Governance of Privacy & Security: Balancing Compliance & Risks
CSO Breakfast Club, DC Chapter
September 30, 2008
Jody R. Westby, Esq., CEO, Global Cyber Risk LLC
Adjunct Distinguished Fellow, Carnegie Mellon CyLab
www.globalcyberrisk.com
The International Business & Legal Landscape
• Cybercrime, Privacy & Cyber Security Are Integrated Issues
• 233 Countries Connected to Internet; 1.5 Billion Online Users
• Global Operations Following the Sun and Outsourcing for Competitiveness
• International Legal Framework Highly Inconsistent
• Must Manage Risks Internally and For Outsourced Operations
• Governance of Security Required at Board & Senior Executive Levels
© Jody R. Westby
Principles of Corporate Governance
• Manage Risks of Organization & Align with Strategy
• Protect Critical Assets
• Preserve Resources of Organization
• Meet Compliance Requirements
• Set Culture and Managerial Tone for Conduct
• Make Governance Systemic Throughout Company
• Determine a Clear, Strategic Direction with Goals
• Assure Decisions are Implemented Through Effective Controls, Metrics, & Policies
Business Roundtable, Principles of Corporate Governance 2005
Effective Security Governance Characteristics
• Security Managed as Enterprise Issue
• Leaders are Accountable
• Security Viewed as Business Requirement
• Risk Based (Compliance, Operational, Reputational, Financial)
• Roles & Responsibilities Defined with Segregation of Duties
• Security Addressed & Enforced in Policy
• Adequate Resources Committed
• Staff Aware & Trained
• Security Addressed Throughout System Development Life Cycle
• Security is Planned, Managed, Measured & Weaknesses Addressed
• Reviewed & Audited
Enterprise Security Program
RMP
ESS
Enterprise Security Plan
Business Unit Security Plans
System Security Plans
Policies & Procedures
System Architecture
Enterprise Security Program Inputs
• Business plan and strategic goals
• Culture and management policies and procedures
• Operating environment and operational criteria
• System interconnection points
• Asset info on data, applications, networks
• Assessments & audit findings
• Incident response & crisis communications
• Reqs for business continuity and disaster recovery
• Standards, best prac. & guidance
• Technological considerations & system arch.
• Legal & cybercrime considerations
• RMP, ESS & risks, threats, vulnerabilities
• ROI and financial information
Enterprise Security Program: Security Plan, Security Policies, Security Procedures
Compliance Issues for ESP
• Privacy (Federal, State, Foreign)
• Security
• Breach Notification (States, Fed Reserve, Watch Foreign)
• Economic Espionage Act & Cybercrime Laws
• Financial (GLBA, FCRA, FACTA, SOX)
• Health/Medical
• Intellectual Property
• Other protected types of data
• Procedural and Rules of Evidence (chain of custody (s/s & forensic), integrity, admissibility)
• E-Discovery
Nexus Between Cyber Security, Privacy, & Cybercrime
• Security: Major Component of Cyber Security is Ability to Protect Against Unauthorized Access & Disclosure; Enterprise Approach Needed; Must be Able to Deter, Detect, Obtain Evidence
• Cybercrime: Privacy & Security Breaches Are Cybercrimes; Laws Deter, Enable Prosecution
• Privacy: Privacy Dependent upon Security; Driven by Laws, Culture
Governance Structure
BOD
CEO/COO
BRC, BAC
X-Team
BM, AO, CA, OP, IA, EA
ESP Activity Sequence
• Governance
• Structure & Roles and Responsibilities
• Inventory of Assets
• Compliance & Mapping
• Cybercrime & Mapping
• Privacy Impact Assessment & Privacy Audits
• Risk Assessments
• Operational Criteria
• Security Input to RMP, Develop ESS
• Integration & Operations
• Categorization, Controls, Metrics
• Best Practices & Standards
• Security Configuration Settings
• Supporting Plans (IR, BC/DR, CC)
• 3rd Party & Vendor Requirements
• Change Management Plans
• ESP, Policies & Policies
ESP Activity Sequence
• Implementation & Evaluation
• Implement & Train
• Monitor & Enforce
• Test & Evaluate Controls, Policies & Procedures
• Identify System Weaknesses & Correct
• Issue Authority to Operate
• Capital Planning & Investment Controls
• Determine Security Business Case, ROI, Funding Needs
• Formal Review of ESP
• Formal Audit of ESP
Roles and Responsibilities & Artifacts
Roles:
• BRC
• X-Team
• Business Managers
• Asset Owners
• Operational Personnel
• Certification Authority
• Internal & External Auditors
Artifacts:
• BRC, X-Team Mission, Goals, Objectives
• Organization Chart and R&R
• Top Level Policies
• Inventory of Assets
• Detailed Security Responsibilities
• Table of Authorities & Mappings
• Privacy Impact Assessments & Audits
• Risk Assessments, Certification Letter
• Operational Criteria
• Enterprise Security Plan & ESS
• Categorization, Controls & Metrics
• Best Practices & Standards, Settings
• Supporting Plans (IR, BC/DR, CC, Chg)
• 3rd Party & Outsource Vendor Reqments
• Policies & Procedures
• Security System Architecture Plan
• Implementation & Training
• Monitoring & Enforcement
• Testing & Evaluation, POAMs
• ESP Security Funding, ROI
• Annual Reviews, Audits
Global Environment Today
• More and More Offshore – India, China, Philippines Largest Markets
• Lack of Available Talent, Increasing Wage Scales, Weak Infrastructure Causing Major Outsourcing Vendors to go to Satellite Sites
• Popular Destinations for Satellite Operations are China, Mexico, Romania, Philippines, Eastern European Countries
• Many of These Countries Lack Privacy Laws, Economic Espionage Laws
• Cybercrime Laws are Inadequate, Poor Law Enforcement Assistance
• Weak Criminal Procedures, Lack of Trained Judiciary Personnel re Cybercrimes, Investigations
• Poor International Cooperation With Law Enforcement
• Recent Breaches of US & EU Data Caused Response from Regulators
Reality of Outsourcing Breaches
• Your Data is in Hands of Company You Do Not Control
• Lack of Ability to Control Vendor Personnel, Monitoring, Enforcement
• Vendor May Not Inform You Until Later On
• Provider May Not Have Adequate Incident Response Plan or Not Follow Plan
• Provider May Not Preserve Evidence
• Provider May Make Statements to Press, Law Enforcement, Others That Could Harm Brand, Stock Price, Market Share
• Provider May Have Contractual Obligation to Protect Data, But No Statutory Obligation
• Provider May Have Other Clients Whose Data Attracts Hackers, Economic Espionage
• Provider May Get Legal Requests for Your Data
Immediate Barriers to Effective Response
• Legal Differences in Laws, Procedures
• Jurisdictional Issues
• International Cooperation Issues
• Investigation & Prosecution Difficulties
• Evidentiary Considerations (Logs, Audit Trails, Search/Seizure)
• Compliance Responsibilities of Company & Provider Conflict
• Reality of Time Zones
Governance Actions That Reduce Risk
• Identify Compliance Issues & Weave Through ESP
• Take Laws of Outsourced Jurisdiction into Account for Table of Authorities & Mapping
• Determine Roles & Responsibilities for Personnel
• Conduct Privacy Impact Assessments
• Push Security Requirements Out to Providers, Third Parties (Controls, Metrics, Policies/Procedures)
• Review Policies & Procedures & Supporting Plans
• Monitoring & Enforcement & Communications Plan
• Regular Reporting (Incidents, Monitoring, Enforcement)
• Business Cases for IT Include Privacy, Security & BC/DR
• Conduct Privacy & Security Audits (Internal & Vendors)
Recommended