4. Risk Based Approach
The Program should take into consideration the size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security[1].
5. Mandates, Guidelines, Obligations
• State of Washington[3]
• State of Massachusetts[1,2]
• Federal Trade Commission Red Flags
• Clients, customers, constituents
• Employees
• Perceptions
7. Red Flags Rule
An Identity Theft Prevention Program to detect the warning signs — or "red flags" — of identity theft in day-to-day operations[4,5,6].
13. Deterrents
• Two factor authentication
• Know where personal information is:
  – Inventories of laptops, desktops, servers, applications, data sets.
15. Security Classifications
• Physical – Stolen laptops, locked server room
• Logical – usernames, passwords, two-factor
• Transmissions – email, file transfer
• Applications – especially custom written
• Social – impersonating tech. support
16. Policies, Procedures, Plans
• For customers, clients, constituents
  – Privacy and Confidentiality Policy[8]
  – Security Statement[9]
  – Security Overview[10]
  – Third Party provider summary[11]
17. Policies, Procedures, Plans
• For employees
  – Acceptable Use Policy
  – Professional Ethics & Standards Policy
• For management
  – Security Policy
  – Data Breach Incident Response Plan[12]
18. Training
• Employees should know:[1]
  – What information they have access to
  – What their responsibilities are regarding it
• Document all training!
19. Information Security Policy[13]
Who is the audience?
Why will they read it?
What decisions will they make after reading?
Purpose
Assure management that information is safe from theft and loss.
20. Information Security Operations
• Here is a list of our data.
• Here is its location.
• This is who has access to it.
• Here is what we do to protect it.
• Here is what we do if we lose it.
Start with why I like to discuss the topic. I like to debunk all the scare tactics, for instance the need to encrypt all email if one client lives in Mass. Security is a very technical subject; however, the application of it at the practical level needs to be simple. Security can be very expensive if not applied correctly. It can also be disastrous. http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf