Information Assurance in a Global Context: Strategies for Security and Privacy for Cross-Border and Multi-national Organizations
Matt Stamper, MPIA, MS, CISA, ITIL
VP of Services: redIT
President: ISACA San Diego Chapter
Co-Chair: InfraGard San Diego
Board of Advisors: Multiple
WCIT
Guadalajara, Jalisco
September 28th, 2014
Agenda
Why information assurance (IA) matters
Core Definitions: ILM, Security, Privacy, and IA
Regulatory Requirements
Frameworks & Approaches
New Technologies: IoT & Cloud
Lessons from Tijuana/San Diego
Questions & Comments
PAGE 3
Why Information Assurance Matters…
We rarely question the quality of information we use to make decisions…putting our organizations, economies, and personal lives at risk
Information is the most valuable asset in our economy and fuels innovation & growth (data is the raw material of the global economy)
o Commerce
o Science
o Government
Our dependencies on accurate and timely information are increasing exponentially
Massive asymmetries in IA practices
Gap between laws & regulations and practice
Critically, trust is at risk!
PAGE 4
Trust and Societies: Quantifiable Impact
“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. “That suggests that trust is worth $12.4 trillion dollars a year to the U.S., which, in case you are wondering, is 99.5% of this country’s income (2006 figures). If you make $40,000 a year, then $200 is down to hard work and $39,800 is down to trust” (http://www.forbes.com/2006/09/22/trust-economy-markets-tech_cx_th_06trust_0925harford.html)
“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world” (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February, 2012: White House)
Trust is at the heart of today’s complex global economy. But, paradoxically, trust is also in increasingly short supply in many of our societies, especially in our attitudes towards big business, parliaments and governments. This decline threatens our capacity to tackle some of today’s key challenges (http://www.oecd.org/forum/the-cost-of-mistrust.htm)
“The Growth of the Internet and the ability to move data rapidly and globally has been a key building block of the global economic order” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)
“Exports (emphasis mine) of cloud computing services were estimated to be worth approximately $1.5b in 2010 (and this is likely a conservative figure) and the market for cloud computing services is anticipated to grow by up to 600 percent by 2015” (“Policy Challenges of Cross-Border Computing” – Journal of International Commerce and Economics, November 2012).
Over 2 Billion Individuals have access to the Internet
More devices will be connected than people – billions of devices
Nearly free transaction costs
The days of information arbitrage are over
Barriers to innovation & exploitation are equally low
Critical Shared Data Sets
Weather & Climate data
Census data
Healthcare and Disease Control data
Financial & Currency data
Trade data
A McKinsey Global Institute study estimated that the Internet contributed over 10 percent of GDP growth over the last five years in the world’s top ten economies, and that for every job lost as a result of the Internet, 2.6 jobs have been created.
PAGE 7
Open Government Initiatives: Public Sector Data
Governments across the globe recognize that information is both:
A national resource that requires protection
A public good that should be readily disseminated
Key areas of focus within the Open Government community include:
Transparency with budgets & procurement
Private/Public Sector data sharing
Innovation
“The original and essentially libertarian nature of the Internet is increasingly being challenged by assertions by government of jurisdiction over the Internet or the development of rules that restrict the ability of individuals and companies to access the Internet and move data across borders” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)
PAGE 8
Why Information Assurance is Critical Now!
Here’s just a quick sampling of what’s occurring on a daily basis. This is just the US public sector.
Organized Criminals in Russia Steal 1b Passwords (8/5/2014)
According to a Ponemon Institute study, criminal attacks on healthcare systems have risen 100% since 2010, with the average cost of a breach at $2m (US)
Over 90% of healthcare organizations have had a breach in the last two years, with 38% having had more than five incidents (down from 45% the previous year)
Risks with mandated health information exchanges (third-party considerations) / weakest link despite security standards from HIPAA-HITECH
Bring Your Own Device (BYOD) - nearly 50% of breaches attributed to a lost or stolen device, and over 88% of organizations allow the use of BYOD
Fortunately, the number of records compromised has decreased based on earlier detection and incident response – we’re getting better at handling security breaches…practice makes perfect?
Working Definitions
PAGE 11
Security - Defined
The easiest way to think about security is to think about the outcome of what good security provides: confidentiality, integrity, and availability of information (CIA).
Confidentiality is the end-state of ensuring that information is only viewed and acted upon by those individuals, organizations, or systems that are authorized to see such information. “A loss of confidentiality is the unauthorized disclosure of information” – FIPS 199.
Integrity is the end-state of information and its processing such that the information is believed to be complete, accurate, valid and subject to restricted access (CAVR)…essentially untampered with or otherwise modified by unauthorized activity. “A loss of integrity is the unauthorized modification or destruction of information” – FIPS 199.
Availability is simply that…that the information is available for its required use without delay or loss. “A loss of availability is the disruption of access to or use of information or an information system” – FIPS 199.
Collectively, IT security is the set of processes that are involved with ensuring that data and information meet the confidentiality, integrity, and availability objectives of the business.
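FIPS 199, quoted above for its definitions of the three objectives, also prescribes how they are turned into a security category for classifying information: each objective is rated for the potential impact of its loss (LOW, MODERATE or HIGH), the ratings are written as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, and a system holding several information types takes the highest rating per objective (the "high-water mark"). The following is an added example of that scheme in working Python; it is not code from the deck or from FIPS 199 itself, and the information types and impact ratings in it are constructed for illustration.

```python
"""FIPS 199 style security categorization (added example, not from the deck).

FIPS 199 rates the potential impact of a loss of confidentiality, integrity or
availability as LOW, MODERATE or HIGH and writes an information type's category as
    SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
For a system holding several information types it takes the highest impact per
objective (the "high-water mark"), and the highest of those three is the system's
overall impact level.  The information types and ratings below are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    # FIPS 199 permits "not applicable" for confidentiality only (public data).
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

    def label(self) -> str:
        return "N/A" if self is Impact.NOT_APPLICABLE else self.name


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # A loss of integrity or availability always has some impact.
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError("N/A is permitted for confidentiality only")

    def overall(self) -> Impact:
        """Overall impact level: the highest of the three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)

    def notation(self) -> str:
        """Render the category in the notation FIPS 199 uses."""
        return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
            self.confidentiality.label(), self.integrity.label(), self.availability.label())


def high_water_mark(categories: Iterable[SecurityCategory]) -> SecurityCategory:
    """Combine per-type categories into one system category, objective by objective."""
    cats = list(categories)
    if not cats:
        raise ValueError("at least one information type is required")
    return SecurityCategory(
        confidentiality=max(c.confidentiality for c in cats),
        integrity=max(c.integrity for c in cats),
        availability=max(c.availability for c in cats),
    )


# Constructed sample: information types held by a hypothetical health
# information exchange of the kind the deck discusses.
SAMPLE_TYPES: Dict[str, SecurityCategory] = {
    "public_disease_statistics": SecurityCategory(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    "patient_records": SecurityCategory(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "billing_and_payment": SecurityCategory(Impact.MODERATE, Impact.HIGH, Impact.LOW),
}


def categorize_system(types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Security category of a system that processes all of the given information types."""
    return high_water_mark(types.values())


if __name__ == "__main__":
    for name, cat in SAMPLE_TYPES.items():
        print(f"{name:28s} {cat.notation()}")
    system = categorize_system(SAMPLE_TYPES)
    print("system:", system.notation(), "-> overall", system.overall().label())
```

The point of the high-water mark is that a single sensitive information type (here, patient records) drives the whole system to the HIGH level, which is why classifying data before it is mixed into shared systems or cross-border exchanges matters: once combined, the system inherits the most demanding rating.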
PAGE 12
Privacy - Defined
Definitions of privacy are growing more nuanced over time.
Privacy is “the right to be left alone” (Samuel Warren & Louis Brandeis: The Right to Privacy, Harvard Law Review, 1890).
Privacy is “the right of the individual to be protected against the intrusion into his (her) personal life or affairs, or those of his (her) family, by direct physical means or by publication of information” (UK, Calcutt Committee: 1997)
Privacy has contextual considerations:
Information Privacy
Bodily Privacy
Territorial / Physical Privacy
Communications Privacy (Foundations of Information Privacy and Data Protection, Swire, et al., IAPP, 2012)
PAGE 13
Information Assurance: Three Perspectives
National Defense: Information Assurance as a concept is strongly influenced by the defense and national security communities and the concept of network centric warfare techniques:
“Measures that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” (Department of Defense Directive Number 8500.1: October 24, 2002)
Corporate View: Intellectual Property, Financial, Client & Partner Data is subject to appropriate governance & controls – CAVR.
Consumer View: Personal Health, Financial and other UII Data is controlled by the individual and disclosure is also controlled by the individual.
PAGE 14
Data Classification
Given the regulatory and jurisdictional issues related to information and data flows, organizations need to implement best practices to classify their data. There are a number of approaches including:
ISACA’s “IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud” provides a solid framework for assessing controls in cloud environments and a reference for good governance.
“ISACA defines governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved and ascertaining that risks are managed appropriately.”
Leveraging cloud services requires controls and governance that touch upon the following: