Privacy aspects of securing business applications – US experience

IT SERVICES ADVISORY

(Transcript of a 29-slide deck)


© 2009 ZAO KPMG, a company incorporated under the Laws of the Russian Federation and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia. 2

What Is This Presentation About?

• Privacy in US – General Regulatory Background

• Experience of Building Privacy Program for a Multi-billion Company (US)

• Privacy in Russia – General Information and IT Auditor Outlook


Privacy Regulatory Environment – How Did We Get Here?

•  Freedom of Information Act of 1966

•  Fair Credit Reporting Act of 1970

•  Privacy Act of 1974

•  Foreign Intelligence Surveillance Act of 1978

•  Electronic Communications Privacy Act of 1986

•  Video Privacy Protection Act of 1988

•  Health Insurance Portability and Accountability Act of 1996

•  Children’s Online Privacy Protection Act of 1998

•  Gramm-Leach-Bliley Act of 1999

•  State breach notification laws


US Privacy Regulatory Background – Today

•  Federal legislation
   •  Health Insurance Portability and Accountability Act (HIPAA)
   •  Gramm-Leach-Bliley Act (GLBA)
   •  Safe Harbor (US-EU framework for personal data transfers from the EU)
   •  Fair Credit Reporting Act (FCRA)
   •  Children's Online Privacy Protection Act (COPPA)

•  California legislation – recognized privacy legislation trend-setter
   •  AB 424 – Identity Theft: Personal Information (2006)
   •  SB 1633 – Medical Information Privacy (2004)
   •  AB 1950 – Personal Information Security (2004)
   •  SB 1 – Financial Information Privacy (2003)
   •  AB 68 – Online Privacy Protection Act of 2003
   •  SB 27 – Information Sharing Disclosure (2003)
   •  SB 1386 / AB 700 – Notice of Security Breach (2002)


Building Data Privacy Program – Large FMCG Company

One of the world's largest consumer products firms, with annual revenues of approximately $70 billion. The program covered employee data, not customer data.

Phase I

•  Identify all data flows
•  Identify all data storages (databases, Excel sheets)
•  Identify the traditional confidentiality/security aspects – access control, encryption at rest, encryption in transit, etc.

Needed:

•  Inventory of all business processes
•  Inventory of all IT applications (and the related back-end databases)


Privacy-related Data Flow – Just for One System (HR Module)

(data flow diagram)


Building Data Privacy Program – Large FMCG Company

Phase II

•  Build inventory of all the data elements

Needed:

•  Results of the previous phase


Inventory of Private Data Elements

●  Name
●  Date of Birth
●  Place of Employment / Employee Number
●  Mother's Maiden Name
●  SSN
●  Birth Certificate
●  Death Certificate
●  Marriage Certificate
●  Email Address
●  Former Name
●  Home Address
●  Home Phone #
●  Name of Spouse / other relatives
●  Passport Number
●  Citizenship
●  Driver's License Number
●  Electronic Signature
●  Taxpayer identification number
●  Government-issued ID number
●  Any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or sex life
●  Bank (checking / savings) and credit card number
●  Other financial services account numbers
●  Income / credit history
●  Information provided to obtain a loan / credit card / other financial product / service
●  Account balance information
●  Payment history
●  Information from a consumer report
●  Transaction history or records
●  Health Insurance Information / ID #


Building Data Privacy Program – Large FMCG Company

Phase III

•  Identify the PII (Personally Identifiable Information) that is critical for the given business

Needed:

•  Results of the previous phase
•  Focus not only on individual data elements but on combinations of them (up to 3)
•  Generated the list of all 2- and 3-element combinations (C(n,2), C(n,3)) of the inventoried elements
•  Went through the combined list with business, legal, and security to determine the "interesting" combinations


Business-specific PII ("interesting" combinations of private data elements)

Single element
•  Social Security Number ("SSN")
•  Employee Home Address ("Empl_Address")
•  Information like Driver's License or Passport Number ("Govt_ID")
•  Health and Medical information ("Medical_Info")
•  Financial or Bank related information ("Bank_Acc_Info")
•  Credit card Numbers or Financial Institution Information ("Credit_Card_Info")

Two-element combinations
•  Employee's Name ("Empl_Name") and Employee's Date of Birth ("Empl_DOB")
•  Employee's Name ("Empl_Name") and Employee's Personnel Identification Number ("PerNo")
•  Employee's Personal Phone Numbers like Mobile or Home Number ("Empl_Phone") and Employee's Date of Birth ("Empl_DOB")
•  Employee's Personal Phone Number ("Empl_Phone") and Employee's Personnel Identification Number ("PerNo")
•  Employee's Date of Birth ("Empl_DOB") and Employee's Personnel Identification Number ("PerNo")
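The following Python script is an added illustration, not part of the KPMG material. It encodes the single-element and two-element rules from this slide, shows the Phase III enumeration of C(n,2) and C(n,3) candidate combinations, and applies the agreed rules to a system's column inventory to decide whether that system falls under the privacy program. The mapping from physical column names to the slide's element labels (COLUMN_TO_ELEMENT) and the sample systems are constructed for the example.

```python
"""Classify a system's stored fields against the business-specific PII rules.

Added example (not from the KPMG deck). The single-element and two-element
rules are the ones listed on the slide; COLUMN_TO_ELEMENT and the sample
systems in main() are constructed for illustration.
"""
from itertools import combinations

# Single data elements the business treats as PII on their own.
SINGLE_ELEMENT_PII = {
    "SSN", "Empl_Address", "Govt_ID",
    "Medical_Info", "Bank_Acc_Info", "Credit_Card_Info",
}

# Two-element combinations the business treats as PII. Note what is absent:
# Empl_Name + Empl_Phone was not judged "interesting", and PerNo alone is not PII.
PAIR_PII = {
    frozenset({"Empl_Name", "Empl_DOB"}),
    frozenset({"Empl_Name", "PerNo"}),
    frozenset({"Empl_Phone", "Empl_DOB"}),
    frozenset({"Empl_Phone", "PerNo"}),
    frozenset({"Empl_DOB", "PerNo"}),
}

# Assumed mapping from physical column names to the slide's element labels
# (constructed; a real program derives this from the Phase II inventory).
COLUMN_TO_ELEMENT = {
    "emp_name": "Empl_Name", "full_name": "Empl_Name",
    "birth_date": "Empl_DOB", "dob": "Empl_DOB",
    "personnel_no": "PerNo", "emp_id": "PerNo",
    "mobile": "Empl_Phone", "home_phone": "Empl_Phone",
    "ssn": "SSN", "home_addr": "Empl_Address",
    "passport_no": "Govt_ID", "iban": "Bank_Acc_Info",
}


def candidate_combinations(elements, max_size=3):
    """Phase III enumeration: every 2- and 3-element combination (C(n,2), C(n,3))
    of the inventoried elements, for review with business, legal and security."""
    elems = sorted(set(elements))
    out = []
    for k in range(2, max_size + 1):
        out.extend(frozenset(c) for c in combinations(elems, k))
    return out


def classify_system(columns):
    """Return the set of PII rules a system trips, each as a frozenset of elements.

    A singleton hit is a single-element rule; a 2-element hit is one of the
    pair rules. Columns not in COLUMN_TO_ELEMENT are ignored.
    """
    present = {COLUMN_TO_ELEMENT[c] for c in columns if c in COLUMN_TO_ELEMENT}
    hits = {frozenset({e}) for e in present & SINGLE_ELEMENT_PII}
    for pair in combinations(sorted(present), 2):
        if frozenset(pair) in PAIR_PII:
            hits.add(frozenset(pair))
    return hits


def is_pii_system(columns):
    """True if the system must be handled under the privacy program."""
    return bool(classify_system(columns))


def main():
    # Constructed sample inventories, one per system.
    systems = {
        "HR module": ["emp_name", "birth_date", "personnel_no", "home_addr", "cost_center"],
        "Badge system": ["emp_id", "building", "door_events"],
        "Travel portal": ["full_name", "mobile", "frequent_flyer_no"],
    }
    for name, cols in systems.items():
        hits = classify_system(cols)
        verdict = "PII" if hits else "no PII under current rules"
        print(f"{name}: {verdict}")
        for h in sorted(hits, key=lambda s: sorted(s)):
            print("   ", " + ".join(sorted(h)))


if __name__ == "__main__":
    main()
```

The HR module trips four rules (home address alone plus all three pairs among name, date of birth and personnel number). The badge system, which stores the personnel number alone, and the travel portal, which stores name and phone, trip no rule, because neither appears on the slide; adding one more column (a date of birth, say) to either would change the verdict, which is why the classification has to be re-run whenever a system's schema changes.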


Building Data Privacy Program – Large FMCG Company

Phase IV

•  Identify data element owners (a new concept for the company: data ownership is derived from business process ownership)

Most complicated phase!


Understanding Private Data Management at 3rd Parties

Phase V

•  Develop questionnaires for 3rd parties and obtain responses (very important step: this is where data leaves the company's management domain)

Needed:

•  Results of the previous phases
•  Support from procurement

Some of the categories of 3rd parties:

●  Travel Reservations
●  Background Checks
●  Medical Prescriptions
●  Accounts Payable
●  Casualty Claims Management
●  Human Resources
●  Career Counseling
●  Ombudsmen Hotline
●  Records Management
●  Matching Gifts
●  Adoption Assistance Reimbursement
●  Payroll / Group Life Insurance
●  Employee Refund Program
●  State Unemployment
●  Benefits
●  Restricted Stock, Options


Categorizing 3rd Parties by Risk

(chart: Service Provider Risk Assessment – each service provider plotted by risk score on a 0–120 scale, banded Critical / High / Medium / Low Risk)


Categorizing Risks by Risk Area

(chart: risks per service provider, broken down by risk area)


Building Data Privacy Program – Large FMCG Company

Phase VI

•  Build data flow maps (inside and outside company, with media, interface, storage, etc, paper and electronic)

Needed:

•  Results of the previous phase

Phase VII

•  Build employee profiles (needed support from HR)


Employee Geography Profile

(chart)


Data Elements Mapped into Regulations (Federal and State)

Phase VIII •  Identify regulatory requirements


Building Data Privacy Program – Large FMCG Company

Phase IX

•  Build risk profiles (based on both the company-driven definition of PII and the legal/compliance definition of the private data that must be protected)
•  Apply these risk profiles to the private data flow maps (storage-wise and transfer-wise)
•  Develop recommendations for the related systems and interfaces

Findings:

•  Privacy classification was system-based, not data-based
•  Excessive data collection – data not required by the business process itself (you do not need to protect what you have not received)
•  Excessive promises to employees in the corporate Privacy policy
•  Lack of encryption, leading to regulatory risks
•  Lack of control over E-rooms, "shared" drives, etc.
•  Lack of control over removable media and email (candidate for a DLP solution?)
•  No control over 3rd parties


Data Governance Lifecycle

Phase 1 – Generation
•  Ownership
•  Classification
•  Governance

Phase 2 – Use
•  Internal v. External
•  Third Party
•  Appropriateness
•  Discovery/Subpoena

Phases 1 and 2: Employee/trusted third-party creation and usage should drive business value.

Phase 3 – Transfer
•  Public v. Private Networks
•  Encryption Requirements
•  Access Control

Phase 3: Infrastructure capabilities should enable controlled transfer and movement of data.

Phase 4 – Transformation
•  Derivation
•  Aggregation
•  Integrity

Phase 4: Additional processing and/or manipulation to achieve increased business value for reporting or specific business requirements.

Phase 5 – Storage
•  Access Control
•  Structured v. Unstructured
•  Integrity / Availability / Confidentiality
•  Encryption

Phase 6 – Archival
•  Legal and Compliance
•  Media / Offsite Concerns
•  Retention

Phases 5 and 6: Organizational capabilities to manage and maintain information in a cost-effective manner for timely access or retrieval to achieve business objectives.

Phase 7 – Destruction
•  Secure
•  Complete

Phase 7: Controlled destruction of information and storage media.

Compliance (across all phases)
•  Audit & Regulatory
•  Legal
•  Measurement
•  Business Objectives

Organizational responsibility to ensure adherence to legal and regulatory requirements through each phase of the life cycle.


Acronyms

Generally Accepted Privacy Principles (GAPP)

http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/Generally+Accepted+Privacy+Principles/

International Association of Privacy Professionals (IAPP)

https://www.privacyassociation.org/index.php

Certified Information Privacy Professional (CIPP)

https://www.privacyassociation.org/index.php?option=com_content&task=view&id=1586&Itemid=87


Privacy Incident Tracker – Three Most Recent Issues (as of April 8th, 2009)

http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

Columns: date made public – name (location) – number of records; followed by the type of breach.

Mar. 31, 2009 – Symantec (Cupertino, CA) – 200 records
Symantec is warning a small number of customers that their credit card numbers may have been stolen from an Indian call center used by the security vendor. Symantec sent out warning letters after the BBC reported that it managed to purchase credit card numbers obtained from Symantec's call center from a Delhi-based man. The letters were sent to just over 200 customers. Most of those notified are in the U.S., but the company also notified a handful of customers in the U.K. and Canada.

Apr. 1, 2009 – Palo Alto Medical Foundation (Palo Alto, CA) – 1,000 records
A laptop computer recently stolen at the Palo Alto Medical Foundation's Santa Cruz office contained personal and medical information of 1,000 Santa Cruz County patients.

Apr. 1, 2009 – Maryland State – 8,000 records
The names, Social Security numbers and other personal information of about 8,000 state employees could be compromised. The potential problem came to light when a torn and empty envelope from the company that manages the state's health savings account program arrived by U.S. mail. The envelope was missing an invoice that contains confidential information.


Structure of Russian legislation on personal data protection

International agreements
•  European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
•  Federal Law No. 160 of 19.12.2005 (ratifying the Convention)

Fundamental law
•  Constitution of the Russian Federation

Principal laws
•  Labour Code of the Russian Federation
•  Code of Administrative Offences of the Russian Federation
•  Criminal Code of the Russian Federation
•  Federal Law No. 152 of 27.07.2006 "On Personal Data"
•  Federal Law No. 149 of 27.07.2006 "On Information, Information Technologies and Protection of Information"


Structure of Russian legislation on personal data protection (continued)

Government decrees
●  No. 781 of 17.11.2007 "On approval of the Regulation on ensuring the security of personal data during their processing in personal data information systems"
●  No. 687 of 15.09.2008 "On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools"
●  No. 228 of 16.03.2009 "On the Federal Service for Supervision of Communications, Information Technology and Mass Media" (Roskomnadzor)

Orders and other guidance documents
●  FSTEC documents ("Methodology…", "Basic measures…", "Basic threat model…", "Recommendations…")
●  FSB documents ("Methodological recommendations…", "Model requirements…")
●  Joint Order No. 55/86/20 of 13.02.2008 "On approval of the procedure for classification…"

Initiatives
●  Requirements for telecom operators
●  New FSTEC documents
●  "New standards" from Roskomnadzor


Strengths and weaknesses of Russian legislation and of the Russian approach to personal data protection

STRENGTHS
•  It (the legislation) exists!
•  Responsibility has been established and the areas of responsibility defined (FSTEC, FSB, Roskomnadzor)
•  Ratification of the European Convention

WEAKNESSES
•  Vague, incorrect and ambiguously interpretable wording and requirements
•  Diffuse responsibility
•  Inadequate protection requirements, debatable approaches to classifying personal data information systems (ISPDn), outdated concepts
•  No clear concept for personal data protection
•  No adequate assessment of the damage caused by personal data breaches and no adequate penalties for those responsible


Statistics for Russia

•  Personal data protection is a pressing task for Russian organizations: 52% of respondent companies process more than 10,000 personal data records, and 15.3% more than 1 million records.

•  The greatest threat to the confidentiality of personal data comes from IT staff, top management and analytical departments; 57.6%, 21.9% and 18.5% of these units respectively have access to personal data sets.

•  Personal data protection is a systemic task that requires a unified approach and formalized interaction between operators. Only 64.3% of companies have exclusive access to the personal data they process; the rest grant access to subsidiaries, parent companies or partners, and for 13.1% of operators these are foreign firms.

•  The main obstacles to implementing the Federal Law "On Personal Data" are the unclear nature of its provisions (34.7%), budget constraints (20.6%) and a shortage of qualified staff (19%).

•  Most respondents (65.3%) believe that the state should legislate a requirement to publish information about personal data leaks.

Source: "Personal Data in Russia '08", Perimetrix, http://newsdesk.pcmag.ru/node/11967


The Real Situation in Russian Companies

•  No structured approach

•  A huge layer of private information is practically freely accessible

•  Unjustifiably broad access of individual employees to information resources

•  Difficulty in establishing an information security regime

•  Difficulty in complying with regulatory requirements issued by different agencies and international organizations

•  Budget constraints


The Auditor's Objectives

•  To confirm that risks are controlled, not to find errors

•  To complete the project within the allotted time

•  To present the results to the parties and make sure that the observations are correctly understood and taken into account


What Does the Auditor Look For?

•  An existing management and control structure

•  Formalized processes

•  Evidence that controls were executed

•  Evidence that the company understands the risks and has management procedures

•  Evidence of structured control


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Contact details

Nikolai Legkodimov, CISSP, CIPP [email protected]

Tigran Malkhasyan, CISA, Cand. Sc. (Economics) [email protected]

www.kpmg.ru