SEC303 Assessing and Managing Privacy in the Enterprise JC Cannon Privacy Strategist.

Page 1

SEC303

Assessing and Managing Privacy in the Enterprise

JC Cannon

Privacy Strategist

Page 2

Agenda

Planning and assessing enterprise privacy

Managing WMP & Office privacy settings

Managing Internet-based Services in Windows Server 2003

Integrating P3P into your websites

Page 3

Privacy Framework

Push privacy features in PR & conferences

Content on ms.com and MSDN privacy sites

Interact with privacy leaders & analysts

Privacy training for all teams

Privacy analysis on features & components

Privacy settings linked to group policy

Turn off communications to the Internet

Turn privacy settings off

Protect access to data

Privacy deployment guidelines

Visible first-run experience

Privacy response team creation

PD3 + Communications

Privacy by Design

Privacy by Default

Privacy in Deployment

Communications

Page 4

Planning for Privacy

Build a team of privacy professionals

Provide privacy training for your entire company

Create a corporate privacy policy

Deploy the policy to each team in your company

Page 5

Planning for Privacy: Defining policy

Define policy

Ensure compliance

Audit deployments

Corporate Privacy Group

Marketing

HR

Support

Define processes

Deploy to all teams

Data handling

Application deployment

Partner relationships

Page 6

Document Data Usage: Things to look for

Is the data encrypted during collection, storage, and transfer

Is there physical and programmatic security for the data

Is a good auditing mechanism in place

How do users access their data

Is there a retention policy

Page 7

Document Data Usage

Consumers

Customer database

Marketing team

Partners

Web Server

Web Server

Collection

Storage

Sharing

Onward transfer

Legend

- Included in privacy statement

- Has a deletion policy

- Has security/ACLs

- Is encrypted

Page 8

Documenting Applications

Office

Online help: Disabled

CEI Program: Disabled

IRM: Enabled

Inventory all applications

Determine a policy for privacy settings

Use group policy where possible to enforce your policy

Page 9

Partner Relationships

Make sure that partners understand your privacy policies

Understand their privacy practices

Always have a signed agreement in place before exchanging data

Page 10

Office 2003: Internet/Privacy Based Features

Internet Help

Office Update

Information Rights Management

Document metadata

Spotlight feature updates links from the Internet

Document templates assist with protecting data

Page 11

Office 2003: Word Privacy settings

Page 12

Office 2003: Administrative Templates

ADM file Application

Office11.adm Shared Office11 components

Access11.adm Microsoft Access11

Excel11.adm Microsoft Excel11

Gal11.adm Clip Organizer

Instlr11.adm Windows Installer 2.0

Outlk11.adm Microsoft Outlook11

Ppt11.adm Microsoft PowerPoint11

Pub11.adm Microsoft Publisher11

Page 13

Office 2003: Information Rights Management

Works with Windows Server 2003 Rights Management Server

Protects documents from invalid access

Controls read, write, printing, and forwarding of documents

Can be used for legislation compliance

GLBA, HIPAA, and Patriot Act

Based on visible, embedded email address

Page 14

Office 2003: Information Rights Management

Reviewer

Author

Author registers document

Document goes to reviewer

Reviewer gets document rights

Rights Management Server

Page 15

Office 2003 - IRM: Permissions Dialogs

Page 16

Office 2003 - IRM: Some things can’t be avoided

Page 17

Controlling Office Privacy Settings

demo

Page 18

Windows Media Player 9: Overcoming Bad WMP 8 Practices

Forgot to disclose new features in WMP 8 privacy statement

Privacy expert announced, “MS can track the DVDs you watch.”

Privacy settings were missing or vague

Also, locally stored metadata lacked protection and access

Responses to privacy issues were not coordinated

Page 19

Windows Media Player 9: Install experience

Page 20

Windows Media Player 9: Privacy settings

Page 21

Controlling WMP9 Privacy Settings

demo

Page 22

Internet-Based Services: Benefits

Improve user experience

Maintain high level of security and reliability

Provide innovative features

Reduce piracy

Page 23

Internet-Based Services: Misunderstandings

No “backdoor” to obtain user data

Microsoft does not sell, rent, or lease customer data to other companies

Page 24

Internet-Based Services: List for Windows Server 2003

Activation and registration

Application Help

Certificate Support

Device Manager

Driver Protection

Dynamic Update

Event Viewer

File Association

Help and Support Center

HyperTerminal

Internet Explorer 6.0

Internet Information Services

Internet Protocol v6

NetMeeting

Online Device Help

Outlook Express 6.0

Plug and Play

Program Compatibility Wizard

Remote Assistance

Search Companion

Windows Error Reporting

Windows Media Player

Windows Time Service

Windows Update

Page 25

Windows Error Reporting Error Dialog

Page 26

Windows Error Reporting Settings

Page 27

Controlling Windows Error Reporting Privacy Settings

demo

Page 28

Windows Update Settings

Page 29

Controlling Windows Update Privacy Settings

demo

Page 30

Using Group Policy to Control Privacy Settings

demo

Page 31

Internet Explorer 6.0: Privacy Features

P3P based privacy functionality

Permits cookie management

Based on domain name

Based on cookie type

Based on level of desired privacy

Integrating P3P improves trust

Page 32

Internet Explorer 6.0: Privacy settings

Page 33

Building P3P Content

Policy Reference Page

HTML Policy Page

XML Policy Page

Compact Policy Definition

Page 34

Ask The Experts: Get Your Questions Answered

I will be available at the Windows Server 2003 until 2 July

Page 35

Community Resources

Community Resources: http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/

Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide. http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups: Meet and learn with your peers. http://www.microsoft.com/communities/usergroups/default.mspx

Page 36

Suggested Reading And Resources

The tools you need to put technology to work!

TITLE    Available

Microsoft® Windows® Security Resource Kit: 0-7356-1868-2    Today

Microsoft® Windows® Server 2003 Administrator's Companion: 0-7356-1367-2    Today

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

Writing Secure Code second edition    Today

Page 37

Using Windows in a Managed Environment: Location of White Papers

Windows XP SP1: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpmanaged/00_abstr.asp

Windows 2000 SP3: http://www.microsoft.com/technet/prodtechnol/windows2000pro/maintain/w2kmngd/00_abstr.asp

Windows Server 2003: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/security/ws03mngd/00_abstr.asp

Page 38

Other Resources

Internet Explorer Administration Kit: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpmanaged/00_abstr.asp

Deploying P3P on your website: http://msdn.microsoft.com/workshop/security/privacy/overview/createprivacypolicy.asp

Office 2003 Resource Kit: http://www.microsoft.com/office/ork/xp/journ/orkbeta.htm

Page 39

evaluations

Page 40

© 2003 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.