Information Security and Privacy May 2015


Page 1: Information Security and Privacy May 2015

May 27th, 2015

Information Security and Privacy

IAPP KnowledgeNet

Page 2

Background

❖ Thanks so much to IAPP for making this possible

❖ It was October or November 2014 when Lisa McKay and I, as the Membership Director for the ISACA Toronto chapter, talked about having IAPP and ISACA do something together, and here we are on the first of, I expect, many joint collaborations

❖ Thanks to my fellow panelists and

❖ Thank you for being here

Page 3

Topics

❖ I will divide my speech into four topics:

❖ The relevance of the interaction between the Information Security specialist and the Privacy specialist

❖ Information security frameworks

❖ Current threats for privacy and InfoSec

❖ A couple of pieces of advice

Page 4

The relevance of the interaction

❖ You cannot have good privacy without a good information security model

❖ Personal data, or personally identifiable information, is a subset of the general body of information a company or any organization has to deal with

❖ The Chief Information Security Officer is the one responsible for providing the proper controls to safeguard the information the company works with

Page 5

The relevance of the interaction

❖ On the other hand, the Chief Privacy Officer has to build the necessary measures to safeguard the privacy of the individuals a company works with, and these measures might include the definition and use of information security controls

❖ This makes the interaction between these two professionals indispensable

❖ Not interacting results in an expensive and possibly ineffective operation for the organization

Page 6

Information Security Frameworks

❖ There are multiple frameworks that can be used to support the definition of an Information Security model inside the organization; however, there are two that can be considered the leaders for this:

❖ COBIT. Divided into five domains made up of 35 processes, one of which is specifically devoted to Information Security, COBIT is ISACA's proposal for defining an effective IT governance model. The pros: it is a very mature framework, having been in the field for more than 25 years and covering a lot of topics for internal control on IT; the cons: it is not specifically focused on Information Security, so it may lack detail.

Page 7

Information Security Frameworks

❖ Another one widely used is the ISO 27000 series

❖ This is the evolution of BS7799, which became ISO 17799 and later evolved into ISO 27000

❖ The 27000 series comprises different standards (close to 40), all of them related to the definition of an Information Security Management System, or ISMS, which is certifiable specifically under the standard ISO 27001.

❖ The most recent version of ISO 27001 was released in 2013 and includes 11 domains, which are:

Page 8

❖ Information Security Policies

❖ Organization of Information Security

❖ Human Resource Security

❖ Asset Management

❖ Access Control

❖ Cryptography

❖ Physical and environmental security

❖ Operations security

❖ Communications security

❖ System acquisition, development and maintenance

❖ Supplier relationships

❖ Information security incident management

❖ Information security aspects of Business Continuity Management

❖ Compliance (Internal and external)

Page 9

Information Security Frameworks

❖ How many of these do you think are related to privacy?

❖ More than one, but specifically the one related to compliance is closely linked.

❖ If we think of COBIT, there is a process specifically devoted to Information Security and another one related to Compliance.

❖ In addition to that, the British Standards Institute has released, and is working on the evolution of, BS10012, which specifies a personal information management system and could evolve into a certifiable standard like 27001.

Page 10

Information Security Frameworks

❖ Which one can you use now? Well, ISO 27001 is a leading practice and COBIT is globally accepted, so you need to understand the specific risks in your organization and, based on that, decide which frameworks you will use and how you will use them

❖ The key here is teamwork. We have focused on Information Security, but there are other players, and IT audit is one of them. Don't wait until it's too late.

Page 11

Current Threats on Privacy and InfoSec

❖ Big Data

❖ Hot topic

❖ More data, more risk

❖ More data movement, more risk

❖ More sharing, more risk

❖ Important tools are freely distributed (Hadoop, for example), and their security and privacy issues should be considered

❖ Predictive analytics can affect privacy, and ethics plays a key role

Page 12

Current Threats on Privacy and InfoSec

❖ The Cloud Security Alliance, together with ISACA, released a document presenting the Top Ten Security and Privacy Challenges on Big Data; have a look at it, you will find it useful

❖ Identify Big Data and Analytics projects at your organization or clients and ask whether information security and privacy concerns have been considered.

Page 13

Current Threats on Privacy and InfoSec

❖ Internet of Things (IoT): what is that?

❖ A scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction

❖ We have wearables and sensors on cars, fridges or air conditioning systems. We even have tools like Amazon's Dash, a small device with a single push-button that can place an order of, say, washing powder.

Page 14

❖ That's fantastic and opens up a new world of opportunities, but the sensors will be sending information on how we:

❖ Drive

❖ Exercise

❖ Sleep

❖ Control our environment

❖ So we need to be careful about which information we are sharing and who we are sharing it with

❖ If your company or client is already "playing" with IoT, both of you, InfoSec and Privacy practitioners, need to be there

❖ ISACA has an interesting study on this that shows how organizations are concerned about the risks while individuals are excited about the benefits

Page 15

A couple of pieces of advice

❖ Go to your Information Security counterpart and... get to know each other now!!! You don't want to do that in the middle of a crisis

❖ Identify the framework that fits your organization, based on a specific risk analysis

❖ Open your eyes and mind to detect your company's or client's new initiatives, and get involved immediately; be proactive