Posted on 13-Jul-2020


Security Threat Risk Assessment: the final key piece of the PIA puzzle

Curtis Kore, Information Security Analyst

Angela Swan, Director, Information Security

2

Agenda

Introduction

Current issues

The value of assessment

Assessment stages and focus areas

Incorporating security assessment into the PIA

Processes and catch points

Q&A

3

Current Issues

The yes/no impact assessment

– Is the personal information adequately protected?

• Yes

• Yes, it is stored on a computer in an office with a locked door

• Yes, with a password that we all share

Trying to convey ‘reasonable security arrangements’ to Business Units and IT departments

Lack of systems understanding in PIA review

– Log files

– Instant messaging

4

Current Issues

Accountability for personal information protection

– Privacy

– Information Security

– Information Technology

– Business Unit

– Project Team

5

The value of security assessment

Gets to the facts of the proposed implementation or change

Provides a detailed analysis of the risks

Allows for consistent risk ranking and for consistent recommendations

Provides an opportunity for input from the Business Units and IT teams

Ideally, requires sign-off at a senior level

6

Get past creative wording and into the facts

“The system requires user authentication, access to unique software, authorization and the use of an SSL connection.”

7

Know what information actually matters

8

Understand the proposed system


9

Objectives of security assessment

Identify what needs to be protected

Assess the value to the organization

Identify the threats and vulnerabilities

Identify the impact that a security breach or failure would have

Identify the likelihood of a security breach or failure occurring

Assign a level of risk

10

Probability

Rare: The risk may only be realized in exceptional circumstances, with a less than 5% likelihood of occurrence.

Unlikely: The risk is not expected but it could occur at some time, with a 5% to 30% likelihood of occurrence.

Possible: The risk may occur at some time, with a 30% to 60% likelihood of occurrence.

Likely: The risk will probably occur in many circumstances, with a greater than 95% likelihood of occurrence.

Almost Certain: The risk is expected to occur in most circumstances, with a greater than 95% likelihood of occurrence.

Impact

Probability x Impact = Risk

Impact         Rare   Unlikely   Possible   Likely   Almost Certain
Minor            2        4          6         8           10
Moderate         3        6          9        12           15
Major            4        8         12        16           20
Catastrophic     5       10         15        20           25

Risk rating legend: Low, Medium, High, Critical
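The slide's matrix is a simple product, so it is easy to turn into a small scoring tool. The following is an added example (not code from the presentation or from BCLC) that rebuilds the Probability x Impact matrix from the slide's own multipliers, then goes one step further than the slide by re-scoring a risk after a recommended control is applied and checking the residual risk against a tolerance level. The rating bands (Low up to 5, Medium up to 10, High up to 15, Critical above) and the "Medium or lower is acceptable" tolerance are assumptions, since the slide lists the rating names but not the score boundaries; the sample risk is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Probability levels from the slide; the multiplier is the column position (1 to 5).
PROBABILITY = {
    "Rare": 1,            # less than 5% likelihood of occurrence
    "Unlikely": 2,        # 5% to 30%
    "Possible": 3,        # 30% to 60%
    "Likely": 4,          # stated on the slide as greater than 95%
    "Almost Certain": 5,  # greater than 95%
}

# Impact levels from the slide's matrix rows (the Minor row reads 2, 4, 6, 8, 10, so Minor = 2).
IMPACT = {"Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# ASSUMPTION: the slide names the ratings Low, Medium, High and Critical but gives no score
# bands; these upper bounds are illustrative and would be set by the organization's policy.
RATING_BANDS = [(5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical")]
RATING_ORDER = [label for _, label in RATING_BANDS]


def risk_score(probability: str, impact: str) -> int:
    """Probability x Impact = Risk, exactly as on the slide."""
    return PROBABILITY[probability] * IMPACT[impact]


def risk_rating(score: int) -> str:
    """Map a numeric score to a rating band (the bands are an assumption, see above)."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 5x5 matrix")


def risk_matrix() -> dict:
    """Rebuild the slide's matrix as {impact: {probability: score}} for inspection."""
    return {imp: {prob: risk_score(prob, imp) for prob in PROBABILITY} for imp in IMPACT}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str
    impact: str

    def score(self) -> int:
        return risk_score(self.probability, self.impact)

    def rating(self) -> str:
        return risk_rating(self.score())


def residual_risk(risk: Risk, new_probability: Optional[str] = None,
                  new_impact: Optional[str] = None) -> Risk:
    """Re-score a risk after a recommended control changes its probability and/or impact."""
    return Risk(risk.name, new_probability or risk.probability, new_impact or risk.impact)


def is_acceptable(risk: Risk, max_rating: str = "Medium") -> bool:
    """Residual risk is acceptable when its rating is at or below the tolerance level (assumed)."""
    return RATING_ORDER.index(risk.rating()) <= RATING_ORDER.index(max_rating)


if __name__ == "__main__":
    # Constructed example: a shared password on a file server holding personal information.
    inherent = Risk("Shared password on PI file server", "Likely", "Major")
    print(inherent.name, inherent.score(), inherent.rating())  # 16 Critical
    # Recommendation: unique accounts with two-factor authentication lowers the probability.
    residual = residual_risk(inherent, new_probability="Unlikely")
    print("residual", residual.score(), residual.rating(), is_acceptable(residual))  # 8 Medium True
```

Keeping the multipliers and bands in data rather than in code is what makes the ranking consistent from one assessment to the next, which is the point the "value of security assessment" slide makes about consistent risk ranking.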

11

The stages of security assessment

Scope

Data Collection

Analysis of Policies and Procedures

Threat Analysis

Vulnerability Analysis

Correlation and assessment of Risk Acceptability

12

Scope of assessment

Identify the boundaries of the system being assessed

Identify the components of the system and the layers that need to be reviewed

Understand that the assessment is a point in time and will need to be reviewed throughout the project and post-implementation

13

Applicable standards and legislation

BC’s Freedom of Information and Protection of Privacy Act

– Reasonable security

– Storage and access must be in Canada

• Some exceptions apply

Other standards and legislation may also apply

– Payment Card Industry – Data Security Standard

14

Architecture of the system and information flows

15

Identification of risks

Access Control

Network

Operating System

Database

Application

Business Continuity and Disaster Recovery

Physical Security

16

Access control

Authentication vs. Authorization

– Who you are

– What you can do

17

Factors of authentication

Something you know

Something you have

Something you are

Note that the same factor twice is not two-factor authentication.

18

Biometrics

Unique to an individual

Getting harder to spoof

Trade-off between false positives and false negatives

– 100% match is not a good thing

Security benefits need to be balanced with employee privacy

19

Role-based access control

What access the user needs to perform the assigned job duties… and nothing more

Requires a detailed understanding of business processes

Requires organizational roles to be defined

– As opposed to the old model – “just give the new guy the same access that Ted in Finance has”

Designed to avoid permission-creep

20

User context access control

Access control based on not only the role, but the specific activity that the user is performing

Robert Smith 428 Canada Way Burnaby BC 604-555-1212 DOB: 04/08/65 SIN: 123123123 Existing benefits
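The two slides above describe two layers: the role decides what a user may ever see, and the activity decides what the user needs right now. The following is an added example (not code from the presentation or from BCLC) that puts both layers over the sample record on the slide: a field is shown only if the current activity needs it and the role is permitted to see it, and everything else is masked. The roles, activities, and field-to-permission mapping are hypothetical; the "Existing benefits" value is constructed since the slide shows only the label. The last function flags permission creep by listing permissions a role holds that none of its activities actually requires.

```python
# Each field of the record maps to the permission needed to see it (constructed mapping).
FIELD_PERMISSION = {
    "name": "view_contact",
    "address": "view_contact",
    "phone": "view_contact",
    "dob": "view_identity",
    "sin": "view_sin",
    "existing_benefits": "view_benefits",
}

# Role-based layer: what each organizational role may see at all (hypothetical roles).
ROLE_PERMISSIONS = {
    "benefits_clerk": {"view_contact", "view_benefits"},
    "payroll_officer": {"view_contact", "view_identity", "view_sin"},
}

# User-context layer: the fields each specific activity actually requires (hypothetical).
ACTIVITY_FIELDS = {
    "benefits_enquiry": {"name", "existing_benefits"},
    "address_change": {"name", "address", "phone"},
    "tax_slip_reissue": {"name", "address", "sin"},
}

# The record shown on the slide; the benefits value is constructed.
RECORD = {
    "name": "Robert Smith",
    "address": "428 Canada Way Burnaby BC",
    "phone": "604-555-1212",
    "dob": "04/08/65",
    "sin": "123123123",
    "existing_benefits": "on file (constructed value)",
}

MASK = "***"


def visible_fields(role: str, activity: str) -> set:
    """Fields the user may see now: needed by the activity AND permitted by the role."""
    allowed = ROLE_PERMISSIONS[role]
    needed = ACTIVITY_FIELDS[activity]
    return {f for f in needed if FIELD_PERMISSION[f] in allowed}


def redact(record: dict, role: str, activity: str) -> dict:
    """Return a copy of the record with every field outside the current context masked."""
    show = visible_fields(role, activity)
    return {k: (v if k in show else MASK) for k, v in record.items()}


def unused_permissions(role: str, activities: list) -> set:
    """Permissions a role holds that none of its activities needs: permission creep."""
    needed = set()
    for act in activities:
        needed |= {FIELD_PERMISSION[f] for f in ACTIVITY_FIELDS[act]}
    return ROLE_PERMISSIONS[role] - needed


if __name__ == "__main__":
    # A payroll officer may see the SIN, but only when the activity calls for it.
    print(redact(RECORD, "payroll_officer", "address_change"))    # sin is masked
    print(redact(RECORD, "payroll_officer", "tax_slip_reissue"))  # sin is shown
    # A benefits clerk never sees the SIN, whatever the activity.
    print(redact(RECORD, "benefits_clerk", "tax_slip_reissue"))
    print(unused_permissions("payroll_officer", ["address_change", "tax_slip_reissue"]))
```

Note that the redaction happens on the record after the role check, so a user context rule can only narrow what the role allows, never widen it.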

21

Challenges with access control

Keeping current

– Employee moves

– Departmental changes

– New hires

– Terminations

Managing access across multiple systems

Managing access for vendors and business partners

22

Networks

Defense in depth

Security zones

Identify direction and types of traffic

Ensure personal information is encrypted when traversing security zones

23

Layered network defenses

24

Firewall

Border guard for networks or applications

– Assesses traffic based on rules and criteria

– Network, application or host based

– Performs network address translation (NAT)

25

Wireless

Common for contractor and mobile employee access in the Enterprise

Lower cost to implement than physical cabling

WEP and WPA1 encryption no longer acceptable for transmitting sensitive information

Technology and standards are rapidly changing: 802.11ac, 802.11w, WPA2, etc.

Security controls dependent on the application and use

26

Wireless

(Network diagram: Wireless, INTERNET)

27

Virtual private network (VPN)

A private network that communicates over a public network to connect users or sites to one another

Less expensive and more flexible than leased lines

Guarantees confidentiality and integrity of communications over the internet

(Network diagram: Head office, Remote office and Remote worker connected across the INTERNET)

28

Cloud Computing

As a service

– Software as a Service (SaaS)

– Platform as a Service (PaaS)

– Infrastructure as a Service (IaaS)

29

Cloud Computing Characteristics

Available on-demand

Network accessible

Pooled resources

Flexible scalability

Measured services

30

Considerations in the Cloud

Administrative access

– Service provider personnel

– Levels of access

– Access audits

– Internal access to logs

– Reporting of inappropriate access

Basic controls

– Password, two-factor, or...

– IP address restrictions

– Encryption in transit

– Encryption in storage

– Separation of client data
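The "administrative access" bullets (service provider personnel, levels of access, access audits, reporting of inappropriate access) are easiest to make concrete as a review run over the provider's access log. The following is an added example (not code from the presentation or from BCLC): it reads a constructed log of provider administrative access and reports events from accounts not on the agreed list, privileged access with no change ticket, and privileged access outside the ticket's approved window. The log format, account names, ticket numbers and change windows are all hypothetical.

```python
from datetime import datetime

# Constructed sample of a cloud provider's administrative-access log. The format is
# hypothetical: <ISO timestamp> <provider account> <access level> ticket=<change ticket|none>
SAMPLE_LOG = """\
2020-07-13T02:05:00 svc-admin-01 privileged ticket=CHG-1042
2020-07-13T09:30:00 svc-admin-01 privileged ticket=none
2020-07-13T10:15:00 svc-ops-07 read-only ticket=none
2020-07-13T23:50:00 contractor-x privileged ticket=CHG-1042
2020-07-14T03:10:00 svc-admin-02 privileged ticket=CHG-1042
"""

# Provider personnel the client has agreed may administer the service (constructed).
APPROVED_ACCOUNTS = {"svc-admin-01", "svc-admin-02", "svc-ops-07"}

# Approved change tickets and the window in which the related work was authorized (constructed).
CHANGE_WINDOWS = {
    "CHG-1042": (datetime(2020, 7, 13, 1, 0), datetime(2020, 7, 13, 4, 0)),
}


def parse_event(line: str) -> dict:
    """Split one log line into its fields; 'ticket=none' becomes None."""
    ts, account, level, ticket = line.split()
    ticket_id = ticket.split("=", 1)[1]
    return {
        "time": datetime.fromisoformat(ts),
        "account": account,
        "level": level,
        "ticket": None if ticket_id == "none" else ticket_id,
    }


def review_event(event: dict) -> list:
    """Return the reasons an event should be reported; an empty list means it looks routine."""
    reasons = []
    if event["account"] not in APPROVED_ACCOUNTS:
        reasons.append("unapproved provider account")
    # Read-only access is tolerated without a ticket; privileged access must be tied to one.
    if event["level"] == "privileged":
        if event["ticket"] is None:
            reasons.append("privileged access without a change ticket")
        elif event["ticket"] not in CHANGE_WINDOWS:
            reasons.append("unknown change ticket")
        else:
            start, end = CHANGE_WINDOWS[event["ticket"]]
            if not start <= event["time"] <= end:
                reasons.append("access outside the ticket's approved change window")
    return reasons


def review_access(log_text: str) -> list:
    """Run the review over every line and keep only the events that need follow-up."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = review_event(event)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f["time"].isoformat(), f["account"], "; ".join(f["reasons"]))
```

A review like this only works if the contract gives the client internal access to the provider's logs and a current list of approved personnel, which is why those two items sit beside "access audits" on the slide.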

31

Servers

Encryption

Patching and patch management

Security configuration

Auditing and logging configuration

Anti-Virus

Vulnerability scan or penetration test

32

Databases

Require strong authentication

Encrypt and restrict client connections

Maintain patching

Secure zone or firewalled

Change management

Auditing and monitoring

33

BCP/DRP

May be outsourced or 3rd party handling your PI

Encryption still required

Review backup and restore procedures

Patching and patch management

Server configuration

Security controls

34

Physical Security

35

Security testing

Performed internally or by an independent third party

– Internal for low-sensitivity systems or those that do not require third-party attestation

– Be aware of allowing teams to test the systems that they have configured or developed

Vulnerability scanning versus penetration testing

Check references for testing companies

36

Recommendations

How to fix issues found

Demonstrate an understanding of the business and operational requirements

Be reasonable

– Timeframes

– Requirements commensurate to the risk

Discuss with the business unit to be sure they understand the risks and the reasoning behind the recommendations

37

Business Response

What recommendations will be implemented and by what date

What, if any, recommendations will not be implemented and why not

38

Residual Risks

After the recommendations are implemented, what, if any, risks will remain

Are the residual risks acceptable, or is further mitigation necessary

39

Acknowledgement and acceptance

Business sign-off on the assessment

Acknowledgement of the work performed

Confirmation that the risks are understood

Acceptance of risks that will not be mitigated

Acceptance of residual risks

Verification that the agreed upon recommendations will be implemented

40

Approval to proceed

Go / no-go from Privacy and Information Security

Almost always a ‘Go’

In the case of a ‘No-go’ decision, must have justification and will likely be escalated to top management

41


Bringing security assessment into the PIA process

PIA assessment of ‘reasonable security’ is no longer a short set of questions

The Information Security Assessment (ISA) is a required part of all PIAs

Conversely, the ISA asks if FIPPA applies so that a security review adequately accounts for Personal Information stored within the system

PIAs and ISAs are signed by the Business Owner and the Director of Information Privacy and Security

43

Bringing technology, privacy and security together

In April of 2013, the Privacy team and the Information Security team amalgamated

– Information Security benefits from greater knowledge and understanding of Privacy legislation

– Privacy benefits from greater technical knowledge and understanding of how systems operate and communicate

44

Processes and catch points

Privacy – an assessment is required for all new systems to determine if a PIA is necessary – even when it is not, Information Security is advised of the new system

Information Security – all system changes require an information security assessment prior to implementation – Privacy is advised if Personal Information is impacted in any way

Purchasing – catches new systems and services and informs Privacy and Information Security

45

Curtis Kore

Information Security Analyst

BCLC (250) 852-5256

Angela Swan

Director, Information Privacy & Security

BCLC (250) 828-5615

The end…