Information Security and Privacy - Public Sector actions, policies and regulations on information...

INFORMATION SECURITY & PRIVACY

Public Sector actions, policies and regulations on information and security.

E. Rey Garcia, MPA Candidate

The University of Texas Rio Grande Valley (UTRGV)

PAFF 6315: Management of Government Information Systems

Fall 2015, Module One

Lecturer: John Milford

October 11, 2015


OUTLINE

• Outline

• Public Sector Information

• Information Security

• Information Privacy

• Policy Instruments

• Policy Legalities & Regulations

• Environmental Security Challenges

• IT Security Issues

• Employee Security

• Threat & Controls

• Cybercrime

• Cybersecurity

• Concluding Recommendations

• References

Information Security & Privacy - E. Rey Garcia, MPA Candidate


PUBLIC SECTOR INFORMATION

Both security and privacy play an intricate role in the public sector. All public information must conform to the following four criteria:

1. Availability: Must be available at all times, to avoid social and economic disruptions.

2. Confidentiality: Must be guaranteed at a high level of security at all times.

3. Privacy: Must be uncompromisable when combining government data.

4. Integrity: Must be maintained across all data, programs, and agencies (Reddick, C., 2012).


INFORMATION SECURITY

The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

(1) Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

(2) Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(3) Availability, which means ensuring timely and reliable access to and use of information

(Cornell School of Law, 2015).


INFORMATION PRIVACY

Many commentators have lamented that the meaning of “privacy” is vague and elusive. We should understand privacy is an umbrella term for a group of related yet distinct things. Privacy is about respecting the desires of individuals where compatible with the aims of the larger community. Privacy is not just about what people expect but about what they desire. Privacy is not merely an individual right – it is an important component of any flourishing community (Solove, D., 2011, May 17).


POLICY INSTRUMENTS

Four principal policy instruments can be used to enhance public sector security:

• Legal and Regulatory – Tax credits and subsidies. Liability laws in case of failures. National legislation and regulations.

• Economic – Insurance markets to protect both businesses and citizens, access to information, and legal and financial penalties for violation of regulations.

• Technical – Information security and testing, using best IT practices.

• Information and Behavioral – Educate staff and community on national/international information sharing. (Reddick, C., 2012), (Adapted by Bauer and van Eeten, 2009).


POLICY LEGALITIES & REGULATIONS

Legal and regulatory policies impact information security. They:

• Dictate the constraints with which citizens and businesses must live.

• Create new insurance economic markets for both businesses and citizens.

• Implement technical policies that dictate the security standards.

• Educate and create awareness for businesses and citizens (Reddick, C., 2012).


ENVIRONMENTAL SECURITY CHALLENGES

Hundreds of companies push their agendas . . .

Lobbyists contacting the agencies can affect the context of legislation (Brown E. and Loomis B., 2014). Both agencies and lobbyists play a key role in the factors and preparedness that affect the environment, posing the following challenges:

• Safeguarding - All sensitive, critical, proprietary information.

• Protecting - The overall Information Communications Technology (ICT).

• Trust from the Leadership must be based on Credibility.

• Legal Regulations and Laws – Adopt and enforce laws and regulations (Reddick, C., 2012).


INFORMATION TECHNOLOGY SECURITY ISSUES

The following information technology issues arise:

• Viruses – The Internet brings the threat of external data-compromise.

• Maintenance – Security systems must be continuously in sync with the latest security patches.

• Perpetual Upgrades – Security must continuously be up-to-date.

• Top Management Support – Due to the costly nature of security management systems, the support of administration or top management is imperative (Reddick, C., 2012).


EMPLOYEE SECURITY

Employees should be educated and informed.

• Policy Statements – Security guidelines for employees.

• Informed Users - Educate employees on resources and consequences.

• Alert Users – Keep employees informed of all vulnerabilities and threats.

• Preventive Security – Implement and maintain security technologies across the Information Communications Technology (ICT) network (Reddick, C., 2012).


THREATS & CONTROLS

Three layers of deterrents depict computer security:

• Deterrents – Policies outlining the acceptable and the unacceptable employee practices.

• Preventives – Measures to reduce or control criminal behavior.

• Detectives – Bots that detect misuse so that it is not repeated

(Reddick, C., 2012 and Foltz, 2004).


CYBERCRIME

Cybercrime is criminal activity perpetrated by the use of the Internet and other digital means (Reddick, C., 2012 and Haugen, 2005).

Most common Cybersecurity Threats:

• Spam – The delivery of unsolicited e-mail.

• Phishing – Messages and pop-ups in the form of spam that deceive users.

• Spyware – Delivery in the form of e-mail, false advertisements with links to download cyber spyware to users’ computers and devices (GAO, 2005b).


CYBERSECURITY

President Barack Obama has ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure (The White House, Obama, B.).


CYBERSECURITY - CONTINUED

Major Goals designed to help secure the United States in cyberspace:

• To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.

• To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.

• To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace (The White House, President Obama, B.)


CONCLUDING RECOMMENDATIONS

A secure, transparent government succeeds when Information Security and Privacy are treated as more than a technical solution, because success requires top management involvement in establishing, designing, and implementing:

• Policies

• Procedures

• Organizational Structure(s)

• Culture and Human Dimension

• Efficient and Effective security program

• Empirical Research data

(Reddick, C., 2012).


REFERENCES

• 44 U.S. Code § 3542 - Definitions. (n.d.). Retrieved October 10, 2015, from https://www.law.cornell.edu/uscode/text/44/3542.

• Brown, E. (2014, May 19). Lobbying the Watchdogs. In The Center for Public Integrity. Retrieved October 10, 2015, from http://www.publicintegrity.org/2005/05/03/6563/lobbying-watchdogs.

• Foltz, C. (2004). Cyberterrorism, Computer Crime, and Reality. In Information Management and Computer Security (2nd ed., Vol. 12, pp. 154-166).

• Haugen, S. (2005). E-Government Cyber-crime and Cyber-terrorism: A population at risk. In Electronic Government (4th ed., pp. 403-412).

• Obama, B. (2008-2009). The Comprehensive National Cybersecurity Initiative. In Foreign Policy. Retrieved October 10, 2015, from https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative

• Reddick, C. (2012). Information Security and Privacy, In Public Administration and Information Technology. Burlington, MA: Jones & Bartlett Learning.

• Solove, D. (2011, May 17). IT Policy and Law. In IT Cornell. Retrieved October 10, 2015, from http://www.it.cornell.edu/policies/infoprivacy/definition.cfm.

• U.S. Government Accountability Office (GAO). (2005). Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities (GAO-05-434). Retrieved October 11, 2015, from http://www.gao.gov/products/GAO-05-434
