Cyber Security Compliance

Transcription

1 Cyber Security Compliance How to protect enterprise data appropriately? Digital Transformation, Cyber Security & Compliance 3. May 2016

2 What I will cover in this «Afterwork Event»: The current Megatrends: The digital future: The Challenges: My tasks for enablement: Apply to your enterprise Digital Transformation Misuse of services and data More data My personnel digital assistant The Internet of Things (IoT) What data to protect? Threats? Increase in regulation Digital Privacy Verify process, classification Cyber threat analysis Apply appropriate measures Adapt to my situation Adapt to my environment Ready for the digital future 2

3 Where we currently are on the crossroad to lose control over our digital data Industry 4.0 / IoT Cyber Abuse / Crime (I 1 ) Identity (I 2 ) Infrastructure End Point Server, Database Machin, Sensor (I 3 ) Information Megatrends influencing your enterprise Business Process of your enterprise Your Enterprise Appropriate protection of digital data Privacy Regulatory Compliance Cyber Security 3

4 Regulation is increasing incompliance is a big risk GDPR (EU) has a maximum fine of 4% of global turnover Strategy Policy Framework Regulatory requirements to consider: Data Protection Law (CH/ EU GDPR) Business Law (GeBüV / MwSt. ElDI-V) FINMA (Financlial Services) Industry Standards (egov, ehealth, etc.) PCI-DSS Etc Applied Abgebildet in den Business Prozessen ihrer Firma Where are my crown jewels along my business processes? Employee Data (standard, enhanced protection, profile) Client / Partner Identifiable Data Intellectual property, corporate confidential 4

5 The rule how to find the sensitive data? «appropriate» means to understand the business impact on data loss Business Process Vison Mission Values Data Governance Data classification policy Data ownership Risk management & appetite IT & Security Architecture IT applications IT system & platforms Network & Interfaces Information At rest (end point, cloud) In transit Processed 5

6 I 3 Identity Infrastructure Information Data analytics to detect incompliance and misuse Identity IT Infrastructure Information Identity & Access Management User who wants to access Device used to access Hardware, Software, Platform, Application and Network with eco systems used to manage Universe of enterprise data and lake of security and management data Who Person (Employee, Client, Partner) Role (User, Admin, etc.) Device How Trusted / untrusted? Person, Device / Application Purpose Is there a legitimate use case behind? HW, SW, Eco-System, Management Interconnects components Data security measures Accountability (log files) Processed At rest In Transit 6

7 Approach: «Digital Trust & Compliance by design» integrated in the business process not amended Process Trust & Compliance Measure Measure Measure Data Access Data Process Data Transaction Data Data Analytics/BIG DATA Process integrated Compliance Reports Guiding Principles: 1. Design a process in a way, that only permissible transactions are possible 2. Process steps include measures and enforcement of boundaries and collect meaningful data to monitor effectiveness 3. Data analytics and continuous auditing enable compliance relevant data is collected, processed and monitored 7

8 Step by step approach to protect enterprise data appropriately: 1. Identify «Crown jewels» in your enterprise in particular: Personally, Client Identifiable Data, Intellectual Property 2. Create and maintain an asset register to have a clear view what application / platforms process and store PID / CID and who has access to that data 3. Nominate a Data Owner responsible for classification and protection measures according regulation and risk appetite 4. Risk register of cyber threat scenarios along 5-8 business processes where sensitive data are processed 5. Draft an overarching Security Architecture with coordinated security measures operated by a motivated and skilled team 6. Establish a SOC with: Monitoring, Event Management, Incident Management and Response Process 8

9 Kontakte Lorenz Neher Zürich Senior Manager Tel Reto Häni Bern Partner Tel

10 Applied Digital Trust & Compliance erfordert das Sammeln und Aufbereiten von relevanten Daten People, Processes, Technology Governance & Control Framework Infrastructure, Device, Data Mgmt. User and devices trusted? Compliant? Compliance Layer 1: user and device identification ICT Infrastructure on premise, outsourced or in the cloud Compliance Layer 2: Infrastructure and data access Compliance Layer 3: Gateways and zone transitions Digital Data classified, separated in Compliance Mgmt. Regulation & Standards Requirements & policies Data analytics (SIEM, etc.) Strategy and risk appetite Security, Privacy, Compliance Information (big data) Compliance & Security Dashboard(s) 10

11 General Data Protection Regulation (GDPR): 11

12 Was kann passieren, wenn ich meine Aufgabe als Compliance Officer / CISO nicht wahrnehme? Slide 12

13 Personendaten klar unterscheiden und angemessen schützen Gesetz und Verordnung VDSG (Verordnung zum DSG) Slide 13

14 Security Management und Daten Governance Slide 14