Cybersecurity Risk Oversight: the NIST Framework and EU approaches Antonis Patrikios, Director Privacy & Information Law Group ACC webcast, 10 July 2014



www.fieldfisher.com 2

Overview

•  Why cybersecurity matters
•  US NIST Framework
•  EU approaches
•  What it all means in practice

www.fieldfisher.com 3

Don’t believe the hype?

www.fieldfisher.com 4

The evolving threat landscape

www.fieldfisher.com 5

So what?

www.fieldfisher.com 6

Everyone is vulnerable (not just Burger King)

www.fieldfisher.com 7

So, it’s not if but when… and it’s not just cyber

Hacked, lost equipment, fat fingers, misdirected comms, cloud failure, eavesdropped, supply chain breakdown…

www.fieldfisher.com 8

People care (or so think Microsoft)

www.fieldfisher.com 9

Possible impact of a serious cyber attack

•  Loss of IP, confidential information, PII
•  Detecting, containing, remedying and recovering from the incident
•  Dealing with complaints and press enquiries
•  Business as usual is disrupted. Costs
•  Adverse publicity, brand damage, loss of trust. Share price drops
•  Satisfying legal requirements and meeting regulatory expectations
•  Breach of law and/or contract
•  Action in court (including class actions)
•  Impact on insurance
•  Regulatory investigation
•  Incident response and dealing with regulators puts strain on human and financial resources. More disruption and costs
•  Enforcement action, fines, stigma of being fined
•  More adverse publicity, brand damage, loss of trust…

www.fieldfisher.com 10

So what should we be doing about it?

•  Socialize the problem and keep it on the agenda
•  Understand systems-based regulation and assess the risk
•  Cyber and data security system
•  Protect against cyber threats
•  Have a plan for failure (remembering that the press, regulators and the public are not fools)
•  Respond to cyber incidents

www.fieldfisher.com 11

The NIST Framework for Improving Critical Infrastructure Cybersecurity

www.fieldfisher.com 12

NIST Framework: background

•  Initiated by Executive Order 13636, Improving Critical Infrastructure Cybersecurity
•  Led by NIST and DHS, with contributions from the private sector, industry and companies
•  Designed primarily for US critical infrastructure owners and operators, but suitable for use by other actors in other countries
   –  How about companies that provide services to owners and operators?
•  Applicability to companies of all sizes
•  Voluntary guideline. Not a foolproof formula for cybersecurity
•  Draws heavily from existing standards (e.g. NIST 800-53, ISO 27001, COBIT)
•  Provides an approach for managing cybersecurity risk

www.fieldfisher.com 13

NIST Framework: what does it do?

•  Does not create new standards
•  Leverages existing cybersecurity practices such as those developed by NIST or ISO
•  Provides a risk-based compilation of guidelines to identify, implement and improve cybersecurity
•  Creates a common language
•  Requires proactive cyber risk management
•  Provides an assessment mechanism to determine current cybersecurity capabilities, identify a target state and establish a plan for cybersecurity programs
•  3 primary components: Profile, Implementation Tiers and Core

www.fieldfisher.com 14

NIST Framework: Profile component

•  Create a ‘Current Profile’ by measuring the current state of your cybersecurity program and identify a ‘Target Profile’
•  Compare the two to identify gaps and create a prioritized roadmap to close them!
•  ‘Implementation Tiers’:
   –  Tier 1 – Partial
   –  Tier 2 – Risk informed
   –  Tier 3 – Repeatable
   –  Tier 4 – Adaptive

www.fieldfisher.com 15

NIST Framework: core functions

www.fieldfisher.com 16

NIST Framework: addressing privacy and civil liberties

•  Regarding personal information used, collected, processed, maintained or disclosed in connection with cybersecurity
•  Possible problems: over-collection, over-retention, unrelated disclosure; privacy intrusiveness of cyber defences
•  Activities should be compliant with applicable privacy laws, regulations and Constitutional requirements
•  Incorporate privacy principles such as data minimization at collection, disclosure and retention of personal information; use limitations; transparency; individual consent; redress for adverse impacts; data quality, integrity and security; accountability and auditing
•  Specific provisions concerning the processes for governance; steps to be taken to identify and address privacy concerns; awareness and training; privacy reviews of ‘anomalous’ activity detection and monitoring; response activities and information sharing

www.fieldfisher.com 17

NIST Framework: why should you adopt it?

•  For most organizations, it is likely to help you improve risk-based cybersecurity
•  It is likely to improve collaboration, communication, information sharing and threat intelligence
•  It requires engagement at executive, business/process and operational levels, so will help create a security culture at your organization
•  The Executive Order (s 8(d)) talks about incentives
•  If you are a supplier to critical infrastructure owners or operators, they are likely to expect you to comply
•  In the US, it may become the de facto standard for cybersecurity and may impact legislation, judgements and regulatory thinking
•  It prepares you for compliance with future laws and regulations on cyber and privacy
•  It will help you comply with legal requirements and regulatory expectations on data security (e.g. in Europe!)

www.fieldfisher.com 18

The EU approach to cybersecurity

www.fieldfisher.com 19

What shapes EU legislative and regulatory thinking

www.fieldfisher.com 20

EU data security law and law making

Now
  Personal Data – Law: DP Directive 1995. Who: Data Controllers. Effect: Appropriate T&O security measures for personal data
  E-communications – Law: PEC Directive 2002/09. Who: Telcos & ISPs. Effect: Appropriate T&O for service security; breach notification; regulatory audits
  Cyber – Law: Better Regulation Directive 2009. Who: Telcos & ISPs. Effect: Appropriate T&O for network and service security; breach notification

Next
  Personal Data – Law: Draft DP Regulation 2012. Who: Controllers and Processors. Effect: Appropriate T&O for personal data; breach notification; regulatory audits; bigger fines
  E-communications – Law: No change. Who: No change. Effect: No change
  Cyber – Law: Draft Cybersecurity Directive 2013. Who: Utilities, transport, finance, public bodies, food supply. Effect: Appropriate T&O for NIS; breach disclosure; regulatory audits

www.fieldfisher.com 21

Duty to protect against personal data loss

Data Protection Directive (95/46/EC) – Article 17, Security of Processing: […] the controller must implement appropriate technical and organizational measures to protect personal data […] Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. […] the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller […]

www.fieldfisher.com 22

Industry standards flesh out the requirements

Examples: ISO 27002, e.g.:
–  Installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis
–  Checks should include checking files on media and files received over networks for malicious code before use
–  Checking email attachments and downloads for malicious code before use; checks should be carried out at different places, e.g. at email servers, desktops, and when entering the network of the organisation

PCI DSS, e.g.:
–  Install and maintain a firewall configuration to protect cardholder data
–  Use and regularly update anti-virus software or products; must be used to protect systems from current and evolving malicious software threats
–  Track and monitor all access to network resources and cardholder data

www.fieldfisher.com 23

HM Government Cyber Essentials Scheme (UK)

•  Government backed, industry supported scheme to help organisations protect against common cyber attacks
•  Clear statement of basic controls and security measures
•  Also has the goal to function as an Assurance Framework to enable organisations to demonstrate they take cyber security seriously through certification
•  HM Government have pledged to require suppliers bidding for certain personal and sensitive information handling contracts to be certified from 1 October 2014
•  UK Data Protection regulator has endorsed it

www.fieldfisher.com 24

The law is actively enforced

www.fieldfisher.com 25

The technology (and privacy) paradox

•  As threats increase, new, more powerful technologies emerge, e.g.:
   –  Standard: Firewalls, Anti-virus, Anti-spam
   –  Emerging: DLP, SIEM
   –  Forensics: EnCase
•  As they evolve, obligations and expectations to adopt them increase
•  But increasing technological sophistication increases privacy risks

www.fieldfisher.com 26

So, what does it all mean in practice?

www.fieldfisher.com 27

Practical recommendations

•  Good intentions and careful thinking can take us a long way
•  Data security system; due diligence; contracts
•  Understand the IT and network perimeter; who is responsible for legal compliance; consider roles and allocation of responsibilities
•  Before implementing cyber security technologies, do a PIA!
•  Environmental scan and benchmarking against industry standards
•  Consider national particularities – legislation, case law, approach of regulators (practice, action and guidance)
•  Risk mitigation
•  How you respond to incidents is paramount!
•  Prepare for the new legal regime

www.fieldfisher.com 28

Key step 1: get your cybersecurity ‘system’ right

•  Get senior management buy-in and sponsorship
•  Assess current posture, define targets and execute
   –  NIST Framework
•  Review, improve, and keep under review:
   –  Policies
   –  Processes
   –  Training
   –  Risk assessments
   –  Contracts
   –  Operational security
•  Engage external support if required

www.fieldfisher.com 29

Key step 2: privacy impact assessments for cyberdefences

•  Focus/configuration: the person; the data; the network
•  Data type: content; traffic; personal; info stored on terminal equipment
•  Monitoring type:
   –  Interception – content in course of transmission
   –  Traffic data in course of transmission – non-intercept
   –  Retained/stored/archived data
•  Review and use:
   –  Anonymous or identifiable
   –  Initial review team. Escalation
   –  Retention of results
   –  Further use (including disclosures and sharing)
•  Essential principles: lawfulness, necessity, proportionality, transparency and purpose limitation

www.fieldfisher.com 30

Key step 3: get on top of things before the breach happens

•  Have a plan for failure, remembering that the press, regulators and the public aren’t fools
•  Understand the information flows and the processing operations
•  Carry out and document a risk assessment
•  Scenario planning
•  Create a clear incident management plan, with management roles and reporting lines
•  Establish your positions on breach disclosure
•  Address the regulatory hotspots

www.fieldfisher.com 31

Key step 4: get incident response right!

•  Detect the breach!
•  Understand what has happened
•  Contain the problem
•  Recover from it
•  Mitigate harm
•  Satisfy legal obligations
•  Protect brand and reputation
•  Learn the lessons

www.fieldfisher.com 32

Issues we see during our practice

•  Not seeing the nuances and differences between kinds of incidents
•  Misapprehending the gravity of the situation
•  Weak incident management processes
•  Silo’d teams handling the matter
•  Back-covering, including “told you so”
•  Worry about personal consequences
•  Not having a clear position on regulatory issues, including breach disclosure

www.fieldfisher.com 33

You’ve been hacked! The lens of litigation

•  Legal component to your breach response is absolutely essential
•  Obtaining the cloak of privilege for your work
•  Enable you to say that you were taking your legal obligations seriously and were acting on advice
•  Enable you to address your legal obligations correctly and in a timely fashion, e.g. regarding breach notification

www.fieldfisher.com 34

Beating regulatory fines

•  Fines are beatable, but it takes skill to present the right case and marshal your evidence by reference to the conditions precedent to fining
•  At least in the UK, no or little likelihood of harm has proven to be a strong defence for controllers (Scottish Borders and Tetrus Telecoms)
   –  hacking cases, relying upon expert forensic evidence about the degree of exposure of data and how the data can be used
   –  medical case, relying upon absence of complaints following patient notification expert
   –  medical case, obtaining witness statements from patients

www.fieldfisher.com 35

Thank you!

Discussion and Q&A
[email protected]
www.fieldfisher.com
http://privacylawblog.fieldfisher.com/