ERM Symposium April Moderator Nancy Bennett

Transcription

1 ERM Symposium April 2009 RI4-Implementing a Comprehensive Privacy Program John Kelly Joseph Nocera Moderator Nancy Bennett

2 Data & Identity Theft: Keeping sensitive data out of the wrong hands Presented by: Joe Nocera PricewaterhouseCoopers LLP Agenda The facts Evolving business risks The changing landscape Understanding your risk profile Data & Identity protection framework What you should be considering Our recommendations Benefits for having a strategy in place

3 The facts The Federal Trade Commission estimates that the annual losses to business from data and identity theft amount to almost $50 billion. Nearly 90% of our ethical hacking tests are successful in gaining access to highly sensitive information. High profits and sophisticated techniques are making data and identity theft more lucrative, easier to conduct, and more difficult to police. Weak international laws make it difficult to prosecute thieves. Business collaboration networks exchange vast amounts of information globally, yet protection methods have not kept pace. Evolving business risks U.S. private company data and identities are increasingly at risk of theft Data is portable, and can be easily transferred and replicated - once distributed, all subsequent media Insert are potential breach Title points Copy Here Economic incentives to commit counterfeiting and piracy activities contributed to the growth in data and identity theft in recent years Shifting business models that emphasize collaboration with 3rd parties make traditional protection methods inadequate (e.g., Application Security, Perimeter Controls) Compliance is merely the minimum level of security needed compliance does not equal security An unpleasant fact is that most company security measures are compliance-focused, which are inadequate against today's sophisticated threats.

4 The changing landscape This is an IT issue The old way: This will never happen to us Risk exposures are small and manageable Disorganized, amateurish hackers working out of their homes, doing it for fun rather than money Negligible impact on customers, employees, and company costs We trust our employees to secure our information. The new way of viewing it: Companies of all sizes and across all industries confront a real, growing, and strategic risk from data and identity theft. Theft is a lucrative business for sophisticated, organized criminal enterprises based worldwide. Data loss commonly occurs through physical loss, data exchanges, fraud, and human error; rather than just IT breaches. Loss of personal data leaves customers and employees at risk of fraud and personal identity theft. Employees and collaboration networks are the most common data leak sources. Risks are substantial, including customer lawsuits, erosion of future revenue, loss of brand reputation and customers, government fines, and new regulation. We passed our audit, so we re safe Data protection is a CEO-level concern. Understanding your risk profile Data Proliferation: Determine the inventory, locations, classification levels and states of Highly Sensitive company information. Understand the uses of this data and how well is safeguarded through its life-cycle. Breach Indicators: Analysis of suspicious activity that seeks to identity evidence of targeted attacks or compromise of highly-sensitive company data. Protection Capabilities: End-to-end safeguards applied to highlysensitive data. These protections should exist for all data stores and users of high-risk data; including data centers and on mobile devices. Active Response: Actions taken to determine the scope; collect and protect evidence; minimize the business impact; and resume business as usual operations.

5 Data & Identity protection framework Data Proliferation Proactive Breach Indicators Protection Capabilities Reactive Active Response Threat modeling Data Identification Data Classification Data Inventory (structured and unstructured) Data Governance Identification of suspicious files and applications Identification of suspicious data flows Company intelligence Structured Data Controls Unstructured Data Controls Security Training and Awareness Governance Security Monitoring Recommend Remediate Incident Handling Investigations and Forensics Post Settlement Management Incident Response Physical Testing What you should be considering Where is your most sensitive data and who has access to it? What regulations and standards apply to your data? Do your safeguards alert you to ongoing security threats? Do your employees, customers, and business partners understand their role in protecting sensitive information? Do your safeguards provide data with end-to-end protection, including mobile devices? Does your collaborative business model put your data at risk? What is the likelihood that you have been a target of data and identity theft?

6 Our recommendations An effective approach to mitigating data and identity theft risk would include these elements: Develop and implement a detailed data security plan. Identify and classify data according to sensitivity and risk. Know where it resides and flows. Understand the threats that are specific to your data and your organization. Implement protection capabilities to safeguard your sensitive data end to end. Test your protection capabilities. Monitor them continually and update them as necessary. Plan for a controlled and coordinated response to incidents when they occur. Benefits for having a strategy in place Gain control over sensitive data Reduce the cost of data breaches Achieve greater visibility into how data are used throughout the organization Help secure a company's reputation, competitiveness, and financial well-being

7 Thank You Joseph J Nocera PricewaterhouseCoopers LLP Office: (312) joseph.nocera@us.pwc.com 2009 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, other member firms of PricewaterhouseCoopers International Ltd., each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.