Tuesday, February 13, 2007

Data Security - California SB1386 – Risk/Mitigation analysis


As a Technology Officer, I consult with aerospace and automotive clients. I came across the California SB1386 security regulation and foresee the following areas and effects that one will encounter, particularly in an offshore/onshore consulting environment. In the sections below I analyze each issue, present my views, and briefly describe the risk and its mitigation.


Issue 1: Design of new systems that will interact with HR systems containing employees' personal information
Risk: Personal data may be captured in the new local system, either persistently or in a cache. If that data is not encrypted, it can be viewed and misused by the system designer/developer.
Mitigation: Analyze the need to transfer personal data at the design stage and eliminate the data packets that contain it. If the new system genuinely needs access to personal data, design in encryption for both cached and persistent copies for the entire lifecycle of the data.

Issue 2: Involvement of human resources who interact with systems containing personal data (of employees or customers)
Risk: Deliberate or inadvertent misuse of personal data, for example leaving handwritten notes behind after testing the system, or copying data sets onto a personal laptop/desktop that does not belong to the customer's system environment.
Mitigation: Have the developers and designers involved undergo training on personal data regulation and bring them under an appropriate governance structure, such as a signed contract on personal data usage. Also ensure that notification mechanisms are developed and tested as part of the enterprise governance structure, so that affected parties are notified when a potential misuse or loss of personal data occurs.

Issue 3: Design of systems that interact with third-party partner systems that transmit personal data
Risk: Potential transfer of the company's data set containing personal data to the partner, and vice versa. As in Issue 1, the data may be stored persistently or cached on a local system.
Mitigation: As in Issue 1, analyze and eliminate the need for personal data transfers, or implement appropriate encryption mechanisms. The mitigation factors described in Issue 2 also apply here.

Issue 4: Human resources who transport personal data on mobile devices such as laptops and PDAs
Risk: Loss of mobile devices containing personal data, for example laptop thefts, which are increasingly common.
Mitigation: Define and implement rules for transporting personal data on mobile devices within the data security governance structure. For example, define which levels of employees are eligible to transfer and carry personal data on mobile devices, and educate employees on the risks of carrying personal data and the corresponding mitigations (for example, direct them to keep the device within personal reach at all times while it is outside the work location, and never to check in the laptop bag when flying). Define and enforce a strong encryption process when data is transferred from the company's systems to a laptop, and ensure that laptops cannot receive any external system data without encryption. Define and implement dataset self-destruction mechanisms, for example: if a dataset is not accessed for a stipulated time, it is automatically deleted and/or becomes unusable.
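The dataset self-destruction mechanism mentioned above, as an added illustration that is not part of the original post: a small Python store that keeps a last-access manifest, serves a dataset only while it has been read within a time-to-live, and otherwise overwrites and unlinks the file. The directory layout, the manifest file name, the TTL and the simulated clock in demo() are assumptions constructed for this example; encryption of the files themselves, which the post also calls for, is assumed to be provided separately by disk or file encryption.

```python
import json
import os
import time
from pathlib import Path
from typing import Callable, Dict, List, Optional

MANIFEST = "manifest.json"   # assumed name; records last-access time per dataset


class ExpiringStore:
    """Holds datasets on a laptop; anything not read within ttl_seconds is wiped."""

    def __init__(self, root: str, ttl_seconds: float,
                 clock: Callable[[], float] = time.time):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable so expiry can be tested
        self._manifest = self.root / MANIFEST
        if not self._manifest.exists():
            self._manifest.write_text("{}")

    def _load(self) -> Dict[str, float]:
        return json.loads(self._manifest.read_text())

    def _save(self, m: Dict[str, float]) -> None:
        self._manifest.write_text(json.dumps(m))

    def put(self, name: str, data: bytes) -> None:
        (self.root / name).write_bytes(data)
        m = self._load()
        m[name] = self.clock()                  # start the idle timer
        self._save(m)

    def get(self, name: str) -> Optional[bytes]:
        m = self._load()
        if name not in m:
            return None
        if self.clock() - m[name] > self.ttl:   # stale: destroy on touch, refuse
            self._wipe(name, m)
            return None
        m[name] = self.clock()                  # fresh read resets the idle timer
        self._save(m)
        return (self.root / name).read_bytes()

    def sweep(self) -> List[str]:
        """Periodic job: wipe every dataset whose idle time exceeds the TTL."""
        m = self._load()
        now = self.clock()
        stale = [n for n, t in m.items() if now - t > self.ttl]
        for n in stale:
            self._wipe(n, m)
        return stale

    def _wipe(self, name: str, m: Dict[str, float]) -> None:
        p = self.root / name
        if p.exists():
            size = p.stat().st_size
            with open(p, "r+b") as f:           # overwrite before unlink (best effort)
                f.write(os.urandom(size))
                f.flush()
                os.fsync(f.fileno())
            p.unlink()
        m.pop(name, None)
        self._save(m)


def demo(root: Optional[str] = None) -> Dict[str, object]:
    """Walk one dataset through read, idle and expiry using a simulated clock."""
    import tempfile
    root = root or tempfile.mkdtemp(prefix="expiring-")
    now = [1_000_000.0]                         # simulated clock, seconds
    store = ExpiringStore(root, ttl_seconds=3600, clock=lambda: now[0])
    payload = b"emp_id,name\n1001,Alice Example\n"   # constructed HR extract
    store.put("hr_extract.csv", payload)
    now[0] += 1800
    first_read = store.get("hr_extract.csv")    # 30 min idle: served, timer reset
    now[0] += 3000
    early = store.sweep()                       # 50 min since last read: kept
    now[0] += 700
    late = store.sweep()                        # 61 min 40 s since last read: wiped
    return {
        "first_read_ok": first_read == payload,
        "early_sweep": early,
        "late_sweep": late,
        "after_wipe": store.get("hr_extract.csv"),
        "file_gone": not (Path(root) / "hr_extract.csv").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The overwrite in _wipe is best effort only: on SSDs and journaled or copy-on-write filesystems old blocks may survive, so the reliable way to make an expired dataset unusable is to keep it encrypted and destroy the key, with the overwrite as defence in depth.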

Issue 5: Consultants giving out their personal data to the customer company, for example providing name, DOB and SSN to obtain badges during an onsite visit
Risk: Misuse of personal data transmitted over fax or in paper documents sent by mail/courier. Consultants visiting onsite from India may not be aware of identity theft, as such concepts are not yet prevalent in emerging countries like India. Such consultants may inadvertently leave paper trails in public places, opening the way to identity theft.
Mitigation: Train employees on the risks and mitigations of providing personal data to the companies they visit onsite, and on the danger of inadvertently exposing such data in public places. Educate them on the process for seeking help when needed. The mitigation mechanisms described in Issue 2 (governance structure, notification mechanisms, etc.) should also be included here.

Issue 6: Offshore consultants who take part in system design/development with test data containing personal information
Risk: As in Issue 2, but here the effects may be far reaching: for example, SSNs and credit card numbers exposed in a different country could be grossly misused to buy merchandise or services online in a short time, without the traceability that would be possible within US jurisdiction.
Mitigation: Implement elements in the governance structure that completely restrict transmission of personal data to offshore locations. For testing purposes, only fictitious data should be created at offshore facilities. Onsite coordinators should be trained on the governance structure, the risks and the mitigations so that the risks are eliminated.
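To make the Issue 6 mitigation concrete (and the Issue 1 point about eliminating personal data before it leaves the onsite environment), here is an added example that is not part of the original post: a Python script that scans a test extract for SSN-shaped and Luhn-valid card-shaped values, and produces a fictitious copy in which each real value is replaced by a consistent keyed pseudonym, so that offshore test cases still join records correctly while no real identifier crosses the border. SAMPLE, DEMO_KEY, the regexes and the leading "4" on the fictitious card numbers are assumptions constructed for this example; names and DOBs are left alone here and would need the same treatment in practice.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Format checks (constructed for this example). The SSN pattern skips areas
# 000, 666 and 9xx, which the SSA does not issue as SSNs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, space/dash separators

DEMO_KEY = b"rotate-me-demo-key"   # constructed; in practice kept onsite, never sent offshore

SAMPLE = (   # constructed test extract, not real people; row 1003 repeats 1001's identifiers
    "employee_id,name,dob,ssn,card\n"
    "1001,Alice Example,1980-04-12,123-45-6789,4111 1111 1111 1111\n"
    "1002,Bob Example,1975-09-30,321-54-9876,5500 0000 0000 0004\n"
    "1003,Alice Example,1980-04-12,123-45-6789,4111 1111 1111 1111\n"
)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Report SSN-shaped and Luhn-valid card-shaped values found in a text blob."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return {"ssn": SSN_RE.findall(text), "card": cards}


def _digest(value: str, key: bytes) -> int:
    """Keyed digest so the same real value always maps to the same pseudonym."""
    return int(hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16], 16)


def fake_ssn(real: str, key: bytes) -> str:
    """Deterministic pseudonym in area 000, which is never assigned as a real SSN."""
    n = _digest(real, key)
    return "000-%02d-%04d" % (n % 99 + 1, (n // 100) % 10000)


def fake_card(real_digits: str, key: bytes) -> str:
    """Deterministic 16-digit pseudonym with a valid Luhn check digit.
    The leading '4' is an assumption; use a processor-designated test BIN in practice."""
    body = "4" + str(_digest(real_digits, key)).zfill(14)[-14:]
    check = next(str(d) for d in range(10) if luhn_ok(body + str(d)))
    return body + check


def sanitize(text: str, key: bytes) -> str:
    """Replace every real SSN / card number with its pseudonym, consistently."""
    text = SSN_RE.sub(lambda m: fake_ssn(m.group(), key), text)

    def card_repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return fake_card(digits, key) if luhn_ok(digits) else m.group()

    return CARD_RE.sub(card_repl, text)


if __name__ == "__main__":
    print("found before:", find_pii(SAMPLE))
    clean = sanitize(SAMPLE, DEMO_KEY)
    print(clean)
    print("found after:", find_pii(clean))
```

The pseudonyms keep the format of the originals so that offshore test suites still exercise validation and join logic, but the key that produced them never leaves the onsite environment, so the mapping cannot be reversed offshore. Running find_pii over the sanitized output before a hand-off gives the onsite coordinator a simple check that no real SSN survived.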


1 comment:

Anonymous said...

This is great info to know.