Governance of Privacy & Security: Balancing Compliance & Risks

CSO Breakfast Club, DC Chapter

September 30, 2008

Jody R. Westby, Esq.
CEO, Global Cyber Risk LLC

Adjunct Distinguished Fellow, Carnegie Mellon CyLab

www.globalcyberrisk.com


The International Business & Legal Landscape

• Cybercrime, Privacy & Cyber Security Are Integrated Issues

• 233 Countries Connected to Internet; 1.5 Billion Online Users

• Global Operations Following the Sun and Outsourcing for Competitiveness

• International Legal Framework Highly Inconsistent

• Must Manage Risks Internally and For Outsourced Operations

• Governance of Security Required at Board & Senior Executive Levels

© Jody R. Westby


Principles of Corporate Governance

• Manage Risks of Organization & Align with Strategy

• Protect Critical Assets

• Preserve Resources of Organization

• Meet Compliance Requirements

• Set Culture and Managerial Tone for Conduct

• Make Governance Systemic Throughout Company

• Determine a Clear, Strategic Direction with Goals

• Assure Decisions are Implemented Through Effective Controls, Metrics, & Policies

Business Roundtable, Principles of Corporate Governance 2005


Effective Security Governance Characteristics

• Security Managed as Enterprise Issue

• Leaders are Accountable

• Security Viewed as Business Requirement

• Risk Based (Compliance, Operational, Reputational, Financial)

• Roles & Responsibilities Defined with Segregation of Duties

• Security Addressed & Enforced in Policy

• Adequate Resources Committed

• Staff Aware & Trained

• Security Addressed Throughout System Development Life Cycle

• Security is Planned, Managed, Measured & Weaknesses Addressed

• Reviewed & Audited


Enterprise Security Program

(Diagram: RMP; ESS; Enterprise Security Plan; Business Unit Security Plans; System Security Plans; Policies & Procedures; System Architecture.)

Enterprise Security Program Inputs

(Diagram: the following inputs feed the Enterprise Security Program.)

• System interconnection points

• Operating environment and operational criteria

• Culture and management policies and procedures

• Business plan and strategic goals

• Asset info on data, applications, networks

• Assessments & audit findings

• Incident response & crisis communications

• Reqs for business continuity and disaster recovery

• Standards, best prac. & guidance

• Technological considerations & system arch.

• Legal & cybercrime considerations

• RMP, ESS & risks, threats, vulnerabilities

• ROI and financial information

Outputs of the Enterprise Security Program: Security Plan, Security Policies, Security Procedures


Compliance Issues for ESP

• Privacy (Federal, State, Foreign)

• Security

• Breach Notification (States, Fed Reserve, Watch Foreign)

• Economic Espionage Act & Cybercrime Laws

• Financial (GLBA, FCRA, FACTA, SOX)

• Health/Medical

• Intellectual Property

• Other protected types of data

• Procedural and Rules of Evidence (chain of custody (s/s & forensic), integrity, admissibility)

• E-Discovery


Nexus Between Cyber Security, Privacy, & Cybercrime

(Diagram: three overlapping circles labelled Cybercrime, Privacy, and Security.)

• Major Component of Cyber Security is Ability to Protect Against Unauthorized Access & Disclosure; Enterprise Approach Needed; Must be Able to Deter, Detect, Obtain Evidence

• Privacy & Security Breaches Are Cybercrimes; Laws Deter, Enable Prosecution

• Privacy Dependent upon Security; Driven by Laws, Culture


Governance Structure

(Organization chart: BOD; CEO/COO; BRC and BAC; X-Team; BM, AO, CA, OP, IA, EA.)


Governance for Enterprise Security Program Flowchart


ESP Activity Sequence

• Governance
  • Structure & Roles and Responsibilities
  • Inventory of Assets
  • Compliance & Mapping
  • Cybercrime & Mapping
  • Privacy Impact Assessment & Privacy Audits
  • Risk Assessments
  • Operational Criteria
  • Security Input to RMP, Develop ESS

• Integration & Operations
  • Categorization, Controls, Metrics
  • Best Practices & Standards
  • Security Configuration Settings
  • Supporting Plans (IR, BC/DR, CC)
  • 3rd Party & Vendor Requirements
  • Change Management Plans
  • ESP, Policies & Policies


ESP Activity Sequence

• Implementation & Evaluation
  • Implement & Train
  • Monitor & Enforce
  • Test & Evaluate Controls, Policies & Procedures
  • Identify System Weaknesses & Correct
  • Issue Authority to Operate

• Capital Planning & Investment Controls
  • Determine Security Business Case, ROI, Funding Needs
  • Formal Review of ESP
  • Formal Audit of ESP


Roles and Responsibilities & Artifacts

• BRC

• X-Team

• Business Managers

• Asset Owners

• Operational Personnel

• Certification Authority

• Internal & External Auditors

Artifacts

• BRC, X-Team Mission, Goals, Objectives

• Organization Chart and R&R

• Top Level Policies

• Inventory of Assets

• Detailed Security Responsibilities

• Table of Authorities & Mappings

• Privacy Impact Assessments & Audits

• Risk Assessments, Certification Letter

• Operational Criteria

• Enterprise Security Plan & ESS

• Categorization, Controls & Metrics

• Best Practices & Standards, Settings

• Supporting Plans (IR, BC/DR, CC, Chg)

• 3rd Party & Outsource Vendor Requirements

• Policies & Procedures

• Security System Architecture Plan

• Implementation & Training

• Monitoring & Enforcement

• Testing & Evaluation, POAMs

• ESP Security Funding, ROI

• Annual Reviews, Audits


Global Environment Today

• More and More Offshore – India, China, Philippines Largest Markets

• Lack of Available Talent, Increasing Wage Scales, Weak Infrastructure Causing Major Outsourcing Vendors to go to Satellite Sites

• Popular Destinations for Satellite Operations are China, Mexico, Romania, Philippines, Eastern European countries

• Many of These Countries Lack Privacy Laws, Economic Espionage Laws

• Cybercrime Laws are Inadequate, Poor Law Enforcement Assistance

• Weak Criminal Procedures, Lack of Trained Judiciary Personnel re Cybercrimes, Investigations

• Poor International Cooperation With Law Enforcement

• Recent Breaches of US & EU Data Caused Response from Regulators


Reality of Outsourcing Breaches

• Your Data is in Hands of Company You Do Not Control

• Lack of Ability to Control Vendor Personnel, Monitoring, Enforcement

• Vendor May Not Inform You Until Later On

• Provider May Not Have Adequate Incident Response Plan or Not Follow Plan

• Provider May Not Preserve Evidence

• Provider May Make Statements to Press, Law Enforcement, Others That Could Harm Brand, Stock Price, Market Share

• Provider May Have Contractual Obligation to Protect Data, But No Statutory Obligation

• Provider May Have Other Clients Whose Data Attracts Hackers, Economic Espionage

• Provider May Get Legal Requests for Your Data


Immediate Barriers to Effective Response

• Legal Differences in Laws, Procedures

• Jurisdictional Issues

• International Cooperation Issues

• Investigation & Prosecution Difficulties

• Evidentiary Considerations (Logs, Audit Trails, Search/Seizure)

• Compliance Responsibilities of Company & Provider Conflict

• Reality of Time Zones


Governance Actions That Reduce Risk

• Identify Compliance Issues & Weave Through ESP

• Take Laws of Outsourced Jurisdiction into Account for Table of Authorities & Mapping

• Determine Roles & Responsibilities for Personnel

• Conduct Privacy Impact Assessments

• Push Security Requirements Out to Providers, Third Parties (Controls, Metrics, Policies/Procedures)

• Review Policies & Procedures & Supporting Plans

• Monitoring & Enforcement & Communications Plan

• Regular Reporting (Incidents, Monitoring, Enforcement)

• Business Cases for IT Include Privacy, Security & BC/DR

• Conduct Privacy & Security Audits (Internal & Vendors)


THANK YOU!

Jody R. [email protected]

202.255.2700