Information Security and its Impact on Project Managers
Convergency™
May 9, 2018
PMI Chicagoland Chapter Meeting
Brian Nigl, Convergency LLC
The significant vulnerabilities present on an average enterprise server typically take 5 minutes or less to remediate, each to exploit
AGENDA
• An Exciting Time
• Data Privacy Regulation on the Rise
• Risk Management Challenges
• Information Security Problem Solving
“The world’s most valuable resource is no longer oil, but data.”
The Economist, May 6, 2017
The Power to Augment Human Intelligence
COMPETING PRIORITIES THROUGH 2021
• Digital Innovation
• Operational Transformation
• End of Life
• Risk & Compliance
DATA PRIVACY REGULATION ON THE RISE
Why Does Privacy Matter?
U.S. PATCHWORK OF REGULATION
• Patchwork of federal laws – Gramm-Leach-Bliley Act (GLB), Video Privacy Protection Act, Electronic Communications Privacy Act (ECPA), Fair Credit Reporting Act, Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability & Accountability Act (HIPAA)
• U.S. State Data Privacy Laws with lack of uniformity – for example, breach notification
RECENT DATA PROTECTION REGULATIONS
Country | Effective Date | Significant Issues | Global GDP Share
China   | June 1, 2017   | Migrating more than one terabyte requires consent | 18.1%
Russia  | July 1, 2017   | Notice to authorities 30 days before processing data; significant control of approved systems; VPN ban | 3.6%
RECENT REGULATIONS
• PCI 3.2 – February 1, 2018
• PCI 3.2 Encryption in Transit Hardening – July 1, 2018
• NY State Dept of Financial Services – Certification – February 15, 2018
• Arizona Data Breach Notification – April 11, 2018
• Delaware Data Breach Notification – April 18, 2018
UPCOMING REGULATIONS
• EU General Data Protection Regulation – May 25, 2018
• EU e-Privacy Regulation – Approval Pending
  • Unsolicited Marketing
  • Cookies
  • Confidentiality (all communication channels)
GDPR IMPACT
• 72-hour notification period – citizens and regulator
• Companies must assign someone to the role of Chief Data Officer
• Companies must conduct and provide a Data Privacy Impact Assessment (public record)
• EU citizens have the right to be forgotten, except where law requires data to be retained (taxes, financial records, etc.)
• Companies must collect and retain only data which is relevant for processing
• EU citizens have the right to know where and how their data is being used
GDPR PREPAREDNESS GAP
U.S. Fortune 500 Survey:
• 11% have yet to define a plan
• 40% to achieve compliance after May 25, 2018
• 59% not prepared for 72-hour notification
• 64% not prepared to exercise data subject rights
GDPR LESSONS LEARNED
GDPR Conferences Take-Away:
EU Commission is looking for an early target – a U.S.-based corporation
GDPR IMPACT ON PROJECTS
How will this project...
• Align with personal information classification?
• Adhere to 72-hour notifications?
• Permit “right to be forgotten”?
• Adhere to the right of disclosure?
RISK MANAGEMENT CHALLENGES
INFORMATION TECHNOLOGY’S SECURITY CONCERNS
Security has long been a check-the-box activity
✓ Our educational system lacks “Security by Design” knowledge and training
✓ IT lacks security training prerequisites for app dev, infrastructure and support roles
✓ IT lacks security requirements in app dev, infrastructure and support job descriptions
✓ Security has yet to be “baked in” well enough in development languages and network devices
✓ IT lacks understanding of what “good” security looks like
LABOR SHORTAGE PROJECTED
3.5 million unfilled cybersecurity jobs by 2021
When Our Projects Do Not Account for Good Security...
DATA BREACH INCREASES
7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.*
DATA BREACH RECORDS EXPOSED
Only 18.6% of all breaches were discovered by the organization responsible for protecting the data.*
* 2017 Data Breach QuickView Report
Penance Projects
➢ C-Suite Changes to replace upper management personnel who were responsible for security.
➢ Public Relations Campaigns to convince customers and stakeholders that the problem is being addressed.
➢ Marketing & Advertising Campaigns to improve marketplace reputation.
➢ Legal Action is implied. Settlements continue to rise.
➢ Regulatory Action from government agencies imposing excessive fines. Europe’s GDPR carries a risk of 4% of annual revenue or EUR 20 million.
➢ Walls of Shame. Long-lasting public portals that list ne’er-do-wells.
Forrester 2018 Prediction:
“One U.S.-based, Fortune 500 CEO will lose his/her job as a result of GDPR violations in 2018.”
$7.35 million: the average cost of a US security breach in 2017, a 5% increase over 2016.
SECURITY IMPACT ON PROJECTS
For this project...
• Do my resources know how to apply “good” security?
• How many hours should I allocate to fixing security gaps?
• Who is the subject matter expert that can provide remediation advice?
INFORMATION SECURITY PROBLEM SOLVING
SECURITY BY DESIGN
A SOLUTION
• Hire or Appoint Subject Matter Expert(s) – Security Architect(s) and Security Engineer(s)
• Training
  • Security Skills Gap Assessment
  • Training/Re-training on current security skills
• Standards – “Good” Security Defined
  • Standards must be specific
  • Standards embedded in contracts
  • Vendors and suppliers held accountable
  • Data classifications defined
  • Processor roles defined
“GOOD” SECURITY DEFINED
• Encryption in Transit
• Encryption at Rest
• Device encryption
• Cell-level encryption of data
• Advanced encryption techniques (key vault, enterprise key management)
• VDI over VPN
• Multi-factor authentication
• Detailed Security Standards
  • No SSLv3, TLS 1.0, TLS 1.1
  • No weak or insecure ciphers
• Detailed Security Procedures
  • Annual Penetration Testing
  • Quarterly Vulnerability Scanning
  • Monitoring intervals well-defined
  • Logging criteria well-defined
• Policies and Standards documents assessed (internal and vendor/supplier)
• Privacy law matrix alignment
• End of Life planning
• Onboarding/offboarding controls reviewed quarterly
• Decommission plans well-executed
A SOLUTION (continued)
• Risk Management Organization
  • Alignment with Third Party Lifecycle Management program
  • Participation from relevant business units (Legal, Finance, Audit, Compliance, etc.)
• Risk Maturity Model
  • Define current maturity
  • Define goals, improve, re-evaluate
• Governance
  • Risk assessment process defined
  • Risk assessments conducted annually
  • Governance board reviews exceptions
  • Add Deployment Gate Checks
  • Vulnerability Scans that assess compliance to standards
  • Audits conducted annually on regulated systems
  • Top-down controls defined with service level agreements
  • Bottom-up reporting with accountability and repercussions for failure to comply
  • Changes to regulation adopted into workflows
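As an added example (not part of the deck), a deployment gate check of the kind the Governance items above call for, applied to the TLS standard on the “Good” Security Defined slide: no SSLv3, TLS 1.0 or TLS 1.1, and no weak or insecure ciphers. It assumes the server under review uses nginx-style ssl_protocols / ssl_ciphers directives; both sample configurations are constructed.

```python
"""Deployment gate check: does a TLS server config meet the standard on the
"Good" Security Defined slide? Added example, not the deck's own material.
Assumes nginx-style directives; WEAK_CONFIG and HARDENED_CONFIG are constructed."""
import re

DISALLOWED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-suite name fragments that mark a suite as weak or insecure.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "EXP-", "ADH", "AECDH")

# Constructed sample: a legacy server block that should fail the gate.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}
"""
# Constructed sample: the same block brought into line with the standard.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
    ssl_prefer_server_ciphers on;
}
"""

def parse_directive(config, name):
    """Return the arguments of an nginx directive, or [] if it is absent."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return m.group(1).replace('"', "").split() if m else []

def check_tls_config(config):
    """Return a list of findings; an empty list means the gate passes."""
    findings = []
    protocols = parse_directive(config, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: server default may permit TLS 1.0/1.1")
    findings += [f"protocol {p} is prohibited by standard" for p in protocols
                 if p in DISALLOWED_PROTOCOLS]
    # nginx separates suites with ':'; entries starting with '!' are exclusions.
    for suite in ":".join(parse_directive(config, "ssl_ciphers")).split(":"):
        if suite and not suite.startswith("!") and any(
                marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher entry {suite} is weak or insecure")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", check_tls_config(cfg) or "PASS")
```

Wiring a check like this into the release pipeline turns the “No SSLv3, TLS 1.0, TLS 1.1” standard into a gate that blocks a deployment rather than a line item found later by the quarterly scan.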
A SOLUTION (continued)
• Incident Response Plan
  • Definition
  • Third party organizations contracted to meet notification windows
  • Practice Drills
  • Actions taken noted
  • Testing
  • Audit
• Annual Review / Recertification
Q & A
Thank You for the Opportunity