World-wide Data Privacy Frameworks and Directions

Tae Yong Kil (CIA, CISA, OCJP; Audit Manager; Prudential Financial Inc.)
David Dongki Lee (CIA, KICPA, CISA; Director; Ernst & Young Han Young)



Participate in Q&A

• Download the IIA Conferences App to participate in Q&A during select sessions
• Select the session through the schedule icon
• Submit your questions for the session or to specific presenters by selecting the ASK icon
• Ask a member of the Conference Staff if you need assistance
• You can also go to https://ic.cnf.io/ from your mobile device web browser


General Statement

The comments, opinions, and illustrations contained herein are based on and/or derived from publicly available information from sources that Prudential Financial Inc. (PFI) believes to be reliable. We do not guarantee the accuracy of such sources or information. These materials are intended for informational purposes only. This information is not intended to provide and should not be relied upon for legal, accounting or tax advice or investment recommendations. These materials are not intended as an offer or solicitation with respect to the purchase or sale of any security or other financial instrument and should not be used as the basis for any investment decision. This document may contain confidential information and the recipient hereof agrees to maintain the confidentiality of such information. Distribution of this information to any person or organization other than the person or organization to whom it was originally delivered is unauthorized, and any reproduction of these materials, in whole or in part, or the divulgence of any of its contents, without the prior consent of PFI is prohibited. These materials are not intended for distribution to or use by any person in any jurisdiction where such distribution would be contrary to applicable law or regulation or is subject to any contractual restriction. Prudential Financial, Inc. of the United States is not affiliated with Prudential plc, which is headquartered in the United Kingdom.


Agenda

Topic (page)
• Data Privacy Overview (3 - 5)
• Privacy Regulations (6)
• IT Privacy and Data Security Frameworks (7 - 8)
• Recent Privacy-Related Incidents (9 - 10)
• GDPR - Components and Major Points (11)
• GDPR - Data Flows with Japan (12)
• Data Privacy Framework Evolution in South Korea (13)
• Preventive and detective controls and methodologies throughout the PII Life Cycle Management (14)
• Best practices discussions to protect Privacy Data (Quiz) (15)
• Q & A (16)


Data Privacy Overview

(Figure: word cloud of data-privacy-related tags. Source: https://www.123rf.com/photo_85497699_word-cloud-with-data-privacy-related-tags.html)


Data Privacy Overview - continued

(Figure: Relationship among Privacy, Secrecy, Security, and Safety Features on Privacy Rights. Source: The New Age of Near-zero Privacy, ISACA Journal 2016)


Data Privacy Overview - continued

• While data breaches were certainly occurring prior to 2005, most of the biggest data breaches recorded in history are reported in 2005 or beyond. This can be attributed to the fact that the world's volume of data has been growing exponentially year after year, giving cyber criminals a greater opportunity to expose massive volumes of data in a single breach. (Source: Digital Guardian)
• There will be around 40 trillion gigabytes of data (40 zettabytes) by 2020. (Source: EMC)
• 90% of all data has been created in the last two years. (Source: IBM)
• Today it would take a person approximately 181 million years to download all the data from the internet. (Source: Physics.org)
• Internet users generate about 2.5 quintillion bytes of data each day. (Source: Data Never Sleeps 5.0)
• In 2018, internet users spent 2.8 million years online. (Source: Global Web Index)


Privacy Regulations

• Inevitable legislation enforcement
• Various types of regulations per regulatory body and/or country:
  US (HIPAA, FERPA, COPPA, state regulations, etc.)
  Europe (GDPR)
  Others (Korea, Japan, Taiwan and Brazil privacy laws and regulations, etc.)

Source: UNCTAD, 27/3/2019


IT Privacy and Data Security Frameworks


IT Privacy and Data Security Frameworks - continued

(Figure: COBIT and NIST framework structures, side by side)

* From the NIST Privacy Framework outline (27 February 2019): The Framework Core (Core) will provide a set of activities to achieve specific privacy outcomes, and reference examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It will present key privacy outcomes identified by stakeholders as helpful in managing privacy risk. The Core will comprise four elements: functions, categories, subcategories, and informative references.


Recent Privacy-related incidents

Biggest Data Breaches of the 21st century (accounts compromised)

Year  Company              Accounts compromised
2018  Marriott             500 mil.
2017  Equifax              143 mil.
2016  Adult Friend Finder  412 mil.
2015  Anthem               79 mil.
2014  eBay                 145 mil.
2014  JP Morgan Chase      76 mil.
2014  Home Depot           56 mil.
2013  Yahoo                3 bil.
2013  Target Stores        110 mil.
2013  Adobe                38 mil.

In some cases, passwords and other information were well protected by encryption, so a password reset eliminated the bulk of the risk. "Well protected" here means the stored credentials were salted and hashed with a slow algorithm; where passwords were kept in plaintext or as unsalted fast hashes, a forced reset stops reuse on the breached site but does not stop credential stuffing against other sites where the same password was used.

Source: The 18 biggest data breaches of the 21st century (CSO)


Recent Privacy-related incidents - continued


GDPR - Components and Major Points


GDPR - Data Flows with Japan


Data Privacy Framework Evolution in South Korea

"Integrating the old standards to efficiently protect and manage Information and Personal Information in a single system"

Timeline:
• 2001: Adoption of ISMS
• 2010: PIMS deployed
• 2014: Initiation for integration of the certification system
• 2018: ISMS-Privacy deployed

(Figure: old standards (ISMS and PIMS) merged into the new standard; the domain labels visible in the diagram are Policy, Org., Facility, Doc., IS, DRP, Monitor, Controller and Processor.)

• ISMS: Information Security Management System
• PIMS: Personal Information Management System


Preventive and detective controls and methodologies throughout the PII Life Cycle Management

• Preventive (Business)
  Limit data obtained to only what is necessary
  Training
  Peer review
• Detective (Business)
  Data extraction review
  User access recertification
• Preventive (Tech)
  IPS (blocks inline)
  Threshold setting on privacy data extraction
• Detective (Tech)
  IDS (alerts on what it sees)
  Packet review

Source: Data Lifecycle Management Model
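As an added example (not code from the original slides), the two threshold controls above, "threshold setting on privacy data extraction" as the preventive form and "data extraction review" as the detective form, implemented over a constructed, hypothetical audit-log format. The field names, the 1,000-rows-per-hour threshold, and the sample log lines are assumptions for illustration.

```python
# Added example (not from the slides): threshold-based detection of bulk
# PII extraction, run over constructed audit-log lines.
# The log format below is hypothetical:
#   <ISO-8601 timestamp> user=<id> action=<verb> table=<name> rows=<n> pii=<yes|no>
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) pii=(?P<pii>yes|no)$"
)

# Constructed sample: alice exports 1,150 customer rows in 40 minutes, bob's two
# exports are hours apart, carol's export is not PII, dave queries without
# exporting, and the last line is malformed.
SAMPLE_LOG = """\
2019-05-20T09:00:00 user=alice action=EXPORT table=customers rows=400 pii=yes
2019-05-20T09:20:00 user=alice action=EXPORT table=customers rows=450 pii=yes
2019-05-20T09:40:00 user=alice action=EXPORT table=customers rows=300 pii=yes
2019-05-20T09:05:00 user=bob action=EXPORT table=customers rows=900 pii=yes
2019-05-20T13:30:00 user=bob action=EXPORT table=customers rows=900 pii=yes
2019-05-20T10:00:00 user=carol action=EXPORT table=products rows=50000 pii=no
2019-05-20T10:10:00 user=dave action=SELECT table=customers rows=5000 pii=yes
this line is malformed and must be ignored
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    table: str
    rows: int
    pii: bool


def parse_line(line: str) -> Event | None:
    """Parse one audit-log line; return None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Event(
        ts=datetime.fromisoformat(m["ts"]),
        user=m["user"],
        action=m["action"],
        table=m["table"],
        rows=int(m["rows"]),
        pii=(m["pii"] == "yes"),
    )


def detect_bulk_pii_extraction(lines, max_rows=1000, window=timedelta(hours=1)):
    """Detective control: return (user, window_start_iso, rows) for each user whose
    PII EXPORT volume inside any sliding window of `window` exceeds `max_rows`.
    One alert per user is enough for triage; the alert carries counts, not PII."""
    per_user: dict[str, list[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.action == "EXPORT" and ev.pii:
            per_user[ev.user].append(ev)

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e.ts)
        start, total = 0, 0
        for ev in events:
            total += ev.rows
            # Slide the window forward until it spans at most `window`.
            while ev.ts - events[start].ts > window:
                total -= events[start].rows
                start += 1
            if total > max_rows:
                alerts.append((user, events[start].ts.isoformat(), total))
                break
    return alerts


def allow_export(history_lines, proposed_line, max_rows=1000, window=timedelta(hours=1)):
    """Preventive control: apply the same threshold before the export runs.
    Fails closed on unparsable input; non-PII or non-export requests pass through."""
    proposed = parse_line(proposed_line)
    if proposed is None:
        return False
    if not (proposed.action == "EXPORT" and proposed.pii):
        return True
    alerts = detect_bulk_pii_extraction([*history_lines, proposed_line], max_rows, window)
    return not any(user == proposed.user for user, _, _ in alerts)


if __name__ == "__main__":
    for alert in detect_bulk_pii_extraction(SAMPLE_LOG.splitlines()):
        print("ALERT bulk PII export: user=%s window_start=%s rows=%d" % alert)
```

The same sliding-window count serves both cells of the matrix: `detect_bulk_pii_extraction` runs after the fact over the log (the IDS-style detective control), while `allow_export` evaluates the proposed export against the user's recent history before it is allowed (the IPS-style preventive control). Malformed lines are dropped on review and rejected on enforcement, so a broken logger cannot be used to slip under the threshold, and the alert tuple carries only a user id, a timestamp and a row count so that the monitoring pipeline does not itself become a PII store.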


Best practices discussions to protect Privacy Data (Quiz)

I. 1st line of Defense

i. _______________________________

II. 2nd line of Defense

ii. _______________________________

III. 3rd line of Defense

iii. _______________________________


Q&A


Closing

Thank you!!!


References

Top 10 Security and Privacy Topics for IT Auditors (ISACA Journal 2010, vol. 2)
https://www.isaca.org/Journal/archives/2010/Volume-2/Pages/Top-10-Security-and-Privacy-Topics-for-IT-Auditors1.aspx

Mobile Workforce Security Considerations and Privacy (ISACA Journal 2017, vol. 4)
https://www.isaca.org/Journal/archives/2017/Volume-4/Pages/mobile-workforce-security-considerations-and-privacy.aspx

Everything You Need To Know About GDPR (2017)
https://www.dubber.net/everything-need-know-gdpr/
(GDPR history image from the same article: https://s18267.pcdn.co/wp-content/uploads/2017/06/2016-01-30_GDPR_history.gif)

A Brief History of Data Protection: How Did It All Start? (2018)
https://cloudprivacycheck.eu/latest-news/article/a-brief-history-of-data-protection-how-did-it-all-start/

Google GDPR (CNIL, 50 million euro penalty against Google LLC)
https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

GDPR vs. Japan
https://www.skadden.com/insights/publications/2018/09/quarterly-insights/data-protection-in-japan-to-align-with-gdpr


GDPR Components and Major Points
https://www.bankinghub.eu/banking/finance-risk/gdpr-deep-dive-implement-right-forgotten

COBIT Data Privacy Framework
https://www.isaca.org/Journal/archives/2019/Volume-1/Pages/assurance-considerations-for-ongoing-gdpr-conformance.aspx

NIST Privacy Framework
https://www.nist.gov/sites/default/files/documents/2019/02/27/outline_privacy_framework_2.27.19.pdf

Basic Information Security & Privacy framework
https://slideplayer.com/slide/14336984/

Privacy regulations list
https://www.consumersinternational.org/media/155133/gdpr-briefing.pdf


Tell us what you think!

Evaluate this session right in the IIA Conference App! Not using the conference app? Visit ic.cnf.io to complete your session evaluations.