THE INSTITUTE OF INTERNAL AUDITORS – District Conference
Transcript of THE INSTITUTE OF INTERNAL AUDITORS – District Conference
March 10, 2015
© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
THE INSTITUTE OF INTERNAL AUDITORS – District Conference
Information Security / Cybercrime
Presenter: Eric Grass, Director, Business Advisory Services, E: [email protected]
Agenda Topics
• What are the nature and compliance requirements related to handling personal information?
• What to consider when developing your Information Security Program, and what are the trending data breach statistics?
• What are organizations doing to plan ahead and prepare?
Information Privacy
How is personal information classified?
Personal Identifiable Information (PII) – any data that could potentially identify a specific individual. This can be either:
• Non-Sensitive Personal Information – Name, Address, etc.
• Sensitive Personal Information (SPI)
  – SSN, Passport Number, Driver's License, etc.
  – Personally Identifiable Financial Information (PIFI), including bank accounts, credit cards, etc.
  – Personal Health Information (PHI)
  – Emerging areas (Biometrics, Static IP Addresses, etc.)
• Other Personal Information
  – Employment Information (salary, performance ratings, etc.)
  – Customer Information (purchase history, voice recordings, etc.)
[Diagram: Non-Sensitive Personal Information / Sensitive Personal Information / Other Personal Information]
Information Privacy
What are the sources of personal information?
• Public Records – information collected and maintained by a government entity and available to the general public (example: certain real estate information)
• Publicly Available Information – information that is generally available to a wide range of persons (example: name and address in the phone book, published information, etc.)
• Nonpublic Information – not generally available or easily accessed due to law, custom, or fiduciary duty (example: medical records, financial information, adoption records, employment information, etc.)
[Diagram: Nonpublic Information / Public Records / Publicly Available Information]
Information Privacy
What are an organization's responsibilities?
• Establish adequate information security safeguards to comply with the appropriate regulatory requirements and protect personal information
• Communicate internally to employees the specific governance regarding the handling practices for personal information
• Communicate externally awareness regarding how the organization intends to collect, use, retain, and disclose personal information
[Diagram – Focus Area: Nonpublic Information / Public Records / Publicly Available Information; Non-Sensitive Personal Information / Sensitive Personal Information / Other Personal Information]
Information Privacy
What are some of the common compliance standards?
Name | Type | Objective | Limited Scope
PCI DSS (Payment Card Industry Data Security Standard) | Contractual Requirement | Protects cardholder data (i.e., credit cards, debit cards, etc.) | Cardholder data
HIPAA / HITECH (Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act) | Government Regulation | Governs the use and disclosure of Protected Health Information (PHI) and reporting of data breaches | PHI
GLBA (Gramm-Leach-Bliley Act) | Government Regulation | Governs the collection, disclosure, and protection of consumers' non-public personal information by financial institutions | Consumers' non-public personal information
SOX (Sarbanes-Oxley) | Government Regulation | Governs the adequacy of a company's internal control on financial reporting | Internal controls over financial reporting
SOC Reports (Service Organization Controls Report) | Accounting Standard | Documents and tests controls implemented by outsourced service providers | Controls over outsourced services
Information Privacy
What are the Generally Accepted Privacy Principles (GAPP)?
Core idea: Privacy encompasses "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal information."
Originator: Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Structure: Comprised of 10 general principles, which are defined by 73 measurable criteria.
Metrics for compliance: Degree of compliance is known as "Maturity Level", with five levels from least to greatest: Ad Hoc; Repeatable; Defined; Managed; Optimized.
• Industry benchmark for assessing your organization's internal information privacy compliance capabilities
Information Privacy
What are the 10 GAPP Principles?
1. Management: assign accountability
2. Notice: provide notice about privacy policies and purposes for which information is collected, used, retained, and disclosed
3. Choice and consent: obtain consent with respect to collection and use of personal information
4. Collection: collect personal information only for purposes identified in notice
5. Use, retention and disposal: personal information is managed in a manner consistent with privacy notice and applicable laws/regulations
6. Access: access to information for review and update
7. Disclosure to third parties: disclosure consistent with purposes identified in notice and with consent of the individual
8. Security for privacy: personal information protected against unauthorized access (physical and logical)
9. Quality: maintain accurate, complete and relevant personal information for the purposes identified in the notice
10. Monitoring and enforcement: monitor compliance with internal privacy policies and procedures, and institute procedures to address privacy-related complaints and disputes
Information Privacy
What are the Maturity Level Definitions?
Rating Category Definition
1 Ad Hoc Undocumented, uncontrolled and reactive responses by users
2 Repeatable Process that can be recurring and may yield consistent results
3 Defined Documented processes which are periodically subjected to improvement over time
4 Managed Metrics relied upon by management to effectively control "as-is" process
5 Optimized Continual performance improvement through incremental and innovative changes
Information Security
How do information privacy and information security relate?
• Information Privacy
  – controls an individual's rights to authorize an organization's use of their personal information
  – establishes rules governing the collection and handling of personal information
  – requires Information Security to safeguard personal information … if security is breached, then privacy controls will not be effective
• Information Security
  – system of implemented controls, which need to be monitored and reviewed, to ensure the organizational objectives are being met
  – includes multiple types (physical, administrative, and technical) of control mechanisms
  – protection of all information types in order to prevent loss, unauthorized access, or misuse (includes both personal information and the organization's intellectual property and assets)
Information Security
What should I include in my Information Security Program?
• How do I keep my information security requirements current?
  – monitor organizational security threats and vulnerabilities
  – monitor legal, regulatory, and contractual obligation changes
  – adapt with your organization's principles, policies, and objectives
• Maintain your information risk profile
  – conduct a thorough review and assess your critical end-to-end information flows
    • identify potential threats and vulnerabilities
    • estimate impact and expected economic loss
  – prioritize the risks (i.e. Risk = Threats x Vulnerabilities x Expected Loss)
  – implement and monitor appropriate security controls
  – monitor the effectiveness of your information security program
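The risk-profile steps above (review the end-to-end information flows, rate threats and vulnerabilities, estimate expected loss, then prioritize with Risk = Threats x Vulnerabilities x Expected Loss) can be turned into a small risk register. The following is an added example and not code from the presentation or from Grant Thornton; the 1..5 rating scales, the "High"/"Standard" priority labels, the 80% Pareto cut-off and every flow and dollar figure in the sample register are assumptions constructed for the illustration.

```python
# Added example (not from the Grant Thornton deck): rank information flows by
# Risk = Threats x Vulnerabilities x Expected Loss, the formula the slide cites.
# The scales below are assumptions made for this example:
#   threat         likelihood a threat materialises, 1 (rare) .. 5 (frequent)
#   vulnerability  how exposed the flow is,          1 (well controlled) .. 5 (no control)
#   expected_loss  estimated economic loss of one incident, in USD
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class InformationFlow:
    name: str           # end-to-end flow being assessed
    data_class: str     # classification from the deck: SPI, PHI, Non-Sensitive, ...
    threat: int
    vulnerability: int
    expected_loss: float

    def risk(self) -> float:
        """Risk = Threats x Vulnerabilities x Expected Loss (a USD-weighted score)."""
        return self.threat * self.vulnerability * self.expected_loss


def validate(flow: InformationFlow) -> None:
    """Reject ratings outside the assumed 1..5 scale or a negative loss estimate."""
    for field in ("threat", "vulnerability"):
        value = getattr(flow, field)
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{flow.name}: {field} must be an integer in {SCALE_MIN}..{SCALE_MAX}")
    if flow.expected_loss < 0:
        raise ValueError(f"{flow.name}: expected_loss must be non-negative")


def prioritize(flows):
    """Return the flows ordered from highest to lowest risk."""
    for f in flows:
        validate(f)
    return sorted(flows, key=lambda f: f.risk(), reverse=True)


def pareto_priority(flows, share=0.8):
    """Label the flows that together carry the first `share` of total risk as "High".

    Walks the ranked list accumulating risk; a flow is "High" while the risk
    accumulated *before* it is still below the cut-off, so the flow that crosses
    the cut-off is included. Everything after that is "Standard".
    """
    ranked = prioritize(flows)
    total = sum(f.risk() for f in ranked)
    cutoff = share * total
    labels, cumulative = {}, 0.0
    for f in ranked:
        labels[f.name] = "High" if cumulative < cutoff else "Standard"
        cumulative += f.risk()
    return labels


# Constructed sample register (fictional flows and numbers, for illustration only).
SAMPLE_FLOWS = [
    InformationFlow("Card payments (POS to processor)", "SPI/PIFI", 5, 3, 2_000_000),
    InformationFlow("Payroll export to HR vendor", "SPI", 3, 4, 500_000),
    InformationFlow("Marketing mailing list", "Non-Sensitive", 2, 3, 50_000),
    InformationFlow("Patient records in EHR", "PHI", 4, 2, 3_000_000),
    InformationFlow("Public website content", "Public", 3, 2, 10_000),
]

if __name__ == "__main__":
    priority = pareto_priority(SAMPLE_FLOWS)
    for f in prioritize(SAMPLE_FLOWS):
        print(f"{priority[f.name]:8} {f.risk():>14,.0f}  {f.data_class:14} {f.name}")
```

With the sample register the card-payment and patient-record flows carry more than 80% of the total score and are the only "High" items, which is the point of the ranking step: control spending follows the few flows where threat, exposure and loss coincide, rather than the longest list of findings.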
Information Security
What are common misconceptions?
• It will never happen to me
• Our network is secure
• We are in compliance with industry standards
• We are not a big company
• We don't have any personal information so we aren't a target
• We have never been attacked
Information Security
What is behind recent high visibility data breaches?
Company | Financial Impact | What was Breached? | Attack Characteristics
Target | $148 million | Credit / debit card holder information | Compromised a 3rd party vendor to gain legitimate login credentials. Infected POS systems with a "RAM-scraping" virus. Estimated at 3 weeks in duration; $38 million from insurance
Sony | $171 million | SPI, NPI, documents and e-mails | Infected through their e-mail exchange servers. Estimated at 1+ years in duration; $60 million from insurance
eBay | TBD | PII, encrypted passwords | Compromised employee credentials used to gain access. eBay was seen as "exemplar" in its strong and sophisticated cyber defenses. Estimated at 2+ months in duration.
Google (discovered) | – | OpenSSL | Hackers exploited a security vulnerability dubbed "Heartbleed" in the cryptographic software library used to secure millions of websites. Estimated at 2+ years before detection of the bug.
Anthem | – | SPI, NPI, but not PHI | Very sophisticated external cyber attack, still being investigated
Information Security
What were the costs of data breaches in 2013?¹
• The average cost of a data breach was $3.5 million ($5.9 million US only), or an average $145 ($201 US only) per record of information
• Data breach root cause is distributed across malicious or criminal attack (42%), human error (30%), and system glitch (29%)
Breach cost characteristics (US $5.9m):
• 7% – Detection and Escalation Costs
• 9% – Breach Notification Costs
• 27% – Post-Breach Costs
• 57% – Lost Business
[Chart: Factors that influence average cost per record]
¹ Ponemon Institute, 2014 Cost of Data Breach Study, May 5, 2014
Information Security
Are there common incident classification patterns?²
² Verizon 2014 Data Breach Investigation Report
• POS Intrusion – remote attacks where retail transactions are conducted
• Web App Attacks – directed at code-level vulnerabilities as well as thwarting authentication mechanisms
• Insider and Privilege Misuse – unapproved or malicious use of organizational resources
• Crimeware – attacks of various types and purposes using a malware-based approach
• Payment Card Skimmers – a skimming device was physically implanted (tampered) on an asset that reads payment cards
• Cyber-Espionage – unauthorized network or system access linked to state-affiliated actors and/or exhibiting a motive of espionage
"92% of the 100,000 incidents we've analyzed from the last 10 years can be described by just nine basic patterns"
Information Security
How are incident patterns distributed across industries?²
² Verizon 2014 Data Breach Investigation Report
NA Industry Classification System Code | Incident Classification (Attack) Patterns
Pattern columns: 1 2 3 4 5 6 7 8 9 10
Accommodation and Food Service 75%
Administration and Support;Waste Mgmt. and Remediation Services 27% 43%
Construction 33%
Educational Services 19% 15% 20% 22%
Arts, Entertainment, and Recreation 22% 32%
Finance and Insurance 27% 22% 26%
Healthcare and Social Assistance 15% 46%
Information 41% 31% 16%
Management of Companies and Enterprises 44%
Manufacturing 24% 30%
Mining, Quarrying, and Oil & Gas Extraction 25% 40%
Professional, Scientific, and Technical Services 37% 29%
Public Administration 24% 19% 34% 21%
Real Estate; Rental and Leasing 37% 20%
Retail Trade 31% 33%
Wholesale Trade 30% 27%
Transportation and Warehousing; Postal Service 15% 16% 15% 24%
Utilities 38% 31%
Other Services (except Public Administration) 29% 17%
Legend:
1 – POS Intrusions
2 – Web App Attacks
3 – Insider Misuse
4 – Physical Theft / Loss
5 – Miscellaneous Errors
6 – Crimeware
7 – Payment Card Skimmer
8 – DoS Attack
9 – Cyber-Espionage
10 – Everything else
Information Security
Has the use of threat actions stayed constant over time?²
² Verizon 2014 Data Breach Investigation Report
Information Security
How are data breaches discovered?²
² Verizon 2014 Data Breach Investigation Report
Attack Pattern – Discovery Method; Timespan of Events (Compromise / Discovery)
• POS Intrusion – Discovery method: 99% External (75% law enforcement; 14% fraud detection); Compromise: 87% within minutes (51% seconds); Discovery: 98% weeks to months (85% weeks)
• Web App Attacks – Discovery method: Financially Motivated – 88% External (74% customers); Ideologically Motivated – 98% External (93% unrelated party); Compromise: 96% days or less (42% minutes); Discovery: 85% days to years (41% months)
• Insider and Privilege Misuse – Discovery method: 55% Internal (19% audit activities, 13% by users); Compromise: not provided in study; Discovery: 74% days to weeks (34% days)
• Crimeware – Discovery method: 84% External; Timespan: 89% within days
• Payment Card Skimmers – Discovery method: 76% External (26% fraud detection; 21% law enforcement); Timespan: not provided in study
• Cyber-Espionage – Discovery method: 85% External (67% unrelated party); Discovery: 83% weeks to years (62% months)
Planning Ahead
What are organizations doing to prepare and plan ahead?
• Refresh their information asset inventory and classification
• Update their information security risk assessment
• Review the adequacy of their vendor management policies and procedures
• Review IT audit procedures for both information privacy and information security control coverage
• Conduct employee awareness and training
• Develop Incident Response (IR) plan and procedures
  – does the DR or BCP plan allow for an investigation to proceed while recovery is effected?
  – have your incident response team ready and practice at least quarterly
Planning Ahead
How comprehensive is your IR plan?
Treat every cyber breach as if it will end up in a criminal prosecution.
Planning Ahead
What is an adaptive Information Security Protection Process?³
• Key Challenges
  – existing blocking and prevention capabilities are insufficient for a motivated attacker
  – information security doesn't have the continuous visibility needed to detect advanced attacks
  – organizations continue to invest in prevention-only strategies
• Recommendations
  – shift organizational mindset from "incident response" to "continuous response", wherein systems are assumed to be compromised and require continuous monitoring and remediation
  – rebalance investment priorities into detective, response, and predictive capabilities
  – develop a security operations center that supports continuous monitoring and is responsible for the threat protection process
³ Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, February 2014
Planning Ahead
What are the four stages of an Adaptive Security Architecture?³
³ Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, February 2014
• Harden and Isolate Systems
• Divert Attackers
• Prevent Incidents

• Detect Incidents
• Confirm and prioritize risks
• Contain Incidents

• Investigate / Forensics
• Design / model change
• Remediate / make change

• Baseline Systems
• Predict Attacks
• Proactive exposure analysis
Questions?