Monday, May 18, 2015

Records security and information privacy

Content security
  • Provision for the protection against intentional destruction, disclosure, modification, or breach of confidentiality of information
  • Based on the principle that people have the right to decide what personal information they wish to divulge, to whom, and for what purpose. People have the right to expect that the information will be kept private and used only for the purposes for which it was obtained.
  • Growing proliferation of electronic databases containing personal information
    • Government: health, income tax, census, military, etc.
    • Private sector: credit cards, affinity cards, etc.
  • Information highway: integrated computer, communication, and cable/satellite TV networks
  • Need to balance need for access with protection from unauthorized users
Canadian privacy legislation
Access to Information Act
  • Access to Information and Privacy Homepage
    https://www.tbs-sct.gc.ca/atip-aiprp/index-eng.asp
  • In order to help requestors find government records and determine where to send their requests, the Access to Information Act and the Privacy Act require each government institution subject to the two Acts to describe the nature of their records in Infosource http://infosource.gc.ca
PIPEDA
  • Personal Information Protection and Electronic Documents Act
  • All Canadian Provinces were to pass like legislation by January 1, 2004 or fall under the Federal Legislation
  • Electronic and paper documents are equivalent
Manitoba Privacy Legislation
Voluntary Organizational Protection
  • Voluntary programs by businesses are emerging in the private sector
    • Altruistic motives
    • Voluntary compliance to head off legislated compliance
    • Self-protection from lawsuits for breach of confidentiality and invasion of privacy
  • Voluntary Privacy Codes http://web.archive.org/web/20100211204326/http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca01361.html
  • The following Associations are examples of Canadian organizations which have developed important voluntary codes dealing with privacy:
    • Canadian Association of Internet Providers
    • Canadian Bankers Association
    • Canadian Marketing Association
    • Canadian Medical Association
    • Insurance Bureau of Canada
Security management
  • Establish objectives
  • Define responsibilities
  • Assess risk
  • Establish security policies and procedures
  • Audit, monitor, and evaluate security management
Area and facility access
  • Security measures vary from organization to organization
  • System of controlled access must be established to maintain safeguards against unauthorized invasion of equipment and records
  • Primary criterion for entrance: admit only those whose work requires access
Types of access controls
  • Keys
    • Easily duplicated and lost
    • Anyone can use
    • Lock itself vulnerable
  • Electric, electronic, or mechanical entry (keypad systems)
    • People forget the code or record it where others may find it and use it
    • Combination can be shared easily
    • Vulnerable to electronic lock picking
  • Plastic cards with coded strips
    • Card can be lost (should carry no ID which allows finder to know what it unlocks)
    • More difficult to duplicate
  • Biometric and physical attributes
    • Match individual characteristics electronically
    • Biometric devices: fingerprints, voice, chromosomes in strand of hair, retinal eye patterns
  • Combination systems
Audit trails
  • Ability to record an audit trail of all access attempts can be built into many of the area and facility access systems
  • Printouts showing who has had access, date and time of entry, unauthorized entry attempts, etc.
    • Useful in monitoring access system
Equipment access
  • Procedures for controlling theft and unauthorized access must be provided
    • Keep current inventory including date of purchase, serial no., cost
    • Tag with ID no. both inside and out
    • If employees can borrow equipment, have a sign-out system with due dates for return
    • Supervise and monitor equipment use during breaks, lunch, after hours
    • Train building security guard to check for computer equipment, etc.
  • Need to balance security with employee privacy rights
Security devices
  • Cables
  • Locking cabinets
  • Computer alarms
  • Anchoring pads
Paper document access
  • Desirable to have central source with one person responsible for compliance with company guidelines
  • Guidelines to be written, disseminated and enforced
Typical procedures
  • Review of personal record
    • 2 pieces of ID, completion of authorization form
  • Copy of personal record
    • 2 pieces of ID, completion of authorization form, plus signature for receipt of copy
  • Company employee
    • Signature on receipt for copy, or signature on a log identifying record logged out
  • Request by mail
    • Verify legitimacy; obtain written permission for release when necessary
  • Highly confidential records
    • Check requestor’s name against “authorized to see” list
  • All other requests
    • Records manager or designee must grant authorization on case-by-case basis
    • Signature on log or request form
Electronic files access
  • The bigger you get and the more private information that you maintain online, the more of a target you become to hackers. Hackers may be after your private information, but they may also be after the notoriety that comes with cracking your site.
  • Security breaches can be caused by problems with the technological systems that you use, but they can also be caused by negligent staff
Security measures
  • Firewalls
    • hardware and/or software that controls information entering your computer system or network
  • Intrusion detection software
    • detects unauthorized intrusions into your computer systems
  • Encryption
    • a security method that transforms information into random streams of bits to create a secret code. There is software-based encryption such as Public Key Infrastructure (PKI) and Secure Sockets Layer (SSL). Hardware-based encryption, such as smart cards, is another type of encryption.
  • PKI
    • the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet.
  • SSL
    • a program layer created by Netscape for managing the security of message transmissions in a network
  • Smart card
    • a plastic card resembling a credit card that contains a computer chip, which enables the holder to perform various operations, including limiting access to individual computers to legitimate users
Nonremovable media security
  • To prevent access to data stored on hard disks, access to the equipment must be controlled
    • Assigned numeric code for each person, a password or combination of the two
Removable media security
  • Key and lock for disks
  • Deny access to employees who resign, then immediately change access codes
  • Encrypt (scramble) sensitive and confidential files
  • Mutilate or erase disks before disposal
  • Turn off modems when not in use
  • Turn off computers when not in use so unauthorized users cannot access files
Virus protection
  • Use and update antivirus software
  • For further information on computer security see: 
