Data Security Regulatory Landscape

Posted on 13-Nov-2014


An overview of security and privacy landscape

Transcript of Data Security Regulatory Landscape

Brian Bauer

Before we begin

If you learn what's in this presentation

You will .........

... spend LESS time preparing for tests (IAPP, CISA, CGEIT, etc.)

... have interesting material to impress your friends

Learn the difference between real risk and just plain fun

Get a keener perspective of Operational Risk , which is

Risk without Reward

Let's get started !

Sources

Achieving Data Privacy in the Enterprise, Safenet, Derek Tumulak, April 8, 2010

Regulatory Information Architecture, Steven Alder, IBM, 2010

The source of much of my research, Sue Hammer, IBM, 2010

California Data Privacy Laws: Is Compliance Good Enough?, Lumension, Chris Merritt, May 2010

Privacy Law & Financial Advisors, Proskauer, Brendon M. Tavelli, Nov 20, 2009

Medical Records on the Run: Protecting Patient Data with Device Control and Encryption, Sept 2009

2010 Data Breach Report, Verizon

Five Countries: Cost of Data Breach, Sponsored by PGP Corporation, Dr. Larry Ponemon, April 19, 2010

How secure is your confidential data?, By Alastair MacWillson, ACCENTURE

The Leaking Vault, Five Years of Data Breaches, Suzanne Widup, Digital Forensics, July 2010

Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors

First Annual Cost of Cyber Crime Study, Ponemon, July 2010

States failing to secure personal data, By Kavan Peterson, Stateline.org

National Archives & Records Administration in Washington

2010 Annual Identity Protection Services Scorecard, Javelin Strategy & Research

A New Era of Compliance - Raising the Bar for Organizations Worldwide, RSA, Oct 12, 2010

Evolve or Die, Bunger & Robertson, 2010

Compliance With Clouds: Caveat Emptor, by Chenxi Wang, Ph.D., August 26, 2010

Obscured by Clouds, Ross Cooney, 2010

Digital Trust in the Cloud, Liquid Security in Cloudy Places, CSC, 2010

Making Data Governance as simple as possible, but not simpler, Dalton Servo

DISCLAIMER: Let me be crystal clear, Brian is NOT a lawyer

DECLARATION: All Business is Regulated

My FOCUS: On the globe but US Centric

You are here

What's Inside ?

Erosion in Trust

Industry Customer

Regulator

Futures

Business is concerned with RISK

Risk from Regulation, Organized Crime,

Reduced Staffing, Sloppy Performance,

Lack of Training, New Technologies,

and even ... Clients/Customers

... is creating an EROSION in TRUST!

Financial Times

Top Business Concern

New Motivations

E&Y 2010

The Economist Intelligence Unit

Geography Implications

Loss of data is one of the biggest regulator concerns

Loss, theft, mistakes, under protected, ...

... a Breach of Trust – Over 500,000,000 U.S. records since 2005

90% from external sources

48% insider help

85% from organized criminals

94% targeted financial data or sector

98% of records stolen produced by hack

96% of Trojans found were "Crimeware-as-a-Service."

We can do better

96% avoidable by simple controls

86% had evidence in log files

66% were on devices the organization was NOT aware contained SPI

5% loss to shareholders after breach

43% higher breach cost in U.S.

Deloitte – 2010 Financial Services Global Security Study – the faceless threat

Financial Service providers have a 39% confidence factor for their ability to protect your data from Insider Threats vs. 71% for External Threats

A reputation is easy to lose, not so easy to recover

- 60% of companies that lose their data will shut down within 6 months of the disaster.

- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster.

- 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.

Restrict and monitor privileged users

Watch for 'Minor' Policy Violations

Implement Measures to Thwart Stolen Credentials

Monitor and Filter Outbound Traffic

Change Your Approach to Event Monitoring and Log Analysis

Share Incident Information

What can business do?

What is the Customer's view?

...what is causing this Erosion of Trust

Identity Theft #1 Consumer Complaint - FTC

10M Victims in the U.S.

$5K loss per business, $50B total

$500 loss per victim, $5B total

30 hours to recovery, 297M hours

All numbers are approximate or rounded up

What's on your mind?

Riskiest places for SSN#

Universities and colleges

Banking and financial institutions

Hospitals

State governments

Local government

Federal government

Medical (supply) businesses

Non-profit organizations

Technology companies

Health insurers and medical offices

Symantec – Nov, 2010

Trust Me – I'm lying?

There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it.

North Carolina attempting to get 50M records from Amazon on citizens

45% of businesses disagree to customer data control

47% of businesses disagree the customer has a right to control

50% of businesses did not see need to limit distribution of PII

>50% of customers believe they have a right to control their data


Accountability – who is looking out for me?

A majority (58%) of companies have lost sensitive personal information...

Insider involved in over 48% of data breaches


(Chart axis: Diverse <-> Deliberate)

Regulatory compliance – No confidence they can keep pace

Many organizations believe complying with existing regulations is sufficient to protect their data.

What do these companies have in common?

Top 10 Big Brother Companies

Ranking the Worst Consumer Privacy Infringers, Focus Editors

Third parties – you sent my data to whom?

Companies should be careful about the company they keep. It is crucial they understand the perspective on and approach to data protection and privacy taken by their third-party partners.

48% of breaches caused by insiders

48% involved privileged misuse

61% were discovered by a 3rd party


Culture

Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely to experience security breaches.

Assign ownership

Develop comprehensive governance program

Evaluate data protection and privacy technologies

Build a culture

Reexamine investments

Choose business partners with care

How to reverse the spin?

Build a Data Protection and Privacy Strategy

You own some of this – Giving away your PRIVACY

Google

Social networking

RFID tags/loyalty cards

The Patriot Act

GPS

The Kindle

Bill Brenner, Senior Editor, CSO

Regulator View

Privacy

Data Protection

Breach Notification

Which comes 1st?

If the Carrot isn't working it's time to ....

Protect the consumer

Punish the breach

Promote compliance

U.S. Breach Notification Laws

46 States, the District of Columbia, Puerto Rico and the Virgin Islands

States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota.

http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

Data Breach Laws go Global

The carrot is now... avoid the paddle!

NERC - North American Electric Reliability Corporation

Current Regulator Focus

Take Reasonable Measures

Breach Prevention

Risk Based Approach

Data Centric

Do the Regulators have to follow Regulations?

The “Rules” of Rulemaking – Kings have rules

Regulatory agencies create regulations according to rules and processes defined by another law known as the Administrative Procedure Act (APA).

The APA defines a "rule" or "regulation" as...

“[T]he whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency.”

The APA defines “rulemaking” as…

“[A]gency action which regulates the future conduct of either groups of persons or a single person; it is essentially legislative in nature, not only because it operates in the future but because it is primarily concerned with policy considerations.”

Under the APA, agencies must publish all proposed new regulations in the Federal Register at least 30 days before they take effect, and they must provide a way for interested parties to comment, offer amendments, or object to the regulation.

Once a regulation takes effect, it becomes a "final rule" and is printed in the Federal Register and the Code of Federal Regulations (CFR), and is usually posted on the Web site of the regulatory agency.


What should be our Focus?

Embrace risk-based compliance

Establish an enterprise controls framework

Set/adjust threshold for controls for "reasonable and appropriate" security

Streamline and automate compliance processes (GRC)

Fortify third-party risk management

Unify the compliance and business agendas

Educate and influence regulators and standards bodies

So ...

Regulators

Where are they headed?

What's their next target?

Current... and foreseeable future Regulator Focus (Redux)

Take Reasonable Measures

Breach Prevention

Risk Based Approach

Data Centric

Cloud Computing

Privacy or data protection concerns make Clouds risky for Regulated data

Lack of Visibility

Who do you trust?

Security & Compliance Risk

Requires Risk Based Analysis

FedRAMP - Proposed Security Assessment and Authorization for U.S. Government Cloud Computing, Nov 2, 2010

Social Media

81% of Senior Executives rate their knowledge of laws regulating online activity as non-existent

Business Investigations of data loss via social media:

18% by video/audio

17% by social networking

13% by blog posting

Quick tip

Offline laws apply online

copyright

trademark

fraud

contract

trade secrets

theft/conversion

identity theft

privacy laws

torts

crimes

statutory laws

sexual harassment

discrimination

negligence

defamation ...

More Regulator Activity & more to Come

45 states have enacted anti-bullying laws - http://www.bullypolice.org/

Without: Hawaii, South Dakota, Michigan, New York, Montana, North Dakota and Missouri

Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) issued guidance on use of social media sites

UK Advertising Standards Authority (ASA) issued guidance on social media marketing

Federal Trade Commission (FTC), Final Guides governing social media endorsements

Maryland leads the way in social media campaign regulations

CA – Fair Political Practices Commission (FPPC), “regulate the same as traditional media”

Future Regulatory Focus

Amateur Data Controllers

Right to not be over-regulated

Right to demand co-operation

Privacy Policies

Right to be better informed

Right to be forgotten

Right to have policies monitored

Right to Data Portability

End of online anonymity

Processing of data by 3rd parties

Duties for data controllers

Behavioral advertising

Right to opt-in vs. have to opt-out

The rights of minors

Where is this all headed?

For us?

For our clients?

Manage (Govern) the Data

What is Data Governance?

An operating discipline for managing data and information as key enterprise assets

Organization, processes and tools for establishing and exercising decision rights regarding valuation and management of data

Elements of data governance

Decision making authority

Compliance

Policies and standards

Data inventories

Full life-cycle management

Content management

Records management, preservation and disposal

Data quality

Data classification

Data security and access

Data risk management

Data valuation

Where does (Data Governance) fit?

Data Governance is the weakest link


Why is Data Governance important?

Regulator shift

OLD: Principles Based

NEW: Rule Based

UK Financial Services Authority (FSA) has proposed a “Data Accuracy Scorecard”

Regulators will punish inadequate Data Governance

Breach Notification laws create demand to govern data

Ensure that the Right People have the Right Access to the Right Data doing the Right Things

Efficiently and Productively

Restore Trust

Future Bottom Line

Regulations will be MORE: Prescriptive, Prohibitive & Penalizing

Questions

BACKUP

Laws & Regulations

• Data Protection Act
• Gambling Act 2005
• Protection from Harassment Act 1997
• Racial, sexual and age discrimination legislation
• Obscenity Publications Act 1959
  • “…obscene if it is intended to corrupt or deprave persons exposed to it”

Laws & Regulations

• The Terrorism Acts 2000 & 2006
• Money Laundering Regulations
• CAP Codes & the ASA
  • Transparency and Honesty
  • Careful with trans-national campaigns
• Consumer Protection from Unfair Commercial Practices Regulations 2008 (CPRs)
• Contempt of Court

High-level International Overview

• New Basel Capital Accord (Basel-II)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Society for Worldwide Interbank Funds Transfer (SWIFT)
• Personal Information Protection Act (PIPA) – Canada
• Personal Information and Electronic Documents Act (PIPEDA) – Canada
• Personal Information Privacy Act (JPIPA) – Japan
• SafeSecure ISP – Japan
• Federal Consumer Protection Code, E-Commerce Act – Mexico
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Directive 95/46/EC Directive on Privacy and Electronic Communications – European Union
• Central Information System Security Division (DCSSI) Encryption – France
• Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of 2001 – Germany
• Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany
• US Department of Commerce “Safe Harbor”

Relevant Laws and Regulations

• Sarbanes-Oxley Act
• PCAOB Rel. 2004-001 Audit Section
• SAS94
• Fair Credit Reporting Act (FCRA)
• AICPA Suitability Trust Services Criteria
• SEC CFR 17: 240.15d-15 Controls and Procedures
• NASD/NYSE 240.17Ad-7 Transfer Agent Record Retention
• GLBA (15 USC Sec 6801-6809) 16 CFR 314
• Appendix: 12 CFR 30, 208, 225, 364 & 570
• Federal Financial Institutions Examination Council (FFIEC) Information Security
• FFIEC Business Continuity Planning
• FFIEC Audit
• FFIEC Operations
• Health Insurance Portability and Accountability Act (HIPAA) § 164
• 21 CFR Part 11 – FDA Regulation of Electronic Records and Electronic Signatures
• Payment Card Industry Data Security Standard (PCI-DSS)
• Federal Trade Commission (FTC)
• CC1798 (SB1386)
• Federal Information Security Management Act (FISMA)
• USA PATRIOT
• Community Choice Aggregation (CCA)
• Federal Information System Controls Audit Manual (FISCAM)
• General Accounting Office (GAO)
• FDA 510(k)
• Federal Energy Regulatory Commission (FERC)
• Nuclear Regulatory Commission (NRC) 10CFR Part 95
• Critical Energy Infrastructure Information (CEII)
• Communications Assistance for Law Enforcement Act (CALEA)
• Digital Millennium Copyright Act (DMCA)
• Business Software Alliance (BSA)
• New Basel Capital Accord (Basel-II)
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Video Privacy Protection Act of 1988 (codified at 18 U.S.C. § 2710 (2002))

US Federal Privacy Laws and US Federal Breach Laws (the USA is a member of the OECD and of the CPEA; the US has also ratified CE ETS 185)

1. Children’s Online Privacy Protection Act (COPPA)
   1. Federal Trade Commission's Final COPPA Rule (PDF)
2. Communications Assistance for Law Enforcement Act (CALEA)
3. Department of Defense Directive 5400.11.R - Privacy Program (May 14, 2007 edition) (PDF)
   1. Defense Privacy Office
4. Electronic Communications Privacy Act (ECPA)
5. Fair Credit Reporting Act (FCRA, PDF)
   1. As Amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT)
   2. Federal Trade Commission's Red Flag Rule (PDF) (DELAYED UNTIL NOVEMBER 1st 2009)
6. Family Educational Rights and Privacy Act (FERPA, The Buckley Amendment)
   1. US Department of Education Final Rule (PDF)
   2. Protection of Pupil Rights Amendment (PPRA)
   3. No Child Left Behind Act (PDF)
7. Genetic Information Nondiscrimination Act 2008 (GINA, PDF)
   1. Proposed rule making genetic information covered under PII, HIPAA, and HITECH (PDF)
8. Gramm-Leach-Bliley Act (GLBA)
   1. Federal Trade Commission's Final Financial Privacy Rule (PDF)
   2. Federal Trade Commission's Final Safeguards Rule (PDF)
9. Health Insurance Portability and Accountability Act (HIPAA, PDF)
10. HITECH Act (Notice: I could not find it consolidated and called out anywhere, so had to create it myself, PDF)
   1. HITECH Breach Notification Guidance and Request for Public Comment (From the US Department of Health and Human Services, PDF)
11. Federal Trade Commission's Health Breach Notification FINAL Rule (PDF)
12. Safe Harbor Guidelines from the US Department of Commerce