Security Threat Risk Assessment: A key piece of the …...for transmitting sensitive information...

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Curtis Kore, Information Security Analyst

Angela Swan, Director, Information Security


Agenda

Introduction

Current issues

The value of assessment

Assessment stages and focus areas

Incorporating security assessment into the PIA

Processes and catch points

Q&A


Current Issues

The yes/no impact assessment

– Is the personal information adequately protected?

• Yes

• Yes, it is stored on a computer in an office with a locked door

• Yes, with a password that we all share

Trying to convey ‘reasonable security arrangements’ to Business Units and IT departments

Lack of systems understanding in PIA review

– Log files

– Instant messaging


Current Issues

Accountability for personal information protection

– Privacy

– Information Security

– Information Technology

– Business Unit

– Project Team


The value of security assessment

Gets to the facts of the proposed implementation or change

Provides a detailed analysis of the risks

Allows for consistent risk ranking and for consistent recommendations

Provides an opportunity for input from the Business Units and IT teams

Ideally, requires sign-off at a senior level


Get past creative wording and into the facts

“The system requires user authentication, access to unique software, authorization and the use of an SSL connection.”


Know what information actually matters


Understand the proposed system


Objectives of security assessment

Identify what needs to be protected

Assess the value to the organization

Identify the threats and vulnerabilities

Identify the impact that a security breach or failure would have

Identify the likelihood of a security breach or failure occurring

Assign a level of risk


Probability x Impact = Risk

Probability

– Rare: The risk may only be realized in exceptional circumstances with a less than 5% likelihood of occurrence

– Unlikely: The risk is not expected but it could occur at some time with a 5% to 30% likelihood of occurrence

– Possible: The risk may occur at some time with a 30% to 60% likelihood of occurrence

– Likely: The risk will probably occur in many circumstances with a greater than 95% likelihood of occurrence

– Almost Certain: The risk is expected to occur in most circumstances with a greater than 95% likelihood of occurrence

Impact          Rare   Unlikely   Possible   Likely   Almost Certain
Minor            2        4          6         8           10
Moderate         3        6          9        12           15
Major            4        8         12        16           20
Catastrophic     5       10         15        20           25

Risk levels: Low, Medium, High, Critical


The stages of security assessment

Scope

Data Collection

Analysis of Policies and Procedures

Threat Analysis

Vulnerability Analysis

Correlation and assessment of Risk Acceptability


Scope of assessment

Identify the boundaries of the system being assessed

Identify the components of the system and the layers that need to be reviewed

Understand that the assessment is a point in time and will need to be reviewed throughout the project and post-implementation


Applicable standards and legislation

BC’s Freedom of Information and Protection of Privacy Act

– Reasonable security

– Storage and access must be in Canada

• Some exceptions apply

Other standards and legislation may also apply

– Payment Card Industry – Data Security Standard


Architecture of the system and information flows


Identification of risks

Access Control

Network

Operating System

Database

Application

Business Continuity and Disaster Recovery

Physical Security


Access control

Authentication vs. Authorization

– Who you are

– What you can do


Factors of authentication

Something you know

Something you have

Something you are

Note that the same factor twice is not two-factor authentication.


Biometrics

Unique to an individual

Getting harder to spoof

Trade-off between false positives and false negatives

– 100% match is not a good thing

Security benefits need to be balanced with employee privacy


Role-based access control

What access the user needs to perform the assigned job duties… and nothing more

Requires a detailed understanding of business processes

Requires organizational roles to be defined

– As opposed to the old model – “just give the new guy the same access that Ted in Finance has”

Designed to avoid permission-creep


User context access control

Access control based on not only the role, but the specific activity that the user is performing

Robert Smith 428 Canada Way Burnaby BC 604-555-1212 DOB: 04/08/65 SIN: 123123123 Existing benefits
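
Added example (not part of the original presentation): a sketch contrasting what a role-only rule exposes with what a role-plus-activity rule releases, using a record constructed from the sample above. The role names, activity names and policy table are hypothetical.

```python
# Added example: role-only vs. role-plus-activity ("user context") access.
# Roles, activities and the policy table are hypothetical; the record is
# constructed from the sample shown on the slide.
RECORD = {
    "name": "Robert Smith",
    "address": "428 Canada Way Burnaby BC",
    "phone": "604-555-1212",
    "dob": "04/08/65",
    "sin": "123123123",
    "benefits": "Existing benefits",
}

# (role, activity) -> fields that may be released for that activity.
POLICY = {
    ("benefits_clerk", "verify_identity"): {"name", "dob", "sin"},
    ("benefits_clerk", "update_contact"): {"name", "address", "phone"},
    ("benefits_clerk", "review_benefits"): {"name", "benefits"},
    ("help_desk", "verify_identity"): {"name", "dob"},
}

AUDIT_LOG = []  # every decision is recorded, including denials


def role_only_fields(role):
    """Fields a purely role-based rule would expose: the union over all
    of the role's activities, regardless of what the user is doing."""
    fields = set()
    for (r, _activity), allowed in POLICY.items():
        if r == role:
            fields |= allowed
    return fields


def view_record(record, role, activity):
    """Release only the fields needed for this role AND activity.
    Unknown combinations are denied by default."""
    allowed = POLICY.get((role, activity))
    AUDIT_LOG.append((role, activity, "allow" if allowed else "deny"))
    if not allowed:
        raise PermissionError(f"{role} may not perform {activity}")
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    print("role only:", sorted(role_only_fields("benefits_clerk")))
    print("in context:", view_record(RECORD, "benefits_clerk", "update_contact"))
    try:
        view_record(RECORD, "help_desk", "review_benefits")
    except PermissionError as exc:
        print("denied:", exc)
```

With the role-only rule the clerk can read every field at all times; with the context rule the SIN is released only while verifying identity, and each decision lands in the audit log.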


Challenges with access control

Keeping current

– Employee moves

– Departmental changes

– New hires

– Terminations

Managing access across multiple systems

Managing access for vendors and business partners


Networks

Defense in depth

Security zones

Identify direction and types of traffic

Ensure personal information is encrypted when traversing security zones


Layered network defenses


Firewall

Border guard for networks or applications

– Assesses traffic based on rules and criteria

– Network, application or host based

– Performs network address translation (NAT)


Wireless

Common for contractor and mobile employee access in the Enterprise

Lower cost to implement than physical cabling

WEP and WPA1 encryption no longer acceptable for transmitting sensitive information

Technology and standards are rapidly changing: 802.11ac, 802.11w, WPA2, etc.

Security controls dependent on the application and use


Wireless

[Diagram label: INTERNET]


Virtual private network (VPN)

A private network that communicates over a public network to connect users or sites to one another

Less expensive and more flexible than leased lines

Guarantees confidentiality and integrity of communications over the internet

[Diagram labels: INTERNET, Head office, Remote worker, Remote office]


Cloud Computing

As a service

– Software as a Service (SaaS)

– Platform as a Service (PaaS)

– Infrastructure as a Service (IaaS)


Cloud Computing Characteristics

Available on-demand

Network accessible

Pooled resources

Flexible scalability

Measured services


Considerations in the Cloud

Administrative access

– Service provider personnel

– Levels of access

– Access audits

– Internal access to logs

– Reporting of inappropriate access

Basic controls

– Password, two-factor, or...

– IP address restrictions

– Encryption in transit

– Encryption in storage

– Separation of client data


Servers

Encryption

Patching and patch management

Security configuration

Auditing and logging configuration

Anti-Virus

Vulnerability scan or penetration test


Databases

Require strong authentication

Encrypt and restrict client connections

Maintain patching

Secure zone or firewalled

Change management

Auditing and monitoring


BCP/DRP

May be outsourced or 3rd party handling your PI

Encryption still required

Review backup and restore procedures

Patching and patch management

Server configuration

Security controls


Physical Security


Security testing

Performed internally or by an independent third party

– Internal for low-sensitivity systems or those that do not require third-party attestation

– Be aware of allowing teams to test the systems that they have configured or developed

Vulnerability scanning versus penetration testing

Check references for testing companies


Recommendations

How to fix issues found

Demonstrate an understanding of the business and operational requirements

Be reasonable

– Timeframes

– Requirements commensurate to the risk

Discuss with the business unit to be sure they understand the risks and the reasoning behind the recommendations


Business Response

What recommendations will be implemented and by what date

What, if any, recommendations will not be implemented and why not


Residual Risks

After the recommendations are implemented, what if any risks will remain

Are the residual risks acceptable or is further mitigation necessary


Acknowledgement and acceptance

Business sign-off on the assessment

Acknowledgement of the work performed

Confirmation that the risks are understood

Acceptance of risks that will not be mitigated

Acceptance of residual risks

Verification that the agreed upon recommendations will be implemented


Approval to proceed

Go / no-go from Privacy and Information Security

Almost always a ‘Go’

In the case of a ‘No-go’ decision, must have justification and will likely be escalated to top management


Bringing security assessment into the PIA process

PIA assessment of ‘reasonable security’ is no longer a short set of questions

The Information Security Assessment (ISA) is a required part of all PIAs

Conversely, the ISA asks if FIPPA applies so that a security review adequately accounts for Personal Information stored within the system

PIAs and ISAs are signed by the Business Owner and the Director of Information Privacy and Security


Bringing technology, privacy and security together

In April of 2013, the Privacy team and the Information Security team amalgamated

– Information Security benefits from greater knowledge and understanding of Privacy legislation

– Privacy benefits from greater technical knowledge and understanding of how systems operate and communicate


Processes and catch points

Privacy – an assessment is required for all new systems to determine if a PIA is necessary – even when it is not, Information Security is advised of the new system

Information Security – all system changes require an information security assessment prior to implementation – Privacy is advised if Personal Information is impacted in any way

Purchasing – catches new systems and services and informs Privacy and Information Security


Curtis Kore

Information Security Analyst

BCLC (250) 852-5256

Angela Swan

Director, Information Privacy & Security

BCLC (250) 828-5615

The end…