16 th Karnataka IS Audit Conference. PII Risk Management. Srinivasan S K CISA, CISM, President, SKS Consulting

Transcription

1 16 th Karnataka IS Audit Conference PII Risk Management 20 th July 2013 Srinivasan S K CISA, CISM, President, SKS Consulting 1

2 In Theory, Theory and Practice are the same In Practice They Are Not Lawrence Peter Yogi Berra 2

3 Agenda 1. The News Makers 2. PII - The Definition 3. Privacy & PII 4. Privacy Framework Principles 5. PII Risk Management The Approach 6. Managing PII Risks A Few Pointers 7. PII Safeguards 3 3

4 The News Makers Public Vs Private 4

5 Personally Identifiable Information - Defined Information in electronic or any other form, that can be used: Directly to uniquely identify, contact or locate an individual With other sources to uniquely identify, contact or locate an individual / single person What constitutes both PII and other sources may vary between different jurisdictions. PII generally includes either in itself or in combination full name; date of birth; social insurance (or social security) number; tax identification number; and credit or debit card numbers. Other country specific PII components may include medical health records, marital status, religion, personal financial data, photographic image, ethnicity/race, school records and biometric prints. The PII custodian is responsible for compliance with jurisdictional legal and regulatory requirements (both domestic and international). 5 5

6 Privacy & PII An understanding of Privacy a pre-requisite to effectively manage PII. Privacy - a much broader term; protecting PII confidentiality just one aspect of it. A comprehensive privacy program should address: the range of privacy issues (including PII) that an enterprise may be subjected to starts with establishing policies and procedures that address all of the Privacy Principles Privacy Principles - framework for most modern privacy laws around the world. (notifying individuals as regards information collection, indicating how personal information will be used and protected, measures to adopted for providing individuals with privacy protections and transparency.) Merely establishing Privacy Principles may not significantly impact protecting the confidentiality of personal information. Fair Information Practices that establish appropriate security safeguards, specify clearly defined objectives, limit usage of PII, collection limitation, and accountability are directly relevant to the protection of the confidentiality of PII. 6 6

7 Privacy Framework Principles Preventing Harm recognize interests of every individual to legitimate expectations of privacy. Notice provide clear and easily accessible statements about enterprise practices and policies with respect to personal information (Personal information controllers responsibility). Collection Limitation the collection of personal information should be: limited to information that is relevant to the purposes of collection; such information should be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the individual concerned. Uses of Personal Information should be used only to fulfil the purposes of the collection and other compatible related purposes, except with the consent of the individual, when necessary to provide a product or service requested by the individual, or by authority of law. Choice where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. Data Quality / Integrity of Personal Information Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. Purpose Specification The purpose(s) for which personal data are collected should be specified earlier or at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. 7

8 Privacy Framework Principles. Usage Limitation Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law. Security Safeguards Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information, and the context in which it is held, and they should be subject to periodic review and reassessment. Transparency / Openness There should be a general policy of openness about developments, practices and policies i with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. Individual Participation the individual should have the right to: Seek and obtain confirmation of whether or not the Enterprise has data relating to the individual; have communicated to the person, data relating to the person within a reasonable time, at a charge, if any, which is reasonable and in a form that is readily intelligible to the person; and be given reasons if a request is made for his PII but it is denied and, to be able to challenge such denial; and challenge data relating to oneself and, if the challenge is successful, to have the data erased, rectified, completed, or amended. d Accountability a personal information controller should be accountable for complying with measures that give effect to the principles stated above. 8

9 PII Risk Management Approach But where exactly does it fit under the Enterprise Architecture? 9

10 Managing the PII Risk A Few Pointers Identify all PII residing in the organizational environment. Minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission. Review current holdings of PII and ensure they are accurate, relevant, timely, and complete; Reduce PII holdings to the minimum necessary for proper performance of agency functions; Develop a schedule for periodic review of PII holdings; and Establish a plan to eliminate the unnecessary collection and use of social security numbers (Aadhar). Categorize e all PII by its confidentiality ty impact levels. e The ease with which PII can be used to identify specific individuals. For example, an Aadhar uniquely and directly identifies an individual, but a telephone area code at best can identify only a group of people in an area. Apply the appropriate p safeguards for PII based on the PII confidentiality impact levels. Develop an incident response plan to handle breaches involving PII. Encourage close coordination among chief privacy officers, senior agency officials for privacy, chief information officers, chief information security officers, and legal counsel when addressing issues related to PII. Perform periodic compliance audits 10

11 PII Safeguards Develop comprehensive policies and procedures for protecting the confidentiality of PII. Ensure that all individuals in the organisation receive appropriate training before being granted access to systems containing PII to minimise impact of inappropriate access to, and use of PII. De-personalise records by removing sufficient personal information so that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. De-personalised records can be used, for instance for statistical analysis instead of the full PII. Control access to PII through access control policies and procedures (e.g access control lists). Prohibit or strictly limit access to PII from portable and mobile devices, which are generally have a higherrisk potential than non-portable devices, such as desktop computers in the office. Protect the confidentiality of transmitted PII. Monitor events that affect the confidentiality of PII, such as inappropriate access to PII, discussions/feedbacks on the official face book page. Develop an incident response plan to handle breaches involving PII. Last but not least, encourage close coordination among chief privacy officers, senior executives for privacy, CIOs, CISOs, and law officers counsel while addressing issues related to PII. 11

12 PII Risk Management QUESTIONS? Srinivasan S K, CISA, CISM President SKS Consulting srini@sksconsulting.biz