SLVA - Privacy Framework and Approach
Protecting Personal Information
Building your Security for Privacy program
Kris Budnik
2014
Information is a valuable asset…
• Incidence and costs of fraud rose markedly in the past 12 months
• Information related fraud is common and evolving
• Employee abuse still the major cause (39%) but instances of external hacking almost doubled (35% vs 18%)
• Worse still, instances of hacking via 3rd party supplier or service provider have trebled (17% vs. 5%)
• Complexity of IT infrastructures seen as contributing factor
Source: 2013/2014 Kroll Global Fraud Report
The fraud case involving a single location is now a rarity: the
client is in one country, the fraud in a second, the perpetrator
in a third and the money...well, that’s often the challenge.
Volume and frequency of personal data theft on the increase…
Personal data a commodity on a vast underground market…
• Online Bank Accounts
– Name your Bank and Country preference
• Fullz available here!
– US, EU, Australia, UK, Canada, Asia
• Malware Infected Computers
– 1k, 5k, 10k or 20k?
• Malware and Exploit Kits to lease
– 3mths, 6mths and 1yr terms
• Hacker Services for Hire
– DDoS Attacks
– Hacking of Websites
– Doxing
Services: Price
VISA & Master Card (US): $4
VISA & Master Card (EU): $7 - $8
Credit Card with track 1 & 2 data (UK): $19 - $20
Credit Card with track 1 & 2 data (EU): $28
Fullz (UK, EU): $30 - $40
Bank Accounts with $70k - $115k: $300
Doxing: $25 - $100
Health Data: $150 - $200
Infected Computers (5k bots): $90
Denial of Service: $3 - $5 per hour; $400 - $600 per week
Source: Dell SecureWorks, 2013
Corporate response often inadequate or misplaced...
Consequences avoidable…
Analysis of over 50 incidents reported in 2009 – 2013
(source: wiki.openrightsgroup.org/wiki/UK_Privacy_Debacles)
[Bar chart: No. of records lost, by cause of incident: Design error, Email error, Insecure disposal, Insecure handling, Lost/Stolen Laptop, Lost/Stolen Media]
Learning from others…
Our Framework
For the Enterprise…
ASSIGN RESPONSIBILITY
In IT…
DOCUMENT POLICIES & NOTICE STATEMENTS
DEFINE INCIDENT RESPONSE PROCESS
RAISE AWARENESS
Privacy Officer and Deputy TORs
PPI Operating Model
PPI Roles & Responsibilities
Core T&Cs (employment contracts, contracts, terms of engagement etc.)
Privacy Policy (for the handling of personal information in the enterprise)
Fair processing notice (directed at the Data Subject)
Alignment with other applicable laws, regulations & practices (Retention, Protection, Privacy)
PERFORM ISMS GAP ASSESSMENT
Security safeguards for Information Protection
Strategy for privacy incident response
Privacy training and Awareness content
Use & Retention criteria
Destruction methods
Information Security Tools & Techniques
Outsource arrangements
Data Subject Access provisions
Compliance Management and Reporting
Direct Marketing implications
Quality & Integrity
Disclosure provisions
Notice provisions
In the Line of Business…
Rights of the individual
Information Lifecycle Management
Control over Information
Collection rules
Cross border flow considerations
Our QuickStart Approach
1. Governance model
• ToRs for Privacy Officer
• Information Protection Committee
• Reporting requirements
2. Standard Contract Clauses
• Employment contracts
• Procurement contracts
• Service level agreements
3. Retention Schedules
• Key information groups
• Key applicable legislative requirements
4. Technical Security Baselines
• Encryption
• Data transport
• Leak management
5. Training & Awareness Strategy
• Induction
• Call center agent awareness
• Incident reporting procedure
6. Incident Management Process
• Incident handling procedures
• Reporting practices (to regulator)
• Incident resolution practices
Gap Analysis/ Implementation roadmap/ enabling technology solutions
Preparing a suitable IT response…
Your IT team can help… consider the following as minimum response strategies:
• eLearning to raise awareness
• Access Governance to ensure authorised access to:
– networks,
– systems,
– applications, and
– data
• Data Leak Management to ensure accountability and enforce policy
• Security Event and Information Management for early problem detection and efficient resolution
[Chart: Unauthorized Webmail Attachments Rule Prompt - 2008, by month (January to June); series: # Prompts, Associates, Workstations]
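The monthly "Unauthorized Webmail Attachments" rule prompt chart above is the kind of accountability report a data leak management control produces. As an added example (not from the original slides and not SLVA's own tooling), the Python below evaluates a simple webmail-attachment rule over constructed event records, escalates from a user prompt to a block when the attachment text carries a Luhn-valid identifier (a 16-digit card number or a 13-digit ID-style number), and rolls the prompts up per month into the three series the chart appears to show: prompt count, distinct associates and distinct workstations. The event fields, the approved-domain list, the identifier patterns and all sample values are assumptions made for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    """One outbound-transfer event as a DLP agent might log it (field names assumed)."""
    ts: str                # ISO-8601 timestamp
    user: str              # associate (employee) account
    host: str              # workstation name
    channel: str           # "webmail", "smtp", "usb", ...
    recipient_domain: str  # where the attachment was headed
    attachment: str        # attachment file name, "" if none
    content: str           # text extracted from the attachment


# Hypothetical allow-list of domains the business has approved for webmail exchange.
APPROVED_DOMAINS = {"partner.invalid"}

# Simplistic identifier patterns: 16-digit card numbers (spaces/dashes allowed)
# and 13-digit ID-style numbers. Both families carry a Luhn check digit,
# so a candidate is only reported when the check digit verifies.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    re.compile(r"\b\d{13}\b"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_personal_info(text: str) -> list[str]:
    """Return Luhn-valid identifier candidates found in text, normalised to digits only."""
    found = []
    for pattern in IDENTIFIER_PATTERNS:
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits) and digits not in found:
                found.append(digits)
    return found


def evaluate(events):
    """Apply the 'unauthorized webmail attachment' rule; return one record per prompt."""
    prompts = []
    for ev in events:
        if ev.channel != "webmail" or not ev.attachment:
            continue  # rule scope: webmail transfers that carry an attachment
        if ev.recipient_domain in APPROVED_DOMAINS:
            continue  # sanctioned exchange, no prompt
        hits = find_personal_info(ev.content)
        prompts.append({
            "month": datetime.fromisoformat(ev.ts).strftime("%Y-%m"),
            "user": ev.user,
            "host": ev.host,
            "attachment": ev.attachment,
            "action": "block" if hits else "prompt",  # warn the user, or stop the transfer
        })
    return prompts


def monthly_summary(prompts):
    """Roll prompts up per month into the chart's three series, plus the block count."""
    by_month = defaultdict(lambda: {"prompts": 0, "blocked": 0, "users": set(), "hosts": set()})
    for p in prompts:
        m = by_month[p["month"]]
        m["prompts"] += 1
        if p["action"] == "block":
            m["blocked"] += 1
        m["users"].add(p["user"])
        m["hosts"].add(p["host"])
    return {
        month: {"prompts": m["prompts"], "blocked": m["blocked"],
                "associates": len(m["users"]), "workstations": len(m["hosts"])}
        for month, m in sorted(by_month.items())
    }


# Constructed sample events; every name, host and number below is made up.
SAMPLE_EVENTS = [
    Event("2008-01-14T09:12:00", "jdoe",   "WS-0101", "webmail", "freemail.invalid", "clients.xlsx", "Name,ID\nA. Smith,8001015009087"),
    Event("2008-01-14T10:03:00", "jdoe",   "WS-0101", "webmail", "freemail.invalid", "notes.txt",    "lunch at 12"),
    Event("2008-01-20T16:40:00", "asmith", "WS-0102", "webmail", "partner.invalid",  "contract.pdf", "signed copy"),
    Event("2008-01-22T14:05:00", "asmith", "WS-0102", "webmail", "freemail.invalid", "cv.docx",      "curriculum vitae"),
    Event("2008-02-02T11:25:00", "bnkosi", "WS-0110", "smtp",    "corp.invalid",     "report.docx",  "quarterly figures"),
    Event("2008-02-05T08:15:00", "jdoe",   "WS-0103", "webmail", "freemail.invalid", "",             ""),
    Event("2008-02-05T13:55:00", "cmoloi", "WS-0111", "webmail", "freemail.invalid", "payroll.csv",  "card 4111 1111 1111 1111"),
    Event("2008-02-19T17:30:00", "bnkosi", "WS-0110", "webmail", "freemail.invalid", "photo.jpg",    ""),
]

if __name__ == "__main__":
    for month, row in monthly_summary(evaluate(SAMPLE_EVENTS)).items():
        print(month, row)
```

The split between "prompt" and "block" matters for the accountability goal on the slide: a prompt records that the associate was warned and chose to continue, which is what feeds awareness training and the reporting line to management, while the block is reserved for content the policy says must never leave over webmail. The Luhn gate keeps the rule from firing on arbitrary 13- or 16-digit numbers such as invoice or tracking references.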
Thank you
For a further conversation:
Kris Budnik
082 600 7311