Data Centric Security Management - Chapters Site - Home · information security strategy, ......
Transcript of Data Centric Security Management - Chapters Site - Home · information security strategy, ......
Data Centric Security Management
Protecting information in a rapidly evolving and interconnected future
Clint Jensen
Director (San Francisco) IT Security Privacy & Risk
Talha Tariq
Manager (San Francisco) IT Security Privacy & Risk
Mobile: (415) 498-7344
E-mail: [email protected]
Mobile: (415) 728-7952
E-mail: [email protected]
Clint is a Director with over 12 years of experience with information security strategy, IT security risk management program design and execution, security controls design and review, and data protection program design and execution. He currently focuses on assisting organizations with the following types of engagements: • Security Program Development and Process Design • Data Protection Program Design, Remediation, and
Enabling Technology Deployment • Privacy, PCI, and Other Regulatory Assessment and
Remediation • Threat & Vulnerability Assessment and Remediation • ISO27001 Readiness Strategy Planning and Execution • IT Security Control Framework Customization, Adoption,
and Controls Audit • Technical Configuration Definition, Testing, Deployment,
and Monitoring
Talha is a Manager in PwC's IT Security, Privacy & Risk practice with more than 7 years of international experience in information security strategy, design and technical security assessments. He is a contributing member of the OWASP Mobile Security project, member of the PwC Attack & Penetration and Mobile Security Core Team, He is also the west region Subject Matter Specialist on malware trends, Advanced Persistent Threats and leads the Attack and Penetration testing teams on the west coast. Prior to joining PwC, Talha worked at Microsoft and Sun Microsystems and has Research & Development experience in Secure Operating Systems, Virtualization and Secure Cloud computing. His work has been published in renowned conferences and tech magazines and he holds a patent in building trusted platforms.
Speakers Bio
Chris Toohey
Partner (San Francisco) Internal Audit
Mike Corey
Partner (San Francisco) IT Risk & Security
Mobile: (925) 872-2965
E-mail: [email protected]
Mobile: (415) 505-2482 E-mail: [email protected]
Chris is a Partner in PwC’s San Francisco office and leads the Internal Audit Services Practice. He has been engaged to perform a wide array of governance, risk and controls related services during his 26-year professional career. This experience includes conducting internal and external audits on public companies, non-public companies and quasi governmental agencies and serving as the Audit Committee Chairman and on the Boards of several non-profit organizations. Chris specializes in assisting clients understand and manage complex operational processes, IT, accounting, and financial reporting requirements. His overall responsibilities focus on providing leadership in the planning and execution of risk based internal audit services encompassing governance, IT, regulatory, compliance process and controls analyses. More specifically, he provides thought leadership; manages groups of professionals to identify, monitor and mitigate risk; and participates in process improvement and project management support, as necessary. He also assists company management in executing its business objectives while also aiding the Audit Committee of the Board of Directors in discharging its fiduciary responsibilities.
Mike is a Partner with over 20 years of experience leading internal audit, IT internal audit, information security strategy, IT security risk management , data protection and privacy engagements. Mike is responsible for our West Region IT Risk and Security practice. This practice specializes in providing IT risk and information security services to our internal audit clients. Mike’s experience includes leading numerous IT Internal Audit outsourcing and co-sourcing engagements and is a CPA and CISA. Prior to joining PwC, Mike led the IT Internal Audit department for a large Midwestern financial service company.
Speakers Bio
Breaches are frequent and large
• 47,000+ reported security incidents *Source: “Verizon 2013 Data Breach Investigations Report”
• 700m+ records lost last year
• 44m+ compromised data records
• Organizations reporting losses of $10M or greater increasing 75%
from 2011. * 2014 PwC Global State of Information Security
• Average cost of data breach is approximately $5.4m
• Average cost per record: $188 *Source: Ponemon Institute’s “2013 Annual Study: U.S. Cost of a Data Breach”
5
Significant Data Breaches in 2013
6
Company Breach Stats Details
Target 110 million records A data breach over a three week period capturing credit and debit card records. Encrypted PIN information also stolen. Other Customer Information may also have been stolen.
Schnuck Markets
2.4 million records In October, Schnucks agreed to a proposed class-action settlement stemming from the breach of its computer systems.
CorporateCarOnline.com
850,000 records Hackers stole and stored information online related to customers who used limousine and other ground transportation for this St Louis based limo software provider. The online information included plain text archives of credit card numbers, expiration dates, names, and addresses. Many of the customers were wealthy and used credit cards that would be attractive to identity thieves. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump.
Adobe 38 million customer accounts
3 million credit card accounts
Originally just thought to be a compromise of 3 million PII records, the loss of a vast trove of login credentials was subsequently, and, more also its source code for various applications
LivingSocial 50 million accounts Computer systems were hacked, resulting in “unauthorized access.” The company updated its password encryption method after the breach . Names, email addresses, dates of birth, and salted passwords were stolen.
Advocate Medical Group
4 million patient records stolen
The theft of four computers from offices owned by this medical company exposed more than 4 million patient records. One of the largest losses of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.
The actors and the information they target
Adversary
7
Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
Emerging technologies
Military technologies
Advanced materials and manufacturing techniques
Healthcare, pharmaceuticals, and related technologies
Business deals information
What’s most at risk?
Nation State
Organized Crime
Insiders
Hacktivists
Health records and other personal data
Industrial Control Systems (SCADA)
R&D and / or product design data
$ Payment card and related information / financial markets
Adversary motives and tactics evolve as business strategies change and business activities are executed;
‘crown jewels’ must be identified and their protection prioritized, monitored and adjusted accordingly.
Information and communication technology and data
Why organizations have not kept pace
8
Years of underinvestment in certain areas has left organizations unable to adequately adapt and respond to dynamic cyber risks.
Product & Service Security
Physical Security
Operational Technology
Security
Public/Private Information
Sharing
Threat Modeling
& Scenario Planning
Technology Adoption and Enablement
Ecosystem & Supply Chain
Security
Global Security
Operations
Breach Investigation and Response
Notification and
Disclosure
Privileged Access Management
Security Technology
Rationalization
Patch & Configuration Management
consectetur adipiscing elit
Insider Threat
User Administration
Technology Debt
Management
Secure Mobile and Cloud Computing
Security Strategy and Roadmap
Board, Audit Committee, and Executive Leadership Engagement
Business Alignment and Enablement
Process and Technology
Fundamentals
Threat Intelligence
Incident and Crisis
Management
Ris
k a
nd
Im
pa
ct
Ev
alu
ati
on
R
eso
ur
ce
Pr
ior
itiza
tion
Security Program, Functions, Resources and Capabilities
Compliance Remediation
Security Culture and Mindset
Monitoring and Detection
Critical Asset Identification and
Protection
Product & Service Security
Physical Security
Operational Technology
Security
Public/Private Information
Sharing
Threat Modeling
& Scenario Planning
Technology Adoption and Enablement
Ecosystem & Supply Chain
Security
Global Security
Operations
Breach Investigation and Response
Notification and
Disclosure
Privileged Access Management
Security Technology
Rationalization
Patch & Configuration Management
consectetur adipiscing elit
Insider Threat
User Administration
Technology Debt
Management
Secure Mobile and Cloud Computing
Security Strategy and Roadmap
Board, Audit Committee, and Executive Leadership Engagement
Business Alignment and Enablement
Ris
k a
nd
Im
pa
ct
Ev
alu
ati
on
R
eso
ur
ce
Pr
ior
itiza
tion
Security Program, Functions, Resources and Capabilities
Compliance Remediation
Has your organization kept pace?
9
Questions to consider when evaluating your ability to respond to the new challenges.
Security Culture and Mindset
Process and Technology
Fundamentals
Threat Intelligence
Monitoring and Detection
Critical Asset Identification and
Protection
Incident and Crisis
Management
Develop a cross-functional incident response plan for effective crisis management
• Have your business leaders undertaken cyberattack scenario planning?
• Do you have a defined cross functional structure, process and capability to respond?
• Are you enhancing and aligning your plan to ongoing business changes?
Evaluate and improve effectiveness of existing processes and technologies
• Have you patched and upgraded your core platforms and technology?
• How are you securing new technology adoption and managing vulnerability with your legacy technology?
• Have you evolved your security architecture and associated processes?
Enhance situational awareness to detect and respond to security events • How are you gaining visibility into internal and
external security events and activities? • Are you applying correlation and analytics to
identify patterns or exceptions? • How do you timely and efficiently determine
when to take action?
Identify, prioritize, and protect the assets most essential to the business • Have you identified your most critical assets and
know where they are stored and transmitted? • How do you evaluate their value and impact to
the business if compromised? • Do you prioritize the protection of your crown
jewels differently than other information assets?
Establish values and behaviors to create and promote security effectiveness
• How is leadership engaged and committed to
addressing cyber risks facing the business? • What sustained activities are in place to improve
awareness and sensitivity to cyber risks? • How have your business practices evolved to
address the threats to your business?
Understand the threats to your industry and your business
• Who are your adversaries and what are their motivations?
• What information are they targeting and what tactics are they using?
• How are you anticipating and adapting your strategy and controls?
The security challenge now extends beyond the enterprise
10
Global Business Ecosystem
Pressures and changes which create opportunity and risk
Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.
• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.
• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and disbursed throughout the ecosystem, expanding the domain requiring protection.
• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.
Years of underinvestment in security has impacted organizations’ ability to adapt and respond to evolving, dynamic cyber risks.
Risk Factors
Financial
Legal
Regulatory
Compliance
Data Privacy & Information Security Risks
• Companies face several financial risks associated with a breach:
• Federal/state regulatory fines • Stock price decline • Remediation efforts
• Companies are experiencing increasing lawsuits from:
• Employees • Customers • Investors
• Enforcement actions from federal and state agencies
• Regulatory inquires may require long-term third party remediation in order to verify regulatory compliance
• Negative impact to the brand • Loss of employee, customer,
& investor confidence
Reputational
• Compliance with government or industry regulations / enforcements (HIPAA, PCI, GLBA, COPPA, FTC Act)
• Compliance with self-regulatory frameworks (i.e., U.S.-EU Safe Harbor, TRUSTe, DMA OBA Principles)
12
Risks generally not perceived as well managed
85% believe
security threats are increasing,
yet only
12% think
their organization
manages risks
extremely well.
Source: PwC’s 2013 State of the Internal Audit Profession Study
13
Risks seen as increasing the most
in the last year Economic uncertainty
Regulations and government
IT security/cyber security
Data privacy
Government spending and taxation
Competition
Commercial market shifts
Financial markets
Large Programs (such as ERP)
Talent and labor
Risks seen as the most well managed
last year Talent & Labor
Competition
Reputation/brand
Financial markets
Fraud and ethics
Government spending and taxation
Mergers, acquisitions and JVs
Regulations and government policies
IT / Cyber Security
Economic uncertainty
Organizations with high-performing internal audit functions manage risk better than others
Source: PwC’s 2013 State of the Internal Audit Profession Study
14
Having a Program In Place to Protect Data
16
A comprehensive program is needed to address the myriad of compliance requirements, and to protect consumer information and sensitive company information.
Governance
Risk
Assessment
Processes &
Controls Technical
Security &
Controls
Training &
Awareness
Monitoring &
Auditing
Incident
Response
Strategic Approach : End to End Data Lifecycle Protection
Organizations have historically focused on protecting the perimeter to prevent intrusion (and therefore data loss). The organizations should start by looking at various stages of the Information Lifecycle and understand the best way to protect sensitive data in each of these stages.
17
Engage your Stakeholders
18
Data protection and privacy is a relatively new consideration within the Risk Management disciplines. As a result, the manner with which organizations address this risk could differ widely. Some of the typical stakeholders associated with data protection and privacy concerns are listed below:
Process Area Concern (examples)
Legal • FTC complaints • Records Management
Marketing • eCommerce initiatives • CRM • Social media campaigns
Information Security • Audit findings • PCI readiness • Data breaches
Internal Audit • Board or Audit Committee requests • Increasing the enterprise risk scope
Compliance • HIPAA (healthcare), GLBA (financial) • Regulatory examination
Privacy Office • Governance structure • Operating privacy, how to “live” by the privacy policy
Data Protection and Privacy Program Monitoring
19
Ongoing auditing or monitoring of a company’s data protection and privacy program is essential. Example of areas that auditing and monitoring activities should focus on include:
• Data protection and privacy program gap assessment
• Evaluation of, or assistance with, the company’s periodic data protection and privacy risk assessment process
• Compliance with established data protection and privacy policies and procedures
• Data protection and privacy training and awareness programs
• Data protection and privacy related remediation
• Third party/vendor data protection and privacy practices
PwC
Considerations for Your Organization
20
Understanding threats
• Has your data been exposed – and would you know if it were?
• Do you know what breach indicators you should be monitoring?
Building protections
• Has the company established formal governance and controls to protect the sensitive data?
• Are the controls and safeguards periodically tested?
• Have the controls and safeguards been updated to respond to changing business models?
Responding to incidents
• Are you prepared to respond to legal actions?
• If a Regulator were to inquire or investigate the company, would the company be prepared to respond?
• Has the company established formal plans to respond to incidents when they occur?
PwC
Considerations for Your Organization
21
Understanding Company Governance & Awareness
• What are the company’s compliance requirements?
• What is the culture of the company and what is the philosophy regarding information security and privacy?
• Who leads the efforts for information security (e.g., Steering Committee)?
• How does the company ensure alignment between the management and staff?
• What is the company trying to achieve with their information security/privacy program?
Understanding sensitive data
• What sensitive data do you have that needs to be protected?
• Has the company classified and inventoried that data?
• Who has access to sensitive data – internally and externally?
• Who is responsible for protecting your sensitive data?
• Who is responsible for the oversight of vendors that may hold sensitive data?
Coordinated lines of defense
Line of defense: Management
Functional and line
management are responsible for
operationalizing risk management and internal controls
Line of defense: Risk Mgmt & Compliance
Risk management and compliance
functions are responsible for
establishing and monitoring effective
risk management policies & standards
Line of defense: Internal Audit
Internal audit is responsible for
providing objective assurance and advice on governance, risk, and compliance to
the board and executive
management
1st 2nd 3rd
Senior management Board/audit committee
22
The role of internal audit
Internal Audit can play a role in the ongoing independent monitoring of a company’s data protection and privacy program.
• Keep the board abreast of emerging security and privacy risks
• Embed yourself in key activities that roll out new business processes, products or information systems (i.e., privacy by design)
• Communicate with the board and executive management
• Privacy/Security program gap assessment
• Evaluation of, or assistance with, the company’s periodic privacy/security risk assessment process
• Audits of established privacy/security policies and procedures and/or controls
• Audits of privacy/security training and awareness programs
• Audits of third party/vendor data protection and privacy practices
23
Enhancing security strategy and
capability
1. Is our cybersecurity program aligned with our business strategy?
2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us?
3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners?
Understanding and adapting to changes in the security risk
environment
1. Do we know what information is most valuable to the business?
2. Do we know what our adversaries are after / what would they target?
3. Do we have an insider threat program? Is it inter-departmental?
4. Are we actively involved in relevant public-private partnerships?
Advance their security posture
through a shared vision and culture
1. How was our last security crisis identified; in-house or government identified?
2. Who leads our incident and crisis management program? Is our program cross functional / inter-departmental?
3. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities?
Questions you should be asking
24
What is important to regulators
25
• Accountability and program ownership
• Considerations of data protection, privacy and security throughout the organization and its processes
• Training and awareness programs
• Risk assessment processes
• Policies/procedures
• Data protection controls
• Monitoring technologies and capabilities
• Focus is on transparency in notice to consumers
• Do the systems and controls process data as described by your privacy notice?
• Do consumers have choice, and do they consent?
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the
information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the
accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members,
employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in
reliance on the information contained in this publication or for any decision based on it.
© 2013 PricewaterhouseCoopers LLP All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of
PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Additional Questions?
A US-only survey shows that, even when in place, security technologies and policies often do not prevent incidents.
1 2013 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Coordination Center at Carnegie Mellon University, Federal
Bureau of Investigation, PwC, and the US Secret Service, March-April 2013
28
Respondents to the 2013 US State of Cybercrime Survey,1 co-sponsored by PwC, say security incidents increased 33%, despite implementation of security practices. For many, existing security technologies and policies are simply not keeping pace with fast-evolving threats.
Security technologies and policies in place (US only)
Use policy-based network connections to detect and/or counter security incidents 68%
Inspect inbound and outbound network traffic 61%
Use account/password management in an attempt to reduce security incidents 60%
Have an acceptable-use policy 55%
Use malware analysis as a tool to counter advanced persistent threats (APTs) 51%
Use data loss prevention technology to prevent and/or counter security incidents 51%
Use security event management to detect and/or counter security incidents 50%
Use cyber-threat research in an attempt to reduce security incidents 25%
Do not allow non-corporate-supplied devices in the workplace/network access 17%
It is imperative that organizations identify, prioritize, and protect their “crown jewels.” Many, however, have not yet implemented basic policies necessary to safeguard intellectual property (IP).
22% 22%
29%
37%
16%
20%
24%
32%
17%
20%
26%
31%
Classifying businessvalue of data
Procedures dedicatedto protecting IP
Inventory of assets/asset management
Regular review of users and access
2011 2012 2013
29
Despite the potential consequences, many respondents do not adequately safeguard their high-value information.
Have policies to help safeguard IP and trade secrets
Evolution of the Security – Paradigm Shift
30
Heavy focus on identity management – right people, right place, right access.
Focus on enhanced layers of security, adoption of incremental security solutions.
Focus on security technology for the perimeter.
Te
ch
no
log
y R
eli
an
ce
/Co
mp
lex
ity
Time
“Inclusion & Exclusion Security”
“Layered Security”
“Perimeter Security”
Assumed State of Compromise
2012+ 2000s 1990s 1980s
• Significant and evolving cyberthreats unlike ever before.
• Highly skilled/motivated, and yet patient adversaries, including nation states.
• Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers.
• Massive consumerization of IT and reliance on mobile technologies.
• Increasing regulatory compliance requirements (e.g., SEC Cyber Guidance).