CURRENT IT SECURITY INCIDENTS: BEYOND THE HEADLINES - IM AWARE - JUNE Michael Alguire


1
CURRENT IT SECURITY INCIDENTS: BEYOND THE HEADLINES
IM AWARE - JUNE 2018
Michael Alguire

2
INFORMATION SECURITY
Technology Controls
IM Practices
Business Processes

3
11.8 million was transferred to scammers' accounts in Hong Kong and Montreal
Largest publicly disclosed incident in Canada
Private sector data is not easily available, but anecdotally this is not large or unusual
How did this happen?
Spear phishing
Financial controls failure / human process

4
Provincial FOIP website leaked FOIP documents
19-year-old man charged, then charges dropped
Approx. 7,000 documents were inappropriately accessed
Approx. 250 contained highly sensitive PII
How did this happen?
Security not engaged in design. NO code weakness to hack.
Penetration testing not conducted.

5
"Test your Personality" app
K users logged in and completed the test
Because of historical settings, almost all of them had friends permissions set
This allowed 270 mined profiles to become 50 million
Data legally obtained due to contract clauses
How did this happen?
Contractual complexity
Users not realizing Facebook has to monetize your data

6
Comment in 2014 when Facebook removed 3rd-party access
Sound familiar? Think Open Data

7
PASSWORD / PASSPHRASE

8
QUESTIONS?

9
Enterprise Information Management Update, June 2018

ecourse modules
You may have noticed that IM (and FOIP) ecourses appear in the Government of Alberta (GoA) Learning Management System (LMS) with "V2" as part of the course name. In order to establish new due dates and track completions for non-mandatory courses, the LMS requires course modules to be re-uploaded into the system. To differentiate between course completions from last fiscal year and this fiscal year for reporting purposes, "V2" was added to the course names. The course content remains the same. The Public Service Commission administers the LMS on behalf of government and is working with the vendor to devise a way to report on non-mandatory courses. Until then, Enterprise IM will send monthly completion reports to all department senior records officers.

IM guidance for internal social media platforms in GoA
In conjunction with last month's announcement from the DM of Executive Council on the relaunch of Yammer as a communications and collaboration tool, Enterprise IM published IM guidance on Using internal social media platforms in the GoA. These platforms are subject to mandatory business requirements that promote compliance with the Alberta Records Management Regulation and provide guidance for the creation, use, management and disposition of government information. The document is posted online in Managing Government Information, Content Management.

PCI compliance
We are happy to announce that as of June 1, 2018, the ARC has successfully completed a compliance assessment to be the GoA's approved PCI storage facility for records that may contain LCHD until final disposition. TBF has also approved our contracted storage vendor, Iron Mountain, as a PCI-compliant LCHD storage facility.

The Payment Card Industry Data Security Standard (PCI-DSS) sets out requirements for securing credit card data that is stored, processed and/or transmitted by merchants and other organizations. The GoA's current environment for processing credit card information is PCI-DSS compliant as of However, legacy cardholder data (LCHD) from past credit card processing practices continues to exist across the GoA. Treasury Board and Finance (TBF) is responsible for merchant services and PCI compliance within the GoA and has completed assessments of participating ministry program areas to locate and identify all LCHD. Due to the complexity of the PCI-DSS requirements for securing and storing LCHD, TBF approached the Alberta Records Centre (ARC) in 2017 to explore an option for the ARC to become the secure LCHD storage facility for the GoA. Over the next several months, program areas with LCHD will be transferring their LCHD physical records to the ARC. TBF anticipates the GoA will be fully LCHD PCI compliant, for both physical and electronic records, by end of
Security Classification: PUBLIC June 2018

10
Inactive records storage at ARC
The Service Catalogue listing for Inactive Records storage at the Alberta Records Centre (ARC) has been updated to reflect a comprehensive review of the service. These changes are effective immediately and include the following:
- Development of an ARC business rules processing matrix showing different scenario types of a record and where they can be stored.
- A pilot project to reduce the minimum time remaining in a records retention period from two years to one year for intakes to the ARC. This pilot will be reviewed in one year to evaluate the effectiveness and efficiency of the new rule.
- Agencies, boards, and commissions are now officially able to access ARC storage services.
- Updated processes to address boxes not inbounded, either new or refiles, within timeframes.
- Updated features to include that the ARC is an approved storage facility for physical records containing legacy cardholder data.

Policy
Data and information management policy is in development. Revisions to the draft are being incorporated.
Information inventory guidance is in development, based on research, best practice and documentation received from TBF.
Data and Information Security Classification is being revised. Engagement sessions will be scheduled soon with the SRO and MISO communities to enhance guidance for the standard. Note: Security classifications and their definitions are not being changed.

Standards
Digitization standard and supporting guidance is being updated to reflect changes in national (e.g. CGSB) and international (e.g. ISO) standards.
Functional classification standard (business classification scheme) and supporting guidance is in development. The standard and guidance are being developed because they are a vital part of the success of current initiatives such as ERP and ECM.

IMT Governance
Service Alberta's Deputy Minister announced a change to the department's organizational structure last month to better align with and achieve the priorities of government, and to enable SA to better meet the needs of Albertans and the government going forward. The Information Management Branch is now called Enterprise Information Management and is part of Enterprise Information Management and Technology (IMT) Services in the Office of the Corporate Chief Information Officer (OCCIO). Mark Brisson, Senior Assistant Deputy Minister/Corporate CIO, leads the OCCIO and Martin Dinel is now Acting Executive Lead of Enterprise IMT Services. I would like to take this opportunity to thank our former ADM, Manon Plante, for her leadership and support of the IM program over the last year and a half.

11
IM Community Announcements

Provincial Archives of Alberta
To celebrate the web release of a new Provincial Archives of Alberta (PAA) publication, Your Archives, Your Project, the PAA will host presentations and tours throughout that highlight how you can use the records found at the PAA in your own work and projects. Presentations are approximately 30 minutes in length and will be followed by a one-hour theme-related tour of the facility. Join the PAA on Monday, June 25 for a closer look at the records held at the PAA related to Indigenous peoples and how the PAA is building relationships with Indigenous communities. After the summer break, presentations will resume in September; dates and times are to be announced. You will find the complete list of presentations and registration instructions in the Community Updates section of today's presentation material, which will be posted online following this morning's session.

Starting in September, the PAA will continue with an overview of how government researchers can access records at the PAA, and monthly presentations which highlight:
o Using the land records that the PAA holds;
o Exploring the "Oddities", or unexpected government records, that the PAA has received;
o Discovering Alberta's visual history;
o Preserving records at the PAA and how you can help to preserve those records still held by ministries;
o Examining the PAA's Francophone partnerships and our Francophone records;
o Utilizing archival architectural, engineering, and technical drawings from the perspective of the business area; and
o Looking at the records about overseas taxation and Gainers Limited, an early Edmonton meat-packing company, to demonstrate how the PAA can help you find the record you need for your work!

Dates and times of the sessions from September onwards are to be announced. To register or inquire further about the presentations, please email GR_reference@gov.ab.ca.