Transcript: Information Security and its Impact on Project Managers (55 slides)

Information Security and its Impact on Project Managers

Convergency™

May 9, 2018
PMI Chicagoland Chapter Meeting
Brian Nigl, Convergency LLC


The significant vulnerabilities present on an average enterprise server typically take 5 minutes or less to remediate, each

to exploit


AGENDA

• An Exciting Time

• Data Privacy Regulation on the Rise

• Risk Management Challenges

• Information Security Problem Solving


“The world’s most valuable resource is no longer oil, but data.”

The Economist, May 6, 2017


The Power to Augment Human Intelligence


COMPETING PRIORITIES THROUGH 2021

Digital Innovation


COMPETING PRIORITIES THROUGH 2021

Operational Transformation


COMPETING PRIORITIES THROUGH 2021

End of Life


COMPETING PRIORITIES THROUGH 2021

Risk & Compliance


DATA PRIVACY REGULATION ON THE RISE


Why Does Privacy Matter?


U.S. PATCHWORK OF REGULATION

• Patchwork of federal laws – Gramm-Leach-Bliley Act (GLB), Video Privacy Protection Act, Electronic Communications Privacy Act (ECPA), Fair Credit Reporting Act, Children’s Online Privacy Protection Act (COPPA), Health Information Portability & Accountability Act (HIPAA)

• U.S. State Data Privacy Laws with lack of uniformity – for example, breach notification


RECENT DATA PROTECTION REGULATIONS

Country | Effective Date | Significant Issues | Global GDP Share
--------|----------------|--------------------|-----------------
China   | June 1, 2017   | Migrating more than one terabyte requires consent | 18.1%
Russia  | July 1, 2017   | Notice to authorities 30 days before processing data; significant control of approved systems; VPN ban | 3.6%


RECENT REGULATIONS

• PCI 3.2 – February 1, 2018

• PCI 3.2 Encryption in Transit Hardening – July 1, 2018

• NY State Dept of Financial Services – Certification – February 15, 2018

• Arizona Data Breach Notification – April 11, 2018

• Delaware Data Breach Notification – April 18, 2018


UPCOMING REGULATIONS

• EU General Data Protection Regulation – May 25, 2018

• EU e-Privacy Regulation – Approval Pending

• Unsolicited Marketing

• Cookies

• Confidentiality (all communication channels)


GDPR IMPACT

• 72 hour notification period – citizens and regulator

• Companies must assign someone to the role of Chief Data Officer

• Companies must conduct and provide a Data Privacy Impact Assessment (public record)


GDPR IMPACT

• EU citizens have the right to be forgotten, except where law requires data to be retained (taxes, financial records, etc.)

• Companies must collect and retain only data which is relevant for processing

• EU citizens have the right to know where and how their data is being used


GDPR PREPAREDNESS GAP

U.S. Fortune 500 Survey:

• 11% have yet to define a plan

• 40% to achieve compliance after May 25, 2018

• 59% not prepared for 72-hour notification

• 64% not prepared to exercise data subject rights


GDPR LESSONS LEARNED

GDPR Conferences Take-Away

EU Commission is looking for an early target – a U.S.-based corporation


GDPR IMPACT ON PROJECTS

How will this project…

• Align with personal information classification?

• Adhere to 72-hour notifications?

• Permit “right to be forgotten”?

• Adhere to the right of disclosure?


RISK MANAGEMENT CHALLENGES


INFORMATION TECHNOLOGY’S SECURITY CONCERNS

Security has long been a check-the-box activity


INFORMATION TECHNOLOGY’S SECURITY CONCERNS

✓Our educational system lacks “Security by Design” knowledge and training

✓IT lacks security training prerequisites for app dev, infrastructure and support roles

✓IT lacks security requirements in app dev, infrastructure and support job descriptions


INFORMATION TECHNOLOGY’S SECURITY CONCERNS

✓ Security has yet to be “baked in” well enough in development languages and network devices

✓ IT lacks understanding of what “good” security looks like


3.5 Million unfilled cybersecurity jobs by 2021

LABOR SHORTAGE PROJECTED


When Our Projects Do Not Account for Good Security…


DATA BREACH INCREASES


7.8 Billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.

* 2017 Data Breach QuickView Report

DATA BREACH RECORDS EXPOSED


Only 18.6% of all breaches were discovered by the organization responsible for protecting the data

* 2017 Data Breach QuickView Report

DATA BREACH RECORDS EXPOSED


Penance Projects

➢C-Suite Changes to replace upper management personnel who were responsible for security.

➢Public Relations Campaigns to convince customers and stakeholders that the problem is being addressed.

➢Marketing & Advertising Campaigns to improve marketplace reputation.


Penance Projects

➢Legal Action is implied. Settlements continue to rise.

➢Regulatory Action from government agencies imposing excessive fines. Europe’s GDPR carries a risk of 4% of annual revenue or 20 million EUR.

➢Walls of Shame. Long-lasting public portals that list ne’er-do-wells.


Penance Projects

Forrester 2018 Prediction:

“One U.S.-based, Fortune 500 CEO will lose his/her job as a result of GDPR violations in 2018.”


Penance Projects

$7.35 Million: the average cost of a US security breach in 2017, a 5% increase over 2016.


SECURITY IMPACT ON PROJECTS

For this project…

• Do my resources know how to apply “good” security?

• How many hours should I allocate to fixing security gaps?

• Who is the subject matter expert that can provide remediation advice?


INFORMATION SECURITY

PROBLEM SOLVING


SECURITY BY DESIGN


A SOLUTION

• Hire or Appoint Subject Matter Expert(s) – Security Architect(s) and Security Engineer(s)

• Training

• Security Skills Gap Assessment

• Training/Re-training on current security skills


A SOLUTION

• Standards – “Good” Security Defined

• Standards must be specific

• Standards embedded in contracts

• Vendors and suppliers held accountable

• Data classifications defined

• Processor roles defined


“GOOD” SECURITY DEFINED

• Encryption in Transit

• Encryption at Rest

• Device encryption

• Cell-level encryption of data

• Advanced encryption techniques (key vault, enterprise key management)

• VDI over VPN

• Multi-factor authentication

• Detailed Security Standards

• No SSLv3, TLS 1.0, TLS 1.1

• No weak or insecure ciphers

• Detailed Security Procedures

• Annual Penetration Testing

• Quarterly Vulnerability Scanning

• Monitoring intervals well-defined

• Logging criteria well-defined


“GOOD” SECURITY DEFINED

• Policies and Standards documents assessed (internal and vendor/supplier)

• Privacy law matrix alignment

• End of Life planning

• Onboarding/offboarding controls reviewed quarterly

• Decommission plans well-executed


A SOLUTION

• Risk Management Organization

• Alignment with Third Party Lifecycle Management program

• Participation from relevant business units (Legal, Finance, Audit, Compliance, etc.)


A SOLUTION

• Risk Maturity Model

• Define current maturity

• Define goals, improve, re-evaluate


A SOLUTION

• Governance

• Risk assessment process defined

• Risk assessments conducted annually

• Governance board reviews exceptions

• Add Deployment Gate Checks

• Vulnerability Scans that assess compliance to standards
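The deck's “good security” standard (no SSLv3, TLS 1.0 or TLS 1.1; no weak or insecure ciphers) and its deployment gate check (a vulnerability scan that assesses compliance to that standard) can be joined into one automated gate. The script below is an added example, not material from the slides or from Convergency; it assumes a scan result already exists as a list of dicts with `host`, `protocols` and `ciphers` keys (an assumed shape, not any particular scanner's output), and the weak-cipher denylist is this example's own assumption since the slide does not enumerate the ciphers it forbids.

```python
"""Deployment gate check: evaluate TLS scan results against a written
standard (no SSLv3/TLS 1.0/TLS 1.1, no weak or insecure ciphers).

Added example. The scan-result shape and the weak-cipher denylist are
assumptions of this example, not the deck's or any scanner's definitions.
"""
import re
import sys

# Protocol versions the standard forbids (SSLv2 added; it predates SSLv3).
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Cipher-suite name fragments treated as weak or insecure (assumed list).
WEAK_CIPHER_PATTERN = re.compile(r"(NULL|EXPORT|RC4|DES|MD5|anon)", re.IGNORECASE)


def check_tls_scan(scan):
    """Return a list of finding strings for one host's scan result.

    `scan` is a dict like {"host": ..., "protocols": [...], "ciphers": [...]}.
    An empty list means the host complies with the standard.
    """
    findings = []
    host = scan.get("host", "<unknown>")
    protocols = scan.get("protocols", [])

    for proto in protocols:
        if proto in FORBIDDEN_PROTOCOLS:
            findings.append(f"{host}: forbidden protocol enabled: {proto}")

    for suite in scan.get("ciphers", []):
        match = WEAK_CIPHER_PATTERN.search(suite)
        if match:
            findings.append(
                f"{host}: weak cipher suite offered: {suite} ({match.group(1)})")

    # A host that offers nothing modern fails too, even with no forbidden items.
    if not any(p in ("TLSv1.2", "TLSv1.3") for p in protocols):
        findings.append(f"{host}: no modern protocol (TLS 1.2/1.3) enabled")

    return findings


def gate(scans):
    """Run the check over every host; return (passed, all_findings)."""
    findings = []
    for scan in scans:
        findings.extend(check_tls_scan(scan))
    return (len(findings) == 0, findings)


# Constructed sample scan results for two hypothetical hosts (not real data).
SAMPLE_SCANS = [
    {"host": "app-legacy.example.test",
     "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]},
    {"host": "app-new.example.test",
     "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]},
]

if __name__ == "__main__":
    passed, all_findings = gate(SAMPLE_SCANS)
    for line in all_findings:
        print("FAIL", line)
    print("gate:", "PASS" if passed else "FAIL")
    # Non-zero exit blocks the deployment pipeline stage that runs this gate.
    sys.exit(0 if passed else 1)
```

Run as a pipeline stage, the non-zero exit code is what turns the standard into an enforced gate rather than a document; the findings list is the evidence the governance board would review when granting an exception.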


A SOLUTION

• Governance (continued)

• Audits conducted annually on regulated systems

• Top-down controls defined with service level agreements

• Bottom-up reporting with accountability and repercussions for failure to comply

• Changes to regulation adopted into workflows


A SOLUTION

• Incident Response Plan

• Definition

• Third party organizations contracted to meet notification windows

• Practice Drills

• Actions taken noted

• Testing

• Audit


A SOLUTION

• Annual Review / Recertification


Q & A


Thank You for the Opportunity