
Page 1: Customer Data at Risk - iapp.org … · Helicopter Assessments “Real Life” Findings Reporting & Communication 4. Q & A . ... To understand relevant risks in detail Improve customer

Daniel Hallen Florian Stahl

Customer Data at Risk

Why simple compliance is not enough

Page 2

ABOUT US

Florian Stahl

Lead Consultant for Information Security

CISSP, CIPP/IT

Security & Privacy evangelist

Works in Munich for msg systems ag, Germany’s 5th largest IT consulting and software company

[email protected]

Daniel Hallen

Managing Partner and founder Dahamoo GmbH

20 years’ international experience in Information Security & Privacy

Mathematician, Executive MBA, CISSP

[email protected]

Page 3

AGENDA

1. Background

2. Shortcomings of “just” compliance …

… motivated a new assessment method:

3. Helicopter Assessments

“Real Life” Findings

Reporting & Communication

4. Q & A

Page 4

BACKGROUND

Large-scale customer data loss incident

… despite formal compliance!

Company's own interest

To understand relevant risks in detail

Improve customer data security

Page 5

COMPLIANCE

Definition: “Compliance is either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so.” *

In the context of Data Protection: Fulfillment of laws and regulations to avoid fines

Conformance to policies and customer contracts

Compliance audit: A (real life) = B (requirement)

Checklist approach with predefined requirements (“B”)

* Source: http://searchdatamanagement.techtarget.com/definition/compliance

Page 6

COMPLIANCE

Shortcomings of the compliance approach:

Reality is more complex than requirements

No flexibility to find other risks than anticipated beforehand

Moreover, it mostly follows a formal, top-down approach with

Focus on contracts, policies, approvals, checklists, in other words “paper”

Hence, no time to get to the bottom of real working procedures

However: It gives you the feeling that you are safe, because checklists are completed (“the job is done”) and compliance can be demonstrated

Page 7

HOW DO YOU ASSESS?

Survey – please participate!

Do you perform data protection assessments?

Which approach: Compliance or risk-based?

Do you use checklists?

Do you perform on-site audits at your IT provider, supplier, subsidiaries?

Do you interview your partner or do they perform self assessments?

Are your assessments document-based or do you check the operational effectiveness of data protection as well?

Page 8

A DIFFERENT APPROACH

Risk-based “Helicopter Assessment”:

Flexible, interactive approach, based on interviews & production checks

Focuses on risks and vulnerabilities in systems and processes, where “real life” incidents happen!

Utilizes a risk rating to compare results

Instant, understandable presentation of preliminary results

Success factor: Experienced auditors know where to “dig” and which height to fly (flexible like a helicopter)

Page 9

ASSESSMENT RESULTS (1)

Finding: An external bike courier takes customer billing data on an external encrypted hard disk to the print house. The encryption password is written down on a piece of paper that the courier has in his pocket.

Compliance-based approach would ask: Was the data encrypted during transfer?

How to solve? Transfer the encryption password through a different channel.

Page 10

ASSESSMENT RESULTS (2)

Finding: The marketing department has a shadow copy of the central CRM system DB to perform user analysis with SQL queries that are not possible with the standard queries of the CRM application. The copy is updated regularly.

Compliance-based approach would ask: Is customer data in the CRM system secure?

How to solve?

Do not allow any copies or data export from the original system unless the same level of security is ensured.

The customer has to agree if you perform extended analysis on his or her data.

Control your marketing / sales department.

Page 11

ASSESSMENT RESULTS (3)

Finding: External call center agents that work for more than one client use the contact data of the customers of company A to sell them products of company B without mandate.

Compliance-based approach would ask: Are contracts regarding privacy and non-disclosure agreements in place?

How to solve?

Employ call center agents that exclusively take care of your customers, if possible.

Put strict contracts and guidelines in place.

Control the agreements in practice (on-site audit).

Provide training.

Page 12

ASSESSMENT RESULTS (4)

Finding: Because the internal backup system is not trusted, the operations staff decided to rely on the external print house instead, i.e. not ordering deletion of printed billing data.

A compliance-based approach would ask: Are backups in place and secure?

How to solve? Backups and archiving should be separated from printing bills (separation of duties) or at least regulated by contract:

Availability: Backup (Operations) vs. Confidentiality: Deletion (Data Security)

Page 13

HOW TO REPORT RISKS ?

Dilemma 1: Risks deal with an uncertain future

Hence, any risk rating system includes subjective factors

Dilemma 2: Risks are very complex by nature

Hence, any risk rating system must reduce complexity to be usable

Dilemma 3: Management does not understand the details

Hence, risk communication systems must be easy to understand

Conclusion: We need a suitable way to rate and communicate findings.

Page 14

REPORTING & COMMUNICATION

Objective: Design a rough and subjective, but simple, transparent and reproducible rating system that enables risk communication on management level

Approach:

- Evaluate findings by preset factors like
  - Attack vectors
  - Attacker know-how and motivation
  - Value of assets
- Use a scale from 0 – 10 (highest risk) to score each finding
- Add up risk scores per application or business unit

Benefits:

- Relative comparability
- Efficient risk communication
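The following Python script is an added illustration of the rating approach described on this slide; it is not a tool from the presenters, msg systems or Dahamoo. It rates each finding on the three preset factors (attack vectors, attacker know-how and motivation, value of assets), combines them into one 0–10 score per finding and adds the scores up per business unit so units can be compared. The combination rule (equal weights, rounded mean), the business-unit names and all factor values are assumptions made here; the four sample findings mirror the assessment results slides, with invented values in the spirit of the presenters' own remark that all values have been invented.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One assessment finding, rated on the three preset factors.

    Each factor is rated 0-10 where 10 means "contributes most to risk"
    (e.g. many easy attack vectors, capable and motivated attackers,
    highly valuable customer data)."""
    title: str
    business_unit: str
    attack_vectors: int
    attacker_capability: int   # know-how and motivation of likely attackers
    asset_value: int


def score_finding(f: Finding) -> int:
    """Combine the three factors into a single 0-10 risk score.

    Assumption (not from the slides): equal weights and a rounded mean.
    Any written-down rule would do; what matters for the stated objective is
    that the rating is transparent and reproducible, not that it is precise."""
    for value in (f.attack_vectors, f.attacker_capability, f.asset_value):
        if not 0 <= value <= 10:
            raise ValueError(f"factor out of range 0-10 in finding {f.title!r}: {value}")
    return round((f.attack_vectors + f.attacker_capability + f.asset_value) / 3)


def score_by_unit(findings: list[Finding]) -> dict[str, int]:
    """Add up finding scores per business unit, as the slide proposes."""
    totals: dict[str, int] = defaultdict(int)
    for f in findings:
        totals[f.business_unit] += score_finding(f)
    return dict(totals)


def ranked_units(findings: list[Finding]) -> list[tuple[str, int]]:
    """Business units ordered from highest to lowest total risk (ties by name)."""
    return sorted(score_by_unit(findings).items(), key=lambda kv: (-kv[1], kv[0]))


def report(findings: list[Finding]) -> str:
    """Short, management-level text: one line per unit, highest risk first."""
    per_unit: dict[str, list[int]] = defaultdict(list)
    for f in findings:
        per_unit[f.business_unit].append(score_finding(f))
    lines = ["Risk score per business unit (sum of finding scores, 0-10 each):"]
    for unit, total in ranked_units(findings):
        scores = per_unit[unit]
        lines.append(f"{unit}: {total} ({len(scores)} findings, "
                     f"highest single finding: {max(scores)})")
    return "\n".join(lines)


# Constructed sample data: the four findings from the assessment results
# slides, with business units and factor values invented for this example.
SAMPLE_FINDINGS = [
    Finding("Courier carries encryption password with the encrypted disk",
            "Billing", attack_vectors=8, attacker_capability=7, asset_value=9),
    Finding("Marketing keeps a regularly refreshed shadow copy of the CRM DB",
            "Marketing", attack_vectors=6, attacker_capability=5, asset_value=9),
    Finding("Shared call center agents reuse contact data across clients",
            "Customer Service", attack_vectors=5, attacker_capability=8, asset_value=6),
    Finding("Print house used as de-facto backup, printed bills never deleted",
            "Billing", attack_vectors=4, attacker_capability=3, asset_value=8),
]


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

Because the per-unit totals are plain sums of 0–10 scores, a unit with several moderate findings can outrank a unit with one severe one; the report therefore also shows the highest single finding per unit so that management sees both the accumulated exposure and the worst individual risk.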

Page 15

REPORTING & COMMUNICATION

Remark: All values have been invented. High values indicate high risks.

Comparison amongst business units

Page 16

REPORTING & COMMUNICATION

Remark: All values have been invented. High values indicate high risks.

Example of a more sophisticated reporting:

Open findings of “assessment 1”

Colored by Security Category

Page 17

SUMMARY

Compliance-based data protection assessments have weaknesses:

Focus on standard issues without considering the risk situation of the company

Are not efficient because they (might) focus on the wrong issues

Checklists often do not offer the required flexibility

Risk-based data protection assessments:

Identify key risks in an efficient way

Professional judgment required (experienced auditor)

Open and instant communication raises awareness

Comparable results and competition as motivation