Trust Economics: The Critical Linkages Between Information Assurance, Privacy & Security

Matt Stamper, MPIA, MS, CISA, ITIL, CIPP-US
VP of Services: redIT
President: ISACA San Diego Chapter
Co-Chair: InfraGard San Diego
Board of Advisors: Multiple

PAGE 2

Agenda

• Trust Economics
• Why Information Assurance (IA) matters
• ILM, Security, Privacy, and IA Defined
• Regulatory Requirements
• Frameworks & Approaches
• Impact of New Technologies: Internet of Things (IoT), Cloud
• Questions & Comments

PAGE 3

The important work of the IIA & ISACA

Our organizations play a critical role in assuring trust within our economy.

IIA – The role of Internal Audit:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes

ISACA – Recognizing the dependencies on IT in our organizations

Trust in, and value from, information systems

PAGE 4

Viewing Organizational Trust and Internal Auditing

Trust can also be considered a public good, necessary for the success of economic transactions and Adam Smith’s invisible hand may best characterize trust…Trust is a complex concept. It is multi-dimensional, multi-layered, and exists in almost every economic event…The current business environment is heavily influenced by globalization, the Internet and information technology. The Information Age has increased asymmetry of organizations and actors correspondingly with political, social and business volatility.

Cynthia Claybrook, CPA, The IIA Research Foundation

PAGE 5

Trust and Societies: Quantifiable Impact

“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. That suggests that trust is worth $12.4 trillion dollars a year to the U.S., which, in case you are wondering, is 99.5% of this country’s income (2006 figures). If you make $40,000 a year, then $200 is down to hard work and $39,800 is down to trust” (http://www.forbes.com/2006/09/22/trust-economy-markets-tech_cx_th_06trust_0925harford.html)

“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world” (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February, 2012: White House)

“Trust is at the heart of today’s complex global economy. But, paradoxically, trust is also in increasingly short supply in many of our societies, especially in our attitudes towards big business, parliaments and governments. This decline threatens our capacity to tackle some of today’s key challenges” (http://www.oecd.org/forum/the-cost-of-mistrust.htm)

PAGE 6

Trust is Critical for an Information Economy

[Figure: Trust = Economic Value, resting on IA, Security, Privacy and Cultural Norms]

PAGE 7

International Data Flows: The Global Currency

“The Growth of the Internet and the ability to move data rapidly and globally has been a key building block of the global economic order” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)

“Exports (emphasis mine) of cloud computing services were estimated to be worth approximately $1.5b in 2010 (and this is likely a conservative figure) and the market for cloud computing services is anticipated to grow by up to 600 percent by 2015” (“Policy Challenges of Cross-Border Computing”, Journal of International Commerce and Economics, November 2012).

• Over 2 billion individuals have access to the Internet
• More devices will be connected than people – billions of devices
• Nearly free transaction costs
• The days of information arbitrage are over
• Barriers to innovation & exploitation are equally low

Critical Shared Data Sets:
• Weather & Climate data
• Census data
• Healthcare and Disease Control data
• Financial & Currency data
• Trade data

A McKinsey Global Institute study estimated that the Internet contributed over 10 percent to GDP growth in the last five years to the world’s top ten economies and for every job lost as a result of the Internet, 2.6 jobs have been created.

PAGE 8

Open Government Initiatives: Public Sector Data

Governments across the globe recognize that information is both:

• A national resource that requires protection
• A public good that should be readily disseminated

Key areas of focus within the Open Government community include:

• Transparency with budgets & procurement
• Private/Public Sector data sharing
• Innovation

“The original and essentially libertarian nature of the Internet is increasingly being challenged by assertions by government of jurisdiction over the Internet or the development of rules that restrict the ability of individuals and companies to access the Internet and move data across borders” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)

PAGE 9

How Trust Impacts Our Daily Lives

PAGE 10

When Trust is Lost…

http://www.youtube.com/watch?v=uw_Tgu0txS0

PAGE 11

The SEC is Concerned about Trust w/Public Firms

The Securities and Exchange Commission (SEC) is, not surprisingly, concerned about the impact of trust on public markets given security issues. Of note:

• Risk Alert: CyberSecurity Initiative 4/15/2014 - The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) is “examining” 50 broker dealers with prescriptive guidance on expected practices and documentation

• Division of Corporate Finance (CF) Disclosure Guidance 10/13/2011 – guidance on impairment of goodwill, materiality thresholds preventing or detecting events, cyber-risk focused ERM, recommended disclosures

PAGE 12

Why Information Assurance Matters…

• We rarely question the quality of the information we use to make decisions…putting our organizations, economies, and personal lives at risk
• Information is the most valuable asset in our economy and fuels innovation & growth (data is the raw material of the global economy)
  o Commerce
  o Science
  o Government
• Our dependencies on accurate and timely information are increasing exponentially
• Massive asymmetries in IA practices
• Gap between laws & regulations and practice

PAGE 13

Why Information Assurance is Critical Now!

Here’s just a quick sampling of what’s occurring on a daily basis. This is just the US public sector.

https://www.privacyrights.org/data-breach/new (Must see site)

Anthem – 80 million records (2/5/2015)
http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/

Organized Criminals in Russia Steal 1b Passwords (8/5/2014)
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0

JP Morgan Potentially Compromised (8/18/2014)
http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480

Hospital Hacked – 4.5 Million Records Compromised (8/18/2014)
http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/

Home Depot
http://www.forbes.com/sites/quickerbettertech/2014/09/22/why-the-home-depot-breach-is-worse-than-you-think/

Target
http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538

The Car (2014 Moving Forward)
http://money.cnn.com/2014/06/01/technology/security/car-hack/

PAGE 14

The Assault on Healthcare & ePHI

According to a Ponemon Institute study, criminal attacks on healthcare systems have risen 100% since 2010, with an average breach cost of $2m (US)

Over 90% of healthcare organizations have had a breach in the last two years with 38% having had more than five incidents (down from 45% the previous year)

Risks with mandated health information exchanges (third-party considerations) / weakest link despite security standards from HIPAA-HITECH

Bring Your Own Device (BYOD) - nearly 50% of breaches attributed to a lost or stolen device and over 88% of organizations allow the use of BYOD

Fortunately, the number of records compromised has decreased based on earlier detection and incident response – we’re getting better at handling security breaches…practice makes perfect?

PAGE 15

Information is an easy target…

Our information is at risk. Knowing how information can be impacted is important to developing the right strategy. Key vectors include:

Integrity:
• Modification
• Fabrication
• Repudiation

Availability:
• Interruption
• Denial of Service (DoS) / Distributed Denial of Service (DDoS)

Confidentiality:
• Interception
• Breach
• Loss

PAGE 17

Security Today: From Prevention to Detection

We are witnessing a sea change in security practices within larger organizations…there is a recognition that prevention activities appear inadequate and that now the metric that counts is: From Infection to Detection.

PAGE 18

Working Definitions

• Security
• Privacy
• Information Assurance

PAGE 19

Security - Defined

The easiest way to think about security is to think about the outcome of what good security provides: confidentiality, integrity, and availability of information (CIA).

Confidentiality is the end-state of ensuring that information is only viewed and acted upon by those individuals, organizations, or systems that are authorized to see such information. “A loss of confidentiality is the unauthorized disclosure of information” – FIPS 199.

Integrity is the end-state of information and its processing such that the information is believed to be complete, accurate, valid and subject to restricted access (CAVR)…essentially untampered with or otherwise modified by unauthorized activity. “A loss of integrity is the unauthorized modification or destruction of information” – FIPS 199.

Availability is simply that…that the information is available for its required use without delay or loss. “A loss of availability is the disruption of access to or use of information or an information system” – FIPS 199.

Collectively, IT security is the set of processes that are involved with ensuring that data and information meet the confidentiality, integrity, and availability objectives of business.

PAGE 20

Privacy - Defined

Definitions of privacy are growing more nuanced over time.

Privacy is “the right to be left alone” (Samuel Warren & Louis Brandeis: The Right to Privacy, Harvard Law Review, 1890).

Privacy is “the right of the individual to be protected against the intrusion into his (her) personal life or affairs, or those of his (her) family, by direct physical means or by publication of information” (UK, Calcutt Committee: 1997)

Privacy has contextual considerations (Foundations of Information Privacy and Data Protection, Swire, et al., IAPP, 2012):
• Information Privacy
• Bodily Privacy
• Territorial / Physical Privacy
• Communications Privacy

PAGE 21

Information Assurance: Three Perspectives

National Defense: Information Assurance as a concept is strongly influenced by the defense and national security communities and the concept of network centric warfare techniques:

“Measures that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” (Department of Defense Directive Number 8500.1: October 24, 2002)

Corporate View: Intellectual Property, Financial, Client & Partner Data is subject to appropriate governance & control – CAVR.

Consumer View: Personal Health, Financial and other PII Data is controlled by the individual, and disclosure is also controlled by the individual.

PAGE 22

Bringing It All Together: IA, Security, and Privacy

If we agree that information is the new global currency and that innovation and growth are predicated on the quality of the information and data we use, it’s important that we couple IA, Security, and Privacy and make information governance a top priority for our organizations.

Let’s think about how these disciplines impact our profession!

PAGE 23

Privacy & Security – Inextricably Linked

Security can exist without privacy but privacy cannot exist without security. Consequently, privacy frameworks offer insights into good governance and security practices though many standards and frameworks have been challenged by recent events – notably the Payment Card Industry – Data Security Standard (PCI-DSS).

PAGE 24

Privacy Laws & Standards

By Country / Region
• Mexico
• Canada
• US
• EU
• APEC

By Industry
• HIPAA-HITECH
• Financial Services

PAGE 25

Laws & Regulations: Mexico, Canada and US

Mexico – National Privacy Law
http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf

Canada – National Privacy Law
https://www.priv.gc.ca/index_e.asp
https://www.priv.gc.ca/leg_c/leg_c_p_e.asp

US – Sectoral Approach (Federal Trade Commission)
http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

States
Massachusetts - http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
California - http://oag.ca.gov/ecrime/databreach/reporting
Nevada - http://www.leg.state.nv.us/NRS/NRS-603A.html

PAGE 26

Laws & Regulations: Australia, APEC & Europe (EU)

Australia
http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act
http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles

APEC
http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx

European Union
http://europa.eu/about-eu/countries/member-countries/index_en.htm
http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm
https://safeharbor.export.gov/list.aspx (Safe Harbor Registrants)

PAGE 27

International Privacy Regimes: APEC & OECD

APEC - 2004
• Preventing Harm
• Notice
• Collection Limitation
• Uses of Personal Information
• Choice
• Integrity of Personal Information
• Security Safeguards
• Access and Correction
• Accountability

OECD - 1980
• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability

PAGE 28

International Privacy (Cont.): FIPS & Madrid

FIPS (1973)
• No Secret Repositories
• Individual Control Over Use
• Individual Consent
• Correction
• Precautions Against Misuse

Madrid Resolution (2009)
• Principle of Lawfulness & Fairness
• Purpose Specification Principle
• Proportionality Principle
• Data Quality
• Openness Principle
• Accountability

PAGE 29

HIPAA-HITECH: Administrative, Physical & Technical

Security Management Process 164.308(a)(1)
• Risk Analysis
• Risk Management
• System Review

Assigned Security Responsibility 164.308(a)(2)
• Accountability

Workforce Security 164.308(a)(3)
• Authorization and/or Supervision, Clearance & Termination Procedures

Information Access Management 164.308(a)(4)
• RBAC Procedures

Security Awareness and Training 164.308(a)(5)
• Anti-malware, log-in procedures, password management

Security Incident Procedures 164.308(a)(6)
• Incident Response Procedures

PAGE 30

HIPAA-HITECH: Administrative, Physical & Technical

Contingency Plan 164.308(a)(7)
• Backup & Recovery
• BC/DR Procedures & Testing
• Applications and Data Criticality Analysis

Evaluation 164.308(a)(8)
• Review of Systems

Business Associate Contracts and Other Arrangements 164.308(b)(1)
• Contractual Obligations with Service Providers (Business Associates)
• Cascading Liability

Facility Access Controls 164.310(a)(1)
• Access Controls, Maintenance of Records, Contingency Operations

Access Control 164.312(a)(1)
• Encryption, Decryption, Log-off, Emergency Access*

Audit Controls 164.312(b)
• Evidence of Review

Transmission Security 164.312(e)(1) – Integrity Controls (A)
• Security and Integrity

PAGE 31

Gramm-Leach-Bliley (GLB) – FTC Enforcement

Financial Services Firms have an obligation to safeguard non-public information (NPI) such as full account numbers, social security numbers (SSNs), etc.

Obligations:

• Privacy Notices
• Non-Affiliated Third Parties & Opt Out
• Ensure the Security & Confidentiality of Customer Records
• Protect Against Anticipated Threats or Hazards
• Protect Against Unauthorized Access

The FTC has established a clear expectation of security as a corporate obligation. The SEC, as we saw earlier, is also focused on the cyber posture of broker dealers.

PAGE 32

Technology and IA

Internet of Things (IoT)

Cloud Computing

How will our professions change?

PAGE 33

Internet of Things (IoT)

http://www.theregister.co.uk/2014/05/07/freescale_internet_of_things/

PAGE 34

Internet of Things (IoT) – The Numbers Count

PAGE 35

Auditing the IoT

How prepared is our industry to address these new technologies?

• How do you audit an algorithm?
• How do you audit transaction volumes numbering in the billions or tens of billions?
• Can our existing audit tools capture data and interface with IoT systems?

We are heading into a new world of IT and system audit.

PAGE 36

Cloud & Service Providers

Traditional IT (and IT audit) are changing…

PAGE 37

[Figure: Cloud Services & Service Demarcation – the same stack (Applications, Database, O/S, Hypervisors, Servers, Storage, Networks, Backups) shown for On Site, Infrastructure (as a Service), Platform (as a Service) and Software (as a Service), marking where responsibility is demarcated under each service model]

Cloud Services & Service Demarcation

Roles & Responsibilities are Crucial Regardless of the Service Model

Security, Monitoring & Governance: Critical Foundation

PAGE 38

[Figure: application stack (Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups) within a Data Center, with Security, Monitoring and ITIL/Service Management as cross-cutting layers; labelled Client and SaaS]

• Audit Trail
• Segregation of Duties
• What is logged?
• Who’s responsible for the application is based on the service model
• How is the application impacted by other layers?
• What information is shared among layers?
• Shared administrative accounts?

PAGE 39

Auditing the Cloud – We Face Serious Challenges

Our ability to audit cloud – third-party services – is fundamentally challenged:

• How do you audit APIs and orchestration layer software?
• How do you control for multi-tenancy?
• How do you audit SaaS sans SSAE?
• How do you assess SOD in an IAM / Control Panel world?

As more than 50% of IT workloads move to the cloud, our industry has important work ahead in preparing to offer assurance in a cloud context.
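One way to start on the segregation-of-duties question above, as an added example that is not from the presentation: flatten the role bindings exported from an IAM control panel (including nested group membership) into effective permissions per user, then test each user against conflict rules. All role, permission, group and rule names below are constructed and match no particular provider's IAM model.

```python
"""Segregation-of-duties (SoD) review over exported IAM role bindings.

Added example: every role, permission, group and conflict rule below is
constructed for illustration and matches no particular provider's IAM model.
"""
from collections import defaultdict

# Constructed role catalogue: role name -> permissions the role grants.
ROLE_PERMISSIONS = {
    "iam-admin":          {"iam.users.create", "iam.roles.bind"},
    "payments-initiator": {"payments.create"},
    "payments-approver":  {"payments.approve"},
    "log-viewer":         {"logging.read"},
    "log-admin":          {"logging.read", "logging.delete"},
    "release-manager":    {"deploy.release"},
}

# Constructed groups: group -> members, which may be users or other groups.
GROUP_MEMBERS = {
    "group:finance":  {"user:alice", "user:bob"},
    "group:platform": {"user:carol", "group:oncall"},
    "group:oncall":   {"user:dave", "user:carol"},
}

# Constructed bindings as exported from a control panel: (principal, role).
BINDINGS = [
    ("group:finance",  "payments-initiator"),
    ("user:bob",       "payments-approver"),
    ("group:platform", "release-manager"),
    ("group:oncall",   "log-admin"),
    ("user:erin",      "iam-admin"),
    ("user:erin",      "log-viewer"),
]

# Conflict rules: one person holding every permission in a set defeats a
# control (e.g. can deploy a change and then erase the evidence of it).
SOD_RULES = {
    "initiate-and-approve-payment": {"payments.create", "payments.approve"},
    "deploy-and-erase-logs":        {"deploy.release", "logging.delete"},
    "grant-roles-and-erase-logs":   {"iam.roles.bind", "logging.delete"},
}

def resolve_users(principal, group_members, _seen=None):
    """Expand a principal into the users it stands for, following nested
    groups transitively; _seen guards against membership cycles."""
    _seen = set() if _seen is None else _seen
    if not principal.startswith("group:"):
        return {principal}
    if principal in _seen:
        return set()
    _seen.add(principal)
    users = set()
    for member in group_members.get(principal, ()):
        users |= resolve_users(member, group_members, _seen)
    return users

def effective_permissions(bindings, group_members, role_permissions):
    """Flatten bindings to user -> the union of permissions they hold."""
    perms = defaultdict(set)
    for principal, role in bindings:
        for user in resolve_users(principal, group_members):
            perms[user] |= role_permissions.get(role, set())
    return dict(perms)

def find_sod_violations(bindings, group_members, role_permissions, rules):
    """Return sorted (user, rule_name) pairs for every conflict rule that a
    user's effective permissions satisfy in full."""
    perms = effective_permissions(bindings, group_members, role_permissions)
    findings = [(user, name) for user, held in perms.items()
                for name, conflict in rules.items() if conflict <= held]
    return sorted(findings)

if __name__ == "__main__":
    for user, rule in find_sod_violations(
            BINDINGS, GROUP_MEMBERS, ROLE_PERMISSIONS, SOD_RULES):
        print(f"SoD finding: {user} -> {rule}")
```

Note that carol and dave are flagged only because group nesting is expanded; a review that reads the bindings table as exported would miss both.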

PAGE 40

Quick Wins

Information Assurance begins with:

• Know Legal Obligations
• Data Classification
• Data Inventory
• Data Retention
• Privacy Impact Assessment
• Security / Vulnerability Assessment
• Keep The Board Informed – No Surprises
• Assume a Breach!

PAGE 41

Common Themes

• Inventory of Information
• Inventory of Critical Assets
• Supply-Chain / Vendor assessments
• Risk Assessments
• Security Assessments
• Board of Directors
• Executive Responsibility
• Investment in Training & Competencies

PAGE 43

us.redit.com

Matt Stamper, MPIA, MS, CISA, ITIL, CIPP-US
T 858.836.02224
M 760.809.2164
E [email protected]