Auditing in a digital environment Building digital trust

Transcription

1 Auditing in a digital environment Doris Davis CIIA Exeter Met Office 9 th March 2016

2 So what is the digital security issue? 89% of large businesses identified a security breach in the last year 42% of large organisations which suffered a breach had customer confidential data compromised 25% of large organisations which suffered a breach also had their brand and reputation compromised 82% of small businesses identified a security breach in the last year 35% of small organisations which suffered a breach had customer confidential data compromised 33% of small businesses identified current employees as a source of a security incident Global State of Information Security Survey 2016 conducted by Slide 2

3 So what is the digital security issue? 91% of businesses have adopted a risk-based Cyber Security framework 65% of organisations collaborate with others to mitigate information security threats 45% of boards actively participate in the overall security strategy 52% of businesses have established security standards or baselines for third-parties Global State of Information Security Survey 2016 conducted by Slide 3

4 What information really matters To your business and your adversaries? What is most at risk? Business deals information Military technologies Healthcare, pharmaceuticals, and related technologies Clean technologies Energy and other natural resources information Personal data Macroeconomic information Advanced materials and manufacturing techniques Information and communications technologies Agricultural technologies Business need to understand: What are their most valuable information assets (e.g. IP, client data) Where are they located in the business ecosystem at any given time (e.g. 3rd parties, partners)? Understand what are the main cyber threats to their businesses, and who the adversaries are To address this increasing threat Businesses must act proactively through prioritising and allocating resources to effectively protect the information assets today and into the future. Slide 4

5 The global business ecosystem Where else are the risks? Evolving use of technology Distribution Manufacturing Adoption of cloud-enabled services; Internet of Things ( IoT ) security implications; BYOD usage Industry/ Competitors Procurement Suppliers Logistics Value chain collaboration and information sharing Persistent third party integration; third party access requirements; usage and storage of critical assets throughout interconnected ecosystem Customer service Sales and marketing ABC Co. Materials Productions Operational complexity and reliance R&D Customers Strategic alliances Partners Joint Ventures Real-time operations; product manufacturing; service delivery Advertising Delivery and logistics Governmental Equity partnerships Slide 5

6 A change in historical perspectives Historical IT security perspectives Today s digital security insights Scope of the challenge Your business, your data Interconnected global business ecosystem with third-party relationships Ownership and accountability IT led and operated Business-aligned and owned; CEO and board accountable Adversaries characteristics One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain Organised, funded and targeted; motivated by economic, monetary and political gain Information asset protection One-size-fits-all approach Prioritise and protect your crown jewels Defence posture Protect the perimeter; respond if attacked Prepare, monitor, and rapidly respond for when attacked Security intelligence and information sharing Keep to yourself Public/Private partnerships; collaboration with industry working groups Slide 6

7 General Data Protection Regulation Overview The EU General Data Protection Regulation ( GDPR ) will impose a radical, much tougher data protection regulatory framework on Europe and the wider world for the processing of personal data. The adoption of the GDPR will present many entities with numerous new challenges. Key issues to be aware of include: Compliance Strict new compliance requirements will be imposed. For example, entities will have to perform Data Protection Impact Assessments and data protection audits as a matter of course. They will have to implement Data Protection by Design and by Default methodologies into their business, so that compliance is baked-in to everything they do. They will have to deliver on a new Accountability obligation, which means, for example, creating written compliance plans and documenting processing activity and data flows, which they will have to deliver to regulators on demand. Usage controls Consent Bundling Aggregation Supervision Breach disclosure Fines Litigation Personal data will be subject to strict new usage controls. These include data minimisation, data portability and right to be forgotten principles, which will require entities to limit the use of data, to enable individuals to take their data with them at the end of a relationship and to delete and destroy data on request. Obtaining consent to use personal data will be much harder to achieve and to prove. The provision of a service that is conditional upon the individual giving permission for their data to be used for nonessential purposes (such as marketing) will be banned. The ability to aggregate data to enable an individual to be profiled (a common objective in new digital projects) will be severely curtailed. Regulators will also be empowered to carry out audits and inspections of entities on demand. Entities will be required to report serious contraventions of the law to the regulators and to people affected. Public disclosure of failure is likely to fuel regulatory sanctions and compensation claims, as well as causing damage to brand and reputations. Serious contraventions of the law will be punishable by fines of up to 20m or 4% of annual worldwide turnover for groups of companies (whichever is higher). Citizens and pressure groups will be given the right to engage in group litigation ( class actions ) to recover compensation for mere distress caused by contraventions of the law. Slide 7

8 GDPR Implementation Timeline July 2009 Consultation launched on challenges for personal data protection. After over 4,000 amendments, regulation is finalised and published. Early 2016 Early 2018 Time regulation is required to be implemented in all EU Member States. Slide 8

9 Protecting Your Information What does good look like and how do you prove it? You have an organisational view on what Privacy means to you Example: a high level Vision and Values statement, with Board buy-in. You have a clear understanding of what data is held, where it is and who has access to it Example: create of data flow maps. You understand how Privacy and Data Protection fit into your overall business strategy Example: an analysis of the business impact of getting privacy right or wrong. You know how well you are protecting the data, and where you are not Example: undertaking penetration testing You understand and manage the risks introduced to the data by third parties Example: a vendor due diligence process Your Privacy model is designed with agility in mind given the ever changing Privacy landscape Example: support for anonymisation and suppression You are using the data for the purpose that you have committed to and nothing more Example: purpose limitations trained on and monitored You understand your legal obligations here and abroad and are tracking developments in regulatory enforcement actions and case law Example: General Counsel engagement 1. In an operational sense what does legal compliance and risk management look like? 2. How are the desired operational outcomes actually achieved? 3. How do you prove that they have been achieved? 4. What positions will you actually advance when challenged? Slide 9

10 Cyber Security confidences You can t secure everything Set the right priorities: Protect what matters Strategy, organisation, governance and enterprise security architecture Threat intelligence Seize the advantage Exploit the next digital opportunity with confidence: Compliance with privacy and regulation Digital trust is embedded in the strategy Risk management and risk appetite It s not if but when Build an intelligence-led defence, enabling rapid cyber response: Continuity and resilience Crisis management Incident response Monitoring and detection Fix the basics Use technology to your advantage, maximising return from technology investments: Identity and access management Information technology hygiene Information technology, operations technology and consumer technology Security intelligence and analytics People matter Their risk is your risk Understand and manage risk in your interconnected business ecosystem: Digital channels Partner and supplier management Robust contracts Build and maintain a secure culture, where people are aware of their critical security decisions: Insider threat management People and Moments that Matter Security culture and awareness Slide 10

11 Key areas for auditing in the digital age Data Protection Cyber Hygiene Threat Awareness and Response Assess policies and procedures related to: The identification and protection of crown jewels through data classification Monitoring and Visibility of systems Storage and transfer of Sensitive Data Assess for the following: Change and patch management Maximise systems availability Control of Super Users, Segregation of Duties, access removal and recertification Backups and Disaster Recovery Assess policies and procedures related to: Intrusion Detection & Prevention Understand threats and identify key threat actors Business Continuity and Disaster Recovery Regulation and Compliance The Mobile Workforce Third-Parties Assess compliance with the following: Data Protection Regulation State Breach notification laws Regulatory requirements of other countries SOX compliance FCA Compliance Assess efficiency and/or accuracy of: Policies and processes for Remote Access, Connection & Data Transmission BYOD policies and encryption for remote devices Employee awareness and training Assess the security environments of third-parties as you would your own: Request/ produce controls reports (SAS70, SSAE16 or ISAE 3402) Ask for/ obtain information security accreditation (Cyber Essentials or ISO27001) Slide 11

12 10 Questions boards and CEO s should be asking Enhancing their cybersecurity strategy and capability 1. Is our cybersecurity program aligned with our business strategy? 2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us? 3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners? Understanding and adapting to changes in the security risk environment 4. Do we know what information is most valuable to the business? 5. Do we know what our adversaries are after/what would they target? 6. Do we have an insider threat program? Is it inter-departmental? 7. Are we actively involved in relevant public-private partnerships? Advance their security posture through a shared vision and culture 8. How was our last major event identified; in-house or government identified? 9. Who leads our incident and crisis management program? Is our program cross functional/inter-departmental? 10. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associate with certain business decisions and related activities? Slide 12

13 UK Government initiative CESG 10 Steps to Cyber Security GCHQ, the Security Service (MI5) and the Department for Business, Innovation and Skills (BIS) are encouraging businesses to focus on securing their information Cyber Essentials Scheme: Requirements for Basic technical protection from Cyber Attacks The initiative focuses on measuring board and audit committee awareness of cyber security to help them mitigate associated risks, along with the other top 5 accountancy firms, has been engaged to help drive forward this initiative Basic information risk management can stop up to 80% of cyber attacks seen today, allowing companies to concentrate on managing the other 20% involvement has comprised of making our FTSE 350 audit clients aware of our support for the initiative. GCHQ (CESG 10 Steps to Cyber Security) Slide 13

14 Recap The global business ecosystem has changed the risk landscape Business models have evolved creating a dynamic environment that is increasingly interconnected, integrated, and interdependent Necessitating the transformation of your security practices to keep pace. Focus on securing high value information and protecting what matters most Rather than treating everything equally, companies should identify and enhance the protection of their crown jewels in line with Data Protection law s while maintaining a consistent security baseline within their environment. Know your threats Motives, means, and methods Sophisticated adversaries are actively exploiting cyber weaknesses in the business ecosystem for economic, monetary or political gain Requiring threat intelligence, proactive monitoring and deep response capabilities. Embed cyber security into board and executive-level decision making Creating an integrated, business aligned security strategy and program requires awareness and commitment from the highest executive levels of the organisation In order to apply the appropriate resources and investments. Slide 14

15 Questions? Slide 15

16 Wales and West Cyber Security Doris Davis Wales and West IT Risk and Governance Lead E: M: Rhodri Evans Wales and West Cyber Security Lead E: M: Ed Pocock Wales and West Cyber Security team member E: M: Slide 16

17 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it PricewaterhouseCoopers LLP. All rights reserved. In this document, refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.