Privacy vs. Security: Do We Have to Choose?
Ohio Digital Summit
Wednesday, September 16
Columbus, Ohio

Office of Information Security & Privacy
Dave Brown
Chief Information Security Officer
Daren Arnold
Chief Privacy Officer
9/16/2015

Privacy
Definition: Respecting the choices people make about what personal information is disclosed, when, and also how it is used

Privacy Practice:

Addressing privacy risks on a daily, "as we do business" level
People, processes and technology
Looks for win-win, tries to avoid zero-sum

Privacy's Fair Information Practice Principles
Transparency
Individual Participation
Purpose Specification
Data Minimization
Use Limitation
Data Integrity
Security
Accountability

Why privacy?
Mitigate potential harms to people
Build trust
Support citizen-centric services
Avoid project-ending or delaying controversies
Support data management
Comply with legal requirements*
Security's Foundational Principles
Confidentiality
Integrity
Availability

Security's Foundational Principles
Confidentiality
Integrity
Availability
Also examines:
People
Processes
Technology
Why security?
Enables privacy
Mitigates potential harm to people and organizations
Protects the trust with people and businesses
Comply with legal requirements
Ensures continuity of government

Shared Goal = Build Trust

Other foundational principles
Security
Confidentiality
Integrity

Privacy

Use limitation
Integrity
Security

Other foundational principles
Security
Confidentiality
Integrity

Privacy
Use limitation
Integrity
Security

Both look at:
People
Processes
Technology

Misconceptions = Missed Opportunities

Building trust & other shared goals
Extend relationships
Connect business to IT in terms of risk mitigation

Mishandled PII
Mishandled incidents
Our Experience
Info sec team will identify privacy issues
Info sec team encourages privacy impact assessments and looks for those
Plus a number of efforts that closely relate

Related efforts
Training and awareness
Notice and warning banners
Contracts

Incident response, use, termination

Incident response

Is this information considered PII and subject to specific laws?
Reporting and notice legal requirements?
Evaluation of specific risks to individuals affected by an incident
ID theft protection service
Internal reporting
Incident response planning

More than enough work to go around

Still some responsibilities are separate
Privacy more involved with business/legal
Authorized use: did the business unit consider privacy implications?
Privacy principles (no overlap)
Consent and right to inspect
Data minimization
Transparency

Still separate efforts
Info Security

About securing non-PII data, too


Securing systems per agency-centric risk


Office of Information Security & Privacy
