Protecting Sensitive Disaster Recovery Information from Public Release


Learn how to safeguard sensitive disaster recovery information to prevent its unauthorized release under PIA regulations. Follow best practices to evaluate vulnerabilities, implement protections, and maintain confidentiality to ensure the security of critical data.


Uploaded on Dec 08, 2024



Presentation Transcript


  1. HOW TO AVOID HAVING SENSITIVE DISASTER RECOVERY INFORMATION RELEASED UNDER PIA. By Ryan Henry, Law Offices of Ryan Henry, PLLC, 1380 Pantheon Way, Suite 215, San Antonio, Texas 78232. Phone: 210-257-6357. Facsimile: 210-569-6494.

  2. Town of Murphys Law

  3. City Manager Arthur "Art" I. Right

  4. City Engineer Dexter "Dex" Aster

  5. April 1, 2013 Natural Disaster

  6. Water System Failures

  7. Just fix it, darn it!

  8. After long hours of work, Dex gets the system fixed: 1. Evaluated what went wrong. 2. Evaluated vulnerabilities to other natural disasters. 3. Fixed problems but noted existing and new vulnerabilities. 4. Proposed and implemented protections and backups.

  9. Then comes the PIA from Natasha "Nosey" Buttinsky - Reporter

  10. Sensitive Information

  11. City Attorney and AG - Must release

  12. Mr. Right promptly has a heart attack

  13. After being revived-

  14. Homeland Security Act 418.177. Confidentiality of Certain Information Relating to Risk or Vulnerability Assessment. Information is confidential if the information: (1) is collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, or investigating an act of terrorism or related criminal activity; and (2) relates to an assessment by or for a governmental entity, or an assessment that is maintained by a governmental entity, of the risk or vulnerability of persons or property, including critical infrastructure, to an act of terrorism or related criminal activity.

  15. 418.181. Confidentiality of Certain Information Relating to Critical Infrastructure. Those documents or portions of documents in the possession of a governmental entity are confidential if they identify the technical details of particular vulnerabilities of critical infrastructure to an act of terrorism.

  16. 418.176. Confidentiality of Certain Information Relating to Emergency Response Providers (a) Information is confidential if the information is collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, responding to, or investigating an act of terrorism or related criminal activity and: . (2) relates to a tactical plan of the provider; or (3) consists of a list or compilation of pager or telephone numbers, including mobile and cellular telephone numbers, of the provider.

  17. 418.179. Confidentiality of Certain Encryption Codes and Security Keys for Communications System. (a) Information is confidential if the information: (1) is collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, or investigating an act of terrorism or related criminal activity; and (2) relates to the details of the encryption codes or security keys for a public communications system. (b) This section does not prohibit a governmental entity from making available, at cost, to bona fide local news media, for the purpose of monitoring emergency communications of public interest, the communications terminals used in the entity's trunked communications system that have encryption codes installed.

  18. 418.182. Confidentiality of Certain Information Relating to Security Systems. (a) Except as provided by Subsections (b) and (c), information, including access codes and passwords, in the possession of a governmental entity that relates to the specifications, operating procedures, or location of a security system used to protect public or private property from an act of terrorism or related criminal activity is confidential. (b) Financial information in the possession of a governmental entity that relates to the expenditure of funds by a governmental entity for a security system is public information that is not excepted from required disclosure under Chapter 552.

  19. AG Opinion (not a ruling): The fact that information may relate to a governmental body's security measures does not make the information confidential. See Open Records Decision No. 649 at 3 (1996). The mere recitation of a statute's key terms is not sufficient to demonstrate protection.

  20. A governmental body asserting one of the confidentiality provisions of the Texas Homeland Security Act must adequately explain how the responsive records fall within the scope of the claimed provision. See Gov't Code 552.301(e)(1)(A). (SUBJECTIVE OPINION OF ASSISTANT AG ASSIGNED TO YOUR CASE) Public information is not rendered confidential merely because it can be combined with other information or knowledge to reveal confidential information.

  21. Subjective AAG Review

  22. Not adequately explained:
      - Failed to establish how air filtration systems to dispel bio toxins from research area is a critical infrastructure (must release)
      - How bio toxins can be used as a weapon (must release)
      - Exterior elevations, the landscape plan, and the tree survey in relation to location of water utility points (must release)
      - Water system assessment which was not comprehensive
      - Three sentence overredaction

  23. Adequately explained:
      - Electronic backup for billions of commercial transactions. Supported by report issued by the U.S. Securities and Exchange Commission
      - Waste water infrastructure, with explanations of exact locations, type of equipment, and types of weaknesses which could be exploited.
      - Vulnerability assessment - the facility's power sources, communication feeds, utility and drainage routes, and other critical access points.
      - Specifications of the security system that record DVDs

  24. Example and Tips:
      - Detail the problems and failures with the utility and the exact locations where the system has been identified as faulty or ineffective. (Add a few sentences of criminal element vulnerability)
      - Detail the location, type of equipment, power source, operating procedures, and security positions. No. OR2004-5654 (2004)
      - Note you are conducting a vulnerability assessment for your disaster purpose AND assessment to identify vulnerabilities to the criminal element.

  25. No release if properly identified at front end

  26. Know better for the next disaster. The End
