PRIVACY POLICY from the Washington State Perspective - PowerPoint PPT Presentation

About This Presentation
Title: PRIVACY POLICY from the Washington State Perspective
Description: "Privacy is a distinctly modern product, one of the luxuries of civilization. ..." "Do not wait for a privacy meltdown of Chernobyl-like proportions before you ..." (PowerPoint PPT presentation)
Slides: 19
Provided by: elle150

Transcript and Presenter's Notes

1
PRIVACY POLICY from the Washington State Perspective
  • Roselyn Marcus
  • Acting Manager
  • Contracts and Legal Affairs Office
  • Washington State Department of Information
    Services

2
AGENDA
  • Context in which we operate: the federal and state
    legal framework
  • Governor's Executive Order: cornerstone of
    Washington privacy policy
  • Security versus Privacy

3
A Modern View of Privacy
Circa 1890
"Privacy is a distinctly modern product, one of
the luxuries of civilization." - E. L. Godkin
(1890)
Source: Scribner's Magazine, 1890
4
A Modern View of Privacy
Circa 2001
  • "The idea that technology and privacy are
    intrinsically opposed is false."
    - Phil Agre, UCLA Professor
  • "The protection of privacy has brought a new
    sector of the economy into being. Among
    entrepreneurs and venture capitalists it is
    known as the privacy space."
    - Toby Lester, Atlantic Monthly

Source: Atlantic Monthly, March 2001
5
Legislative Approach
"Do not wait for a privacy meltdown of Chernobyl-like
proportions before you endorse some
governmental role." - Rep. Ed Markey
"Now is the time for a comprehensive privacy
infrastructure." - Evan Hendricks, Editor
6
The nature of the information is what counts ...
not the nature of the technology.
Treat ALL records of a type the same.
Or: Internet privacy is not separate from
privacy.
7
Executive Order 00-03
Public Records Privacy Protections
  • Minimizing the collection, retention, and
    release of personal information by the state;
  • Prohibiting the unauthorized sale of citizens'
    personal information by state government;
  • Providing citizens with broad opportunities to
    know what personal information about them the
    state holds, and to review and correct that
    information; and
  • Making certain that those who violate this trust
    are held accountable.

"96% of survey respondents were concerned with the
confidentiality of their information." - Gilmore
Research Group, 2001
8
Executive Order 00-03
Major Provisions
  • Protecting the Confidentiality of Personally
    Identifiable Information.
  • Prohibiting the Sale of Personal Information.
  • Limitation on Collection and Retention of
    Personal Information.
  • Protection of Personal Information used by
    Contractors.
  • Prohibiting the Release of Lists of Individuals
    for Commercial Purposes.
  • Internet Privacy Policies.
  • Notification and Correction.
  • Citizen Complaints and Oversight.
  • http://www.governor.wa.gov/eo/eo_00-03.htm
9
Model Privacy Notice
Major Provisions
  • Information Collected and How Used.
  • Personal Information and Choice.
  • Public Access to Information.
  • Nondisclosure of Certain Personal Information.
  • Review and Correction of Personally Identifiable
    Information.
  • Cookies and Applets.
  • Security.
  • Disclaimer.
  • Contact Information.
  • http://www.wa.gov/dis/architecture/FinalPrivacyModel.htm
10
IMPACT ON E-GOVERNMENT
Major Impacts
  • Privacy Notices on the Web
  • Contracting Procedures
  • Personal Identifiers
  • Retention issues
  • Access Control
  • Staff Education and Training
11
Security keeps the privacy promise.
State security architecture and policy are both
based on the premise of mutual distrust until
proven friendly.

"44% concerned about Internet security."
- Gilmore Research Group, 2001

Risks addressed:
  • Information Integrity
  • Misuse
  • Unauthorized Information Browsing
  • Penetration
  • Computer Viruses
  • Fraud
  • Component Failure
12
Security versus Privacy
  • Privacy - The assurance that information provided
    for a specific purpose will not be used by the
    recipient for purposes not authorized by the
    provider.
  • Security - Measures and controls that ensure
    confidentiality, integrity, availability, and
    accountability of the information transmitted
    over a network or processed and stored by a
    computer.

13
Managing Risk
"The key mistake people make is that they think
about it wrong. They think, 'How do I avoid the
threat?' When they should be thinking, 'How do I
manage the risk?'"
  • Bruce Schneier, Founder & CTO, Counterpane
    Internet Security, and author of Secrets & Lies:
    Digital Security in a Networked World

Source: Bruce Schneier, Secrets & Lies: Digital
Security in a Networked World, New York: John
Wiley & Sons, 2000.
14
IT Security Policy
Managing RISK
  • The intent of the policy is that the state's
    transition from multiple proprietary network
    connections over dedicated leased networks to the
    Internet for conducting vital public business
    incorporate:
  • Common approaches to end-user authentication
  • Consistent and adequate network, server, and
    data management
  • Appropriate uses of secure network connections
  • The closing of unauthorized pathways into the
    network and into the data
  • The integrity of which is audited every three
    years by an independent, knowledgeable party
  • http://www.wa.gov/dis/portfolio/itsecuritypolicy.htm

15
IT Security Policy
Shared SECURITY LAYER
  • Such an environment is made possible through an
    enterprise approach to security in state
    government that:
  • Promotes an enterprise view among separate
    agencies
  • Requires adherence to a common security
    architecture and use of recoverable
    infrastructure
  • Recognizes an interdependent relationship among
    agencies, such that strengthening security for
    one strengthens all and, conversely, weakening
    one weakens all
  • Assumes mutual distrust until proven friendly,
    including relationships within government, with
    trading partners, and with anonymous users
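The definitions on slide 12 (privacy as use limited to the purpose the provider authorized; security as confidentiality, integrity, availability and accountability) and the "mutual distrust until proven friendly" premise on slide 15 can be shown together in a small piece of code. The Python below is an added example, not code from this presentation or from Washington State DIS: the record layout, the purpose vocabulary, the hard-coded refusal of a "commercial_sale" purpose (chosen to mirror the Executive Order's ban on selling personal information) and the SHA-256 hash-chained audit log are all assumptions of the example.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """Personal information plus the purposes its provider authorized."""
    subject: str
    data: dict
    purposes: frozenset  # e.g. frozenset({"license_renewal"}); assumed vocabulary


class PurposeDenied(PermissionError):
    """Raised when a use is not covered by the provider's authorization."""


class RecordStore:
    """Purpose-bound record store with a tamper-evident audit trail.

    Privacy side: a record is released only for a purpose its provider
    authorized. Security side: every decision, allow or deny, is appended
    to a SHA-256 hash chain so that a deleted, edited or reordered entry is
    detectable (integrity and accountability). The default is deny: unknown
    subjects and unlisted purposes are refused without special-casing.
    """

    # Purposes refused regardless of consent; constructed to mirror the
    # Executive Order's prohibition on selling personal information.
    FORBIDDEN = frozenset({"commercial_sale"})
    GENESIS = "0" * 64

    def __init__(self):
        self._records = {}
        self._audit = []          # list of (entry, digest)
        self._head = self.GENESIS

    def put(self, record):
        self._records[record.subject] = record

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def _log(self, **fields):
        entry = dict(fields, prev=self._head)   # link to the previous entry
        self._head = self._digest(entry)
        self._audit.append((entry, self._head))

    def access(self, actor, subject, purpose):
        rec = self._records.get(subject)
        allowed = (rec is not None
                   and purpose not in self.FORBIDDEN
                   and purpose in rec.purposes)
        self._log(actor=actor, subject=subject, purpose=purpose,
                  decision="allow" if allowed else "deny")
        if not allowed:
            raise PurposeDenied(f"{actor} may not use {subject!r} for {purpose!r}")
        return rec.data

    def decisions(self):
        return [entry["decision"] for entry, _ in self._audit]

    def audit_ok(self):
        """Re-walk the chain; False if any entry was altered, dropped or reordered."""
        prev = self.GENESIS
        for entry, digest in self._audit:
            if entry.get("prev") != prev or self._digest(entry) != digest:
                return False
            prev = digest
        return prev == self._head


def demo():
    """Constructed scenario: a record provided for license renewal only."""
    store = RecordStore()
    store.put(Record("citizen-1", {"name": "A. Example", "city": "Olympia"},
                     frozenset({"license_renewal"})))
    store.access("clerk", "citizen-1", "license_renewal")        # allowed
    for purpose in ("marketing_list", "commercial_sale"):        # both refused
        try:
            store.access("vendor", "citizen-1", purpose)
        except PurposeDenied:
            pass
    decisions = store.decisions()
    intact = store.audit_ok()
    store._audit.pop(1)          # simulate someone scrubbing a deny record
    return decisions, intact, store.audit_ok()


if __name__ == "__main__":
    print(demo())
```

The purpose check is the privacy promise; the hash chain is what lets the accountability clause of the security definition be honoured afterwards. Note that the chain only detects tampering, it does not prevent it: in a real deployment the head digest would be periodically written somewhere the log's own administrators cannot alter.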

16
IT Security Guidelines
Agency-to-ENTERPRISE
Access Security
  • Identification and Authentication
  • Authentication Risk Level Determination
  • Digital Signatures and Certificates
  • Logon and Password controls
  • Control use of dial-up lines
  • Protect long distance authorization codes
  • Recording of telecommunications access
  • Manufacturer, vendor, 3rd party access
Data Security
  • Agency data security policy statements
  • Software Version Control and Currency
  • Access control techniques
  • Data entry processes
  • Processing accuracy
  • Distribution of output reports and introduction or
    release of data
  • Data and program back-up
  • Media Protection
  • Controls to prevent unauthorized use or removal of
    media
  • Data encryption guidelines for storage and
    transmission
  • Processing audit trails
  • System access violations
  • Virus prevention, detection, and removal
  • Control of Interactive Internet Technology
  • Disposal of Sensitive Hardcopy Data
  • Software Testing
Physical Security
  • Facility characteristics/physical security
    attributes
  • Physical Access control
  • Data storage and telecommunications controls
  • Off-site media storage
  • Mobile/remote computing security control
Personnel Security
  • Hiring practices
  • Vendor and service personnel monitoring
  • Reference checks
  • Security awareness training
Network/Telecommunications Security
  • Network and telecommunications management
  • Inventory control
  • Secure location of communications equipment
  • Prevention of tampering
  • Terminal, remote job entry (RJE) and network node
    access security
  • Controls to prevent unauthorized program
    installation on computer systems
  • Network Security Breach Detection
  • Network Security Breach Response
  • Use of Virtual Private Networks
Source: IT Portfolio Management
17
IT Security Architecture
Building a Shared Trusted ENVIRONMENT
Forward Function: Enterprise Security Design
  • Washington State IT Security Policy
  • Transact Washington Secure Gateway
  • Electronic Authentication Act
  • Internet Security Architecture
  • Digital Certificate Strategic Initiatives
  • Washington State Certificate Policy
  • State Certification Authority (CA)
Timeline labels on the slide: 1995, 1998, 2000, 2001
18
CONCLUSION
  • A Privacy Policy is a total program.
  • A Privacy Policy requires constant monitoring and
    updating.
  • A Privacy Policy includes a focus on security.
  • It is easier to build into your systems from the
    start than to re-engineer later on.
  • Build it and they may not come.