Privacy and Security Audits/PIAS/TRAS Information Privacy and Data Protection Lexpert Seminar Bruce McWilliam December 9, 2013



Privacy and Security Audits

Importance of privacy and security audits

– Reported incidents of large-scale loss, theft, or exposure of personally identifiable information have increased from 21 to 1,622 from 2003 to 2012

– The hacking of Sony’s PlayStation Network cost the company an estimated $171M in cleanup costs

– Reputational harm is severe – one company’s stock price fell 70% in the 3-month period following a single hacking incident

– Average loss in brand value ranged from $184M to $330M (minimum brand loss was 12%)

Goals of a Privacy and Security Audit

Determines the level of compliance with:

– Applicable privacy laws and regulations

– Internally adopted privacy practices

Benefits of a Privacy and Security Audit

– Measures privacy effectiveness

– Demonstrates compliance

– Identifies gaps between required and actual privacy controls

– Forms the basis for a privacy remediation and improvement plan

Scope of audit – internal parties

– Departments or groups dealing directly with customers

• Public affairs

• Call centers

• Reception

– IT department

– HR

– Finance

Scope of audit – external parties

– Business partners

– Technology partners

– Business customers/vendors

– Final consumer

Who conducts audits

– Internal (not recommended – outsiders spot problems you will miss)

– Accounting firms

– Large IT organizations

– Small firms specializing in security

Hiring an auditor

– Look at the audit team’s real credentials

– Review résumés

– Find the right fit

– Insist on details

– Ask for a statement of work

– Prepare to be audited

– Set the ground rules in advance

– Prepare all documentation/information to be provided to auditors

A typical audit

– The auditor will evaluate and test the information technology processes and systems to obtain sufficient, reliable, and relevant evidence to achieve the objectives of the audit.

– The findings and conclusions of the audit should be supported by appropriate analysis and interpretation of the evidence.


The audit process

– Establish a baseline through annual audits

– Define the scope and objectives of the audit

– Outline the approach to be taken in carrying out the audit

– Identify stakeholders and their roles/responsibilities

– Create an audit plan

– Identify the audit criteria

– Conduct the audit

– Prepare the audit report

– Take remedial steps, if any

Comprehensive risk assessment

– Sensitivity of the data

– Collection processes

– Storage techniques

– Complexity of processing and interfaces

– Third parties

– Disclosure policies and procedures

• Employee training

• Management accountability

– General security policies and procedures

Auditing Standards


Standards

Standard | Organization
Generally Accepted Privacy Principles (GAPP) | Canadian Institute of Chartered Accountants (CICA) and American Institute of Certified Public Accountants (AICPA)
Payment Card Industry Data Security Standard (PCI DSS) | Payment Card Industry Security Standards Council
Canadian Standard on Assurance Engagements (CSAE) 3416, “Reporting on Controls at a Service Organization” | CICA
Information Technology Control Guidelines (ITCG) | CICA
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AT Section 101) | AICPA
International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization | International Auditing and Assurance Standards Board (IAASB)
SysTrust/WebTrust | CICA/AICPA
ISO/IEC 27001:2005 Information technology -- Security techniques -- Information security management systems -- Requirements | International Organization for Standardization (ISO)
ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management | ISO
ISO 22307:2008 Financial services -- Privacy impact assessment | ISO
Harmonized Threat and Risk Assessment Methodology | Communications Security Establishment Canada and Royal Canadian Mounted Police
Enterprise Risk Management - Integrated Framework | Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Control Objectives for Information and Related Technology (COBIT) | Information Systems Audit and Control Association (ISACA)
IT Audit and Assurance Standards and Guidelines (includes code of professional conduct) | Information Systems Audit and Control Association (ISACA)
Information Technology Infrastructure Library (ITIL) | UK Office of Government Commerce
NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems | U.S. National Institute of Standards and Technology (NIST)
Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) | Common Criteria Recognition Arrangement (CCRA)

and others.

Privacy Impact Assessments (PIA)


What are privacy impact assessments?

– A systematic process for evaluating the potential effects on privacy of a project, initiative or proposed system or scheme and finding ways to mitigate or avoid any adverse effects

– PIAs are a tool used to ensure privacy protection is a core consideration when a project is planned and implemented

– In Canada, virtually all government institutions must conduct PIAs for new or redesigned programs and services that raise privacy issues

– Also used by some private organizations

Typical content of a PIA

– Describes how personal information flows in a project

– Analyses the possible impacts on individuals’ privacy

– Identifies and recommends options for managing, minimizing, or eliminating these impacts

– Contains recommendations to address issues identified

Risks of foregoing a PIA

– Non-compliance with relevant privacy law leading to a breach and/or negative publicity

– Loss of credibility and damage to reputation

– Potential system redesign, which can be very costly and time consuming when done mid-stream

PIAs as a compliance tool

– A PIA should:

• Include information on relevant privacy laws and regulations

• Identify necessary adjustments for compliance

• Discuss how a project’s practices, systems and rules comply with specific legal obligations

Threat Risk Assessments (TRA)


What is a threat risk assessment?

– Formalized process used to assess potential impacts to information assets and supporting resources, and to recommend safeguards and controls

Threat and risk assessment

– Differing methodologies aimed at answering questions such as:

• What needs to be protected?

• Who/what are the threats and vulnerabilities?

• What are the implications if they are damaged or lost?

• What is the value to the organization?

• What can be done?

TRA typical components

– Scope

– Data collection

– Analysis of policies and procedures

– Threat/vulnerability analysis

– Assessment of risk acceptability

TRA components - scope

– Must identify what is covered and what is not covered in the assessment

– Identifies what needs to be protected, the sensitivity of what is being protected and to what level and detail

– A scope that is too broad will be cumbersome, while one that is too narrow may miss important threats/risks

TRA components – data collection

– Collect all policies and procedures currently in place and identify those that are missing or undocumented

– Interviews with key personnel

– Information on vulnerabilities and threats against specific systems and services is documented

TRA components – analysis of policies and procedures

– Existing policies and procedures are analyzed

– Sources for policy compliance that can be used as a baseline are:

• ISO 17799, BSI 7799, Common Criteria

• ISO 15504

TRA components – threat/vulnerability analysis

– Threats are anything that could contribute to the tampering, destruction, or interruption of any service or item of value

– Identify and assess both human and non-human threats

– Current exposure is identified and quantified

– Should use a grading system that incorporates both the probability of occurrence and the impact of occurrence

TRA components – assessment of risk acceptability

– Review of existing and planned safeguards to determine if discovered risks and threats have been mitigated

– Identification of what level of risk is acceptable to the organization

– Selection of appropriate security measures
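The grading system the two preceding slides describe, as an added Python example that is not part of the seminar material: each threat is scored on probability of occurrence times impact of occurrence, the score is graded into a band, existing and planned safeguards are credited to obtain the residual exposure, and the residual grade is tested against the level of risk the organization has declared acceptable. The five-point scales, the band thresholds, the safeguard credits and the threat register are all constructed for illustration and are assumptions, not values from the presentation.

```python
# Added example (not from the seminar): TRA risk grading on probability x impact,
# residual risk after safeguards, and a check against the acceptable risk level.
# Scales, thresholds and the register are assumptions constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Tuple

# Five-point qualitative scales (assumed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
GRADES = ["low", "medium", "high", "critical"]  # ordered least to most severe


def grade(score: int) -> str:
    """Map a probability x impact score (1..25) onto a risk band (thresholds assumed)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: str
    impact: str
    human: bool  # the slides ask for both human and non-human threats
    # (safeguard name, reduction in likelihood points, reduction in impact points)
    safeguards: List[Tuple[str, int, int]] = field(default_factory=list)

    def inherent(self) -> int:
        """Current exposure before any safeguard is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Exposure after existing and planned safeguards; neither factor drops below 1."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for _, d_lik, d_imp in self.safeguards:
            lik = max(1, lik - d_lik)
            imp = max(1, imp - d_imp)
        return lik * imp


def assess(threats: List[Threat], acceptable: str = "medium") -> List[dict]:
    """Grade every threat and test its residual risk against the acceptable band.
    Rows come back sorted with the largest residual risk first."""
    ceiling = GRADES.index(acceptable)
    rows = []
    for t in threats:
        inh, res = t.inherent(), t.residual()
        rows.append({
            "asset": t.asset,
            "threat": t.description,
            "inherent": inh, "inherent_grade": grade(inh),
            "residual": res, "residual_grade": grade(res),
            "accepted": GRADES.index(grade(res)) <= ceiling,
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def unaccepted(threats: List[Threat], acceptable: str = "medium") -> List[str]:
    """Threats whose residual risk still exceeds the acceptable level and need further safeguards."""
    return [r["threat"] for r in assess(threats, acceptable) if not r["accepted"]]


# Constructed sample register for a fictional organization (not real data).
SAMPLE_REGISTER = [
    Threat("customer database", "departing employee takes customer records",
           "likely", "major", human=True,
           safeguards=[("access revoked on last day", 1, 0),
                       ("least-privilege access to records", 1, 1)]),
    Threat("data centre", "power failure interrupts service",
           "possible", "moderate", human=False,
           safeguards=[("UPS and standby generator", 2, 0)]),
    Threat("backup media", "backup tape lost in transit",
           "possible", "severe", human=False,
           safeguards=[("backup media encrypted", 0, 3)]),
    Threat("call centre", "caller talks an agent into disclosing account details",
           "likely", "major", human=True,
           safeguards=[("caller identity verification script", 1, 0)]),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        flag = "ok" if r["accepted"] else "ABOVE ACCEPTABLE LEVEL"
        print(f'{r["asset"]:18} inherent {r["inherent"]:2} ({r["inherent_grade"]:8}) '
              f'residual {r["residual"]:2} ({r["residual_grade"]:8}) {flag}')
```

Crediting safeguards separately against likelihood and impact mirrors the distinction the slides draw: a generator lowers the probability of an outage but not its impact, while encrypting backup media leaves the tape just as likely to go missing but removes most of the impact. Whatever remains above the acceptable band is the input to the final step on the slide, selecting additional security measures.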

Integration of PIA/TRA

– Threat risk assessments are a broad tool that captures all kinds of risks, including those related to private information

– Integration with a PIA is possible and can save both time and money

– Some consulting firms conduct integrated assessments


For further information regarding this presentation and its content please contact:

Bruce McWilliam

Direct: (416) 865-7214


McMillan LLP

Brookfield Place

181 Bay Street, Suite 4400

Toronto, Ontario

M5J 2T3