Keeping Your Eye on Privacy
Mike Gurski, Director: Bell Privacy Centre of Excellence
April 2008, NY, NY
Background Privacy Threats
Canadian Privacy Law
Sample of University Privacy Postures
Solutions for Privacy Management
Bell Restricted3 Date
Background: How Soon We Forget
On August 1, 2006, USA Today reported that, "in the past 18 months, colleges were the source of one-third to half of all publicly disclosed (privacy) breaches. By reviewing 109 privacy breaches at 76 campuses, USA Today found that 70 percent of the incidents involved hacking."
What does this tell us?
U.S. to Ease Privacy Rules
Federal Education Department proposed new regulations to clarify when Universities may release confidential student information after Virginia Tech shootings.
NY Times, March 25th, 2008
Privacy Threat Models Reviewed
The ‘duh’ factor
The infinite information appetite syndrome: including Hackers
The privacy policy riddle
The attacker models: and willing participants in a University setting
Reporter, Marketer, Insider
The ‘balancing rights’ conundrum
The proportional response problem
The save us from disaster misconception
Examining the Risks: Probabilities and Outcomes
A Special University Privacy Challenge
A Hot Bed of Early Adopters
Web 2.0/3.0
Social Networks
Software as a Service
A Different Privacy Landscape in Canada?
Provincial OCIO bans instant messaging and file sharing after privacy breaches in NFLD:
Memorial University CSO mirrors ban:
March 28, 2008 NFLD
Question: How is the University Responding?
Primary Focus on tactical PIAs for BANNER and Laptops
The Canadian Particulars
Legislative Landscape: Fair Information Practices Based
A Digression to GWU and Daniel Solove
A Privacy Maturity Model for Universities
The Role of Strategy as opposed to Tactics
The Role of Technology and New Tools
Daniel Solove
A taxonomy of privacy attacks
A new way to think about privacy legislation and technology
Organization’s Privacy Management Maturity
Level 1: Ad-Hoc
• Privacy processes are not defined or documented
Level 2: Focused
• Privacy processes are partially documented
• Minimal automation for privacy automation
• Training policy with event based training
Level 3: Standardized
• Processes, roles, and workflows are defined
• Privacy Management is broad based to serve strategic goals
• Training ongoing
Level 4: Integrated
• Processes fully defined and audited
• Privacy management fully integrated with bus.
A Strategic Approach
• The key steps:
– Build a business case for strategic investment in privacy management
– Build Internal Privacy Management Capacity (reducing cost and reliance on outside consultants)
– Use tools that allow non-specialists to manage privacy
– Set out a strategy and planning roadmap
– Develop a vulnerability assessment/gap analysis of personal information management within the University
– Engage all levels in privacy management
– Reduce resources needed to manage privacy
– Provide a new focus on system design for personal information banks
New Tools
Compliance and Assessment Tools
Internal Capacity Workshops
Data repository for knowledge transfer
Training Curriculum geared to privacy management capacity
Enterprise Privacy Strategy/Roadmap
Privacy Enhancing Technologies
Contact Information
Mike Gurski, Director: Bell Privacy Centre of Excellence
[email protected]