Sunday, February 20, 2011

Protection of Personal Information (PPI) and SharePoint – Part 2 of 2

Microsoft's answer to PPI is proper data governance.

Data governance involves the management of personal information in a manner that supports an organization’s mission, complies with imposed regulations as well as its own policies and aligns with customer expectations.

Examining how information flows throughout an organization over time, and how it is being accessed by multiple applications and people for various purposes, will clarify the various areas where the organization should deploy technologies to protect private information. This information flow (AKA the Data Governance Life Cycle) comprises four key stages, within which an organization can construct many unique data governance scenarios to address specific considerations.  The four stages are:

Collection: Personal information is usually collected from multiple sources (in person, online, via other systems, 3rd parties, etc.), and the organization must establish appropriate controls that uniformly assure privacy policy compliance regardless of the collection method. This involves setting consistent standards and expectations in contracts with external partners that receive or manage the information, as well as addressing consumers' desire for greater choice and control over how their personal information is collected. It also requires the organization to consider how these policies will be honoured throughout the lifespan of the data.

Storage: While protecting data stored only in a database is relatively straightforward, the task is far more complex as personal information scatters within and between organizations in unstructured forms such as e-mail, spreadsheets and text documents. As data in these forms is increasingly being stored on laptops and mobile devices, the risk of data breaches has risen sharply—which in turn may require organizations to implement more aggressive and sophisticated storage controls.

Usage: As information becomes increasingly fluid, it is also subject to access by multiple applications and people—including many that are outside the organization as a by-product of outsourcing agreements and partnerships. In this environment, ensuring that only the right people can gain access to this data and enforcing strict limits on their ability to take data outside the organization (such as on their laptops) are crucial considerations.
Usage also results in new data describing how the target data was used, when it was accessed, by whom and so on. This data represents a record of data use and is commonly called metadata. Importantly, all of the controls applied to the target data must also be applied to metadata.

Retention/destruction: Data storage is becoming cheaper every day, to the point where many organizations have found that the time involved in deciding which records to delete from their systems is more costly than simply retaining them all. However, this practice does not account for the liabilities associated with holding onto sensitive personal and confidential information after it has outlived its usefulness. Viewed from the standpoint of minimizing an organization's exposure to risk from a data breach, the effort involved in setting a finite lifespan for sensitive data and enforcing policies for its automatic deletion or secure archival is a worthwhile investment.

A multifaceted approach to data governance involves a combination of policy, people, processes and technology.  While all components are essential for proper data governance, the technology component (like the use of SharePoint) will be the focus of this article.

Technology has a key role in enabling organizations to implement effective data governance processes, policies, and compliance with business practices and regulations.

An effective technology-based framework needs four essential elements to responsibly protect and manage personal information, mitigate risk, achieve compliance, and promote trust and accountability.  The four elements are:

More secure infrastructure: Safeguards that protect against malware, intrusions and unauthorized access to personal information and protect systems from evolving threats.

To help prevent unauthorized disclosure, organizations should build their IT infrastructure using software that is designed for maximum security (e.g. Microsoft Forefront and Microsoft Forefront for SharePoint*), and they should employ tools and services to continually protect against evolving threats.

* Forefront Security for SharePoint: Formerly called Antigen for SharePoint, this product helps organizations protect their SharePoint Portal Server and Windows SharePoint Services deployments against viruses, worms and inappropriate content. Using multiple anti-virus engines, it scans all documents as they are uploaded or retrieved from SharePoint document libraries. It also offers content-filtering capabilities that help prevent inadvertent or intentional posting of documents containing offensive language or other inappropriate content, as well as file types that potentially expose organizations to legal risk, such as MP3 audio files.

Identity and access control: Systems that help protect personal information from unauthorized access or use and provide management controls for identity access and provisioning.

To reduce the risk of a deliberate or accidental data breach, and to help organizations comply with regulatory requirements, Microsoft offers identity and access control technologies (e.g. Active Directory management via SharePoint) that protect personal information from unauthorized access while seamlessly facilitating its availability to legitimate users.

Information protection: Protecting sensitive personal information in structured databases and unstructured documents, messages and records by means such as encryption so that only authorized parties can view or change it throughout its life cycle.

Information rights management technology extends the capabilities of Rights Management Services (RMS) into the Microsoft Office system and Internet Explorer. The 2010 Microsoft Office system provides even broader RMS capabilities through new developments in Microsoft SharePoint. Administrators can set access policies for SharePoint document libraries on a per-user basis. For example, users who have "view-only" access to documents in a library (but cannot print, copy or paste) will have those policies enforced by RMS, even when the document has been removed from the SharePoint site.

Auditing and reporting: Monitoring to verify the integrity of systems and data in compliance with business policies.

SharePoint administrators can set auditing policies to log activities such as reading, deletion and modification of documents, and monitor those policies through reports. They can also implement document-retention policies, such as "expiring" unneeded content after a certain amount of time.
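As an added example (not code from the original post), the site-collection auditing just described can be switched on from the SharePoint 2010 Management Shell with the object model; the site URL is a placeholder and the 90-day retention period is an assumed value.

```powershell
# Added example, not from the original post: enable auditing of document reads,
# deletions and modifications for one site collection, keep the log for a finite
# period, and read back the entries to confirm the policy is producing records.
# Assumes the SharePoint 2010 Management Shell; the URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite "http://intranet.example.com"

# View = documents being read, Delete = deletions, Update = modifications.
$site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::View -bor `
                         [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor `
                         [Microsoft.SharePoint.SPAuditMaskType]::Update

# Give the audit log itself a finite lifespan (days); the audit log trimming
# timer job removes older entries. 90 days is an assumed value for illustration.
$site.Audit.AuditLogTrimmingRetention = 90
$site.Audit.Update()

# Verify: pull the audit entries recorded in the last day so an administrator
# can see who accessed, changed or deleted which document.
$query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
$query.SetRangeStart((Get-Date).AddDays(-1))
$site.Audit.GetEntries($query) |
    Select-Object Occurred, Event, UserId, DocLocation |
    Format-Table -AutoSize

$site.Dispose()
```

Audit entries are stored per site collection, so the same flags must be set on every site collection that holds personal information.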

A major data spillage, security breach or failure to comply with government regulations can have significant long-term implications for an organization’s bottom line and for its brand. Managing and protecting sensitive personal information is not only the right thing to do for customers, it’s also the right thing to do from a business perspective.

In combination with the right policies, people and processes, technology like SharePoint can help lay a strong foundation for a successful data governance strategy.

Managing and Protecting Personal Information (excellent reference – most of the article is based on this document) - 

Protection of Personal Information (PPI) and SharePoint – Part 1 of 2

The Protection of Personal Information Bill (the bill) has been getting a lot of attention lately. It is not yet in force, but that is set to happen this year.

Organisations are expected to take reasonable steps NOW to ensure that they are compliant when this bill becomes law. So lots of seminars and training sessions are now becoming available to educate you on what the bill is all about and what “reasonable” steps can be taken in order for you to be compliant.

So what is this bill all about?

The bill regulates the collection, storage and distribution of personal information by both private and public bodies. It is based on world standards and is regarded as a leading-practice baseline for effective data privacy regulation around the world. The bill aims to provide an acceptable balance between the right to privacy and the legitimate need to use personal information.

Personal information is regarded as any information related to a person, from first name to sexual orientation. The bill has eight core principles which form the minimal conditions for the lawful processing of personal information. The eight principles are:

Accountability: The party holding the personal information is responsible for the information and must follow the principles defined in the bill.

Processing Limitations: Personal information must be collected directly from the data subject, with the data subject's consent.

Purpose Specification: Personal information must be collected for a specific, well-defined and legitimate purpose. The data subject should be aware of the purpose for which the information is collected, and who the likely recipients of the information will be.

Further processing limitations: Personal information may not be processed further in a way that is incompatible with the purpose for which the information was collected initially.

Information Quality: The person or party that determines the purpose and means for processing personal information should ensure that the information is complete, up to date and accurate.

Openness: Personal information may only be collected if the Information Protection Commission was notified. Also, where personal information of a data subject is collected, the person or institution responsible for such collection must ensure that the data subject is aware of:
  • The fact that the information is being collected;
  • The name and address of the person or institution collecting the information;
  • Whether the supply of the information by that data subject is voluntary or mandatory, and the consequences of failure to reply; and
  • Where the collection of information is authorised or required under any law, the particular law to which the collection is subject.

Data Subject Participation: A data subject is entitled to the particulars of his or her personal information held by any institution or person, as well as to the identity of any person that had access to his or her personal information. The data subject is also entitled to require the correction of any information held by another party.

Security Safeguards: The bill requires the implementation of technical and organisational measures to secure the integrity of personal information, and to guard against the risk of loss, damage or destruction of personal information. Personal information should also be protected against any unauthorised or unlawful access or processing.

That's the main overview. The bill also mentions the processing of "special personal information" (i.e. religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, or criminal behaviour), whose collection, storage and distribution is basically prohibited.

Now that you understand what PPI is all about, let's look at how SharePoint can help (in Part 2).