What do these organizations have in common?

abdomendebonairSecurity

Nov 2, 2013 (4 years and 10 days ago)

116 views

What do these organizations
have in common?



City Of Toronto

Canada Post

Municipal Property Assessment Corp

Facing The

Privacy Challenge

Donald E Sheehy, CA*CISA


(dsheehy@grantthornton.ca)

What Underlying Message

Conflicting messages and views exist

Sun
Microsystem
s CEO Scott
McNealy was
once quoted:
"There is no
privacy on
the Internet.
Get over it.”


Alternatively

Doing an AltaVista search on the string

“Internet Privacy Issues” yields almost 2,000,000 hits

Privacy is regarded as the number one issue
affecting Internet based E
-
Commerce (E
-
Marketer)

Significant number of articles appear daily on
privacy and related issues (look at Yahoo News or
Computerworld.com)

We have new act appearing in Ontario and the US


WE HAVE NOT GOT OVER IT
!

Some of The Recent Headlines

“A comprehensive data privacy bill to be introduced
next year in the U.S. House will apply to online and
off
-
line practices, affecting virtually every company
that does business in the U.S”


“International privacy policies are permeating
planning at corporations struggling to comply with
the European Union's privacy rules and an
emerging set of strict Canadian data sharing
requirements.”

Even Microsoft


as Privacy
Champion?

“don’t look now but Microsoft is making a
grab for the mantle of Internet privacy
champion by pushing a standard few have
embraced…. The move…could backfire
and further muddle the intractable debate
about Internet privacy”

And some more personal

“Security experts discovered a flaw this week in the
Web site operated by Verizon Wireless that
potentially exposed the private customer
information of those who used the Web site to view
their personal cell phone bills”. (Sept 16)

Customer information exposed by Playboy.com
hacker (November 21, 2001) Playboy.com has
spent several days contacting customers and doing
an online security audit after a hacker broke into
the site's online store last weekend and got access
to customer information and credit card numbers.

What I’ll be Covering

What is meant by privacy

Current global legislation and dealing with
enterprise privacy risk that they cause

Dealing with special privacy concerns for
Internet

How the CA can help

What is Privacy?

Right to be left alone (1890, Harvard
Business Review)

Freedom from intrusion or public attention

The protection of the collection, storage,
destruction and dissemination of personal
information ( EU, Canada and US Safe
Harbor)


What does it consist of ?

Personally Identifiable
Information (factual or
subjective)

Name

Address

Salary

Employee files,

Credit records

Medical records etc




Sensitive Information
(factual or subjective)

Union/political
affiliation

Ethic origin

Sexual Orientation

Health Conditions

Religious affiliation

etc

Enterprise
-

wide vs. Internet
Privacy

Enterprise
-
wide privacy includes all
records, systems of an organization
whether electronic or not.

Internet privacy


also known as online
privacy, refers to the systems that
encompass a web presence and records
that hole data obtained via the presence

Internet privacy is a subset of enterprise
-
wide privacy

Legislation

OECD Guidelines (1980)

European Union (EU Directive 95/46EC,
1995, effective 1998)

Canada (Personal Info Protect & Electronic
Documents Act (PIPEDA), April 2000)

Australia (Privacy Amendment (private
sector) Act 2000)

UK (Data Protection Act, 1998)

US Privacy Legislation

Safe Harbor (July 2000)

Facilitate trade and commerce between the US and
EU

Voluntary and self
-
regulatory program

Graham Leach Bliley (July 2001)

Primary financial institutions (banks, insurance,
securities and others with credit operations)

Restricts disclosure of non
-
public info about
customers to third parties

Requires clear and conspicuous privacy policy
posting, including sharing with third parties

Children’s Online Privacy Protection Act (COPPA) April
2000


online collection of personal information from children
under 13.

spell out what a Web site operator must include in a
privacy policy, when/how to seek verifiable consent from a
parent and what responsibilities an operator has to protect
children's privacy and safety online

Health Insurance Portability and Accountability Act
(HIPPA)

Applies to health info created or maintained by health care
providers who engage in certain electronic transactions,
health plans and healthcare clearinghouses

Quick Comparison

PIPEDA Principles
Challenges

Accountability


in
charge

Identifying purpose


reason for collection

Consent


needed to
collect

Limiting Collection


to
that required for the
specific purpose

Limiting Use, disclosure
and retention


to a
minimum

Accuracy


of info

Safeguards


to protect

Openness


about
policy

Individual Access


to
see/correct

Challenging compliance


Why Deal With Privacy Risk

In many countries to ensure compliance
with law and regulations

In any event


stay out of public eye

Increase management awareness and
sensitivity, force change

Evidence due care and commitment

Goals for assessment

Id. the nature of PII associated
with business process

Document its collection,use,
disclosure and destruction

Provide mgt with tool to make
informed decisions based on
understanding of privacy risk

Ensure accountability

Create consistent format and
structured process

Reduce Revisions

What the profession is doing


enterprise level

CICA and AICPA Projects in process

Consultation between AICPA/CICA and
governments

ISACA publications … A Guide to Cross
-
Border
Privacy Impact Assessments, Thomas J. Carol

PWC assessment tool on Ontario PC site
http://www.ipc.on.ca/english/resources/resources.htm

Move to assurance reporting


on privacy
compliance

Firm methodologies for consulting and advising


Specific Challenges for

Internet (Online) Privacy

What are the Concerns for
Internet Privacy?

What information can be “discovered” by visiting a
site?

What information is being collected, why, do they
really need it?

Is the site secure enough to stop people from
accessing the information I give to a site in a
transaction?

Who really is watching what I do when I surf?

What will happen to my information?

Other On
-
line Concerns

I am not sure of who I am doing business
with

I don’t like the traceability

I am afraid I will get scammed

The Challenges

Cookies

Browsers

Bugs

Web Security


Concern for Cookies

What are they?

What can they do?

Why are they used?

Good or bad?

Cookie Recipe (user
and site info)



Name
: What the programmer chooses for the cookie.

Domain
: The domain name from the server that created and
sent the cookie.

Path
: Information about the path of the Web page a user was
reading when the cookie was sent. This setting helps restrict
other sites or areas within a site from accessing cookie data.

Expiration date
: When the cookie is set to expire, in the
format date
-
month
-
year
-
time (24
-
hour time, GMT).

Secure
: If this value is set in the cookie, the information is
encrypted during transmission between the server and the
browser.

Value
: The specific data being stored for future recognition
and action by the Web server; no white space, semicolons or
commas can be included, and a 4K
-
byte limit is desirable.

Cookies
-

uses

Identify return visitors

Maintain shopping basket information

Maintain user information

Types

Static (session)

Persistent (
staying on the user's hard disk for
months or even for years)


Cookies


good or bad?

Cannot obtain information NOT provided by
the user

Cannot be used between sites . . . usually

Can reveal information provided to the site
to other vendors (e.g.; DoubleClick)

Can provide functionality and ease of site
use

Can possibly transmit viruses

Some final thoughts on
cookies

64 federal agency Web sites use software to track
the habits of users despite rules banning the
practice, according to preliminary findings in a
report to Congress on Internet privacy that was
released last week (Office of Inspector General).

The European Parliament on Tuesday [Nov 13]
voted to adopt an amend. to the draft directive on
electronic data collection and privacy to restrict the
use of cookies. If the vote is ratified, Web sites will
have to explicitly ask users if they want to accept
cookies
--
a move that the advertising industry says
could be damaging to business.

Microsoft cooks cookies?

Microsoft issues patch for hole in Internet
Explorer (November 15, 2001) Versions 5.5
and 6 that can expose cookie data to
malicious hackers.


Microsoft P3P ( in new browser version)
-

creating problem with cookies 97/100 esp
P&G site

The browser


a real privacy hole

Internet users are “remote” node on the
network

Reveals

Operating system

Program(s) running

Path to/within the site

IP address

Creating a More Secure
Browsing Session in IE

Turn off script language ( Java, Active X)

Eliminate history information. To prevent Explorer
from replacing the History.html folder, put a locked
or read only file in that folder

Delete cookies and preferences re cookies.

Select Edit/Preferences/Receiving Files/Cookies

Select “Internet Preferences” file selected, choose
File/Get Info then check the “Locked” box

Secure the cache ( delete cache.waf file.. Can be
done by making alias into a “wipefile” program


http://phaster.com/unpretentious/browsing_micro$oft.html


Web bugs…

…and your privacy.

Web bugs
-

defined

A web bug is a graphic on a web page or in
an email message that is designed to
monitor who is reading the web page or
email message

The word "bug" is being used to denote a
small, eavesdropping device


Programming example


<img src="http://ad.doubleclick.

net/ad/pixel.quicken/NEW"

width=1 height=1 border=0><IMG WIDTH=1

HEIGHT=1border=0SRC=

"http://media.preferences.com/ping?

ML_SD=IntuitTE_Intuit_1x1_RunOfSite_A

ny&db_afcr=4B31
-
C2FB
-
10E2C&event=

reghome&group=register&time=

1999.10.27.20.5 6.37">


How common are they?

Common on free pages created through
Geocities and AOL

Estimated 18% of all personal pages,

Estimated 16% for home pages
of major
companies

Who was the biggest user last March?

What do they do?

Usually used to count visitors

Gather statistical information about web
sites without collecting personal information

General profiling for banner adds etc.

Why a Problem

By sharing info among bugs across
different sites, they can be used to track
people’s movements

If visitor has given personal info at one
linked site, then info can be linked through
the bugs to other sites

What can be done?

Not too much. . .

1x1 pixel

Hard to distinguish for normal GIF files


Free detection software

http://www.bugnosis.org/

Currently works with Internet Explorer 5.0 or
greater for Windows.


Can privacy exist without security?



NO!


Can security exist without privacy?



YES!

A Question of Security

The web security problem

Securing the web server and its data

Securing information while in transit

Securing the user’s computer

What are the risks?

Denial of service

Theft

Proprietary information or data

Hardware and software

Private customer information

Confidential business information

Methods of attack…

Trojan horse

Poor CGI script

Java and activeX (often used to leak info)

Spoofing

Lax password control

E
-
Mail

Virus threats

The forgotten areas

Physical restriction

Data backup


What can be done?

Policy management and change

Three “Ds” of protection

SysTrust
SM

WebTrust
SM



Trust Services

Three Ds of security policy

And . . .

eep

t

imple

tupid


What CAs are doing

WebTrust

System defined by
criteria

Report issued to
management


posted on
website

Six Principles


Security

Privacy

Availability

Transaction Integrity

Confidentiality

Customized
Assertions



Certification
Authorities

Independent Verification

Independent verification can allay the
majority of these fears as does financial
statement audit

Public accounting is quality controlled the
world over

Also serves as valuable eCommerce consulting
tool in understanding best practices

Follows standardized process from Web site to
Web site giving comfort to oversight
authorities



Trust Services & Independent Verification

Affords a broad scope of assurance to consumers,
business owners and oversight authorities.

Audit Level Testing of the following areas:

Effective Fraud Deterrent

Business Practices

Privacy

Security

Transaction Fulfillment Testing

Consumer Recourse Provision

Strong International Presence & Growing!

The Trust Services Advantage

Independent verification

CAs are the acknowledged

providers of assurance and trust

International network for building trust

Flexible solution to meet needs of
consumers, merchants, ISPs, and business
-
to
-
business markets

Evidence of increase in sales for merchants



A Global Range

Independent verification services such as WebTrust &
SysTrust are offered in:


Germany


United Kingdom & Ireland


United States


Canada


France


Australia & New Zealand


Denmark, Sweden


Netherlands, Belgium, Spain, Hong Kong


Israel

In Conclusion

Can’t relax on a corporate level


you need to gear
up for all the privacy legislation facing you

Look for controls, policies and procedures services
that will help your enterprise and its web presence
meet the privacy challenge head
-
on

Look for help from your qualified CA and legal

You can’t relax on a personal level

No Relaxing!