SlideShare una empresa de Scribd logo

Popi and Sharepoint 2010

Descargar como PPTX, PDF
Willem Burger
Willem Burger

nThis is a discussion on Protection of Private Information in SharePoint and also PII information and the South African Law impact. Also applicable to privacy, security and governance in general in SharePoint 2010

TecnologíaNoticias y política
1 de 26
PROTECTION OF PRIVATE INFORMATION (PoPI) & SharePoint September 2012 Willem Burger Shoprite : SharePoint Lead
Private Information of customers are one of the most important assets that many companies store.
What is Privacy and Private Information? The Oxford Dictionary defines ‚privacy‛, as ‚the state of being left alone and not watched or disturbed by other people‛. From a business perspective it means that personal information must be used in an appropriate manner within defined parameters. The appropriateness of the use of personal information depends on a number of factors such as context, regulatory requirements, the individual’s expectations as well as the right of an individual to control how their personal information is used or ‘processed’.
What is Privacy and Private Information? There are different types of privacy that individuals have rights to, each emphasising different aspects of privacy. These include:  physical privacy - relevant to government search and seizure operations and peeping toms;  bodily and decisional privacy - concerned with choice and the integrity of an individual's body, the right to abortion and cavity searches;  proprietary privacy - concerned with publicity, media representation and celebrity, ownership and control of the body, appearance and identity; and  information privacy - the interest an individual has in controlling information about them.
What is Privacy and Private Information? It is important to understand that organisations have certain obligations when processing personal information and that individuals have certain rights. These may be established in laws, regulations and organisational policies. South Africa’s Protection of Personal Information Bill [No. 9 of 2009] (PoPI) is primarily focused on ‘information privacy’, also known as ‘data protection’ or ‘data privacy’.
What is Personally Identifiable Information (PII)? Chapter 1 of PoPI defines personal information (PI) as meaning: ‘‘information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:  (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;  (b) information relating to the education or the medical, financial, criminal or employment history of the person;  (c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;  (d) the blood type or any other biometric information of the person;  (e) the personal opinions, views or preferences of the person;  (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;  (g) the views or opinions of another individual about the person; and  (h) the name of the person if it appears with other personal information relating to the person or if the  disclosure of the name itself would reveal information about the person” [3].
What is Personally Identifiable Information (PII)? Examples of attributes that may include personal information are: passport and ID numbers; gender and biometric identifiers; bank account and credit card numbers; birth dates; home address details; personal telephone numbers for both landlines and mobile devices ; personal email and IP addresses; photographs; financial profiles; personal identification numbers (PINs) and passwords for financial accounts; health information; race; religious or philosophical beliefs; age;
What is the scope of PoPI? PoPI covers the processing of personal information in both electronic and paper-based format. Processing in terms of PoPI means any operation or activity, concerning personal information, including :  (a) the collection, receipt, recording, storage, updating or modification, retrieval, alteration;  (b) distribution or making available in any other form; or  (c) merging, linking, erasure or destruction of information.
Why is it so important to protect Personal Information? • Reputation • Globalisation • Legislation All have a financial Impact!
What is the status of the legislation? The bill is due to be promulgated by the end of 2012 and there is a years grace to implement (therefore the end of 2013)
How can Business and IT Pros be ready for PoPI with SharePoint
What your business need to do? 1. Find the Data and Map the flow and storage of it. 2. Understand whether the data is needed, if not remove it. 3. Define rules for personal data storage and transmission against the legislation. 4. Secure the Data. 5. Educate users in terms of the rules.
Fundamentals – Applied to SharePoint Assess • Where is personal information located? (libraries ,lists, documents, sql) • How do you know if you have PII in your SharePoint sites? The answer seems simple, you need to look for it! • Who has access to personal information? (check security) Secure (Focus on quick wins) • Use Groups and security settings of Sites and Libraries • Watch out for insiders, Administrators! Comply (Build into project plan) • Comply smart with a one project approach or per business leg, cost saving. • Comply by type . PCI Comply for Credit card info etc Respond (Be Prepared) • What is the action plan on a security incident? • What can customers expect when they call for their information? • Audit Logging and version history of SharePoint libraries.
Four essential elements to responsibly protect and manage personal information More secure infrastructure Microsoft Forefront and Forefront Security for SharePoint (UAG & TMG) Identity and access control Active Directory and other identity and access control technologies. Information protection Information rights management - encryption so that only authorized parties can view or change . Protecting information at rest through the use of encryption . Auditing and reporting SharePoint administrators can set auditing policies to log activities. Coming laws generally require breach disclosure for security breaches which result in the loss or theft of their citizen's personally identifiable information (PII).
‚SharePoint Security‛ Permissions Permissions are not security. Relying on permissions only for your SharePoint Security strategy is a mirage . Hardening ‚What about least privilege administration?‛ The idea of least privilege is to limit the damage in the event that any single account gets compromised . Again, this is a mirage. User Behavior Another mirage is relying on end users to decide what they will or will not upload into SharePoint -‚2011 Digital Universe Study‛ IDC concluded that 28% of information needs security Extending a site extending a SharePoint site to make content accessible from the Internet. Extending a web site and opening a port on your border firewall creates a single point of failure
Practical Example Capture a customers information on a Form that resides on our public website and submit this information into a library to be stored for processing. Assess • Where is personal information located? (Public site) • Who has access to personal information? (everyone if unsecure) Secure • HTTPS site or page (Port 443) • Via TMG Access only • Secure site library Comply • Build in Project plan a PoPI compliant design. Content cannot reside in public space. • How long should we retain this content? Respond • Customers content available on request visible only to owners. • Audit Logging and version history of SharePoint libraries confirm history.
HTTPS://www.checkers.co.za /newcustomer Checkers WEB site customer T Library M Workflow or G retention policy FIREWALL Pulse Internal Site customer Libraries & pages http://pulses.hoprite.co.za/checkers/customers Group Security, Record management, Auditing, version history search etc. Workflow for customer processing
Firewall
Library (Document, form, lists etc) - Permissions - Auditing - Version History - Search
PoPI in SharePoint Governance Permissions management (integrity , confidentiality, privacy) • Follow the Principle of Least Privilege • Give people access by adding them to standard, default SharePoint groups • Use permissions inheritance to create a clean, easy-to-visualize hierarchy. • Organize your content to take advantage of permissions inheritance.
PoPI in SharePoint Governance Audit Tracking (Information management policy enforcement ) Record Centre • Vault abilities (ensure the integrity of the records ) • Information management policy enforcement • Record routing incoming records to their proper location, based on their record type. Track versions Search (Mark with restricted permissions )
Data Governance Life Cycle or Information Flow Stages Collection PII from multiple sources. Set standards, respect Customer desire Storage Not just databases , it scatters to e-mails etc + devices Usage Data becoming more fluid, limit external use Retention/destruction Cheaper data storage. Don’t retain all. Setup finite lifespan for sensitive data
Tools SharePoint Content Scanner SharePoint Risk Assessment You can perform scans of files in your SharePoint sites and find PII including credit card data, customer financial information, social security numbers, and other data patterns associated with PII. Resources http://www.sharepointdefenseindepth.com/ Run in Google site:<your domain>.co.za Check what is exposed and visible on your public sites. Refine and adjust sensitive data content privacy and security. Run again.
In Conclusion • Private Information of customers are important assets • We have obligations when processing personal information • PoPI covers the processing of personal information • Assess, Secure , Comply , Respond • Get everyone on Board and aware of PoPI • Added bonus will be general Governance improvement of Customer specific sites and content • Have Security Policy around SharePoint and storage of PII
Thanks Willem Burger Blog: http://sharepointburger.wordpress.com/ Twitter: http://twitter.com/willemburger Email : wburger@shoprite.co.za Questions?

Recomendados

Handling PII and sensitive content in SAP BusinessObjects
Handling PII and sensitive content in SAP BusinessObjects Handling PII and sensitive content in SAP BusinessObjects
Handling PII and sensitive content in SAP BusinessObjects
Wiiisdom
 
Ecommerce Chap 10
Ecommerce Chap 10Ecommerce Chap 10
Ecommerce Chap 10
Pimsat University
 
GDPR Ramifications of Blockchain Technologies
GDPR Ramifications of Blockchain TechnologiesGDPR Ramifications of Blockchain Technologies
GDPR Ramifications of Blockchain Technologies
Parsons Behle & Latimer
 
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
David Cunningham
 
Law firm data privacy by dave cunningham
Law firm data privacy by dave cunninghamLaw firm data privacy by dave cunningham
Law firm data privacy by dave cunningham
David Cunningham
 
Self-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic RelationshipsSelf-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic Relationships
Jeremy Hilton
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019
Ulf Mattsson
 
How to implement GDPR for the public sector, December 2017
How to implement GDPR for the public sector, December 2017How to implement GDPR for the public sector, December 2017
How to implement GDPR for the public sector, December 2017
Browne Jacobson LLP
 

Recomendados

Handling PII and sensitive content in SAP BusinessObjects
Handling PII and sensitive content in SAP BusinessObjects Handling PII and sensitive content in SAP BusinessObjects
Handling PII and sensitive content in SAP BusinessObjects
Wiiisdom
 
Ecommerce Chap 10
Ecommerce Chap 10Ecommerce Chap 10
Ecommerce Chap 10
Pimsat University
 
GDPR Ramifications of Blockchain Technologies
GDPR Ramifications of Blockchain TechnologiesGDPR Ramifications of Blockchain Technologies
GDPR Ramifications of Blockchain Technologies
Parsons Behle & Latimer
 
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
David Cunningham
 
Law firm data privacy by dave cunningham
Law firm data privacy by dave cunninghamLaw firm data privacy by dave cunningham
Law firm data privacy by dave cunningham
David Cunningham
 
Self-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic RelationshipsSelf-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic Relationships
Jeremy Hilton
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019
Ulf Mattsson
 
How to implement GDPR for the public sector, December 2017
How to implement GDPR for the public sector, December 2017How to implement GDPR for the public sector, December 2017
How to implement GDPR for the public sector, December 2017
Browne Jacobson LLP
 
Isaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyIsaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacy
Ulf Mattsson
 
GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.
Salman Baset
 
BigID Data Sheet HIPAA Data Security & Privacy
BigID Data Sheet HIPAA Data Security & Privacy BigID Data Sheet HIPAA Data Security & Privacy
BigID Data Sheet HIPAA Data Security & Privacy
BigID Inc
 
How to implement GDPR for the health sector, February 2018
How to implement GDPR for the health sector, February 2018How to implement GDPR for the health sector, February 2018
How to implement GDPR for the health sector, February 2018
Browne Jacobson LLP
 
GDPR and Blockchain
GDPR and BlockchainGDPR and Blockchain
GDPR and Blockchain
Salman Baset
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
Ulf Mattsson
 
Provenance Information in the Web of Data
Provenance Information in the Web of DataProvenance Information in the Web of Data
Provenance Information in the Web of Data
Olaf Hartig
 
BigID DataSheet: Data Access Intelligence
BigID DataSheet: Data Access IntelligenceBigID DataSheet: Data Access Intelligence
BigID DataSheet: Data Access Intelligence
BigID Inc
 
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Steven Meister
 
The Privacy Law Landscape: Issues for the research community
The Privacy Law Landscape: Issues for the research communityThe Privacy Law Landscape: Issues for the research community
The Privacy Law Landscape: Issues for the research community
ARDC
 
Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17
Trish McGinity, CCSK
 
CBC GDPR The Physics
CBC GDPR The PhysicsCBC GDPR The Physics
CBC GDPR The Physics
Jason Chapman
 
The interface between data protection and ip law
The interface between data protection and ip lawThe interface between data protection and ip law
The interface between data protection and ip law
Francesco Banterle
 
Cor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popiCor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popi
Robust Marketing & Consulting (Pty) Ltd
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
week 7.pptx
week 7.pptxweek 7.pptx
week 7.pptx
StephenGwadi
 
Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach Cost
Resilient Systems
 
Co3 rsc r5
Co3 rsc r5Co3 rsc r5
Co3 rsc r5
Patrick Florer
 
Data Breaches and Security Rights in SharePoint Webinar
Data Breaches and Security Rights in SharePoint WebinarData Breaches and Security Rights in SharePoint Webinar
Data Breaches and Security Rights in SharePoint Webinar
Concept Searching, Inc
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management
Endcode_org
 
Beyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal AuditBeyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal Audit
Omo Osagiede
 
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Edge Pereira
 

Más contenido relacionado

La actualidad más candente

BigID Data Sheet HIPAA Data Security & Privacy
BigID Data Sheet HIPAA Data Security & Privacy BigID Data Sheet HIPAA Data Security & Privacy
BigID Data Sheet HIPAA Data Security & Privacy
BigID Inc
 
How to implement GDPR for the health sector, February 2018
How to implement GDPR for the health sector, February 2018How to implement GDPR for the health sector, February 2018
How to implement GDPR for the health sector, February 2018
Browne Jacobson LLP
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
Ulf Mattsson
 
BigID DataSheet: Data Access Intelligence
BigID DataSheet: Data Access IntelligenceBigID DataSheet: Data Access Intelligence
BigID DataSheet: Data Access Intelligence
BigID Inc
 
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Steven Meister
 

La actualidad más candente (13)

Isaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyIsaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacy
 
GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.
 
BigID Data Sheet HIPAA Data Security & Privacy
BigID Data Sheet HIPAA Data Security & Privacy BigID Data Sheet HIPAA Data Security & Privacy
BigID Data Sheet HIPAA Data Security & Privacy
 
How to implement GDPR for the health sector, February 2018
How to implement GDPR for the health sector, February 2018How to implement GDPR for the health sector, February 2018
How to implement GDPR for the health sector, February 2018
 
GDPR and Blockchain
GDPR and BlockchainGDPR and Blockchain
GDPR and Blockchain
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
Provenance Information in the Web of Data
Provenance Information in the Web of DataProvenance Information in the Web of Data
Provenance Information in the Web of Data
 
BigID DataSheet: Data Access Intelligence
BigID DataSheet: Data Access IntelligenceBigID DataSheet: Data Access Intelligence
BigID DataSheet: Data Access Intelligence
 
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
 
The Privacy Law Landscape: Issues for the research community
The Privacy Law Landscape: Issues for the research communityThe Privacy Law Landscape: Issues for the research community
The Privacy Law Landscape: Issues for the research community
 
Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17
 
CBC GDPR The Physics
CBC GDPR The PhysicsCBC GDPR The Physics
CBC GDPR The Physics
 
The interface between data protection and ip law
The interface between data protection and ip lawThe interface between data protection and ip law
The interface between data protection and ip law
 

Similar a Popi and Sharepoint 2010

Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach Cost
Resilient Systems
 
Data Breaches and Security Rights in SharePoint Webinar
Data Breaches and Security Rights in SharePoint WebinarData Breaches and Security Rights in SharePoint Webinar
Data Breaches and Security Rights in SharePoint Webinar
Concept Searching, Inc
 
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Edge Pereira
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
DATAVERSITY
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
Ulf Mattsson
 
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
One North
 

Similar a Popi and Sharepoint 2010 (20)

Cor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popiCor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popi
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
 
week 7.pptx
week 7.pptxweek 7.pptx
week 7.pptx
 
Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach Cost
 
Co3 rsc r5
Co3 rsc r5Co3 rsc r5
Co3 rsc r5
 
Data Breaches and Security Rights in SharePoint Webinar
Data Breaches and Security Rights in SharePoint WebinarData Breaches and Security Rights in SharePoint Webinar
Data Breaches and Security Rights in SharePoint Webinar
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management
 
Beyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal AuditBeyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal Audit
 
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...
 
Insight analytics: Identity Nexus - The Future of Consumer Personal Information
Insight analytics: Identity Nexus - The Future of Consumer Personal InformationInsight analytics: Identity Nexus - The Future of Consumer Personal Information
Insight analytics: Identity Nexus - The Future of Consumer Personal Information
 
GDPR in the Healthcare Industry
GDPR in the Healthcare IndustryGDPR in the Healthcare Industry
GDPR in the Healthcare Industry
 
Dealing with Dark Data
Dealing with Dark DataDealing with Dark Data
Dealing with Dark Data
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information Privacy
 
Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
Ethics in Data Management.pptx
Ethics in Data Management.pptxEthics in Data Management.pptx
Ethics in Data Management.pptx
 
Global Data Privacy Regulation
Global Data Privacy RegulationGlobal Data Privacy Regulation
Global Data Privacy Regulation
 
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 

Último (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Popi and Sharepoint 2010

  • 1. PROTECTION OF PRIVATE INFORMATION (PoPI) & SharePoint September 2012 Willem Burger Shoprite : SharePoint Lead
  • 2. Private Information of customers are one of the most important assets that many companies store.
  • 3. What is Privacy and Private Information? The Oxford Dictionary defines ‚privacy‛, as ‚the state of being left alone and not watched or disturbed by other people‛. From a business perspective it means that personal information must be used in an appropriate manner within defined parameters. The appropriateness of the use of personal information depends on a number of factors such as context, regulatory requirements, the individual’s expectations as well as the right of an individual to control how their personal information is used or ‘processed’.
  • 4. What is Privacy and Private Information? There are different types of privacy that individuals have rights to, each emphasising different aspects of privacy. These include:  physical privacy - relevant to government search and seizure operations and peeping toms;  bodily and decisional privacy - concerned with choice and the integrity of an individual's body, the right to abortion and cavity searches;  proprietary privacy - concerned with publicity, media representation and celebrity, ownership and control of the body, appearance and identity; and  information privacy - the interest an individual has in controlling information about them.
  • 5. What is Privacy and Private Information? It is important to understand that organisations have certain obligations when processing personal information and that individuals have certain rights. These may be established in laws, regulations and organisational policies. South Africa’s Protection of Personal Information Bill [No. 9 of 2009] (PoPI) is primarily focused on ‘information privacy’, also known as ‘data protection’ or ‘data privacy’.
  • 6. What is Personally Identifiable Information (PII)? Chapter 1 of PoPI defines personal information (PI) as meaning: ‘‘information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:  (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;  (b) information relating to the education or the medical, financial, criminal or employment history of the person;  (c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;  (d) the blood type or any other biometric information of the person;  (e) the personal opinions, views or preferences of the person;  (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;  (g) the views or opinions of another individual about the person; and  (h) the name of the person if it appears with other personal information relating to the person or if the  disclosure of the name itself would reveal information about the person” [3].
  • 7. What is Personally Identifiable Information (PII)? Examples of attributes that may include personal information are: passport and ID numbers; gender and biometric identifiers; bank account and credit card numbers; birth dates; home address details; personal telephone numbers for both landlines and mobile devices ; personal email and IP addresses; photographs; financial profiles; personal identification numbers (PINs) and passwords for financial accounts; health information; race; religious or philosophical beliefs; age;
  • 8. What is the scope of PoPI? PoPI covers the processing of personal information in both electronic and paper-based format. Processing in terms of PoPI means any operation or activity, concerning personal information, including :  (a) the collection, receipt, recording, storage, updating or modification, retrieval, alteration;  (b) distribution or making available in any other form; or  (c) merging, linking, erasure or destruction of information.
  • 9. Why is it so important to protect Personal Information? • Reputation • Globalisation • Legislation All have a financial Impact!
  • 10. What is the status of the legislation? The bill is due to be promulgated by the end of 2012 and there is a years grace to implement (therefore the end of 2013)
  • 11. How can Business and IT Pros be ready for PoPI with SharePoint
  • 12. What your business need to do? 1. Find the Data and Map the flow and storage of it. 2. Understand whether the data is needed, if not remove it. 3. Define rules for personal data storage and transmission against the legislation. 4. Secure the Data. 5. Educate users in terms of the rules.
  • 13. Fundamentals – Applied to SharePoint Assess • Where is personal information located? (libraries ,lists, documents, sql) • How do you know if you have PII in your SharePoint sites? The answer seems simple, you need to look for it! • Who has access to personal information? (check security) Secure (Focus on quick wins) • Use Groups and security settings of Sites and Libraries • Watch out for insiders, Administrators! Comply (Build into project plan) • Comply smart with a one project approach or per business leg, cost saving. • Comply by type . PCI Comply for Credit card info etc Respond (Be Prepared) • What is the action plan on a security incident? • What can customers expect when they call for their information? • Audit Logging and version history of SharePoint libraries.
  • 14. Four essential elements to responsibly protect and manage personal information More secure infrastructure Microsoft Forefront and Forefront Security for SharePoint (UAG & TMG) Identity and access control Active Directory and other identity and access control technologies. Information protection Information rights management - encryption so that only authorized parties can view or change . Protecting information at rest through the use of encryption . Auditing and reporting SharePoint administrators can set auditing policies to log activities. Coming laws generally require breach disclosure for security breaches which result in the loss or theft of their citizen's personally identifiable information (PII).
  • 15. ‚SharePoint Security‛ Permissions Permissions are not security. Relying on permissions only for your SharePoint Security strategy is a mirage . Hardening ‚What about least privilege administration?‛ The idea of least privilege is to limit the damage in the event that any single account gets compromised . Again, this is a mirage. User Behavior Another mirage is relying on end users to decide what they will or will not upload into SharePoint -‚2011 Digital Universe Study‛ IDC concluded that 28% of information needs security Extending a site extending a SharePoint site to make content accessible from the Internet. Extending a web site and opening a port on your border firewall creates a single point of failure
  • 16. Practical Example Capture a customers information on a Form that resides on our public website and submit this information into a library to be stored for processing. Assess • Where is personal information located? (Public site) • Who has access to personal information? (everyone if unsecure) Secure • HTTPS site or page (Port 443) • Via TMG Access only • Secure site library Comply • Build in Project plan a PoPI compliant design. Content cannot reside in public space. • How long should we retain this content? Respond • Customers content available on request visible only to owners. • Audit Logging and version history of SharePoint libraries confirm history.
  • 17. HTTPS://www.checkers.co.za /newcustomer Checkers WEB site customer T Library M Workflow or G retention policy FIREWALL Pulse Internal Site customer Libraries & pages http://pulses.hoprite.co.za/checkers/customers Group Security, Record management, Auditing, version history search etc. Workflow for customer processing
  • 18.
  • 20. Library (Document, form, lists etc) - Permissions - Auditing - Version History - Search
  • 21. PoPI in SharePoint Governance Permissions management (integrity , confidentiality, privacy) • Follow the Principle of Least Privilege • Give people access by adding them to standard, default SharePoint groups • Use permissions inheritance to create a clean, easy-to-visualize hierarchy. • Organize your content to take advantage of permissions inheritance.
  • 22. PoPI in SharePoint Governance Audit Tracking (Information management policy enforcement ) Record Centre • Vault abilities (ensure the integrity of the records ) • Information management policy enforcement • Record routing incoming records to their proper location, based on their record type. Track versions Search (Mark with restricted permissions )
  • 23. Data Governance Life Cycle or Information Flow Stages Collection PII from multiple sources. Set standards, respect Customer desire Storage Not just databases , it scatters to e-mails etc + devices Usage Data becoming more fluid, limit external use Retention/destruction Cheaper data storage. Don’t retain all. Setup finite lifespan for sensitive data
  • 24. Tools SharePoint Content Scanner SharePoint Risk Assessment You can perform scans of files in your SharePoint sites and find PII including credit card data, customer financial information, social security numbers, and other data patterns associated with PII. Resources http://www.sharepointdefenseindepth.com/ Run in Google site:<your domain>.co.za Check what is exposed and visible on your public sites. Refine and adjust sensitive data content privacy and security. Run again.
  • 25. In Conclusion • Private Information of customers are important assets • We have obligations when processing personal information • PoPI covers the processing of personal information • Assess, Secure , Comply , Respond • Get everyone on Board and aware of PoPI • Added bonus will be general Governance improvement of Customer specific sites and content • Have Security Policy around SharePoint and storage of PII
  • 26. Thanks Willem Burger Blog: http://sharepointburger.wordpress.com/ Twitter: http://twitter.com/willemburger Email : wburger@shoprite.co.za Questions?

Notas del editor

  1. Get educatedI think the big issue is that SharePoint professionals and information security professionals don’t spend enough time together.
  2. More secure infrastructure: Safeguards that protect against malware, intrusions and unauthorized access to personal information and protect systems from evolving threats.To help prevent unauthorized disclosure, organizations should build their IT infrastructure using software that is designed for maximum security (e.g. Microsoft Forefront and Microsoft Forefront for SharePoint*), and they should employ tools and services to continually protect against evolving threats.* Forefront Security for SharePoint: Formerly called Antigen for SharePoint, this product helps organizations protect their SharePoint Portal Server and Windows SharePoint Services deployments against viruses, worms and inappropriate content. Using multiple anti-virus engines, it scans all documents as they are uploaded or retrieved from SharePoint document libraries. It also offers content-filtering capabilities that help prevent inadvertent or intentional posting of documents containing offensive language or other inappropriate content, as well as file types that potentially expose organizations to legal risk, such as MP3 audio files.Identity and access control: Systems that help protect personal information from unauthorized access or use and provide management controls for identity access and provisioning.To reduce the risk of a deliberate or accidental data breach, and to help organizations comply with regulatory requirements, Microsoft offers identity and access control technologies (e.g. Active Directory management via SharePoint) that protect personal information from unauthorized access while seamlessly facilitating its availability to legitimate users.Information protection: Protecting sensitive personal information in structured databases and unstructured documents, messages and records by means such as encryption so that only authorized parties can view or change it throughout its life cycle.Information rights management technology extends the capabilities of RMS into the Microsoft Office system and Internet Explorer. The 2010 Microsoft Office system provides even broader RMS capabilities through new developments in Microsoft SharePoint. Administrators can set access policies for SharePoint document libraries on a per-user basis. For example, users who have “view-only” access to documents in a library—but cannot print, copy or paste—will have those policies enforced by RMS, even when the document has been removed from the SharePoint site.Auditing and reporting: Monitoring to verify the integrity of systems and data in compliance with business policies.SharePoint administrators can set auditing policies to log activities as reading, deletion and modification of documents, and monitor those policies through reports. They can also implement document-retention policies, such as “expiring” unneeded content after a certain amount of time.A major data spillage, security breach or failure to comply with government regulations can have significant long-term implications for an organization’s bottom line and for its brand. Managing and protecting sensitive personal information is not only the right thing to do for customers, it’s also the right thing to do from a business perspective.In combination with the right policies, people and processes, technology like SharePoint can help lay a strong foundation for a successful data governance strategy.
  3. Follow the Principle of Least Privilege: Give people the lowest permission levels they need to perform their assigned tasks.Give people access by adding them to standard, default SharePoint groups (such as Members, Visitors, and Owners). Make most people members of the Members or Visitors groups, and limit the number of people in the Owners group. Use permissions inheritance to create a clean, easy-to-visualize hierarchy. That is, avoid granting permissions to individuals, instead work with SharePoint groups. Where possible, have sub-sites simply inherit permissions from your team site, rather than having unique permissions.Organize your content to take advantage of permissions inheritance: Consider segmenting your content by security level – create a site or a library specifically for sensitive documents, rather than having them scattered in a larger library and protected by unique permissions.
  4. Audit Tracking (Information management policy enforcement )For sensitive files define a policy that allows you to enable &apos;Audit&apos; tracking of events, such as file changes, copies or deletion.Record CentreCentral repository in which an organization can store and manage all of its records or sensitive and PII content such as legal or financial documentsVault abilities (ensure the integrity of the records )Information management policy enforcementRecord routing The Records Center includes a Content Organizer automatically routes incoming records to their proper location, based on their record type.Track versionsIf you need to keep previous versions of files, libraries can help you track, store, and restore the files. SearchAs a site owner, you can choose whether or not the content on your site appears in search results. Make sure content is marked with restricted permissions so that it does not appear in search results for users who don’t have the permissions to read it
  5. This information flow (AKA the Data Governance Life Cycle) comprises four key stages, within which an organization can construct many unique data governance scenarios to address specific considerations. The four stages are:Collection: Personal information is usually collected from multiple sources (in person, online, via other systems, 3rd party, etc.) and must establish appropriate controls that uniformly assure privacy policy compliance regardless of collection method. This involves setting consistent standards and expectations in contracts with external partners that receive or manage the information, as well as addressing consumers’ desire for greater choice and control in how their personal information is collected. It also requires the organization to consider how these policies will be honoured throughout the lifespan of the data.Storage: While protecting data stored only in a database is relatively straightforward, the task is far more complex as personal information scatters within and between organizations in unstructured forms such as e-mail, spreadsheets and text documents. As data in these forms is increasingly being stored on laptops and mobile devices, the risk of data breaches has risen sharply—which in turn may require organizations to implement more aggressive and sophisticated storage controls.Usage: As information becomes increasingly fluid, it is also subject to access by multiple applications and people—including many that are outside the organization as a by-product of outsourcing agreements and partnerships. In this environment, ensuring that only the right people can gain access to this data and enforcing strict limits on their ability to take data outside the organization (such as on their laptops) are crucial considerations.Usage also results in new data describing how the target data was used, when it was accessed, by whom and so on. This data represents a record of data use and is commonly called metadata. Importantly, all of the controls applied to the target data must also be applied to metadata.Retention/destruction: Data storage is becoming cheaper every day, to the point where many organizations have found that the time involved in deciding which records to delete from their systems is more costly than simply retaining it all. However, this practice does not account for the liabilities associated with holding onto sensitive personal and confidential information after it has outlived its usefulness. Viewed from the standpoint of minimizing an organization’s exposure to risk from a data breach, the effort involved in setting a finite lifespan for sensitive data and enforcing policies for its automatic deletion or secure archival is a worthwhile investment.A multifaceted approach to data governance involves a combination of policy, people, processes and technology. While all components are essential for proper data governance, the technology component (like the use of SharePoint) will be the focus of this article.Technology has a key role in enabling organizations to implement effective data governance processes, policies, and compliance with business practices and regulations.