Data Centric Security Management

Protecting information in a rapidly evolving and interconnected future

Clint Jensen
Director (San Francisco), IT Security Privacy & Risk
Mobile: (415) 498-7344

Talha Tariq
Manager (San Francisco), IT Security Privacy & Risk
Mobile: (415) 728-7952

Clint is a Director with over 12 years of experience in information security strategy, IT security risk management program design and execution, security controls design and review, and data protection program design and execution. He currently focuses on assisting organizations with the following types of engagements:

• Security Program Development and Process Design
• Data Protection Program Design, Remediation, and Enabling Technology Deployment
• Privacy, PCI, and Other Regulatory Assessment and Remediation
• Threat & Vulnerability Assessment and Remediation
• ISO 27001 Readiness Strategy Planning and Execution
• IT Security Control Framework Customization, Adoption, and Controls Audit
• Technical Configuration Definition, Testing, Deployment, and Monitoring

Talha is a Manager in PwC's IT Security, Privacy & Risk practice with more than 7 years of international experience in information security strategy, design and technical security assessments. He is a contributing member of the OWASP Mobile Security project and of the PwC Attack & Penetration and Mobile Security Core Team, serves as the West Region Subject Matter Specialist on malware trends and Advanced Persistent Threats, and leads the attack and penetration testing teams on the West Coast. Prior to joining PwC, Talha worked at Microsoft and Sun Microsystems, with research and development experience in secure operating systems, virtualization and secure cloud computing. His work has been published in renowned conferences and technical magazines, and he holds a patent on building trusted platforms.

Speakers Bio

Chris Toohey
Partner (San Francisco), Internal Audit
Mobile: (925) 872-2965

Mike Corey
Partner (San Francisco), IT Risk & Security
Mobile: (415) 505-2482

Chris is a Partner in PwC's San Francisco office and leads the Internal Audit Services Practice. He has been engaged to perform a wide array of governance, risk and controls related services during his 26-year professional career. This experience includes conducting internal and external audits of public companies, non-public companies and quasi-governmental agencies, and serving as Audit Committee Chairman and on the boards of several non-profit organizations. Chris specializes in helping clients understand and manage complex operational processes, IT, accounting, and financial reporting requirements. His overall responsibilities focus on providing leadership in the planning and execution of risk-based internal audit services encompassing governance, IT, regulatory, compliance process and controls analyses. More specifically, he provides thought leadership; manages groups of professionals to identify, monitor and mitigate risk; and participates in process improvement and project management support, as necessary. He also assists company management in executing its business objectives while aiding the Audit Committee of the Board of Directors in discharging its fiduciary responsibilities.

Mike is a Partner with over 20 years of experience leading internal audit, IT internal audit, information security strategy, IT security risk management, data protection and privacy engagements. Mike is responsible for our West Region IT Risk and Security practice, which specializes in providing IT risk and information security services to our internal audit clients. His experience includes leading numerous IT internal audit outsourcing and co-sourcing engagements; he is a CPA and a CISA. Prior to joining PwC, Mike led the IT Internal Audit department for a large Midwestern financial services company.


The new reality


Breaches are frequent and large

• 47,000+ reported security incidents and 44m+ compromised data records (Source: Verizon 2013 Data Breach Investigations Report)

• 700m+ records lost last year

• Organizations reporting losses of $10M or greater increased 75% from 2011 (Source: PwC 2014 Global State of Information Security Survey)

• Average cost of a data breach is approximately $5.4m; average cost per record is $188 (Source: Ponemon Institute, "2013 Annual Study: U.S. Cost of a Data Breach")

Significant Data Breaches in 2013

Target (110 million records): A data breach over a three-week period capturing credit and debit card records. Encrypted PIN information was also stolen, and other customer information may also have been taken.

Schnuck Markets (2.4 million records): In October, Schnucks agreed to a proposed class-action settlement stemming from the breach of its computer systems.

CorporateCarOnline.com (850,000 records): Hackers stole, and stored online, information about customers who used limousine and other ground transportation booked through this St. Louis-based limo software provider. The data included plain-text archives of credit card numbers, expiration dates, names, and addresses. Many of the customers were wealthy and used credit cards that would be attractive to identity thieves; names on the list included Tom Hanks, Sen. Tom Daschle, and Donald Trump.

Adobe (38 million customer accounts; 3 million credit card accounts): Originally thought to be a compromise of about 3 million customer records including encrypted payment card data; the loss of a far larger trove of login credentials (38 million accounts) was disclosed later, along with source code for several Adobe applications.

LivingSocial (50 million accounts): Computer systems were hacked, resulting in "unauthorized access." Names, email addresses, dates of birth, and salted, hashed passwords were stolen; the company changed its password hashing scheme after the breach.

Advocate Medical Group (4 million patient records): The theft of four computers from offices owned by this medical company exposed more than 4 million patient records, one of the largest losses of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.

The actors and the information they target

Adversaries: nation states, organized crime, insiders, hacktivists.

What's most at risk?

• Emerging technologies
• Military technologies
• Advanced materials and manufacturing techniques
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Industrial Control Systems (SCADA)
• R&D and / or product design data
• Payment card and related information / financial markets
• Information and communication technology and data

Adversary motives and tactics evolve as business strategies change and business activities are executed; 'crown jewels' must be identified and their protection prioritized, monitored and adjusted accordingly.

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

Why organizations have not kept pace

Years of underinvestment in certain areas has left organizations unable to adequately adapt and respond to dynamic cyber risks.

[Figure: capability wheel. Areas named in the figure: Security Strategy and Roadmap; Board, Audit Committee, and Executive Leadership Engagement; Business Alignment and Enablement; Risk and Impact Evaluation; Resource Prioritization; Security Program, Functions, Resources and Capabilities; Compliance Remediation; Security Culture and Mindset; Process and Technology Fundamentals; Threat Intelligence; Monitoring and Detection; Critical Asset Identification and Protection; Incident and Crisis Management; Product & Service Security; Physical Security; Operational Technology Security; Public/Private Information Sharing; Threat Modeling & Scenario Planning; Technology Adoption and Enablement; Ecosystem & Supply Chain Security; Global Security Operations; Breach Investigation and Response; Notification and Disclosure; Privileged Access Management; Security Technology Rationalization; Patch & Configuration Management; Insider Threat; User Administration; Technology Debt Management; Secure Mobile and Cloud Computing.]

Has your organization kept pace?

Questions to consider when evaluating your ability to respond to the new challenges.

Threat Intelligence: understand the threats to your industry and your business
• Who are your adversaries and what are their motivations?
• What information are they targeting and what tactics are they using?
• How are you anticipating and adapting your strategy and controls?

Critical Asset Identification and Protection: identify, prioritize, and protect the assets most essential to the business
• Have you identified your most critical assets, and do you know where they are stored and transmitted?
• How do you evaluate their value and the impact to the business if they are compromised?
• Do you prioritize the protection of your crown jewels differently than other information assets?

Process and Technology Fundamentals: evaluate and improve the effectiveness of existing processes and technologies
• Have you patched and upgraded your core platforms and technology?
• How are you securing new technology adoption and managing vulnerability in your legacy technology?
• Have you evolved your security architecture and associated processes?

Monitoring and Detection: enhance situational awareness to detect and respond to security events
• How are you gaining visibility into internal and external security events and activities?
• Are you applying correlation and analytics to identify patterns or exceptions?
• How do you determine, in a timely and efficient way, when to take action?

Incident and Crisis Management: develop a cross-functional incident response plan for effective crisis management
• Have your business leaders undertaken cyberattack scenario planning?
• Do you have a defined cross-functional structure, process and capability to respond?
• Are you enhancing and aligning your plan to ongoing business changes?

Security Culture and Mindset: establish values and behaviors to create and promote security effectiveness
• How is leadership engaged and committed to addressing the cyber risks facing the business?
• What sustained activities are in place to improve awareness and sensitivity to cyber risks?
• How have your business practices evolved to address the threats to your business?

The security challenge now extends beyond the enterprise


Global Business Ecosystem

Pressures and changes which create opportunity and risk

Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.

• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.

• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.

• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.

Years of underinvestment in security has impacted organizations’ ability to adapt and respond to evolving, dynamic cyber risks.

Protecting Data & Role of Internal Audit (IA)

Data Privacy & Information Security Risk Factors

Financial
• Companies face several financial risks associated with a breach: federal/state regulatory fines, stock price decline, and remediation efforts

Legal
• Companies are experiencing increasing lawsuits from employees, customers and investors

Regulatory
• Enforcement actions from federal and state agencies
• Regulatory inquiries may require long-term third-party remediation in order to verify regulatory compliance

Reputational
• Negative impact to the brand
• Loss of employee, customer, and investor confidence

Compliance
• Compliance with government or industry regulations / enforcement (HIPAA, PCI, GLBA, COPPA, FTC Act)
• Compliance with self-regulatory frameworks (e.g., U.S.-EU Safe Harbor, TRUSTe, DMA OBA Principles)

Risks generally not perceived as well managed

85% believe security threats are increasing, yet only 12% think their organization manages risks extremely well.

Source: PwC's 2013 State of the Internal Audit Profession Study

Risks seen as increasing the most in the last year (in order):
• Economic uncertainty
• Regulations and government
• IT security/cyber security
• Data privacy
• Government spending and taxation
• Competition
• Commercial market shifts
• Financial markets
• Large programs (such as ERP)
• Talent and labor

Risks seen as the most well managed last year (in order):
• Talent & labor
• Competition
• Reputation/brand
• Financial markets
• Fraud and ethics
• Government spending and taxation
• Mergers, acquisitions and JVs
• Regulations and government policies
• IT / cyber security
• Economic uncertainty

Organizations with high-performing internal audit functions manage risk better than others.

Source: PwC's 2013 State of the Internal Audit Profession Study

What you should be thinking


Having a Program In Place to Protect Data


A comprehensive program is needed to address the myriad compliance requirements, and to protect consumer information and sensitive company information. Its components:

• Governance
• Risk Assessment
• Processes & Controls
• Technical Security & Controls
• Training & Awareness
• Monitoring & Auditing
• Incident Response

Strategic Approach : End to End Data Lifecycle Protection

Organizations have historically focused on protecting the perimeter to prevent intrusion (and therefore data loss). Sensitive data, however, does not stay behind the perimeter: it is shared with partners, carried on mobile devices and processed in cloud services. Organizations should instead start by looking at each stage of the information lifecycle, from creation through storage, use and sharing to disposal, and determine the best way to protect sensitive data at each of those stages.
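The lifecycle-by-stage approach above, as an added example that is not part of the PwC deck: a small Python control chain that first discovers and classifies sensitive values in records (the "do we know where it is stored" question), then applies the control that fits the stage the data is in, masking when the data is in use and keyed tokenization when it is at rest. The regular expressions, the two data classes (PCI, PII), the field names, the sample records and the tokenization key are all assumptions made for this example; the payment card numbers are the public Visa and Mastercard test numbers.

```python
"""Added example (not from the PwC deck): discover, classify and protect
sensitive fields according to the data lifecycle stage they are in."""
import hashlib
import hmac
import re
from typing import Dict, List, Set

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# spaces or dashes.  The regex only finds candidates; the Luhn check decides.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the conventional NNN-NN-NNNN layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Assumed key for the example.  In production it comes from a KMS/HSM,
# never from source code.
KEY = b"example-only-key-replace-with-kms-managed-secret"


def luhn_ok(candidate: str) -> bool:
    """Luhn check (ISO/IEC 7812) over the digits of a candidate PAN."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Data classes present in a value.  A PAN hit must also pass Luhn,
    which discards most order numbers and other 16-digit identifiers."""
    classes: Set[str] = set()
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
        classes.add("PCI")
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        classes.add("PII")
    return classes


def inventory(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Which fields carry which classes across a sample of records: the
    'where is it stored' answer a crown-jewels review needs."""
    found: Dict[str, Set[str]] = {}
    for rec in records:
        for field, value in rec.items():
            found.setdefault(field, set()).update(classify(value))
    return {f: c for f, c in found.items() if c}


def mask_pan(pan: str) -> str:
    """Display form (data in use): all but the last four digits replaced."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize(value: str, key: bytes = KEY) -> str:
    """Storage form (data at rest): HMAC-SHA256 token.  Stable, so records
    can still be joined on it, but not reversible or brute-forceable
    without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def protect(record: Dict[str, str], stage: str, key: bytes = KEY) -> Dict[str, str]:
    """Apply the stage-appropriate control to every PCI-classified field.
    stage is 'use' (mask for display) or 'store' (tokenize at rest)."""
    if stage not in ("use", "store"):
        raise ValueError("stage must be 'use' or 'store'")
    out: Dict[str, str] = {}
    for field, value in record.items():
        if "PCI" in classify(value):
            digits = "".join(c for c in value if c.isdigit())
            out[field] = mask_pan(digits) if stage == "use" else tokenize(digits, key)
        else:
            out[field] = value
    return out


# Constructed sample records.  The order ids are 16 digits but fail Luhn,
# so a correct scanner must not flag them as card data.
SAMPLE_RECORDS = [
    {"customer": "Jane Doe", "email": "jane@example.com",
     "pan": "4111 1111 1111 1111", "order_id": "1234567812345678"},
    {"customer": "John Roe", "email": "john@example.com",
     "pan": "5555-5555-5555-4444", "order_id": "8765432187654321"},
]

if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_RECORDS))
    print("in use:   ", protect(SAMPLE_RECORDS[0], "use"))
    print("at rest:  ", protect(SAMPLE_RECORDS[0], "store"))
```

The Luhn step is the check that keeps a discovery scan usable: without it every 16-digit order or shipment number is reported as card data and the inventory drowns in false positives. The tokenization is deliberately keyed rather than a plain hash, because the PAN space is small enough that an unkeyed SHA-256 of a card number can be brute-forced from the BIN range alone.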


Engage your Stakeholders


Data protection and privacy is a relatively new consideration within the risk management disciplines. As a result, the manner in which organizations address this risk can differ widely. Some of the typical stakeholders associated with data protection and privacy concerns, with example concerns for each process area:

Legal: FTC complaints; records management
Marketing: eCommerce initiatives; CRM; social media campaigns
Information Security: audit findings; PCI readiness; data breaches
Internal Audit: board or audit committee requests; increasing the enterprise risk scope
Compliance: HIPAA (healthcare), GLBA (financial); regulatory examination
Privacy Office: governance structure; operating privacy, i.e. how to "live" by the privacy policy

Data Protection and Privacy Program Monitoring


Ongoing auditing or monitoring of a company's data protection and privacy program is essential. Examples of areas that auditing and monitoring activities should focus on include:

• Data protection and privacy program gap assessment

• Evaluation of, or assistance with, the company’s periodic data protection and privacy risk assessment process

• Compliance with established data protection and privacy policies and procedures

• Data protection and privacy training and awareness programs

• Data protection and privacy related remediation

• Third party/vendor data protection and privacy practices


Considerations for Your Organization


Understanding threats

• Has your data been exposed – and would you know if it were?

• Do you know what breach indicators you should be monitoring?

Building protections

• Has the company established formal governance and controls to protect the sensitive data?

• Are the controls and safeguards periodically tested?

• Have the controls and safeguards been updated to respond to changing business models?

Responding to incidents

• Are you prepared to respond to legal actions?

• If a Regulator were to inquire or investigate the company, would the company be prepared to respond?

• Has the company established formal plans to respond to incidents when they occur?


Considerations for Your Organization


Understanding Company Governance & Awareness

• What are the company’s compliance requirements?

• What is the culture of the company and what is the philosophy regarding information security and privacy?

• Who leads the efforts for information security (e.g., Steering Committee)?

• How does the company ensure alignment between the management and staff?

• What is the company trying to achieve with their information security/privacy program?

Understanding sensitive data

• What sensitive data do you have that needs to be protected?

• Has the company classified and inventoried that data?

• Who has access to sensitive data – internally and externally?

• Who is responsible for protecting your sensitive data?

• Who is responsible for the oversight of vendors that may hold sensitive data?

Coordinated lines of defense

1st line of defense, Management: functional and line management are responsible for operationalizing risk management and internal controls.

2nd line of defense, Risk Management & Compliance: risk management and compliance functions are responsible for establishing and monitoring effective risk management policies and standards.

3rd line of defense, Internal Audit: internal audit is responsible for providing objective assurance and advice on governance, risk, and compliance to the board and executive management.

Oversight: senior management; board/audit committee.


The role of internal audit

Internal Audit can play a role in the ongoing independent monitoring of a company’s data protection and privacy program.

• Keep the board abreast of emerging security and privacy risks

• Embed yourself in key activities that roll out new business processes, products or information systems (i.e., privacy by design)

• Communicate with the board and executive management

• Privacy/Security program gap assessment

• Evaluation of, or assistance with, the company’s periodic privacy/security risk assessment process

• Audits of established privacy/security policies and procedures and/or controls

• Audits of privacy/security training and awareness programs

• Audits of third party/vendor data protection and privacy practices


Questions you should be asking

Enhancing security strategy and capability

1. Is our cybersecurity program aligned with our business strategy?

2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us?

3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners?

Understanding and adapting to changes in the security risk environment

1. Do we know what information is most valuable to the business?

2. Do we know what our adversaries are after / what they would target?

3. Do we have an insider threat program? Is it inter-departmental?

4. Are we actively involved in relevant public-private partnerships?

Advancing security posture through a shared vision and culture

1. How was our last security crisis identified: in-house, or by a government agency?

2. Who leads our incident and crisis management program? Is our program cross-functional / inter-departmental?

3. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities?

What is important to regulators


• Accountability and program ownership

• Considerations of data protection, privacy and security throughout the organization and its processes

• Training and awareness programs

• Risk assessment processes

• Policies/procedures

• Data protection controls

• Monitoring technologies and capabilities

• Focus is on transparency in notice to consumers

• Do the systems and controls process data as described by your privacy notice?

• Do consumers have choice, and do they consent?

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2013 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Additional Questions?

Appendix Slides: PwC Global State of Information Security Survey 2014

A US-only survey shows that, even when in place, security technologies and policies often do not prevent incidents.

1 2013 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Coordination Center at Carnegie Mellon University, Federal Bureau of Investigation, PwC, and the US Secret Service, March-April 2013

Respondents to the 2013 US State of Cybercrime Survey,1 co-sponsored by PwC, say security incidents increased 33%, despite implementation of security practices. For many, existing security technologies and policies are simply not keeping pace with fast-evolving threats.

Security technologies and policies in place (US only)

Use policy-based network connections to detect and/or counter security incidents 68%

Inspect inbound and outbound network traffic 61%

Use account/password management in an attempt to reduce security incidents 60%

Have an acceptable-use policy 55%

Use malware analysis as a tool to counter advanced persistent threats (APTs) 51%

Use data loss prevention technology to prevent and/or counter security incidents 51%

Use security event management to detect and/or counter security incidents 50%

Use cyber-threat research in an attempt to reduce security incidents 25%

Do not allow non-corporate-supplied devices in the workplace/network access 17%

It is imperative that organizations identify, prioritize, and protect their "crown jewels." Many, however, have not yet implemented basic policies necessary to safeguard intellectual property (IP).

[Chart: Have policies to help safeguard IP and trade secrets, 2011 vs 2012 vs 2013, for four policy areas: classifying business value of data; procedures dedicated to protecting IP; inventory of assets/asset management; regular review of users and access. Reported shares range from 16% to 37%; no area exceeds 37% in any year.]

Despite the potential consequences, many respondents do not adequately safeguard their high-value information.

Evolution of Security: Paradigm Shift

[Chart: technology reliance/complexity plotted against time, rising through four eras.]

1980s, "Perimeter Security": focus on security technology for the perimeter.

1990s, "Layered Security": focus on enhanced layers of security, adoption of incremental security solutions.

2000s, "Inclusion & Exclusion Security": heavy focus on identity management (right people, right place, right access).

2012+, "Assumed State of Compromise":

• Significant and evolving cyberthreats unlike ever before.

• Highly skilled, motivated, and yet patient adversaries, including nation states.

• Increasing speed of business, digital transformation, and hyper-connectivity across the supply chain and to customers.

• Massive consumerization of IT and reliance on mobile technologies.

• Increasing regulatory compliance requirements (e.g., SEC cyber guidance).

What is this thing on my external network ?

Internet Census

Project Sonar