1
LIVING IN THE CLOUD IN A COMPLIANT, RISK-BASED, AND LEGALLY DEFENSIBLE APPROACH
You can outsource functions and activities, but not responsibility.
Michael Cox, CIPP, President, SoCal Privacy Consultants
AITP SD Cloud Computing Conference 2014
San Diego Marriott La Jolla
Thursday, 13 Nov 2014
2
BIO: Michael Cox, CIPP/US
President, SoCal Privacy Consultants
- Confidential clients include private and public customer-centric organizations in health care, Internet, technology services, financial services, bitcoin ATMs, etc.
- For an FTC consent order client, established multi-state information security programs and provides ongoing consulting, resulting in four consecutive satisfactory audits certifying compliance to the order
- Conducts gap assessments and establishes lean, sustainable and legally defensible privacy and security programs for partners, service providers, and M&A buyers and sellers
- Obtains executive commitment; operationalizes governance with clear roles and responsibilities; develops policies; conducts training; advises on implementation; and provides tools and an effective transfer of knowledge
Chief Privacy Officer, Pathway Genomics Corporation, an international genetics testing laboratory
Previous experience
- VP of Enterprise Risk Management, Goal Financial
- Business Risk Officer, Capital One Auto Finance
- VP of Operations – multiple organizations, including 2 Fortune 200 companies
- Certified Information Privacy Professional (CIPP/US)
- Member, International Association of Privacy Professionals (IAPP)
- Member, IAPP Professional Privacy Faculty
- Member, two privacy think-tank groups, Lares Institute
- Co-author, Security chapter for HIMSS Good Informatics Practices (GIP)
- Frequent speaker on privacy and security subjects
- B.S., Business Administration, Virginia Tech
Contact information: [email protected] or (619) 318-1263
Markets: Health care, Financial services, Retail, Technology service providers, Others
4
Data Innovation Pledge: “I will promote the Ethical and Innovative Use of Data to improve people’s lives”
Too often there is perceived tension between
privacy, technology and innovation
Rather than just co-exist, they can
thrive and drive innovation as a team
Privacy should be thought of as a functional requirement,
like sales and revenue, and not just a quality attribute
Without privacy, there is no customer trust
Together, privacy, technology and innovation bring unparalleled
value, opportunity, efficiency, service, and connectivity
5
California is a privacy leader
2003 - 1st state breach notification law
2012 - law amended to require notification to the CA State AG when 500+ CA citizens’ data is compromised
From 2012 to 2013, reported compromised breach records increased 600%
Data breaches expected to keep climbing
6
FTC Consent Order client impacts
20 year consent order
- CEO will likely want another executive to sign the order, e.g. GC, CFO or CRO
- A copy of the order must be delivered to / receipt acknowledged by all current / future: subsidiaries, principals, officers, directors, managers, employees, agents, and representatives having responsibilities relating to the order
Increased cost of compliance
- Provide 30 days notice of change to corporation, e.g., dissolution, assignment, sale, merger or like action
- Within 90 days of order, provide a report of compliance to the order
- Respond within 10 days to additional information requests
- Expensive independent biennial audits by CISSP, CISA, or GIAC (not a CPA)
- Demonstrate compliance on any given day during biennial period
- Retain specified compliance documentation for a period of 5 years: any documents that “contradict, qualify, or call into question compliance with” the order; risk assessments; consumer complaints; plans, reports, studies, reviews, audits, audit trails, training materials, and assessments; statements disseminated to consumers re: privacy/security
Compliance is elevated due to:
- FTC expectations, e.g. privacy/security training occurs prior to providing new hires access to PII
- Being on the FTC’s radar screen and wanting to avoid another breach
7
Key takeaways
Compelling business case for Privacy, yet many compliant organizations continue to suffer breaches
Achieving a legally defensible posture better protects an organization and its customers
ERM establishes a legally defensible system by creating accountability for risk and making informed decisions within company’s risk tolerance
Risk associated with subcontractors, including cloud services providers, must be addressed in a legally defensible manner
8
FIRST, A FEW CONCEPTS
To ensure alignment
9
What is privacy?
Is about individual rights and choices around the data privacy lifecycle
Requires information governance around PII: onward transfer (cross-border transfer rules), notice/consent-choice, collection, purpose/use, access/availability/correction/quality, disclosure/sharing/transfer, storage/retention and secure disposal
Includes security of PII: administrative, physical, and technical controls
10
Privacy is complex and evolving
Continually challenged by emerging issues:
New threats and vulnerabilities
Snowden/NSA surveillance
New technologies, e.g. mobile apps/devices, biometrics, wearable computing
Big Data, e.g. bio-banks, predictive analytics
Internet of Things (IoT)
Defined by:
Laws, regulations, guidance, enforcement actions
Context – e.g., purpose
Social norms – “rules of civility” - what would the “reasonable person” expect? - different markets have different expectations – data sensitivity
11
Why is there this seemingly endless parade of breaches?
Question: Why are so many “compliant organizations” suffering breaches and the resulting regulatory fines and enforcement actions, class action lawsuits, and adverse brand and equity impacts?
Answer: 1. Treating strictly as a compliance risk
2. Underestimating the risk or not aware they are assuming a risk
3. Not pursuing a risk-based, legally defensible strategy
4. Not implementing governance
12
COMPELLING BUSINESS CASE
For Privacy
13
Calculating breach risk
risk = probability x impact
Risk Levels (rows: Probability of Occurrence; columns: Impact Severity)

Probability   Insignificant  Minor     Significant  Damaging   Serious    Critical
Negligible    Very Low       Very Low  Low          Low        Low        Low
Very Low      Very Low       Low       Low          Low        Moderate   Moderate
Low           Very Low       Low       Moderate     Moderate   High       High
Medium        Very Low       Low       Moderate     High       High       Very High
High          Low            Moderate  High         High       Very High  Very High
Very High     Low            Moderate  High         High       Very High  Very High
Extreme       Low            Moderate  High         Very High  Very High  Very High

Note: even a low probability with a serious impact equals a high risk
But the probability of a breach is usually underestimated – Businesses in last 12 months had: 90% one or more breaches; 59% multiple breaches (Ponemon Institute)
14
Continually under attack from rapidly growing threats
A managed security services provider can monitor external and internal threats
15
Impacts can be catastrophic
Privacy is more than a compliance risk
Regulatory risk
Legal risk
Financial risk (Ponemon Institute): revenue loss $5.4-7.2 million avg. per incident cost over last 7 years; 12-22% avg. loss in brand value
Reputation/brand risk
Operational risk: CEOs lost 1-1.5 years of productivity (interviews)
Officer liability risk (Target CEO and board)
16
Yet, cost to protect is low and creates a legally defensible posture
Avg. protection cost ($16) is less than 7% of avg. breach costs ($204) per compromised record (Gartner)
Avg. breach cost reductions per record (Ponemon Institute)
$23 for CPO/CISO
$42 for incident response plan
97-99% of breaches are avoidable with reasonable (simple/intermediate) controls (Verizon Business Data Breach Investigation Reports)
Legal defensibility is getting to 97-99% avoidability, not “absolute privacy/security”, as there is no such thing
17
While we’re talking about costs … What are the postponement costs?
Cost for doing it later is 17 times higher than the incremental cost to do it now (Capital One)
Plus the risk exposure from not being in a legally defensible posture … Stephen Covey calls that a “Lose-Lose” situation
Purpose of brakes on a car is … ?
not to slow a car down …
but to allow it to go fast!
18
But the cyber security gap is growing
19
Security goals are also bigger than compliance
Protect from theft, business disruption and compromise:
Company technology and infrastructure
Intellectual property and trade secrets
PII data
20
Key types of theft:
Which is worth more on the black market and why?
When customers are compromised, so is the business
Life changing impact on compromised individuals
Privacy can be an asset for gaining competitive edge
By building and maintaining stakeholder trust and loyalty
Privacy Builds and Maintains Company Brand
80% of CEOs believe good data protection increases brand / marketplace value*
Privacy Enables Achievement of Business Objectives
Win partner business
Secure investor confidence
Secure acquiring company bid
Obtain cyber risk insurance when ready (no absolute security)
*Ponemon Institute survey
22
Expectations of public company boards
Cyber attacks affect integrity of capital market infrastructure, public companies and investors
SEC Commissioner Aguilar: “… boards who choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Fiduciary duty breach in managing/monitoring material risks
Duty of due care – knowledgeable and active, direct role
Duty of oversight – board minutes/reports should document this
10-K cybersecurity disclosures: SEC’s 2011 guidance to adequately inform shareholders
Disclose material events that would affect operational results, liquidity and financial condition, or cause financial information not to be indicative of future operating results
23
Recommendations to protect against liability
Board members should mitigate business/D&O liability and class action lawsuit risk
Ensure establishment of a legally defensible program
Governance and oversight
- Ensure comprehensive policies/procedures/standards, including vendor management
- Become well-informed of company’s policies/practices/gaps and industry standards
- Recruit and hire at least one “cybersecurity (tech-savvy) director”; use outside experts and auditors
- Appoint well-qualified privacy and security officers and periodically meet with them
- Establish a senior, cross-functional privacy and security steering (oversight) committee
Monitoring and reporting
- Ensure company: maintains data mapping; conducts controls evaluations and risk assessments; reviews vendors; monitors for external, internal and third party threats
- Require regular reporting to the board
Make appropriate public cybersecurity disclosures
Consider cybersecurity risk insurance
24
ACHIEVING A LEGALLY DEFENSIBLE POSTURE
Achieving Privacy/Security-by-Design through ERM
25
Imagine this not-so-improbable scenario
1. IT reports malware has been discovered on computer systems and it is likely that PHI, business plans and intellectual property have been exposed.
2. U.S. state data security breach notification laws have been triggered. Chief Privacy Officer advises that once the required notices go out, expect media inquiries and letters from the HHS, FTC and State Attorneys General seeking information about the breach and the company’s cybersecurity practices.
3. A letter comes from a prominent legislator asking questions about the breach.
4. Corporate partners inquire about contractual data security and privacy obligations, and the potential impact of the breach on their systems, data, and business.
5. Investors and plaintiffs’ lawyers are organizing to pursue actions related to the breach and its effect on the company, its operations and revenues, and individuals’ privacy.
6. (If public) SEC 8-K requires evaluating whether to report the incident as a material risk.
7. And the Board wants to know what steps the company has taken to assess and mitigate the legal risks.
Is the organization in a legally defensible position and ready to appropriately and quickly respond?
Scenario originally described by Harriet Pearson, partner with Hogan Lovells US LLP: “Cybersecurity: The Corporate Counsel’s Agenda.”
26
Compliance vs. legally defensible strategy
Check-the-box compliance is not defensible
Standards establish a minimum baseline, but are not enough
Standards cannot keep up with emerging threats, new technologies, changing laws/regulations, and guidance/enforcement actions
Many compliant organizations continue to suffer breaches
Fundamental principles to preserve and build long-term value
When, not if – presumption that breach will occur and will be subject to legal proceedings to defend itself and its assets
Be able to make legally sound/compelling arguments from view of a plaintiff’s attorney/judge/jury/regulator that entity has done everything reasonable
d. Define sensitivity of data and processes outsourced (use cases)
i. Develop data flow and resource mapping
ii. Conduct privacy risk impact assessment and develop mitigation plans
e. Define security responsibilities/requirements: who develops/tests/deploys/manages/monitors
i. Cloud client: encrypt data in transit/at rest (retain keys); secure communications; secure configuration/network segmentation; access controls/IAM integration; backups/data replication; monitoring - vulnerability scans, periodic RBAC reviews; F/W egress filtering; consider 3rd party tools to add features/functionality and ease to move to alternative CSP
ii. CSP: acceptable contract terms, e.g. breach notification, etc.; independent audit to specific regulatory standards; privileged identity management; logs enabled and correlation/response; F/W, IDS/IPS
38
Establishing a legally defensible cloud strategy and implementation
Step 2. Select and properly contract with CSP
a. Assess contracts of finalists, e.g. breach notification, right to audit, security requirements
b. Verify acceptable risk tolerance to plan
c. Select and contract with CSP – only after competitive evaluation of finalists’ agreements
Step 3. Govern, monitor and manage cloud services
a. Implement cloud client responsibilities, including management and monitoring of CSP
b. Establish policies/SOPs
c. Securely migrate data/applications
d. Monitor to ensure implementation matches objectives/requirements
39
Develop a regulatory coverage map
Applicable laws/regs/standards determined by:
Consumer residency - Consumer protection laws tend to protect residents of a jurisdiction
Data location - NSA/Snowden causing some countries to not want data to leave their country, e.g. Russia’s new law
- Some international mega-companies, including cloud service providers, rapidly building data centers in these countries
40
Identify applicable laws re: outsourced PI
Privacy laws: GLBA, HIPAA, etc.
Data breach notification laws
- U.S. state laws generally (but not all) provide an exception for encryption
- Tend to focus on SSNs, driver’s license #s, and credit card #s
- Consider sensitive data privacy laws – genetic information
- International developing breach notification laws
Cross-border data transfer rules/restrictions: consent; EU/EEA
Resource Owners are responsible for ensuring RBAC design, authorizing RBAC rights, and periodically reviewing RBAC rights for accuracy
Resource Custodians are responsible for the Privacy/Security-by-Design of assigned resources
Match protection to data sensitivity
Either do not move sensitive data to public cloud or ensure adequate protection if you do
Quartile / Data Sensitivity Classifications (examples may vary by country of jurisdiction)
4 - Highly Sensitive: includes any of the following: SSN, payment card info, user ID/password, security question/answer (mother’s maiden name, DOB, place of birth, etc.), health insurance ID #; genetic info (defined by GINA), medical/health info, background check info, biometric record or identifiers
3 - Sensitive: PII that does not fall into quartile 4 or 2, such as other personally identifiable dates, account #, vehicle ID/serial #, driver’s license/certificate #, other unique ID#/characteristic/code, geo-location data, other personnel file info
2 - Slightly Sensitive: published contact info: name plus address, phone#; email address, fax#, instant message user ID, URL address, IP address, photo/video/audio file, persistent device/processor/serial ID; any other PII used for marketing purposes (see CA’s “Shine the Light Law”)
1 - Non-Sensitive: non-personal information, such as session identifiers/cookies; business lead contact info is not sensitive in U.S., but is in Canada, EU, and elsewhere
45
Data sensitivity is largely determined by whether a compromise would require breach notification
Operational examples – adjust processes based on data sensitivity levels, e.g. pre-contract due diligence and periodic monitoring of BAs, roles-based access controls (RBAC), encryption, etc.
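The quartile table and the matching-protection rule above, together with the cloud-client responsibilities (encrypt in transit and at rest, retain keys, RBAC reviews) and the note that U.S. state breach laws focus on SSNs, driver’s license and card numbers with an encryption exception, can be turned into a screening check a cloud client runs over a data set’s schema. The following is an added example and not the speaker’s code; the field-name patterns, the control mapping, the sample schemas and the function names are constructed assumptions drawn from the slide text, not a legal classification.

```python
"""Classify a data set by the deck's four sensitivity quartiles and derive the
cloud protections and breach-notification exposure that follow from it.

Added example, not from the deck. Field-name patterns, the control mapping
and the sample schemas are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List


def _norm(field: str) -> str:
    """Normalise a field name: 'Card Number' -> 'card_number'."""
    return re.sub(r"[^a-z0-9]+", "_", field.lower()).strip("_")


def _tok(word: str) -> str:
    """Regex matching `word` as a whole underscore-delimited token."""
    return rf"(?:^|_){word}(?:_|$)"


# Quartile 4 -> 2 patterns, derived from the slide's examples (constructed).
# A field that matches nothing falls into quartile 1 (non-sensitive).
QUARTILE_PATTERNS: Dict[int, List[str]] = {
    4: [_tok("ssn"), "social_security", "card_number", _tok("pan"), _tok("cvv"),
        "password", "security_question", "security_answer", "maiden_name",
        "insurance_id", "genetic", "diagnosis", "medical", "health",
        "biometric", "background_check"],
    3: ["account_number", _tok("vin"), "drivers_license", "driver_license",
        "employee_id", "latitude", "longitude", _tok("geo"), "hire_date"],
    2: [_tok("name"), "address", "phone", _tok("fax"), "email", _tok("ip"),
        "device_id", "photo", _tok("url")],
}

# Fields the slide says U.S. state breach laws tend to focus on. The slide also
# says the encryption exception applies "generally (but not all)", so treat the
# result as a screening flag, not a legal determination.
NOTIFICATION_TRIGGERS = [_tok("ssn"), "social_security", "card_number",
                         _tok("pan"), "drivers_license", "driver_license"]


def classify_field(field: str) -> int:
    name = _norm(field)
    for level in (4, 3, 2):
        if any(re.search(p, name) for p in QUARTILE_PATTERNS[level]):
            return level
    return 1


def classify_record(fields: Iterable[str]) -> int:
    """A record is as sensitive as its most sensitive field."""
    return max((classify_field(f) for f in fields), default=1)


def notification_likely(fields: Iterable[str], encrypted_at_rest: bool) -> bool:
    if encrypted_at_rest:
        return False
    return any(re.search(p, _norm(f)) for f in fields for p in NOTIFICATION_TRIGGERS)


def cloud_placement_plan(fields, encrypted_at_rest: bool, client_retains_keys: bool) -> dict:
    """Pick protections by quartile: either keep sensitive data out of the public
    cloud, or make sure the listed protections are in place before moving it."""
    fields = list(fields)
    level = classify_record(fields)
    controls = ["RBAC roles with unique user IDs", "logging enabled"]
    if level >= 2:
        controls.append("encrypt data in transit")
    if level >= 3:
        controls += ["encrypt data at rest", "periodic RBAC rights review"]
    if level == 4:
        controls += ["client retains encryption keys",
                     "multi-factor authentication for console and API access",
                     "24x7 log correlation and response"]
    gaps = []
    if level >= 3 and not encrypted_at_rest:
        gaps.append("data is not encrypted at rest")
    if level == 4 and not client_retains_keys:
        gaps.append("encryption keys are held by the CSP, not the client")
    return {
        "level": level,
        "controls": controls,
        "gaps": gaps,
        "ok_for_public_cloud": not gaps,
        "notification_if_breached": notification_likely(fields, encrypted_at_rest),
    }


if __name__ == "__main__":
    # Constructed sample schemas for a lab system and a marketing list.
    patient = ["first_name", "email", "SSN", "diagnosis_code", "session_id"]
    marketing = ["full name", "email", "ip_address", "cookie"]
    print(cloud_placement_plan(patient, encrypted_at_rest=False, client_retains_keys=False))
    print(cloud_placement_plan(marketing, encrypted_at_rest=True, client_retains_keys=True))
```

The record takes the quartile of its most sensitive field, so a single SSN column pulls an otherwise quartile-2 marketing table up to quartile 4 and blocks the public-cloud move until encryption at rest with client-held keys is in place.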
Controls effectiveness scale
The greater the risk, the stronger the controls should be
46
Scale   Controls Effectiveness                        Examples
10      preventive, detective & corrective controls   IPS, account lock-out on failed log-ins
7-9     preventive and detective controls
4-6     preventive controls
Examples of controls: privacy/security-by-design, policies/SOPs, training (awareness/on-the-job), keycards, authentication, RBAC system controls, encryption, hardening, firewalls/IDS, real-time log correlation/response, white/black listing, code testing prior to release, DLP, database activity monitoring
Controls must be documented in a procedure, implemented, tested, monitored, and trained on where appropriate.
Higher control effectiveness rankings within a category are based on multiple layers of controls - defense in depth.
Controls can take into account: company’s size, complexity and capabilities; reasonability standard; costs vs. benefit; company’s administrative, physical and technical infrastructure.
Types of controls
To manage cause-risk event-effect relationship
[Diagram: Cause 1, Cause 2, Cause 3 → Risk Event → Effect 1, Effect 2, Effect 3, with Preventive Controls and Detective Controls, and Inherent Risk vs. Net / Residual Risk]
Preventive Controls are proactive controls established to stop or deter risk events/causes from occurring. Examples include:
Procedures/process maps
Access Control Policy
Segregation of Duties, e.g., dual control
Detective Controls are established to discover errors that have occurred and can be used to determine when/if a preventative control breaks down. Examples include:
Alarms, e.g., email notification signaling error/out-of-pattern situation
Reports, e.g., monitoring reports for validation/comparison purposes
Sampling, e.g., quality assurance sampling
Management Review, e.g., sign-off on expense report
Training programs, e.g., new hire or skill training
Corrective Controls automatically manage/mitigate in response to an alert, e.g., IPS
48
Assessing and mitigating risk
Annual risk assessment: enterprise-oriented
Privacy (risk) impact assessment (PIA): conduct for new / enhanced resources to define requirements and implement and test prior to rollout (Privacy-by-Design)
Cloud services are, of course, a resource
49
Qualifying and managing subcontractors
Regulators’ expectations of due diligence - ongoing
Assess subcontractor’s compliance
Audits: ISO 27001/27002:2013; SSAE 16 SOC 2 Type II (5 Trust Service Principles); PCI-DSS; HIPAA; CSA; FedRAMP
InfoSec due diligence questionnaire - include analysis of cloud provider agreements
Continuously manage and monitor compliance
Avoid/report a pattern of improper activity
Additional periodic due diligence if sensitive data
Monitor cloud provider’s security
50
Many cloud computing agreements are take-it-or-leave-it
Compensate by obtaining/reviewing contracts as part of due diligence and determining what controls need to be integrated with and wrapped around the cloud service
All cloud agreements should include appropriate security measures
Data locations – all instances including backups
Secure access controls via console and APIs
Dedicated connection using 802.1q VLANs; IPsec VPN tunnel via private subnet
Identity and access management tools
Unique user IDs/passwords
- Multi-factor authentication for sensitive data
RBAC roles
Encrypted data in transit and at rest; client should retain keys
Built-in firewalls to control ingress; manage F/Ws to control egress
Cooperation with cloud client
Logging
24x7 correlation and response management for sensitive data
Monitoring – patches, vulnerabilities
Determine whether to use cloud provider’s tools or independent tools with additional features and functionality that improve data portability from cloud to cloud
Consider a managed cloud services provider who resells and understands, for example, AWS cloud services, and can help you successfully implement it for your use
51
Cloud Select Industry Group (CSIG) SLA standards guidance
Cloud Security Alliance, ENISA, DLA Piper, Amazon, Google, IBM, Microsoft, etc.
Guidance regarding what business should seek to have in place: 6/20/2014 - 41 pages
1. Standards or certification mechanisms the cloud service provider complies with
2. Precise description of purposes of processing
3. Clear provisions regarding retention and erasure of data
4. Reference to instances of disclosure of personal data to law enforcement and notification to the customer of such disclosures
5. A full list of subcontractors involved in the processing and inclusion of a right of the customer to object to changes to the list, with special attention to requirements for processing of special or sensitive data
6. Description of data breach policies implemented by the cloud service provider including relevant documentation suitable to demonstrate compliance with legal requirements
7. Clear description of geographical location where personal data is stored or processed, for purposes of implementing appropriate cross-border transfer mechanisms
8. Time period necessary for a cloud service provider to respond to access, rectification, erasure, blocking, or objection requests by data subjects
Broad recommendations to be trialed by EU Commission and hopefully evolve into an ISO standard
52
Summary
Key points
53
Summary of key points
Compelling business case for Privacy, yet many compliant organizations continue to suffer breaches
Achieving a legally defensible posture better protects an organization and its customers
ERM establishes a legally defensible system by creating accountability for risk and making informed decisions within a company’s risk tolerance
The risk associated with subcontractors, including cloud services providers, must be addressed in a legally defensible manner
54
QUESTIONS?
55
Appendix
Supplementary Slides
56
ICAEW Audit Insights: Cyber Security 2015
The work of a group of audit experts from the 6 largest audit firms - pub. Oct. 2014
Growing gap between business and cyber attacker capabilities
Threats rapidly growing in scale and record numbers
Economic growth leads to new business activity creating new cyber risks
Focus finite resources in the right places, e.g. in monitoring, detection and response
Coordinate system-wide actions, e.g. trading partners and service providers
Social media exposes business with poor breach response capabilities
Viewing security as a compliance issue creates a significant barrier
Heavy planning and not enough commitment and action to real change
View as a competitive advantage as a trusted partner in the digital economy
2013 report:
Embed cyber in all activities with appropriate responsibility/accountability, recognizing people as weakest link
Accept that security will be compromised and consider use of 3rd party advisors
Focus on critical information assets, where stored and who has access
Get the basics right and demonstrate commitment to a strong security culture and show leadership to encourage behavioral change
57
ICAEW Audit Insights: Cyber Security 2015: Board recommendations
To ensure a commitment and priority to deliver real change
Continue to build cyber security knowledge/confidence and challenge officials to explain security strategy and risk mitigation plans
Should ensure they can explain their critical data and associated risks, even where regulatory pressure does not exist
Ensure security is designed into strategy and operations, especially new activities
Focus attention on monitoring, detection and response capabilities, including ad hoc cyber simulations, and not just consider preventive actions
Focus on making a positive case for security, based around being a trusted partner in the digital economy
Determine information needs regarding cyber risks and track progress of security activities
Drive adoption system-wide, including trading partners and supply chains
58
Information governance takes a village
Actor: High level responsibilities
Board of Directors: Duty to protect corporate assets: information (PII, trade secrets, IP) and critical infrastructure. SEC cybersecurity risk disclosure.
Executives: Program commitment; establish as a strategic imperative; provide resources/budget
Privacy Governance Steering Committee (charter & standing agenda): Provide strategic guidance and ensure management support. Help establish risk tolerance through risk related decision-making/guidance (risk assessments). Ensure privacy/security officials are engaged by their staff/resource owners for privacy/security related design or other issues – be their “eyes and ears”
Privacy & Security Officials: Program leadership and establishment; SEC cybersecurity disclosure sign-off if public
Management: Program support; on-the-job privacy/security training; ID staff AUP violations; ID prospective service providers to CPO early for due diligence; own Privacy/Security-by-Design for non-engineering activities
Privacy Liaisons: Liaisons for each privacy data lifecycle function ensure adherence to privacy policy
HR: Identify/schedule new hires for privacy/security training; conduct background checks
Legal / Compliance: Ensure proper contracting with service providers; keep the Board abreast of privacy and cybersecurity risk exposure and posture
InfoSec Team: Implementation working group: regular review of RBAC rights; ensure implementation of risk mitigation activities and report status to Steering Committee
Domain Owners: Application security; technical controls; physical controls; administrative controls (or 13 domains in ISO 27002:2013)
Resource Owners: Authorize RBAC roles; grant rights; periodically review rights for accuracy
Resource Custodians: Implement approved RBAC rights; ensure Privacy/Security-by-Design for resources
Engineering Director / Program Manager: Provide Privacy/Security-by-Design guidance to engineers and SQA as well as code review teams for data driven initiatives, new / enhanced resources, and as changes are made to data flow process and/or data locations
Workforce Members: Adhere to AUP and other policies/SOPs
59
Risk assessment and management
Formal risk assessment process
- Invite appropriate participants and appoint a facilitator and record keeper
- Identify risks through brainstorming using data mapping and other tools
- Determine effectiveness of existing controls
- Determine likelihood of occurrence and severity of impact
- Rank based on total risk value and determine material risks requiring response
- Assign risk owner and agree on risk response based on organization risk tolerance
Risk mitigation planning and execution
- Develop risk mitigation plans including milestones
- Ensure mitigation plans are developed into requirements, implemented and tested prior to roll-out
Approval and tracking by Privacy Steering Committee
- Obtain approval of identified and material risks, risk owners, risk response, and mitigation plans
- Track / report on implementation progress of mitigation plans
- Update policies/SOPs and training as appropriate
60
Basic risk assessment template
Column groups: Risk Scope | Controls Evaluation | Risk Valuation
Columns:
- #
- Risk
- Scope In/Out
- Domain / Domain Owner
- Key Potential Root Causes
- Existing Key Controls
- Controls Effectiveness (1-10)
- Potential Effects / Impacts
- Net Likelihood (1-7)
- Net Impact (1-6)
- Net Loss (1-7)
Example row (last four columns): 5, Medium, Damaging, High
Net Loss: Negligible, Very Low, Low, Medium, High, Very High, Extreme
61
5 risk responses
Accept – Business decides to accept the current level of risk because: a) the mitigation costs outweigh the benefits; or b) the key causes are out of its control (inescapable part of doing business)
Avoid - Eliminate a process or product to avoid the risk or condition as the risks outweigh the rewards. E.g., eliminate installing a faulty slide that could hurt children from the project plan
Transfer/Share - Contractually shift or share the consequences of a risk to a third party or insure the risk
Monitor – Temporarily delay selecting another response until more information, usually research, is obtained. Timeframe should be agreed upon, usually no more than 30-60 days, and tracked
Mitigate – Improve control effectiveness to control the risk to an acceptable threshold, either by reducing the frequency and/or the effect
Rationales and approving authorities must be documented for all responses
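The risk = probability x impact matrix from the business-case section, the Net Likelihood / Net Impact / Net Loss columns of the assessment template, and the five responses with their documentation rule fit together as a small risk register. The code below is an added example, not the speaker’s material: the matrix values are copied from the slide, while the register entries, the tolerance threshold, the Risk dataclass and the function names are constructed assumptions.

```python
"""Risk valuation and response recording following the deck's probability x
impact matrix, the risk assessment template and the five risk responses.

Added example, not from the deck. The matrix values come from the slide; the
register entries and the tolerance threshold are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

# Net Likelihood 1-7 and Net Impact 1-6, in the order used by the template.
LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
IMPACT = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]
RISK_ORDER = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: probability of occurrence; columns: impact severity (IMPACT order).
MATRIX = {
    "Negligible": ["Very Low", "Very Low", "Low", "Low", "Low", "Low"],
    "Very Low":   ["Very Low", "Low", "Low", "Low", "Moderate", "Moderate"],
    "Low":        ["Very Low", "Low", "Moderate", "Moderate", "High", "High"],
    "Medium":     ["Very Low", "Low", "Moderate", "High", "High", "Very High"],
    "High":       ["Low", "Moderate", "High", "High", "Very High", "Very High"],
    "Very High":  ["Low", "Moderate", "High", "High", "Very High", "Very High"],
    "Extreme":    ["Low", "Moderate", "High", "Very High", "Very High", "Very High"],
}

RESPONSES = {"Accept", "Avoid", "Transfer/Share", "Monitor", "Mitigate"}


def risk_level(likelihood: Union[int, str], impact: Union[int, str]) -> str:
    """Look up the matrix; arguments may be labels or 1-based scale positions."""
    row = LIKELIHOOD[likelihood - 1] if isinstance(likelihood, int) else likelihood
    col = impact - 1 if isinstance(impact, int) else IMPACT.index(impact)
    return MATRIX[row][col]


@dataclass
class Risk:
    ref: int
    description: str
    net_likelihood: int          # 1-7, after existing controls
    net_impact: int              # 1-6, after existing controls
    owner: str = ""
    response: Optional[str] = None
    rationale: str = ""
    approver: str = ""
    monitor_days: Optional[int] = None

    @property
    def net_loss(self) -> str:
        return risk_level(self.net_likelihood, self.net_impact)


def rank(register: List[Risk]) -> List[Risk]:
    """Highest valued risks first; the sort is stable, so ties keep register order."""
    return sorted(register, key=lambda r: RISK_ORDER.index(r.net_loss), reverse=True)


def material_risks(register: List[Risk], tolerance: str = "Moderate") -> List[Risk]:
    """Risks valued above the organisation's tolerance require a documented response."""
    floor = RISK_ORDER.index(tolerance)
    return [r for r in rank(register) if RISK_ORDER.index(r.net_loss) > floor]


def record_response(risk: Risk, response: str, rationale: str, approver: str,
                    monitor_days: Optional[int] = None) -> Risk:
    """Record one of the five responses; rationale and approving authority are mandatory,
    and Monitor needs an agreed, tracked timeframe (usually no more than 30-60 days)."""
    if response not in RESPONSES:
        raise ValueError(f"unknown response {response!r}; expected one of {sorted(RESPONSES)}")
    if not rationale.strip() or not approver.strip():
        raise ValueError("rationale and approving authority must be documented")
    if response == "Monitor" and (monitor_days is None or not 0 < monitor_days <= 60):
        raise ValueError("Monitor needs an agreed timeframe of at most 60 days")
    risk.response, risk.rationale, risk.approver = response, rationale, approver
    risk.monitor_days = monitor_days if response == "Monitor" else None
    return risk


# Constructed register for a cloud migration assessment.
REGISTER = [
    Risk(1, "Unencrypted PHI in CSP-replicated backups", net_likelihood=3, net_impact=5),
    Risk(2, "Stale RBAC rights after role changes", net_likelihood=4, net_impact=3),
    Risk(3, "CSP console logins without MFA", net_likelihood=5, net_impact=4),
    Risk(4, "Marketing contact list disclosed", net_likelihood=2, net_impact=2),
]

if __name__ == "__main__":
    for r in material_risks(REGISTER):
        print(r.ref, r.net_loss, r.description)
    record_response(REGISTER[0], "Mitigate", "Encrypt at rest with client-held keys",
                    "Privacy Steering Committee")
```

Risk 1 illustrates the slide’s note: a Low likelihood combined with a Serious impact still values as High, so it lands in the material list next to the more likely MFA gap, while the stale-RBAC risk sits at Moderate and, at this tolerance, needs no formal response.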
62
RM tiers in NIST Cyber Security Framework – Tier Definitions
Tier 1 – PARTIAL
RM Process: Informal, ad-hoc (and sometimes reactive) RM practices. Prioritization of RM may not be directly informed by organizational risk objectives, the threat environment, or business requirements.
Integrated RM Program: Limited RM awareness. RM implemented on an irregular, case-by-case basis. Processes do not enable risk information to be shared within the organization.
External Actions: No processes in place to share information with other entities.
Tier 2 – RISK INFORMED
RM Process: Management approved RM practices are not established in policy. Prioritization of RM is directly informed by organizational risk objectives, threat environment, or business/mission requirements.
Integrated RM Program: Risk awareness but informal RM. RM procedures are implemented. Staff has adequate resources to perform their RM duties. Risk information is informally shared within the organization.
External Actions: Awareness, but no formalized capabilities to interact and share information externally.
Tier 3 – REPEATABLE
RM Process: Formal RM practices in policy. RM practices are regularly updated based on changes in business requirements and a changing threat and technology landscape.
Integrated RM Program: Formal RM and policies/procedures are implemented/reviewed and respond effectively to changes in risk. Personnel possess knowledge/skills to perform appointed roles/responsibilities.
External Actions: Understanding of dependencies and collaborates and receives information with other entities.
Tier 4 – ADAPTIVE
RM Process: Lessons learned and predictive indicators inform RM practices. Actively adapts to a changing risk landscape and responds to evolving/sophisticated threats in a timely manner.
Integrated RM Program: RM is part of the culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on systems/networks.
External Actions: Collaborate to ensure accurate, current information to improve RM actions before events occur.
63
Basic risk mitigation planning template
Column groups: Risk Response | Risk Mitigation Status Update | Post Mitigation Valuation
Columns:
- #
- Risk
- Risk Response
- Mitigation Plan Owner
- Mitigation Strategy
- Action Plans
- Planned Due Date
- On-Track Completion Progress: G, Y, R
- Controls Effectiveness (1-10)
- Post Mitigation Likelihood (1-7)
- Post Mitigation Impact (1-6)
- Post Mitigation Loss (1-7)
On-Track Completion Progress: Green, Yellow, Red – allows a quick status update to inquire about issues/obstacles where appropriate
Post Mitigation Loss: Negligible, Very Low, Low, Medium, High, Very High, Extreme
Executive (VPs+) commitment is demonstrated through participation in the Privacy Steering Committee for purposes of:
Reviewing program reporting and providing appropriate guidance and approvals, for example risk assessment approval, breach/security incident updates, etc.
Reviewing and approving policies as appropriate
Allocating adequate resources and budget
Ensuring management support and engagement to implement policy
Management (Directors + anyone with direct reports) shall actively support information security and the company’s adherence to the requirements of all program policies by:
Ensuring “Privacy/Security-by-Design” when creating requirements for new/enhanced products, services, systems, and engagements with vendors and partners
Ensuring implementation of adequate privacy/security controls across the company
Providing oversight of users to ensure compliance with the Acceptable Use Policy and other policies
Requesting that the CPO conduct due diligence of service providers/vendors who may have access to PHI/PII, and properly contracting with them prior to granting access. Such contracts shall include the Business Associate Agreement and Information Security Agreement as appropriate.
Reporting non-compliance with the program’s policies to either the CPO or another InfoSec Team member
66
Cross Border Transfer Rules (mechanisms)
Available options (these apply even to companies with international offices transferring data to a U.S. facility):
1. De-identified data – Pathway is implementing this option March 1, 2014 – consent updated; reject non-de-identified samples and destroy on a 60-day cycle
2. Safe Harbor – EU proposes 13 changes to strengthen accountability and enforcement (NSA reaction)
3. Consent – clear and unambiguous – disclose that the data transfer is to a country with inadequate privacy safeguards
4. Data transfer agreements, e.g., to deliver a product/service – Model Contract Clauses – Binding Corporate Rules (BCRs)
The EU believes its jurisdiction applies when (a contractual “choice of law” clause in a privacy policy does not override this reach):
There is a corporate presence or agent in the EU/EEA
Cookies are placed on its citizens’ computers (not legally tested)
The proposed new EU law exerts jurisdiction if goods/services are offered to, or there is monitoring of, its citizens
U.S. Sentencing Guidelines for Effective Compliance Programs
For remedying harm from criminal conduct, and for an effective compliance and ethics program
Seven criteria used by state AGs and regulatory authorities to determine corporate culpability and impose appropriate sanctions:
1. Designate a privacy/security official for day-to-day compliance and clearly define roles and responsibilities for personnel, management, and the executive governance committee
2. Establish written, comprehensive policies, procedures, and standards to prevent and detect criminal conduct/unacceptable behavior and promote a culture of compliance
3. Conduct on-boarding and annual training and continual education; communicate company standards/procedures to officers, employees, and agents as appropriate
4. Develop open lines of communication for reporting security incidents and other compliance issues, which should include providing an anonymous hotline and conducting exit interviews to uncover unreported issues
5. Monitor and self-audit by regularly conducting risk assessments and control assessments, reporting program effectiveness to the executive governance committee, and continually updating and improving the program
6. Respond appropriately to incidents and take steps to prevent recurrence, including investigation, mitigation plans, and, as appropriate, breach notification
7. Ensure consistent enforcement and discipline of violations of well-publicized policies to demonstrate program credibility and integrity and commitment to compliance, and to prevent recurrence
Regulators refer to this as a “culture of compliance”
67
Top 20 SANS Critical Security Controls for Effective Cyber Defense
Strengthen the 10-year-old HIPAA Security Rule with a well-vetted “Standard of Care”
68
Originally developed by the Consortium for Cyber Action, which includes government agencies and private organizations (such as SANS, Verizon Business, American Express, Booz Allen Hamilton, Center for Internet Security, Core Security, Department of Defense Cyber Crime Center, Defense Information Systems Agency, Goldman Sachs, McAfee, nCircle, Qualys, Tenable, Australian Government - Innovations, Citibank, Centre for the Protection of National Infrastructure, Department of Homeland Security, Department of Defense, Mandiant, Mitre, National Security Agency, Symantec, and others).
Tier 1. VERY HIGH:
Inventory of Authorized & Unauthorized Devices (1)
Inventory of Authorized & Unauthorized Software (1)
Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers (1a.)
Continuous Vulnerability Assessment & Remediation (1a.)
Security Configurations for Network Devices, e.g. Firewalls, Routers, & Switches
Limitation & Control of Network Ports, Protocols, & Services
Controlled Use of Administrative Privileges
Boundary Defense
Tier 4. Medium:
Data Recovery Capability
Security Skills Assessment & Appropriate Training to Fill Gaps
Maintenance, Monitoring, & Analysis of Audit Logs
Controlled Access Based on Need to Know
Secure Network Engineering
Penetration Tests & Red Team Exercises
Tiers are based on an assessment by NSA alone. All are considered important controls; the tiers may help with prioritization of efforts.
First 5 Quick Wins: application white-listing; using common, secure configurations; patching application software within 48 hrs; patching system software within 48 hrs; reducing the number of users with administrative privileges.
Verizon Business no longer includes a list of remediation recommendations for its common root-cause findings in its annual Data Breach Investigations Report and instead refers to the SANS Top 20 CSCs.
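Three of the quick wins above (patch application software within 48 hours, patch system software within 48 hours, reduce the number of users with administrative privileges) are measurable from ordinary inventory data, which is how a steering committee can see whether the "Standard of Care" is actually being met. The following is an added example, not code from the presentation or from SANS; the patch records, host names and account list are constructed, and the 48-hour window is the figure quoted on the slide.

```python
"""Measure the SANS CSC quick wins for patch timeliness and admin sprawl.

Added example (not from the presentation). The inventory below is constructed;
in practice it would come from a patch-management or CMDB export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The slide's quick-win target: patch application and system software within 48 hrs.
PATCH_SLA = timedelta(hours=48)


@dataclass
class PatchRecord:
    host: str
    package: str
    kind: str                       # "application" or "system"
    released: datetime              # when the vendor made the fix available
    installed: Optional[datetime]   # None means the host is still unpatched


def hours_to_patch(record: PatchRecord, now: datetime) -> float:
    """Elapsed time from vendor release to installation; for an unpatched host,
    the clock is still running, so measure up to `now`."""
    done = record.installed if record.installed is not None else now
    return (done - record.released).total_seconds() / 3600.0


def sla_violations(records: List[PatchRecord], now: datetime) -> List[PatchRecord]:
    """Records that missed (or, if still unpatched, have already missed) the 48 h window."""
    return [r for r in records if timedelta(hours=hours_to_patch(r, now)) > PATCH_SLA]


def patch_sla_summary(records: List[PatchRecord], now: datetime) -> Dict[str, Dict[str, int]]:
    """Count within-SLA vs late records, split by software kind, for the committee report."""
    late = sla_violations(records, now)
    summary: Dict[str, Dict[str, int]] = {}
    for r in records:
        bucket = summary.setdefault(r.kind, {"within_sla": 0, "late": 0})
        bucket["late" if r in late else "within_sla"] += 1
    return summary


def admin_accounts(accounts: Dict[str, List[str]]) -> List[str]:
    """Accounts holding administrative privileges (local Administrators or sudo).
    The quick win is to make this list shorter over time."""
    privileged = {"Administrators", "sudo"}
    return sorted(name for name, groups in accounts.items() if privileged & set(groups))


# Constructed sample data: the "current time" is the day of the talk.
NOW = datetime(2014, 11, 13, 9, 0)
SAMPLE_PATCHES = [
    # installed 26 h after release: within SLA
    PatchRecord("web-01", "openssl", "system", datetime(2014, 11, 10, 8, 0), datetime(2014, 11, 11, 10, 0)),
    # installed 93 h after release: late
    PatchRecord("web-01", "java-runtime", "application", datetime(2014, 11, 8, 12, 0), datetime(2014, 11, 12, 9, 0)),
    # not yet installed, 27 h old: still inside the window
    PatchRecord("db-02", "kernel", "system", datetime(2014, 11, 12, 6, 0), None),
    # not yet installed, 90 h old: already late
    PatchRecord("ws-17", "browser", "application", datetime(2014, 11, 9, 15, 0), None),
]
SAMPLE_ACCOUNTS = {
    "alice": ["Users", "Administrators"],
    "bob": ["Users"],
    "svc-backup": ["Users", "Administrators"],
    "carol": ["Users", "sudo"],
}


if __name__ == "__main__":
    for r in sla_violations(SAMPLE_PATCHES, NOW):
        state = "unpatched" if r.installed is None else "patched late"
        print(f"{r.host:8} {r.package:14} {r.kind:12} {hours_to_patch(r, NOW):6.1f} h  {state}")
    print(patch_sla_summary(SAMPLE_PATCHES, NOW))
    print("admin accounts:", admin_accounts(SAMPLE_ACCOUNTS))
```

Unpatched hosts are measured against the current time rather than skipped, so a host that has simply never been patched shows up as a violation instead of silently dropping out of the metric; the summary per software kind maps directly onto the two separate 48-hour quick wins on the slide.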
69
Certified, experienced privacy (CIPP), security (CISSP), and cloud (CCSK) professionals help you establish a legally defensible Privacy and Security Program with our 2-phased process:
Phase 1 – Gap Assessment
Create data flow, inventory, and locations map
Conduct controls evaluation of your current program against applicable regulations and standards. These may include HIPAA, PCI-DSS, GLBA, ISO 27002:2013, NIST Cybersecurity Framework, SEC Cybersecurity Alert, state privacy laws, cross-border transfer rules, cloud strategy, mobile apps, and more.
Perform risk assessment
Provide report of findings and prioritized roadmap for you to establish or strengthen your program
Phase 2 – Implementation
Assist with custom implementation of Phase 1 recommendations, including policies and procedures
An effective transfer of knowledge and all our tools are provided to enable you to establish a LEAN Privacy and Security Program that is sustainable and legally defensible. Our goal is always to create a raving client!