9/23/2013
www.pwc.com
Cyber Compliance October 4, 2013
Cyber Security Hot Topics
PwC
Threats advance faster than security
While information security risks have dramatically evolved, security strategies— typically compliance-based and perimeter-oriented—have not kept pace. In other words, most organizations are now defending yesterday, even as their adversaries exploit the threats of tomorrow. Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate dynamic attacks that are highly targeted and difficult to detect. Many use well-researched phishing exploits that target top executives. Similarly, the attack surface—partners, suppliers, customers, and others—has expanded as an ever-greater volume of data flows through multiple channels. The result? Safeguarding all data at an equally high level is no longer practical.
*Global State Of Information Security 2014 Introduction
Index of IT Risks / Strategies
• CIO Strategy
• Security Architecture
• Data integrity
• Cloud computing
• Social Media
• Disaster Recovery
• Intellectual Property
• ERP Optimization
• Data loss prevention
• Data privacy
• Mobile devices (BYOD)
• System implementations / upgrades
• Business continuity management
• Mergers & Acquisitions
• Changes in COSO components
• Threat & Vulnerability management
• Information sharing
• Security Management
• SOX compliance
• SDLC Validation
• Regulatory Compliance
• Identity Management
• Security Awareness
Cyber Security hot topics: Data Privacy
• Customers are more willing to provide personal information, with the expectation that corporations will be accountable for its safekeeping
• Cloud technologies are requiring stronger data protection and security measures
• Privacy by design: privacy is embedded into new technologies and business practices, from the outset, as an essential component of fundamental privacy protection
• Social networking: increasing new risks for organizations (i.e. security) and individuals (i.e. consumer privacy)
• Online behavioral advertising: self-regulatory principles (transparency, consumer control and accountability)
Personal Data Breaches
Background
• Since legislation was passed, starting with CA SB-1386, requiring disclosure of breaches of certain personal information, we have been able to get a picture of where breaches are happening, and have some feel for the causes.
• Legislation proliferated at the State level, but still no Federal Data Breach law (except in Healthcare, as part of the HITECH amendments to HIPAA).
• Approximately 855 publicized breaches of personal information in 2011 with the total known number of compromised data records reaching 174 million.*
• …and that’s just the ones that companies know about and disclosed. Additionally, this doesn’t include breaches of non-personal (but sensitive) information such as Intellectual Property.
*Source: Verizon Business’ “2012 Data Breach Investigations Report”
Data Breaches
The Current Breach Landscape
The graph below depicts the number of breaches identified per year and disclosed through public sources.
[Graph: breaches disclosed per year. Source: datalossdb.org/statistics. Note: 2013 numbers through Sep 21st 2013]
Cyber Security hot topics: Data Privacy
Questions for discussion
Privacy / Regulatory / Data Protection:
• How do you get your arms around where data is, how data flows, and who has access to data within your organization?
• What tools and/or techniques has your company employed to develop and maintain a sensitive data asset inventory?
• How do you balance the use of emerging technologies with regulatory requirements?
Cyber Security hot topics: Threat and Vulnerability Management
• Brand risk related to cyber attacks appearing in the newspaper on a daily basis
• The value of data is now widely recognized, leading to highly professional and sophisticated attacks
• Emerging technologies and reliance on 3rd parties have created a borderless infrastructure; security strategies and investment have not kept pace
• The volume and pervasiveness of sensitive data is increasing.
• Socially motivated "hacktivists" have actively targeted and discredited a wide range of organizations to express their displeasure with mainstream ideas
Example Security Incidents*
• Privacy Rights Clearinghouse reported in 2011 there were 535 breaches involving 30.4 million sensitive records
• A social networking website was hacked and 6.5 million passwords were leaked.
• Backup tape containing 5.1 million client records was stolen from an employee’s car. $4.9 billion lawsuit filed, aimed to award $1,000 for each person affected by the breach
*http://www.informationweek.com/news/security/attacks/232301079
Cyber Security hot topics: Threat and Vulnerability Management
Questions for discussion
Threat and vulnerability management:
• How do you assess the company’s security posture and gain comfort around security management as a whole?
• How do you ensure your enterprise isn’t currently being exploited or breached?
• Are you ever truly prepared to respond to a serious cyber incident?
Cyber Security hot topics: Cloud Security Defined
Virtualization and Cloud Computing generally go hand-in-hand, as cloud providers are frequently using virtualization for their services.
Cloud Computing: The delivery of computing and storage capacity as a service to a community of end users. Cloud computing entrusts services with a user’s data, software and computation over a network. Users generally access cloud based services via a web browser or lightweight desktop application. Business software and data are stored on servers at a remote location.
Virtualization: The process by which a virtual version of something – a hardware platform, an operating system, a storage device or a network resource – is created in lieu of an actual version. The goal of virtualization is to centralize administrative tasks, improve scalability and hardware utilization.
Cloud Security Issues
• Reliance on third parties has created a borderless infrastructure; security strategies and investment have not kept pace.
• Third parties traditionally have not been considered likely suspects in data breaches. This is changing fast.
• Organizations have difficulty understanding the access third parties have to their sensitive data and systems.
• The cloud computing model can help organizations achieve lower costs, reduced complexity, and improved flexibility. However, this poses real security risks.
• A successful cloud implementation requires a new mindset and new tools to help ensure that security meets business needs.
• Independent business units are purchasing cloud services without the involvement of Legal, Security, or Audit.
Cyber Security hot topics: Cloud computing
Questions for discussion
Cloud computing:
• How does your company plan to navigate “the cloud” and all of the service offerings on the market?
• Does your company have Cloud Security Policies already documented?
• Does your company specify what types of data are allowed in the cloud as well as those that are prohibited?
• How are risk assessments performed for cloud services? Who performs the risk assessments?
• What types of strategies have you implemented related to cloud computing?
Cyber Security hot topics: Social media
• Competition: can be used by competitors to damage your brand value.
• Retaliation: current and former employees, vendors, suppliers, special interest groups, etc. can use social media to generate negative content
• Identification: difficult to identify negative content, even more difficult to have it removed
• Compliance: employees can post information using social media that can signal compliance or regulatory risks
Example Security Incidents
• A major news organization’s hacked Twitter account resulted in postings that announced President Obama had died.
• Ex-employee: a rogue ex-employee began blogging and emailing sensitive information and alleging the former company did not disclose a security breach that impacted 400,000 customers.
• WikiLeaks (2006-present): website that publishes secret and non-public information on government agencies and military activities. Shutdown and restrictions of WikiLeaks have led to numerous corporate and governmental agencies being hacked into.
Cyber Security hot topics: Social media
Questions for discussion
Social media:
• What types of strategies have you implemented related to social media, including employee use and as a marketing tool?
• What security controls have been evaluated to manage the risks of social media to your business?
• Can you currently detect or respond to negative or potentially damaging social media postings?
• Are you aware of how you are currently positioned and viewed on social media?
Cyber Security hot topics: Mobile Devices
Number One Threat
• 56% of us misplace our cell phone or laptop each month
• 113 cell phones are lost or stolen every minute in the U.S.
• 120,000 cell phones are lost annually in Chicago taxi cabs
• 25% of Americans lose or damage their cell phone each year
• Major city transit authorities receive over 200 lost items per day
Source: MicroTrax Study, 2011
Mobile Devices
Other Notable Threats to Mobile Devices
• August 2012 – First variants of Zeus malware detected on Blackberry devices.
• Feb 2012 – Mobile social network Path caught uploading users’ address books to their network without approval. Class action lawsuit against 18 companies filed in March 2012.
• Jan 2012 – Up to 5 million Android users download 13 malware infected applications from Google’s Android Market
• Jan 2012 – QR Codes used to trick users to visit mobile spam sites
• Dec 2011 – CarrierIQ tracking software found on a wide range of devices
• Sept 2011 – German security firm G Data reports mobile malware increased 270% during the first six months of 2011 with 1.2 million new variants
• March 2011 – “Droid Dream” – malicious code was delivered to more than 260,000 mobile devices within 58 downloaded applications from the Android Market
• February 2011 – Malware “Zeus Mitmo” combined traditional PC malware with mobile phone malware sent by a bogus SMS message which appeared to originate from the user’s bank to steal bank log-on passwords
Security Hot Topics: Mobile Devices
Questions for discussion
Mobile devices:
• Do you have policies, standards and processes for using mobile devices? What about employee owned devices (BYOD)?
• Does the current Data Loss Prevention solution address mobile devices?
• How do you protect corporate data?
• Can you enforce corporate standards? Do you have the ability to remotely manage or wipe devices?
Essential safeguards for effective security
The fundamental safeguards you’ll need for an effective security program. Effective security requires implementation of numerous technical, policy, and people safeguards. Based on a regression analysis of survey responses and PwC’s experience in global security practices, the following are ten key strategies.
1. A written security policy
2. Back-up and recovery/business continuity plans
3. Minimum collection and retention of personal information, with physical access restrictions to records containing personal data
4. Strong technology safeguards for prevention, detection, and encryption
5. Accurate inventory of where personal data of employees and customers is collected, transmitted, and stored, including third parties that handle that data
6. Internal and external risk assessments of privacy, security, confidentiality, and integrity of electronic and paper records
7. Ongoing monitoring of the data-privacy program
8. Personnel background checks
9. An employee security awareness training program
10. Require employees and third parties to comply with privacy policies
What Compliance Departments should do:
Action Item: Risk Assessment – Define IT audit universe / inventory risk / understand risk / rank risks / align with corporate strategy
Likely Result: Update Policies & Procedures to include social media, cloud computing, etc.
Action Item: Meet with CIO – Gain an understanding of future technology direction of organization
Likely Result: Build out IA roadmap for next several years to assess future technologies and risks
Action Item: Evaluate data inventories and data handling processes and procedures
Likely Result: Gaps in data inventories will be identified and remediated, processes will be updated
Action Item: Cloud Computing – Validate service provider offering will meet organizational security/privacy requirements
Likely Result: Cloud services already in use or being procured will introduce new risks to the organization which will require remediation
Action Item: Training – Evaluate training programs against regulatory burden of organization
Likely Result: Current training programs may not provide sufficient coverage of all regulations, programs will require updates
Specific testing to be performed (IT Risk: Specific Testing)
Social Media: Evaluate current social media policies and procedures. Verify that employees are following social media posting requirements / guidance.
IT Security: Execute an external penetration test of the IT environment considering the vulnerabilities associated with both external and internal network access.
Mobile Devices: Evaluate mobile device policies and supported technologies. Validate that employees are utilizing approved (supported) platforms to conduct company business. Evaluate technological controls to protect corporate data.
Cloud Computing: Perform a cloud service provider security assessment. Validate controls in place at provider meet organizational requirements. Leverage CSF or similar framework to compare vendor controls against industry peers.
Privacy & Data Protection: Evaluate current privacy and data protection practices against regulatory requirements. Identify gaps in processes and work with impacted groups to enact corrective measures.
Threat and Vulnerability Management: Evaluate current practices to determine if identified vulnerabilities are consistently remediated per policy to address critical and high risk vulnerabilities.
Third Party Risk Management
In the US, many organizations lack an understanding of risks associated with third parties. The 2013 US State of Cybercrime Survey found that many respondents do not have policies and tools to assess security risks of third parties. More than ever, company leaders should not view cybersecurity as simply a technology problem; it is now a risk-management issue.
[Chart: survey responses to “Does your organization conduct incident response planning with third-party supply chain?” (Yes / No / Do not know/not sure) and “Does your organization evaluate the security of third parties with which the organization shares data or network access?” (More than once a year / Once a year or less / Do not evaluate third parties / Do not know)]
Definitions
• Third Party is any entity not under direct business control of a given organization. Many people equate third parties with vendors, but that’s not always the case; consider:
- Vendors/suppliers of products or services
- Strategic consultants
- Government agencies
- Business partners (JV partners, alliances, etc.)
- Regulatory bodies
- Marketing partners
- Customers
• Third Party risk management encompasses vendor risk management, but is more broadly focused on gaining an understanding of organizational risks and understanding which of those risks may be either positively or negatively affected by third parties.
• Third Party inventory is a comprehensive list of third parties from across the company.
Definitions (continued)
• Third Party Risk Profile is the combination of:
- Entity risk – risk associated with the third-party organizational structure and characteristics (e.g. size/complexity, past experience, etc.)
- Service risk – risk associated with the product or service provided (e.g. regulated data provided, availability requirements, etc.)
Trust but Verify
Trust but Verify - Continued
Alright, not so bad!
Trust but Verify – This Is Why!
Why are we discussing?
• $50bn estimated annual losses to business from data and identity theft
• 500+ publicized breaches of personal information in 2012
• In just the last year and a half, a breach of personal health information occurred, on average, every other day.
• Audits of security / privacy requirements are coming here
• Breaches and non-compliance can lead to significant impacts: brand, reputation, fines, lost revenue and/or regulatory sanctions
• Companies often face direct financial impacts: investigations, legal fees, credit monitoring services for victims, reissuance of credit cards, government fines, and regulatory sanctions
Inventory third parties – A multi-faceted approach
Develop Inventory, drawing on:
1. Existing Inventories
2. Review Contracts
3. Analyze Accounts Payable
4. Business Questionnaire
5. Conduct Meetings
Design Assessment Strategy:
- Inventory
- Profile Against Defined Risks
- Analyze & Categorize
- Determine Assessment Type
Execute Strategy:
- Perform Self-Assessment, Desktop Review or On-site Assessment
- Review Risks Against Assessment Results
Profile third parties – Define risk components
Third Party Risk Profile (percentages depict category weighting)
Entity Profile:
- Experience & size etc. (20%)
- Familiarity with Company (includes contract status) (40%)
- Prior Reviews (40%)
Service Profile:
- Service Operation: Service Scope (15%), Service Type (15%)
- Data & Information: Data Access (10%), Data Sensitivity (20%)
- Availability Impact (10%), Uptime Req. (5%)
- Regulatory/Legal: SOX, GxP, PCI, SPI, HIPAA (25%)
Profile third parties – Narrow the focus
[Chart: Total Third Party inventory plotted by Entity Risk against Service Risk, with regions for Self assessment, Desktop review and On-site assessment]
- Remove categories that don’t pose risk
- Filter services with risk managed by other means
- Prioritize higher risk Third Parties
Develop an efficient assessment approach
The Third Party Risk Profile determines the assessment type:
Self Assessment
• Third party responds to questionnaire
• Least resource intensive
Desktop Review
• Off-site assessment consisting of interviews and limited document review
• Conducted using any-shore model
On-site assessment
• On-site assessment consisting of interviews and document review
• Most resource intensive
[Figure axes: Risk & Complexity, Resources Required, Comfort Obtained]
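A worked version of the category weighting defined above and of the self assessment / desktop review / on-site decision, added here as an example; it is not PwC’s scoring tool. The component weights are the slide’s; the 1-5 rating scale, the decision thresholds, the helper names and the sample third parties are assumptions.

```python
# Added example (not PwC's tool): weighted third-party risk profile and the
# self / desktop / on-site decision. Weights are the slide's; the 1-5 rating
# scale, decision thresholds and sample third parties are assumptions.

ENTITY_WEIGHTS = {
    "experience_and_size": 20,
    "familiarity_with_company": 40,  # includes contract status
    "prior_reviews": 40,
}
SERVICE_WEIGHTS = {
    "service_scope": 15,
    "service_type": 15,
    "data_access": 10,
    "data_sensitivity": 20,
    "availability_impact": 10,
    "uptime_requirement": 5,
    "regulatory_legal": 25,  # SOX / GxP / PCI / SPI / HIPAA
}

def weighted_score(ratings, weights):
    """Combine 1-5 component ratings into one 1-5 score by category weight."""
    if sum(weights.values()) != 100:
        raise ValueError("category weights must sum to 100%")
    missing = sorted(set(weights) - set(ratings))
    if missing:
        raise ValueError(f"unrated components: {missing}")
    for name in weights:
        if not 1 <= ratings[name] <= 5:
            raise ValueError(f"{name}: rating must be 1-5")
    return sum(ratings[k] * w for k, w in weights.items()) / 100

def assessment_type(entity_score, service_score):
    """Map the two-axis profile to an assessment type (thresholds assumed).
    The riskier axis decides, so a small vendor holding sensitive data is
    still assessed on-site."""
    top = max(entity_score, service_score)
    if top >= 4.0:
        return "on-site assessment"
    if top >= 2.5:
        return "desktop review"
    return "self assessment"

def profile_inventory(inventory):
    """Score each third party, drop those whose risk is managed by other
    means, and return (name, entity, service, assessment) riskiest first."""
    rows = []
    for tp in inventory:
        if tp.get("risk_managed_elsewhere"):
            continue  # e.g. a regulator: outside this assessment program
        e = weighted_score(tp["entity"], ENTITY_WEIGHTS)
        s = weighted_score(tp["service"], SERVICE_WEIGHTS)
        rows.append((tp["name"], round(e, 2), round(s, 2), assessment_type(e, s)))
    return sorted(rows, key=lambda r: max(r[1], r[2]), reverse=True)

def third_party(name, entity, service, managed_elsewhere=False):
    """Build an inventory record from rating lists given in weight-table order."""
    return {"name": name, "risk_managed_elsewhere": managed_elsewhere,
            "entity": dict(zip(ENTITY_WEIGHTS, entity)),
            "service": dict(zip(SERVICE_WEIGHTS, service))}

SAMPLE_INVENTORY = [  # constructed, hypothetical third parties
    third_party("payroll SaaS vendor", [2, 3, 4], [4, 4, 5, 5, 3, 3, 5]),
    third_party("marketing agency", [3, 2, 3], [2, 3, 3, 3, 2, 1, 2]),
    third_party("office supplies vendor", [1, 2, 1], [1] * 7),
    third_party("state regulator", [], [], managed_elsewhere=True),
]
```

Running `profile_inventory(SAMPLE_INVENTORY)` puts the payroll vendor (service score 4.4) on-site, the agency (entity 2.6) in a desktop review and the supplies vendor (1.4 / 1.0) in self assessment; the regulator never reaches scoring.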
Develop an efficient assessment approach (continued)
Example – Third party performance scorecard
Track, report and respond to assessment results
1. Profile
- Preliminary Entity Profiling and Preliminary Service Profiling, using inputs from: Business Sponsor, Previous Assessments, Third party contacts, Contracts
- Preliminary Third Party Rating
- Output: Assessment Type, Assessment Scope
2. Assess
- Third Party Data Collection
- Technical Security Assessment
- Third Party Processes and Controls
- Assessment Report / Third Party Report: Inherent Risk Rating and Score, Residual Risk Rating and Score
3. Review and Decide
- Business Action: Accept, Share/Transfer, Reduce
- Remediation and Reassessment
- Periodic Review
Questions & contact information
John Maynor, Director, IT Risk & Security Assurance
[email protected]
(937) 469-3042
Not for further distribution without the permission of PwC. These materials are for general information purposes only, and are provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties or merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser. This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. 
You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.