privacy act, bangladesh

Upload: nadia-nahar

Post on 13-Jul-2015

Category: Law


TRANSCRIPT

Slide 1

Privacy Act, Bangladesh
Presentation on Information System Ethics, GE603
Presentation date (slide footer): 9/26/2013

Presenters: Mostafijur Rahman (BSSE 0312), Md Irfan (BSSE 0326), Nadia Nahar (BSSE 0327), Moshiur Rahman (BSSE 0330)

Slide 2

Referenced Documents
- Information Security Policy Guideline, Version 1.12.12.00
- ICT Act, 2006

Slide 3

Preamble

Slide 4

The Government of the People's Republic of Bangladesh intends to materialize Vision 2021: Digital Bangladesh. To achieve this vision, government Ministries/Divisions, Departments/Agencies and their subordinate bodies have started implementing e-Governance to increase the productivity of the government. It is very important for a government to consider information security while implementing e-Governance. This document is a guideline to help government agencies formulate their own Information Security Policy to protect their information in cyberspace.

Slide 5

Current Situation
In the recent past, Bangladesh, and especially the government sector, has faced a number of cyber attack incidents (e.g. web defacement, information damage, information theft, Distributed Denial of Service, etc.).

Slide 6

Guideline Governance and Enforcement
- The Ministry of ICT, on behalf of the Government of Bangladesh, will have the ownership
- The Ministry of ICT will monitor the implementation
- Bangladesh Computer Council, the Office of the CCA and the Bangladesh Telecommunication Regulatory Commission (BTRC) will jointly coordinate the implementation

Slide 7

Some terminologies of Security Management
Terms highlighted on the slide: Attack, Eavesdropping, Exploit, PKI, Risk assessment, Spoofing.

Definitions (from the guideline's glossary):
- Agency: Includes ministries/divisions, departments and subordinate bodies of the Government of Bangladesh.
- Asset: Anything of value to an agency.
- Attack: Attempt to destroy, expose, alter, disable, steal or gain unauthorized access to, or make unauthorized use of, an asset.
- Authentication: Provision of assurance that a claimed characteristic of an entity is correct.
- Authenticity: Property that an entity is what it claims to be.
- Availability: Information Systems are available to users at any given or specified period of time and are accessible and usable upon demand by an authorized entity.
- Business continuity: Processes and/or procedures for ensuring continued business operations.
- Confidentiality: Information is not made available or disclosed to unauthorized individuals, entities, systems or processes.
- Certification: Something provided by a standards body, or by some form of external review, to an agency after evaluating its information system infrastructure and information security management system.
- Classified Information: The categories of information classified in accordance with the Security Regulations.
- Control: A means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature. Control is also used as a synonym for safeguard or countermeasure.
- Control objective: Statement describing what is to be achieved as a result of implementing controls.
- Corrective action: Action to eliminate the cause of a detected nonconformity or other undesirable situation.
- Eavesdropping: Unauthorized access to information; a kind of network attack that captures packets while information is being communicated or transmitted.
- Exploit: A technique or code that uses a vulnerability to provide system access to the attacker.
- Guideline: A description that clarifies what should be done, and how, to achieve the objectives set out in policies.
- Information processing facilities: Any information processing system, service or infrastructure, or the physical locations housing them.
- Information: Digitally processed data or digitized information of an agency or an individual.
- Information asset: Information or data that has value to the agency or individual.
- Information System: An electronic information system that processes data electronically through the use of information technology, including but not limited to computer systems, servers, workstations, terminals, storage media, communication devices, network resources and the Internet.
- Integrity: Changes to information stored or processed by Information Systems, in any aspect, are made only by authorized persons.
- IS Policy: A documented list of management instructions that describe in detail the proper use and management of computer and network resources, with the objective of protecting these resources, as well as the information stored or processed by Information Systems, from any unauthorized disclosure, modification or destruction.
- Information security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
- Information security event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
- Information security incident: Indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
- PKI: A framework that consists of hardware, software, policies and procedures for managing keys and certificates.
- Policy: Overall intention and direction as formally expressed by management.
- Risk: Combination of the probability of an event and its consequence.
- Risk analysis: Systematic use of information to identify sources and to estimate the risk.
- Risk assessment: Overall process of risk analysis and risk evaluation.
- Risk evaluation: Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
- Risk management: Coordinated activities to direct and control an organization with regard to risk.
- Risk treatment: Process of selection and implementation of measures to control or minimize risk.
- Social engineering: Obtaining information from individuals by trickery.
- Spoofing: A form of masquerading where a trusted IP address is used instead of the true IP address as a means of gaining access to a computer system.
- Third party: A person or body recognized as being independent of the parties involved, as concerns the issue in question.
- Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization.
- Vulnerability: A weakness of an asset or group of assets that can be exploited by a threat.

Slide 8

Objective
Information is an important asset for an agency as well as for a state.

Slide 9

Scope
All government, semi-government and autonomous agencies or public limited companies in Bangladesh that want to prepare their Information Security Policy document can use this guideline. It is a baseline for them to prepare their policy to protect their information. Any private organization inside Bangladesh can also adopt this guideline.

Slide 10

Information
Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be appropriately safeguarded. Information can be in any form. Broadly defined, the Government holds information that is operationally, administratively, politically, commercially or personally significant. Information is the basis on which the agency conducts its business.

Slide 11

Information Asset
An asset is anything that has value to the organization, agency or nation. Information is a key asset for an organization. Type of Assets (figure only).

Slide 12

Information Asset Valuation (figure only)

Slide 13

State of Information (figure only)

Slide 14

Information Classification (figure only)

Slide 15

(figure only; no title preserved)

Slide 16

Strategy for Information Security
Preparing Strategy: ISO/IEC 27002, Code of Practice for Information Security Management.

Before preparing its Information Security Policy, an agency should set a plan for integrating process, people, technology and procedures to safeguard its information from threats. The strategy should be reviewed periodically to mitigate newer threats and vulnerabilities in the area of information security.
- Objective: safeguard the agency's information from threats in cyberspace.
- Understanding: Before starting to develop a security policy for the agency, a thorough understanding of the agency is required, including its goals and direction. The policy must conform to the existing policies, rules, regulations and laws that the agency is subject to.
- Plan: The agency prepares its security policy in this stage. This stage may include procedures, standards, guidelines etc. along with the policy.
- Implementation: Educate the agency's personnel and distribute these guidelines to all its implementers, through seminars and awareness campaigns.
- Check Compliance: It is always recommended that the agency develop a method to measure compliance with the policy and check compliance on a periodic basis. This compliance method may include the formation of an auditing team to ensure that the policy is enforced.
- Monitor: It is important to have a monitoring and review mechanism for future improvement, since new threats are discovered as time passes. Security controls have to be modified as necessary to mitigate any new threat introduced.

Slide 17

Risk, Threats and Vulnerabilities
While formulating a security policy, every organization or agency should be aware of the possible risks that can affect the safety and security of its information assets. The organization or agency should also have a clear understanding of the threats and vulnerabilities that could damage its information assets. This section will assist an agency to understand, identify and analyze threats, risks and vulnerabilities.

Slide 18

Risk
The potential (merely the chance) for loss, damage or destruction of an information asset as a result of a threat exploiting a vulnerability. Reducing the risk of an organization requires a risk identification and risk management process to be carried out periodically. An agency should know the major risks that may cause potential loss of its information assets.

Slide 19

Reasons of Risk
- Information is not classified
- An inadequate information security policy is in operation
- Lack of security awareness
- Weak access control mechanisms exist
- No official policy and no monitoring/intrusion detection or incident response team are in place
- Operating procedures are not documented
- Employees are not identified adequately; visitors may roam unchecked
- The building is in an earthquake zone, where minor quakes are expected
- The building is in a flood zone, or can be affected by flooding because of the lack of a proper water disposal system
- Lack of a fire prevention system
- Little support for security measures

Slide 20

Threat
A threat is a potential cause of an unwanted incident, which may result in harm to a system or an organization's information assets. Threats can arise from natural disasters, or from intentional or accidental acts originating inside or outside the agency. Most threats exploit vulnerabilities in information assets or their supporting infrastructure (hardware or software).

Slide 21

Typical Information Security Threats
Unauthorized access, disclosure of information, legal threats, sabotage, inadequate security awareness, poor security policy, fraud, workload, denial of service, spoofing, advanced persistent threat (APT), applications with bugs, eavesdropping.

Slide 22

Vulnerability
Vulnerabilities are flaws or weaknesses associated with an agency's assets or capabilities. A vulnerability is merely a condition or set of conditions that may allow a threat to affect an asset. Typically a vulnerability results from flawed procedures, under-skilled staff, or incorrectly configured or defective technology. Therefore, a vulnerability that cannot be exploited by a threat, or an asset with no known or suspected vulnerabilities, cannot be a security risk.

Slide 23

Classification of Vulnerability (figure only)

Slide 24

Identification of Risk, Threats and Vulnerabilities
It is commonly seen that agencies mix up the definitions of risk, threat and vulnerability. Risk, threat and vulnerability are not terminologies with the same meaning. For a clear understanding of these three terms, the slide gives a simple relational definition between information asset, risk, threat and vulnerability (figure only).

Slide 25

Risk Management
Process diagram: Establish the context; Identify Risk; Analyze Risk (estimate the level of risk from consequence and likelihood); Evaluate Risk; Treat Risk; with Monitoring and Review, and Communication and Consultation, running alongside every stage.

The objective of the risk management process is to identify threats and vulnerabilities and to provide recommendations to ensure protection of information assets.
- Establish the context: The purpose of context establishment is to characterize the target of the analysis and its environment. The criteria against which risk will be evaluated should be established and the structure of the analysis defined.
- Identify Risk: In this stage, the agency must identify where, when, why and how an incident can happen.
- Analyze Risk: This is the stage where an agency estimates risk. The agency identifies and evaluates existing controls, then determines the consequences and likelihood and hence the level of risk.
- Evaluate Risk: This is a very important stage for deciding how to treat a risk. On the basis of the result of the risk analysis, the agency maps the resulting risks with their associated risk values to decide how to treat them.
- Treat Risk: Based on the result of the previous stage, the agency may prepare effective plans and procedures to mitigate the risks. It is always recommended to prepare plans with maximum effectiveness and minimum cost.

Slide 26

Risk Management Template
A risk assessment template is a simple form with fields that an agency periodically fills in after completing the risk analysis.

Slide 27

Security Control
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.

Slide 28

Security Control Criteria
Before the event: preventive controls. During the event: detective controls. After the event: corrective controls.

Slide 29

Example of Some Security Controls
Personnel security, equipment control, access controls, physical and environmental protection, operational procedures and responsibilities, third party service delivery management, system planning and acceptance, application security, protection against malicious code, information backup, network security management, removable media handling, information exchange/transmission, information disposal, information system security, cryptographic controls, correct processing, system files security, monitoring.
Slide 30

Digital Signature certificates ensure 4 goals of Information Security
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. An agency must use digital signature certificates to ensure its cryptographic controls.
- Authenticity: authenticity of the information and of the parties involved in the information exchange
- Confidentiality: ensures confidentiality of information using encryption technology
- Integrity: assures the information user about any alteration of the information
- Non-repudiation: the information originator or signer cannot legally deny that (s)he or they signed or originated the information
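The sign-and-verify behaviour this slide describes, shown as an added example that is not part of the presentation or of the guideline it summarizes. It uses Go's standard-library Ed25519 implementation: a signature verifies only under the signer's public key and only over the unchanged bytes, which is what gives authenticity, integrity and non-repudiation. Confidentiality is not provided by the signature itself; it needs encryption, which this example does not cover. The document text and the "agency" and "impostor" key pairs are constructed for the example; in a real deployment the relying party would take the public key from a certificate issued under the PKI rules the guideline refers to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer models one party (an agency, say) holding an Ed25519 key pair.
// The private key stays with the signer; the public key is the part a
// digital signature certificate would bind to the agency's identity.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair from the OS random source.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over the exact bytes of doc.
func (s *Signer) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// Public returns the key a relying party uses to verify this signer's signatures.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Verify reports whether sig was produced over exactly doc by the private key
// that matches pub. Any change to doc, sig or pub makes it return false.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Outcome records the three signature properties the demonstration checks.
type Outcome struct {
	Authentic       bool // genuine signature verifies under the agency's key
	TamperDetected  bool // a one-bit change to the document is rejected
	ForgeryRejected bool // a signature made with another key is rejected
}

// Demo signs a constructed sample document and exercises the three checks.
func Demo() (Outcome, error) {
	var out Outcome
	agency, err := NewSigner()
	if err != nil {
		return out, err
	}
	impostor, err := NewSigner() // second party; does not hold the agency's private key
	if err != nil {
		return out, err
	}

	// Constructed sample document; not taken from the guideline.
	doc := []byte("Information Security Policy, Example Agency, approved 2013-09-26")
	sig := agency.Sign(doc)

	// Authenticity: the relying party verifies with the agency's public key.
	out.Authentic = Verify(agency.Public(), doc, sig)

	// Integrity: flip a single bit of the document after it was signed.
	tampered := append([]byte(nil), doc...)
	tampered[0] ^= 0x01
	out.TamperDetected = !Verify(agency.Public(), tampered, sig)

	// Non-repudiation: only the holder of the agency's private key can produce
	// a signature that verifies under the agency's public key, so nobody else
	// can sign as the agency and the agency cannot later disown its signature.
	forged := impostor.Sign(doc)
	out.ForgeryRejected = !Verify(agency.Public(), doc, forged)

	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("authentic=%v tamper detected=%v forgery rejected=%v\n",
		out.Authentic, out.TamperDetected, out.ForgeryRejected)
}
```

The detached signature is what a signed document or message would carry alongside its content; the relying party needs only the document, the signature and the trusted public key, never the private key, so verification can happen anywhere without extending trust.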

Slide 31

Some Legal and Compliance Documents
While preparing the policy, the agency must be aware of the legal and compliance issues that may be affected once the policy is put in place. Some legal and compliance documents that an agency must consider while developing its policy:
- ICT Act 2006 (amended in 2009)
- ICT Policy 2009
- Right to Information Act
- Intellectual Property Rights: copyright, patent and trademark related laws
- PKI related rules/guidelines for cryptographic controls
- Laws on document and records retention
- Cyber security related laws/guidelines/policies
- UN conventions/laws related to the internet or cyber security

Slide 32

Business Continuity Plan Steps
Business continuity: processes and/or procedures for ensuring continued business operations. To protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption, a business continuity management process should be implemented. Steps in a business continuity plan (as per ISO/IEC 27002) (figure only).

Slide 33

Some More Issues
- Standards and Guidelines: There must be some guidance in the policy document. The agency must set the standards and guidelines it is going to follow in every stage of protecting its information assets.
- Information System Audit and Certification: In the context of Bangladesh, agencies that handle critical information system infrastructure must go through IS audit periodically. The auditor can be internal, external or both. IS audit is very significant for minimizing disruptions in operational procedures and improving performance.
- Incident Management: It is very crucial to consider an incident management plan before an incident occurs. No one can know exactly when and what incident is coming; information security incidents may occur at any time. It is very important to establish robust and effective processes to deal with incidents.
- National Cyber Security Strategy: A National Cyber Security Strategy needs to be formulated. Moreover, a separate agency may be established in future for addressing cyber security and information security issues, and may be titled National Information Security Agency, Bangladesh (NISAB).
