8th CACR Information Security Workshop
2nd Annual Privacy and Security Workshop

Speaker
Charles Karstadt
Manager, Technology Risk Services,
PriceWaterhouseCoopers

Title
Privacy in the workplace

Abstract
Employees should have an expectation of privacy in their place of work. However, this must be tempered with the need for the company to ensure that its assets are not being used for purposes contrary to the direction that the business is taking. An employee9s responsibility regarding privacy over their use of information and technology must be clearly defined as part of a comprehensive information security architecture program. This program of policies, procedures and guidelines will also outline the employer9s responsibilities when it comes to protecting the privacy of their employees.

Organisations spend a great deal of money to provide their employees with the tools that they require to successfully do their job. The organisation needs to maximize this investment. One way of doing this is placing limits on how information and technology may be used. If an organisation believes that an employee is using information or technology in a way that may appear harmful to the organisation, they have the right to monitor what that employee does. Monitoring of an individual should only be done in support of an approved investigation and not as a regular occurrence. Instances of employees using e-mail to send materials of a questionable nature within the organisation have led to sever financial penalties as well as public relations problems. Without the ability to monitor these activities it appears that the organisation condones practices such as this.

Speaker Bio
Charles is a Manager in the Technology Risk Services (TRS) group with over than 13 years experience in the areas of information systems security architecture design, development and implementation, as well as, security reviews, audit, systems development, system reviews and client support. He is the Canadian lead for Enterprise Security Architecture. Charles has participated in and led numerous types of assignments, including enterprise security architecture reviews and development, network and dial-in penetration testing, operating system diagnostic reviews and information security strategy.

RECENT PROJECTS
Managed the development of the information security architecture for a large Thai bank. This included the development of; security policies, procedures and guidelines; information security organizational structure including roles and responsibilities; data classification schema, and; an outline for the development of thier security awareness program.

• Managed the security aspects of a new Ontario Crown Corporation during the development and implementation of new systems. This included reviewing policies and procedures, with recommendations for updates; recommending IT security department structure; providing security consulting as required for applications and infrastructure; quality assurance reviews over security as designed by the client vendor; and other security related matters.
• Managed and developed information security policies and procedures for a major securities client, outlining security policy, organizational roles and responsibilities, data classification, and provided guidance for the development of a security awareness program.
• Developed information security framework for a large insurance client. This included policy and procedures, data classification, platform requirements, development and delivery of the security awareness program.
• Lead and participated in a full-scale penetration project for a company with over 175 subsidiaries. The project included dial-up penetration, Internet penetration, intranet penetration, and physical walk-thru. Project also included diagnostic reviews of UNIX, NT, AS/400 and a number of firewalls.
• Multiple Microsoft Windows NT review and penetration projects. These projects entailed attempting to penetrate, in a controlled manner, client systems.
• Multiple AS/400 system audits and security reviews. In many cases these projects included the recommendation for security standards for all systems.