9/23/2013

www.pwc.com

Cyber Compliance October 4, 2013

Cyber Security Hot Topics

PwC


Threats advance faster than security

While information security risks have dramatically evolved, security strategies— typically compliance-based and perimeter-oriented—have not kept pace. In other words, most organizations are now defending yesterday, even as their adversaries exploit the threats of tomorrow. Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate dynamic attacks that are highly targeted and difficult to detect. Many use well-researched phishing exploits that target top executives. Similarly, the attack surface—partners, suppliers, customers, and others—has expanded as an ever-greater volume of data flows through multiple channels. The result? Safeguarding all data at an equally high level is no longer practical.

Source: The Global State of Information Security Survey 2014, Introduction

Index of IT Risks / Strategies


CIO Strategy

Security Architecture

Data integrity

Cloud computing

Social Media

Disaster Recovery

Intellectual Property

ERP Optimization

Data loss prevention

Data privacy

Mobile devices (BYOD)

System implementations / upgrades

Business continuity management

Mergers & Acquisitions

Changes in COSO components

Threat & Vulnerability management

Information sharing

Security Management

SOX compliance

SDLC Validation

Regulatory Compliance

Identity Management

Security Awareness


Cyber Security hot topics: Data Privacy

• Customers are more willing to provide personal information, with the expectation that corporations will be accountable for its safekeeping
• Cloud technologies are requiring stronger data protection and security measures
• Privacy by design: privacy is embedded into new technologies and business practices from the outset, as an essential component of fundamental privacy protection
• Social networking is creating new risks for organizations (security) and for individuals (consumer privacy)
• Online behavioral advertising: self-regulatory principles (transparency, consumer control and accountability)

Personal Data Breaches: Background

• Since legislation was passed, starting with CA SB-1386, requiring disclosure of breaches of certain personal information, we have been able to get a picture of where breaches are happening and have some feel for the causes.
• Legislation proliferated at the State level, but there is still no Federal data breach law (except in healthcare, as part of the HITECH amendments to HIPAA).
• Approximately 855 publicized breaches of personal information in 2011, with the total known number of compromised data records reaching 174 million.*
• ...and that's just the ones that companies know about and disclosed. Additionally, this doesn't include breaches of non-personal (but sensitive) information such as Intellectual Property.

*Source: Verizon Business, "2012 Data Breach Investigations Report"

Data Breaches: The Current Breach Landscape

[Chart in the original: number of breaches identified per year and disclosed through public sources. Source: datalossdb.org/statistics. Note: 2013 numbers through Sep 21st 2013.]

Cyber Security hot topics: Data Privacy – Questions for discussion

Privacy / Regulatory / Data Protection:
• How do you get your arms around where data is, how data flows, and who has access to data within your organization?
• What tools and/or techniques has your company employed to develop and maintain a sensitive data asset inventory?
• How do you balance the use of emerging technologies with regulatory requirements?

Cyber Security hot topics: Threat and Vulnerability Management

• Brand risk: cyber attacks appear in the newspaper on a daily basis
• The value of data is now widely recognized, leading to highly professional and sophisticated attacks
• Emerging technologies and reliance on 3rd parties have created a borderless infrastructure; security strategies and investment have not kept pace
• The volume and pervasiveness of sensitive data is increasing
• Socially motivated "hacktivists" have actively targeted and discredited a wide range of organizations to express their displeasure with mainstream ideas

Example Security Incidents*
• Privacy Rights Clearinghouse reported that in 2011 there were 535 breaches involving 30.4 million sensitive records
• A social networking website was hacked and 6.5 million passwords were leaked
• A backup tape containing 5.1 million client records was stolen from an employee's car. A $4.9 billion lawsuit was filed, aiming to award $1,000 to each person affected by the breach

*http://www.informationweek.com/news/security/attacks/232301079

Cyber Security hot topics: Threat and Vulnerability Management – Questions for discussion

Threat and vulnerability management:
• How do you assess the company's security posture and gain comfort around security management as a whole?
• How do you ensure your enterprise isn't currently being exploited or breached?
• Are you ever truly prepared to respond to a serious cyber incident?

Cyber Security hot topics: Cloud Security Defined

Virtualization and cloud computing generally go hand-in-hand, as cloud providers frequently use virtualization to deliver their services.

Cloud Computing: The delivery of computing and storage capacity as a service to a community of end users. Cloud computing entrusts a provider with a user's data, software and computation over a network. Users generally access cloud-based services via a web browser or lightweight desktop application; business software and data are stored on servers at a remote location.

Virtualization: The process by which a virtual version of something (a hardware platform, an operating system, a storage device or a network resource) is created in lieu of an actual version. The goal of virtualization is to centralize administrative tasks and improve scalability and hardware utilization.

Cloud Security Issues

• Reliance on third parties has created a borderless infrastructure; security strategies and investment have not kept pace.
• Third parties traditionally have not been considered likely suspects in data breaches. This is changing fast.
• Organizations have difficulty understanding the access third parties have to their sensitive data and systems.
• The cloud computing model can help organizations achieve lower costs, reduced complexity, and improved flexibility. However, it poses real security risks.
• A successful cloud implementation requires a new mindset and new tools to help ensure that security meets business needs.
• Independent business units are purchasing cloud services without the involvement of Legal, Security, or Audit.

Cyber Security hot topics: Cloud computing – Questions for discussion

Cloud computing:
• How does your company plan to navigate "the cloud" and all of the service offerings on the market?
• Does your company have Cloud Security Policies already documented?
• Does your company specify what types of data are allowed in the cloud as well as those that are prohibited?
• How are risk assessments performed for cloud services? Who performs the risk assessments?
• What types of strategies have you implemented related to cloud computing?

Cyber Security hot topics: Social media

• Competition: social media can be used by competitors to damage your brand value
• Retaliation: current and former employees, vendors, suppliers, special interest groups, etc. can use social media to generate negative content
• Identification: it is difficult to identify negative content, and even more difficult to have it removed
• Compliance: employees can post information using social media that signals compliance or regulatory risks

Example Security Incidents
• A major news organization's hacked Twitter account posted that President Obama had died.
• Ex-employee: a rogue ex-employee began blogging and emailing sensitive information, alleging that the former company did not disclose a security breach that impacted 400,000 customers.
• WikiLeaks (2006–present): a website that publishes secret and non-public information on government agencies and military activities. Efforts to shut down and restrict WikiLeaks led to numerous corporate and governmental agencies being attacked in retaliation.

Cyber Security hot topics: Social media – Questions for discussion

Social media:
• What types of strategies have you implemented related to social media, including employee use and use as a marketing tool?
• What security controls have been evaluated to manage the risks of social media to your business?
• Can you currently detect or respond to negative or potentially damaging social media postings?
• Are you aware of how you are currently positioned and viewed on social media?

Cyber Security hot topics: Mobile Devices – Number One Threat

• 56% of us misplace our cell phone or laptop each month
• 113 cell phones are lost or stolen every minute in the U.S.
• 120,000 cell phones are lost annually in Chicago taxi cabs
• 25% of Americans lose or damage their cell phone each year
• Major city transit authorities receive over 200 lost items per day

Source: MicroTrax Study, 2011

Mobile Devices – Other Notable Threats to Mobile Devices

• August 2012 – First variants of Zeus malware detected on BlackBerry devices.
• Feb 2012 – Mobile social network Path caught uploading users' address books to its servers without approval. Class action lawsuit against 18 companies filed in March 2012.
• Jan 2012 – Up to 5 million Android users downloaded 13 malware-infected applications from Google's Android Market.
• Jan 2012 – QR codes used to trick users into visiting mobile spam sites.
• Dec 2011 – Carrier IQ tracking software found on a wide range of devices.
• Sept 2011 – German security firm G Data reported that mobile malware increased 270% during the first six months of 2011, with 1.2 million new variants.
• March 2011 – "DroidDream": malicious code was delivered to more than 260,000 mobile devices within 58 applications downloaded from the Android Market.
• February 2011 – "Zeus Mitmo" combined traditional PC malware with mobile phone malware delivered by a bogus SMS message that appeared to originate from the user's bank, in order to steal bank log-on passwords.

Security Hot Topics: Mobile Devices – Questions for discussion

Mobile devices:
• Do you have policies, standards and processes for using mobile devices? What about employee-owned devices (BYOD)?
• Does the current Data Loss Prevention solution address mobile devices?
• How do you protect corporate data?
• Can you enforce corporate standards? Do you have the ability to remotely manage or wipe devices?

Essential safeguards for effective security

The fundamental safeguards you'll need for an effective security program. Effective security requires implementation of numerous technical, policy, and people safeguards. Based on a regression analysis of survey responses and PwC's experience in global security practices, the following are ten key strategies:

1. A written security policy
2. Back-up and recovery/business continuity plans
3. Minimum collection and retention of personal information, with physical access restrictions to records containing personal data
4. Strong technology safeguards for prevention, detection, and encryption
5. Accurate inventory of where personal data of employees and customers is collected, transmitted, and stored, including third parties that handle that data
6. Internal and external risk assessments of privacy, security, confidentiality, and integrity of electronic and paper records
7. Ongoing monitoring of the data-privacy program
8. Personnel background checks
9. An employee security awareness training program
10. Require employees and third parties to comply with privacy policies

What Compliance Departments should do

Action Item: Risk Assessment – Define the IT audit universe, inventory risks, understand and rank risks, and align with corporate strategy
Likely Result: Policies and procedures updated to include social media, cloud computing, etc.

Action Item: Meet with CIO – Gain an understanding of the organization's future technology direction
Likely Result: IA (Internal Audit) roadmap built out for the next several years to assess future technologies and risks

Action Item: Evaluate data inventories and data handling processes and procedures
Likely Result: Gaps in data inventories are identified and remediated; processes are updated

Action Item: Cloud Computing – Validate that the service provider's offering will meet organizational security/privacy requirements
Likely Result: Cloud services already in use or being procured are found to introduce new risks to the organization that require remediation

Action Item: Training – Evaluate training programs against the organization's regulatory burden
Likely Result: Current training programs may not provide sufficient coverage of all regulations; programs require updates

Specific testing to be performed

IT Risk: Social Media
Specific Testing: Evaluate current social media policies and procedures. Verify that employees are following social media posting requirements/guidance.

IT Risk: IT Security
Specific Testing: Execute an external penetration test of the IT environment, considering the vulnerabilities associated with both external and internal network access.

IT Risk: Mobile Devices
Specific Testing: Evaluate mobile device policies and supported technologies. Validate that employees are using approved (supported) platforms to conduct company business. Evaluate the technological controls that protect corporate data.

IT Risk: Cloud Computing
Specific Testing: Perform a cloud service provider security assessment. Validate that the controls in place at the provider meet organizational requirements. Leverage the CSF or a similar framework to compare vendor controls against industry peers.

IT Risk: Privacy & Data Protection
Specific Testing: Evaluate current privacy and data protection practices against regulatory requirements. Identify gaps in processes and work with impacted groups to enact corrective measures.

IT Risk: Threat and Vulnerability Management
Specific Testing: Evaluate current practices to determine whether identified vulnerabilities are consistently remediated per policy, in particular critical and high risk vulnerabilities.

Third Party Risk Management


In the US, many organizations lack an understanding of risks associated with third parties. The 2013 US State of Cybercrime Survey found that many respondents do not have policies and tools to assess security risks of third parties. More than ever, company leaders should not view cybersecurity as simply a technology problem; it is now a risk-management issue.

Does your organization:

[Pie chart in the original] Conduct incident response planning with third-party supply chain? Responses: Yes / No / Do not know (segments of 52%, 26% and 22%).

[Pie chart in the original] Evaluate the security of third parties with which the organization shares data or network access? Responses: More than once a year / Once a year or less / Do not evaluate third parties / Do not know/not sure (segments of 35%, 23%, 22% and 20%).

Definitions

• Third Party is any entity not under the direct business control of a given organization. Many people equate third parties with vendors, but that's not always the case; consider:
  - Vendors/suppliers of products or services
  - Strategic consultants
  - Government agencies
  - Business partners (JV partners, alliances, etc.)
  - Regulatory bodies
  - Marketing partners
  - Customers
• Third Party risk management encompasses vendor risk management, but is more broadly focused on gaining an understanding of organizational risks and understanding which of those risks may be either positively or negatively affected by third parties.
• Third Party inventory is a comprehensive list of third parties from across the company.

Definitions (continued)

• Third Party Risk Profile is the combination of:
  - Entity risk – risk associated with the third party's organizational structure and characteristics (e.g. size/complexity, past experience, etc.)
  - Service risk – risk associated with the product or service provided (e.g. regulated data provided, availability requirements, etc.)

Trust but Verify

[Image-only slides in the original, captioned "Alright, not so bad!" and "This Is Why!"]

Why are we discussing?

• $50bn estimated annual losses to business from data and identity theft
• 500+ publicized breaches of personal information in 2012
• In just the last year and a half, a breach of personal health information occurred, on average, every other day.
• Audits of security / privacy requirements are coming.
• Breaches and non-compliance can lead to significant impacts: brand, reputation, fines, lost revenue and/or regulatory sanctions.
• Companies often face direct financial impacts: investigations, legal fees, credit monitoring services for victims, reissuance of credit cards, government fines, and regulatory sanctions.

Inventory third parties – A multi-faceted approach

Develop Inventory:
1. Existing Inventories
2. Review Contracts
3. Analyze Accounts Payable
4. Business Questionnaire
5. Conduct Meetings

Design Assessment Strategy:
• Inventory
• Profile Against Defined Risks
• Analyze & Categorize
• Determine Assessment Type

Execute Strategy:
• Perform Self-Assessment, Desktop Review or On-site Assessment
• Review Risks Against Assessment Results

Profile third parties – Define risk components

Third Party Risk Profile (percentages depict category weighting):

Entity Profile
• Experience & size etc. (20%)
• Familiarity with Company (includes contract status) (40%)
• Prior Reviews (40%)

Service Profile
• Service Operation: Service Scope (15%), Service Type (15%)
• Data & Information: Data Access (10%), Data Sensitivity (20%)
• Availability Impact (10%), Uptime Req. (5%)
• Regulatory/Legal: SOX, GxP, PCI, SPI, HIPAA (25%)

Profile third parties – Narrow the focus

[Funnel diagram in the original] Starting from the total Third Party inventory, apply Entity Risk and Service Risk to:
• Remove categories that don't pose risk
• Filter services with risk managed by other means
• Prioritize higher-risk Third Parties
The remaining population is routed to an on-site assessment, a desktop review or a self assessment.

Develop an efficient assessment approach

The Third Party Risk Profile drives the assessment type. As risk and complexity increase, so do the resources required and the comfort obtained:

• Self Assessment: Third party responds to a questionnaire. Least resource intensive.
• Desktop Review: Off-site assessment consisting of interviews and limited document review. Conducted using an any-shore model.
• On-site Assessment: On-site assessment consisting of interviews and document review. Most resource intensive.
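The weighting, funnel and assessment-tier slides above describe a scoring model without showing the arithmetic. What follows is an added worked example in Python, not PwC's tool and not code from the original deck: it applies the slide's component weights to a constructed inventory of four third parties, drops the one whose risk is managed by other means, and routes the rest to a self assessment, desktop review or on-site assessment. The 1-5 rating scale, the scoping rule, the tier thresholds and the sample third parties are assumptions made for illustration.

```python
"""Third-party risk profile scoring and assessment-type selection.

Added worked example, not PwC's own tool. The component weights are those on
the slide; the 1-5 rating scale, the scoping rule, the tier thresholds and the
sample third parties are assumptions made for illustration.
"""

# Weights from the slide. Each profile's weights sum to 100%.
ENTITY_WEIGHTS = {
    "experience_size": 0.20,
    "familiarity_with_company": 0.40,  # includes contract status
    "prior_reviews": 0.40,
}
SERVICE_WEIGHTS = {
    "service_scope": 0.15,
    "service_type": 0.15,
    "data_access": 0.10,
    "data_sensitivity": 0.20,
    "availability_impact": 0.10,
    "uptime_requirement": 0.05,
    "regulatory_legal": 0.25,  # SOX / GxP / PCI / SPI / HIPAA exposure
}
RATING_MIN, RATING_MAX = 1, 5  # assumed scale: 1 = lowest risk, 5 = highest


def weighted_score(ratings, weights):
    """Weighted score on the 1-5 scale. A missing or out-of-range component is
    an error rather than a silent zero, so an incomplete profile cannot be
    scored as low risk by accident."""
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"unrated components: {sorted(missing)}")
    for name, value in ratings.items():
        if name not in weights:
            raise ValueError(f"unknown component: {name}")
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{name}={value} outside {RATING_MIN}-{RATING_MAX}")
    return round(sum(ratings[k] * w for k, w in weights.items()), 2)


def in_scope(service):
    """Scoping rule (assumed): a third party with no data access, no availability
    impact and no regulatory exposure poses no security risk to assess here; its
    commercial risk is managed by other means (procurement, contracts)."""
    return not (service["data_access"] == RATING_MIN
                and service["availability_impact"] == RATING_MIN
                and service["regulatory_legal"] == RATING_MIN)


def assessment_type(entity_score, service_score):
    """Map the two scores to a tier (assumed thresholds). Service risk drives the
    decision because it carries the data and regulatory exposure; entity risk
    can escalate a tier but never lower it."""
    if service_score >= 3.5 or (service_score >= 2.5 and entity_score >= 3.5):
        return "on-site assessment"
    if service_score >= 2.5 or entity_score >= 3.5:
        return "desktop review"
    return "self assessment"


def plan_assessments(inventory):
    """Score every in-scope third party; return the plan, highest service risk first."""
    plan = []
    for name, profile in inventory.items():
        if not in_scope(profile["service"]):
            continue  # removed from the funnel: risk managed by other means
        e = weighted_score(profile["entity"], ENTITY_WEIGHTS)
        s = weighted_score(profile["service"], SERVICE_WEIGHTS)
        plan.append({"third_party": name, "entity_score": e,
                     "service_score": s, "assessment": assessment_type(e, s)})
    return sorted(plan, key=lambda r: (r["service_score"], r["entity_score"]), reverse=True)


# Constructed sample inventory (fictional third parties, not real vendors).
SAMPLE_INVENTORY = {
    "payroll-saas": {  # holds employee SPI, new vendor never reviewed
        "entity": {"experience_size": 2, "familiarity_with_company": 2, "prior_reviews": 4},
        "service": {"service_scope": 4, "service_type": 4, "data_access": 5,
                    "data_sensitivity": 5, "availability_impact": 3,
                    "uptime_requirement": 3, "regulatory_legal": 5},
    },
    "marketing-agency": {  # customer contact lists, never reviewed
        "entity": {"experience_size": 3, "familiarity_with_company": 3, "prior_reviews": 5},
        "service": {"service_scope": 2, "service_type": 2, "data_access": 3,
                    "data_sensitivity": 3, "availability_impact": 1,
                    "uptime_requirement": 1, "regulatory_legal": 2},
    },
    "survey-tool": {  # low-sensitivity data, well-known vendor with a recent review
        "entity": {"experience_size": 1, "familiarity_with_company": 1, "prior_reviews": 2},
        "service": {"service_scope": 2, "service_type": 2, "data_access": 2,
                    "data_sensitivity": 2, "availability_impact": 1,
                    "uptime_requirement": 1, "regulatory_legal": 2},
    },
    "cafeteria-caterer": {  # high entity risk but no data, uptime or regulatory exposure
        "entity": {"experience_size": 2, "familiarity_with_company": 4, "prior_reviews": 5},
        "service": {k: 1 for k in SERVICE_WEIGHTS},
    },
}

if __name__ == "__main__":
    for row in plan_assessments(SAMPLE_INVENTORY):
        print(f"{row['third_party']:18} entity={row['entity_score']:.2f} "
              f"service={row['service_score']:.2f} -> {row['assessment']}")
```

The scoping and threshold rules are the parts to tune to the organization's own risk appetite; keeping them as explicit functions, with the weights in one table, is what makes a tier reproducible when a business sponsor disputes it, and the validation in weighted_score stops an unrated component from quietly lowering a score. Note that the caterer scores 4.0 on entity risk and is still dropped: the funnel removes categories that carry no security exposure before anyone spends assessment effort on them.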


Develop an efficient assessment approach (continued)

[Image-only slide in the original]

Example – Third party performance scorecard

[Image-only slide in the original]

Track, report and respond to assessment results

1. Profile
• Preliminary Entity Profiling and Preliminary Service Profiling, drawing on: Business Sponsor, Previous Assessments, Third party contacts, Contracts
• Preliminary Third Party Rating
• Output: Assessment Type, Assessment Scope

2. Assess
• Third Party Data Collection
• Technical Security Assessment
• Third Party Processes and Controls
• Assessment Report; Third Party Report with Inherent Risk Rating and Score

3. Review and Decide
• Residual Risk Rating and Score
• Business Action: Accept, Share/Transfer, Reduce
• Remediation and Reassessment
• Periodic Review

Questions & contact information

John Maynor
Director, IT Risk & Security Assurance
[email protected]
(937) 469-3042

Not for further distribution without the permission of PwC. These materials are for general information purposes only, and are provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties or merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser. This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. 
You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
