Cybersecurity Risk Oversight: the NIST Framework and EU approaches
Antonis Patrikios, Director, Privacy & Information Law Group
ACC webcast, 10 July 2014
www.fieldfisher.com 2"
Overview
• Why cybersecurity matters
• US NIST Framework
• EU approaches
• What it all means in practice
So, it’s not if but when… and it’s not just cyber
• Hacked, lost equipment, fat fingers, misdirected comms, cloud failure, eavesdropped, supply chain breakdown…
Possible impact of a serious cyber attack
• Loss of IP, confidential information, PII
• Detecting, containing, remedying and recovering from the incident
• Dealing with complaints and press enquiries
• Business as usual is disrupted. Costs
• Adverse publicity, brand damage, loss of trust. Share price drops
• Satisfying legal requirements and meeting regulatory expectations
• Breach of law and/or contract
• Action in court (including class actions)
• Impact on insurance
• Regulatory investigation
• Incident response and dealing with regulators puts strain on human and financial resources. More disruption and costs
• Enforcement action, fines, stigma of being fined
• More adverse publicity, brand damage, loss of trust…
So what should we be doing about it?
• Socialize the problem and keep it on the agenda
• Understand systems-based regulation and assess the risk
• Cyber and data security system
• Protect against cyber threats
• Have a plan for failure (remembering that the press, regulators and the public are not fools)
• Respond to cyber incidents
NIST Framework: background
• Initiated by Executive Order 13636, Improving Critical Infrastructure Cybersecurity
• Led by NIST and DHS, with contributions from the private sector, industry and companies
• Designed primarily for US critical infrastructure owners and operators, but suitable for use by other actors in other countries
• How about companies that provide services to owners and operators?
• Applicability to companies of all sizes
• Voluntary guideline. Not a foolproof formula for cybersecurity
• Draws heavily from existing standards (e.g. NIST 800-53, ISO 27001, COBIT)
• Provides an approach for managing cybersecurity risk
NIST Framework: what does it do?
• Does not create new standards
• Leverages existing cybersecurity practices such as those developed by NIST or ISO
• Provides a risk-based compilation of guidelines to identify, implement and improve cybersecurity
• Creates a common language
• Requires proactive cyber risk management
• Provides an assessment mechanism to determine current cybersecurity capabilities, identify the target state and establish a plan for cybersecurity programs
• 3 primary components: Profile, Implementation Tiers and Core
NIST Framework: Profile component
• Create a ‘Current Profile’ by measuring the current state of your cybersecurity program and identify a ‘Target Profile’
• Compare the two to identify gaps and create a prioritized roadmap to close them!
• ‘Implementation Tiers’:
– Tier 1 – Partial
– Tier 2 – Risk informed
– Tier 3 – Repeatable
– Tier 4 – Adaptive
NIST Framework: addressing privacy and civil liberties
• Regarding personal information used, collected, processed, maintained or disclosed in connection with cybersecurity
• Possible problems: over-collection, over-retention, unrelated disclosure; privacy intrusiveness of cyber defences
• Activities should be compliant with applicable privacy laws, regulations and Constitutional requirements
• Incorporate privacy principles such as data minimization at collection, disclosure and retention of personal information; use limitations; transparency; individual consent; redress for adverse impacts; data quality, integrity and security; accountability and auditing
• Specific provisions concerning the processes for governance; steps to be taken to identify and address privacy concerns; awareness and training; privacy reviews of ‘anomalous’ activity detection and monitoring; response activities and information sharing
NIST Framework: why should you adopt it?
• For most organizations, it is likely to help you improve risk-based cybersecurity
• It is likely to improve collaboration, communication, information sharing and threat intelligence
• It requires engagement at executive, business/process and operational levels, so will help create a security culture at your organization
• The Executive Order (s 8 (d)) talks about incentives
• If you are a supplier to critical infrastructure owners or operators, they are likely to expect you to comply
• In the US, it may become the de facto standard for cybersecurity and may impact legislation, judgements and regulatory thinking
• It prepares you for compliance with future laws and regulations on cyber and privacy
• It will help you comply with legal requirements and regulatory expectations on data security (e.g. in Europe!)
EU data security law and law making

Personal Data
– Now: Law: DP Directive 1995; Who: Data Controllers; Effect: Appropriate T&O security measures for personal data
– Next: Law: Draft DP Regulation 2012; Who: Controllers and Processors; Effect: Appropriate T&O for personal data; breach notification; regulatory audits; bigger fines

E-communications
– Now: Law: PEC Directive 2002/09; Who: Telcos & ISPs; Effect: Appropriate T&O for service security; breach notification; regulatory audits
– Next: No change

Cyber
– Now: Law: Better Regulation Directive 2009; Who: Telcos & ISPs; Effect: Appropriate T&O for network and service security; breach notification
– Next: Law: Draft Cybersecurity Directive 2013; Who: Utilities, transport, finance, public bodies, food supply; Effect: Appropriate T&O for NIS; breach disclosure; regulatory audits
Duty to protect against personal data loss
Data Protection Directive (95/46/EC) – Article 17, Security of Processing:
“[…] the controller must implement appropriate technical and organizational measures to protect personal data […] Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. […] the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller […]”
Industry standards flesh out the requirements
Examples:
ISO 27002, e.g.:
– Installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis
– Checks should include checking files on media and files received over networks for malicious code before use
– Checking email attachments and downloads for malicious code before use; checks should be carried out at different places, e.g. at email servers, desktops, and when entering the network of the organisation
PCI DSS, e.g.:
– Install and maintain a firewall configuration to protect cardholder data
– Use and regularly update anti-virus software or products; must be used to protect systems from current and evolving malicious software threats
– Track and monitor all access to network resources and cardholder data
HM Government Cyber Essentials Scheme (UK)
• Government backed, industry supported scheme to help organisations protect against common cyber attacks
• Clear statement of basic controls and security measures
• Also has the goal to function as an Assurance Framework to enable organisations to demonstrate they take cyber security seriously through certification
• HM Government have pledged to require suppliers bidding for certain personal and sensitive information handling contracts to be certified from 1 October 2014
• UK Data Protection regulator has endorsed it
The technology (and privacy) paradox
• As threats increase, new more powerful technologies emerge, e.g.:
– Standard: Firewalls; Anti-virus; Anti-spam
– Emerging: DLP; SIEM
– Forensics: EnCase
• As they evolve, obligations and expectations to adopt them increase
• But increasing technological sophistication increases privacy risks
Practical recommendations
• Good intentions and careful thinking can take us a long way
• Data security system; due diligence; contracts
• Understand the IT and network perimeter; who is responsible for legal compliance; consider roles and allocation of responsibilities
• Before implementing cyber security technologies, do a PIA!
• Environmental scan and benchmarking against industry standards
• Consider national particularities – legislation, case law, approach of regulators (practice, action and guidance)
• Risk mitigation
• How you respond to incidents is paramount!
• Prepare for the new legal regime
Key step 1: get your cybersecurity ‘system’ right
• Get senior management buy-in and sponsorship
• Assess current posture, define targets and execute
• NIST Framework
• Review, improve, and keep under review:
– Policies
– Processes
– Training
– Risk assessments
– Contracts
– Operational security
• Engage external support if required
Key step 2: privacy impact assessments for cyberdefences
• Focus/configuration: the person; the data; the network
• Data type: content; traffic; personal; info stored on terminal equipment
• Monitoring type:
– Interception – content in course of transmission
– Traffic data in course of transmission – non intercept
– Retained/stored/archived data
• Review and use:
– Anonymous or identifiable
– Initial review team. Escalation
– Retention of results
– Further use (including disclosures and sharing)
• Essential principles: lawfulness, necessity, proportionality, transparency and purpose limitation
Key step 3: get on top of things before the breach happens
• Have a plan for failure, remembering that the press, regulators and the public aren’t fools
• Understand the information flows and the processing operations
• Carry out and document a risk assessment
• Scenario planning
• Create a clear incident management plan, with management roles and reporting lines
• Establish your positions on breach disclosure
• Address the regulatory hotspots
Key step 4: get incident response right!
• Detect the breach!
• Understand what has happened
• Contain the problem
• Recover from it
• Mitigate harm
• Satisfy legal obligations
• Protect brand and reputation
• Learn the lessons
Issues we see during our practice
• Not seeing the nuances and differences between kinds of incidents
• Misapprehending the gravity of the situation
• Weak incident management processes
• Siloed teams handling the matter
• Back-covering, including “told you so”
• Worry about personal consequences
• Not having a clear position on regulatory issues, including breach disclosure
You’ve been hacked! The lens of litigation
• A legal component to your breach response is absolutely essential
• Obtaining the cloak of privilege for your work
• Enables you to say that you were taking your legal obligations seriously and were acting on advice
• Enables you to address your legal obligations correctly and in a timely fashion, e.g. regarding breach notification
Beating regulatory fines
• Fines are beatable, but it takes skill to present the right case and marshal your evidence by reference to the conditions precedent to fining
• At least in the UK, no or little likelihood of harm has proven to be a strong defence for controllers (Scottish Borders and Tetrus Telecoms)
– Hacking cases: relying upon expert forensic evidence about the degree of exposure of data and how the data can be used
– Medical case: relying upon absence of complaints following patient notification expert
– Medical case: obtaining witness statements from patients
Thank you!
Discussion and Q&A
[email protected]
www.fieldfisher.com
http://privacylawblog.fieldfisher.com/