Protecting the Privacy of Investors: An Overview of the Regulatory Framework & Tips on Avoiding Threats

May 28, 2015, Malcolm Townsend, IT Research Analyst


SLIDE 1

Protecting the Privacy of Investors: An Overview of the Regulatory Framework & Tips on Avoiding Threats

May 28, 2015 Malcolm Townsend, IT Research Analyst

Overview

  • Background
  • Trends
  • Threat landscape
  • Privacy regulatory framework
  • Tips on avoiding threats
SLIDE 2

Background

  • Privacy breaches often have a technological component
  • Examples include websites, e-commerce, applications, lost or stolen mobile devices, unencrypted portable devices, unpatched systems

Current Trends (Verizon Data Breach Report)

  • Stolen credentials are the number 1 attack vector
  • “23% of recipients now open phishing messages and 11% click on attachments”
  • Breach detection takes too long
  • Vulnerabilities are not being patched
  • Most malware is unique
SLIDE 3

Threats – Causes & Contribution to Breaches

Mandate and Mission

  • The mandate of the Office of the Privacy Commissioner of Canada (OPC) is overseeing compliance with both the
    1. Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and
    2. Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.
  • The mission of the OPC is to protect and promote the privacy rights of individuals.

SLIDE 4

Ten PIPEDA Principles

  • 1. Accountability
  • 2. Identifying purposes
  • 3. Consent
  • 4. Limiting collection
  • 5. Limiting use, disclosure, and retention
  • 6. Accuracy
  • 7. Safeguards
  • 8. Openness
  • 9. Individual access
  • 10. Challenging compliance

SLIDE 5

7. Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information

Enterprise - Safeguards

Governance

  • Portfolio managers, CPO, DSO, CISO, CIO, BCP coordinator working together to achieve the organization’s objectives

Privacy and Security Awareness Training

  • Ensure employees understand roles and responsibilities

Active compliance program

  • Policies and procedures

Risk assessment

  • New applications, services, significant changes to existing applications and legacy systems
  • Organizational changes
SLIDE 6

Operational - Safeguards

PREVENTATIVE CONTROLS

  • Proactive logging of systems, encryption, vulnerability assessments, penetration testing, physical security, data minimization

TOOLS

  • Examples include firewalls, anti-virus, intrusion detection and prevention systems (IDPS)

PRIVACY & SECURITY CHECKPOINTS (internal to the Software Development Lifecycle (SDLC))

CHANGE, RELEASE and PATCH MANAGEMENT

MINIMUM PERMISSIONS

  • Sensitive information
  • Based on roles, responsibilities

SEGREGATION OF DUTIES
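Minimum permissions and segregation of duties, as the two controls above describe them, are properties of a role model that can be checked mechanically rather than audited by hand. The Python below is an added example and not part of the OPC deck or any OPC tool; its roles, permissions, conflict pairs and users are constructed for illustration. It computes each user's effective permissions from their roles, flags pairs of permissions that a segregation-of-duties rule says one person must never hold together, and lists permissions granted beyond what the job actually needs (the least-privilege gap).

```python
# Added example (not from the OPC deck): checking a role model for least-privilege
# gaps and segregation-of-duties conflicts. All roles, permissions, conflict
# pairs and users below are constructed assumptions for illustration.

# Constructed role -> permission mapping for a small investment firm.
ROLE_PERMISSIONS = {
    "portfolio_manager": {"client_pii:read", "trade:submit"},
    "trade_approver": {"client_pii:read", "trade:approve"},
    "ops_admin": {"backup:run", "client_pii:export"},
    "auditor": {"audit_log:read"},
}

# Constructed segregation-of-duties rules: no single person may hold both
# permissions in a pair (e.g. submit and approve the same trade).
SOD_CONFLICTS = [
    frozenset({"trade:submit", "trade:approve"}),
    frozenset({"client_pii:export", "audit_log:read"}),
]


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds.
    An unknown role raises rather than silently granting nothing."""
    perms = set()
    for role in roles:
        if role not in role_permissions:
            raise KeyError(f"unknown role: {role}")
        perms |= role_permissions[role]
    return perms


def sod_violations(roles, conflicts=SOD_CONFLICTS, role_permissions=ROLE_PERMISSIONS):
    """Conflict pairs fully present in the user's effective permissions,
    returned as sorted tuples so reports are stable."""
    perms = effective_permissions(roles, role_permissions)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def excess_permissions(roles, needed, role_permissions=ROLE_PERMISSIONS):
    """Least-privilege gap: permissions the roles grant beyond what the job needs."""
    return sorted(effective_permissions(roles, role_permissions) - set(needed))


def review_user(user):
    """Review record for one user; `user` has 'name', 'roles' and 'needed'
    (the permissions the person's job actually requires)."""
    return {
        "name": user["name"],
        "sod_violations": sod_violations(user["roles"]),
        "excess": excess_permissions(user["roles"], user["needed"]),
    }


# Constructed sample of users to review.
USERS = [
    {"name": "alice", "roles": ["portfolio_manager"],
     "needed": ["client_pii:read", "trade:submit"]},
    # bob was given approver rights "temporarily" and still submits trades
    {"name": "bob", "roles": ["portfolio_manager", "trade_approver"],
     "needed": ["client_pii:read", "trade:submit"]},
    # carol only runs backups, but her role also allows bulk PII export
    {"name": "carol", "roles": ["ops_admin"], "needed": ["backup:run"]},
]


def review_all(users=USERS):
    """Review every user and return the list of records."""
    return [review_user(u) for u in users]


if __name__ == "__main__":
    for rec in review_all():
        flags = []
        if rec["sod_violations"]:
            flags.append(f"SoD conflict {rec['sod_violations']}")
        if rec["excess"]:
            flags.append(f"excess permissions {rec['excess']}")
        print(rec["name"], "OK" if not flags else "; ".join(flags))
```

In the constructed sample, bob is flagged for holding both trade:submit and trade:approve, and carol for an export permission her job does not need; alice passes. The `needed` list per user is the part that is hard to get right in practice: it has to come from the job description or an access-review sign-off, not from the roles already granted, or the check only confirms the status quo.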

Key factors that should alert organizations of greater risk of a breach

Universal

  • Organizations in the same sectors where breaches have been reported
  • Vulnerabilities that are being exploited in software packages, applications or tools used by the organization, reported in the news

Organizational

  • Sudden changes in reported scanning/logging
  • People as a threat vector
  • Mergers and acquisitions
  • Sudden staff turnover
  • Planned layoffs
  • Boom economy
SLIDE 7

How to Prepare For a Privacy Breach

  • You need a Breach Response Plan
  • Think about your team (insource or outsource) and its leader
  • Train your staff
  • Review data retention & destruction policies
  • Review security policies
  • Know the law

In Summary

  • Understand implications of Laws, Regulations & Policy Instruments as they apply to your organization
  • Ensure privacy and security controls are in place during the system life cycle management
  • Importance of complying with organizational policies and procedures
  • Ensure your controls meet your organizational objectives
  • Prepare yourself for a breach
SLIDE 8

OPC Resources:

  • Privacy Toolkit: A Guide for Businesses and Organizations
  • Getting Accountability Right with a Privacy Management Program
  • Ten Tips for Reducing the Likelihood of a Data Breach
  • Key Steps for Organizations Responding to a Privacy Breach
  • Securing Personal Information: A Self-Assessment Tool for Organizations

www.priv.gc.ca @privacyprivee 1-800-282-1376