PROTECTION OF PRIVATE INFORMATION

(PoPI) & SharePointSeptember 2012

Willem BurgerShoprite : SharePoint Lead

Private Information of customers are one of the most important assets that many companies store.

The Oxford Dictionary defines “privacy”, as “the state of being left alone and not watched or disturbed by other people”.

From a business perspective it means that personal information must be used in an appropriate manner within defined parameters.

The appropriateness of the use of personal information depends on a number of factors such as context, regulatory requirements, the individual’s expectations as well as the right of an individual to control how their personal information is used or ‘processed’.

What is Privacy and Private Information?

There are different types of privacy that individuals have rights to, each emphasising different aspects of privacy.

These include: physical privacy - relevant to government search and

seizure operations and peeping toms;

bodily and decisional privacy - concerned with choice and the integrity of an individual's body, the right to abortion and cavity searches;

proprietary privacy - concerned with publicity, media representation and celebrity, ownership and control of the body, appearance and identity; and

information privacy - the interest an individual has in controlling information about them.

What is Privacy and Private Information?

It is important to understand that organisations have certain obligations when processing personal information and that individuals have certain rights.

These may be established in laws, regulations and organisationalpolicies. South Africa’s Protection of Personal Information Bill [No. 9 of 2009] (PoPI) is primarily focused on ‘information privacy’, also known as ‘data protection’ or ‘data privacy’.

What is Privacy and Private Information?

Chapter 1 of PoPI defines personal information (PI) as meaning: ‘‘information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;

(d) the blood type or any other biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a

private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information

relating to the person or if the disclosure of the name itself would reveal information about the person”

[3].

What is Personally Identifiable Information (PII)?

Examples of attributes that may include personal information are:

passport and ID numbers; gender and biometric identifiers; bank account and credit card numbers; birth dates; home address details; personal telephone numbers for both landlines and mobile devices ; personal email and IP addresses; photographs; financial profiles; personal identification numbers (PINs) and passwords for financial accounts; health information; race; religious or philosophical beliefs; age;

What is Personally Identifiable Information (PII)?

What is the scope of PoPI?

PoPI covers the processing of personal information in both electronic and paper-based format.

Processing in terms of PoPI means any operation or activity, concerning personal information, including :

(a) the collection, receipt, recording, storage, updating or modification, retrieval, alteration;

(b) distribution or making available in any other form; or

(c) merging, linking, erasure or destruction of information.

Why is it so important to protect Personal Information?

• Reputation• Globalisation• Legislation

All have a financial Impact!

What is the status of the legislation?

The bill is due to be promulgated by the end of 2012 and there is a years grace to implement (therefore the end of 2013)

How can Business and IT Pros be ready for PoPI with SharePoint

What your business need to do?

1. Find the Data and Map the flow and storage of it.

2. Understand whether the data is needed, if not remove it.

3. Define rules for personal data storage and transmission against the legislation.

4. Secure the Data.5. Educate users in terms of the

rules.

Fundamentals – Applied to SharePoint

Assess• Where is personal information located? (libraries ,lists,

documents, sql)• How do you know if you have PII in your SharePoint sites? The

answer seems simple, you need to look for it!• Who has access to personal information? (check security)

Secure (Focus on quick wins)• Use Groups and security settings of Sites and Libraries• Watch out for insiders, Administrators!

Comply (Build into project plan)• Comply smart with a one project approach or per business leg,

cost saving.• Comply by type . PCI Comply for Credit card info etc

Respond (Be Prepared)• What is the action plan on a security incident?• What can customers expect when they call for their

information?• Audit Logging and version history of SharePoint libraries.

Four essential elements to responsibly protect and manage personal information

More secure infrastructureMicrosoft Forefront and Forefront Security for SharePoint (UAG & TMG)

Identity and access controlActive Directory and other identity and access control technologies.

Information protectionInformation rights management - encryption so that only authorized parties can view or change .Protecting information at rest through the use of encryption .

Auditing and reportingSharePoint administrators can set auditing policies to log activities.Coming laws generally require breach disclosure for security breaches which result in the loss or theft of their citizen's personally identifiable information (PII).

“SharePoint Security”

PermissionsPermissions are not security. Relying on permissions only for your SharePoint Security strategy is a mirage .

Hardening“What about least privilege administration?” The idea of least privilege is to limit the damage in the event that any single account gets compromised . Again, this is a mirage.

User BehaviorAnother mirage is relying on end users to decide what they will or will not upload into SharePoint-“2011 Digital Universe Study” IDC concluded that 28% of information needs security

Extending a siteextending a SharePoint site to make content accessible from the Internet. Extending a web site and opening a port on your border firewall creates a single point of failure

Practical Example

Assess• Where is personal information located? (Public site)• Who has access to personal information? (everyone if unsecure)

Secure • HTTPS site or page (Port 443)• Via TMG Access only • Secure site library

Comply • Build in Project plan a PoPI compliant design. Content cannot

reside in public space.• How long should we retain this content?

Respond • Customers content available on request visible only to owners.• Audit Logging and version history of SharePoint libraries confirm

history.

Capture a customers information on a Form that resides on our public website and submit this information intoa library to be stored for processing.

FIREWALL

 

TMG

HTTPS://www.checkers.co.za/newcustomer

 

 customer

Library

External FARM

WEB

 http://pulses.hoprite.co.za/checkers/customers

customerLibrari

es & pages

Workflow or retention

policy

Internal FARMPulse

Internal Site

Checkers site

Group Security, Record management, Auditing, version history search etc.Workflow for customer processing

Firewall

Library (Document, form, lists etc)- Permissions- Auditing- Version History- Search

PoPI in SharePoint Governance

Permissions management (integrity , confidentiality, privacy)

• Follow the Principle of Least Privilege• Give people access by adding them to standard, default

SharePoint groups• Use permissions inheritance to create a clean, easy-to-

visualize hierarchy. • Organize your content to take advantage of permissions

inheritance.

PoPI in SharePoint Governance

Audit Tracking (Information management policy enforcement )

Record Centre• Vault abilities (ensure the integrity of the records )• Information management policy enforcement • Record routing incoming records to their proper location,

based on their record type.

Track versions

Search (Mark with restricted permissions )

Data Governance Life Cycle or Information Flow Stages

Collection PII from multiple sources. Set standards, respect Customer desire

StorageNot just databases , it scatters to e-mails etc + devices

UsageData becoming more fluid, limit external use

Retention/destructionCheaper data storage. Don’t retain all. Setup finite lifespan for sensitive data

Tools

SharePoint Content ScannerSharePoint Risk AssessmentYou can perform scans of files in your SharePoint sites and find PII including credit card data, customer financial information, social security numbers, and other data patterns associated with PII.

Resourceshttp://www.sharepointdefenseindepth.com/

Run in Googlesite:<your domain>.co.za Check what is exposed and visible on your public sites. Refine and adjust sensitive data content privacy and security. Run again.

In Conclusion

• Private Information of customers are important

assets

• We have obligations when processing personal

information

• PoPI covers the processing of personal information

• Assess, Secure , Comply , Respond

• Get everyone on Board and aware of PoPI

• Added bonus will be general Governance

improvement of Customer specific sites and

content

• Have Security Policy around SharePoint and

storage of PII

Questions?

Willem BurgerBlog: http://sharepointburger.wordpress.com/Twitter: http://twitter.com/willemburgerEmail : wburger@shoprite.co.za

Thanks