications, services, significant changes to existing applications and legacy systems
• Organizational changes
Operational Safeguards
PREVENTATIVE TOOLS
• Examples include firewalls, anti-virus, intrusion detection and prevention systems (IDPS)
PRIVACY & SECURITY CONTROLS
• Proactive logging of systems, encryption, vulnerability assessments, penetration testing, physical security, data minimization
CHECKPOINTS
• Internal to the Software Development Lifecycle (SDLC)
MINIMUM PERMISSIONS and SEGREGATION OF DUTIES
• Sensitive information
• Based on roles and responsibilities
CHANGE, RELEASE and PATCH MANAGEMENT

Key factors that should alert organizations of greater risk of a breach
Universal
• Organizations in the same sectors where breaches have been reported
• Vulnerabilities that are being exploited in software packages, applications or tools used by the organization, reported in the news
Organizational
• Sudden changes in reported scanning/logging
• People as a threat vector
• Mergers and acquisitions
• Sudden staff turnover
• Planned layoffs
• Boom economy
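Of the organizational risk factors listed above, "sudden changes in reported scanning/logging" is the one a security team can check mechanically against its own logs. The following is an added example, not material from the OPC deck: it parses a handful of constructed firewall log lines (the addresses, ports and timestamps are made up for illustration), flags any source that sweeps many distinct ports within an hour, and compares each hour's log volume against the median of the other hours so that both a spike and a sudden drop (the usual footprint of a log source that was switched off) are reported. The log format, field names and thresholds are assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed firewall log lines in the form "<ISO time> <src> <dst>:<port> <action>".
# Hours 00-03 are a quiet baseline, hour 04 adds a port sweep from 10.0.0.9 (an
# assumed attacker address), and hour 05 has no lines at all, standing in for a
# host whose logging was switched off. None of this is real traffic.
SAMPLE_LOGS = []
for _hour in range(5):
    SAMPLE_LOGS += [
        f"2015-05-28T{_hour:02d}:05 10.0.0.5 192.168.1.10:443 ALLOW",
        f"2015-05-28T{_hour:02d}:17 10.0.0.6 192.168.1.10:80 ALLOW",
        f"2015-05-28T{_hour:02d}:31 10.0.0.5 192.168.1.10:443 ALLOW",
        f"2015-05-28T{_hour:02d}:48 10.0.0.7 192.168.1.20:22 DENY",
    ]
SAMPLE_LOGS += [
    f"2015-05-28T04:{m:02d} 10.0.0.9 192.168.1.20:{p} DENY"
    for m, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])
]

# Assumed log format; a real deployment would parse its own firewall's format.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2} (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_logs(lines):
    """Parse log lines into dicts with hour, src, dst, port and action.
    Lines that do not match the expected format are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"hour": int(m["hour"]), "src": m["src"], "dst": m["dst"],
                       "port": int(m["port"]), "action": m["action"]})
    return events


def port_scan_suspects(events, min_ports=10):
    """Sources that touched at least min_ports distinct destination ports within
    one hour. Returns [(hour, src, distinct_port_count)] sorted by hour, then source."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["hour"], e["src"])].add(e["port"])
    return sorted((h, s, len(p)) for (h, s), p in ports.items() if len(p) >= min_ports)


def log_volume_anomalies(events, hours, factor=3.0):
    """Flag hours whose event count is more than `factor` times, or less than
    1/`factor` of, the median count of the other hours (leave-one-out baseline).
    A spike is the usual scan/attack signal; a drop matters just as much, since
    that is what a disabled log source or a full disk looks like.
    Returns [(hour, count, baseline, 'spike' | 'drop')]."""
    counts = defaultdict(int)
    for e in events:
        counts[e["hour"]] += 1
    findings = []
    for h in hours:
        others = [counts[o] for o in hours if o != h]
        if not others:
            continue
        baseline = statistics.median(others)
        count = counts[h]
        if baseline == 0:
            # Nothing to compare against; any traffic at all is a change.
            if count > 0:
                findings.append((h, count, baseline, "spike"))
            continue
        if count > factor * baseline:
            findings.append((h, count, baseline, "spike"))
        elif count < baseline / factor:
            findings.append((h, count, baseline, "drop"))
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("scan suspects:", port_scan_suspects(evs))
    print("volume anomalies:", log_volume_anomalies(evs, range(6)))
```

The leave-one-out median is deliberately simple: with only a few hours of history a single noisy hour would skew a mean, and the drop case (hour 05 has zero lines) is exactly the one a "no alerts fired" dashboard hides, so the check is run over the expected hours rather than over the hours that happen to appear in the log.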
How to Prepare For a Privacy Breach
• You need a Breach Response Plan
• Think about your team (insource or outsource) and its leader
• Train your staff
• Review data retention & destruction policies
• Review security policies
• Know the law

In Summary
• Understand the implications of laws, regulations & policy instruments as they apply to your organization
• Ensure privacy and security controls are in place throughout system life cycle management
• Comply with organizational policies and procedures
• Ensure your controls meet your organizational objectives
• Prepare yourself for a breach
OPC Resources:
• Privacy Toolkit: A Guide for Businesses and Organizations
• Getting Accountability Right with a Privacy Management Program
• Ten Tips for Reducing the Likelihood of a Data Breach
• Key Steps for Organizations Responding to a Privacy Breach
• Securing Personal Information: A Self-Assessment Tool for Organizations
www.priv.gc.ca
@privacyprivee
1-800-282-1376