Data Security: Recent Events, Trends and Best Practices

Transcription

1 EXPLORE OUR WORLD Data Security: Recent Events, Trends and Best Practices Presented to: IAOP, London By: Tony Lucas EMEA Head of Compliance, Sitel Date: 8 th October 2008

2 Data Security Challenges for the Outsourcer National, EU & International Legislation e.g. Data Protection, Sarbanes Oxley, Computer Misuse, Software Copyright, etc Sector Specific Industry Regulations e.g. Telecommunications, Financial Services Industry Standards e.g. Direct Marketing, Basel2, PCI Corporate Security Policies Client Security Policies International Standards ISO27001 Security, ISO25999 (BCP), ISO19770(Software)

3 Data Security The real cost of a security breach Data breaches cost UK companies an average of 47 for every record lost The average cost to a company which suffers a data breach is 1.4m From a total of 47 per record, the cost from lost business in the wake of a data disaster is 36 per cent or 17 * Source Ponemon Institute study

4 Data Security Recent Events TJX - Parent company of TJMaxx (2008) TJX announces unauthorized intrusion, potentially compromising cardholder data back to 2003 Estimated 100 million records compromised TJX suffered an outright $256 million USD loss, and could face an even higher penalty based upon the maximum penalty of $500k/incident of customer data lost (yes, $500k * 94 million) and/or the complete loss of rights to process credit card transactions J.C. Penney (2008) JC Penney announces unencrypted back-up tape missing from archive facility since October 2007 Estimated 650,000 records compromised HMG (2008) The loss of a USB stick containing unencrypted data on 84,000 prisoners by a management consultancy firm working for the Home Office HSBC (2006) Call centre worker at HSBC's Bangalore offshore operation arrested on hacking charges relating to theft of 233,000 from the accounts of some of the bank's UK customers HSBC alerted to the fraud by its internal security systems, which discovered that confidential account information of a small number of UK customers had been accessed and leaked by a member of staff at the data processing centre in Bangalore Reports claim that worker was paid just under 1,000 to leak the confidential account details by a criminal gang in the UK, which used the information to set up money transfers from the victims' accounts

5 Data Security - Trends Economic downturn forces reduction in corporate operating costs Outsource non-core business functions Cost of maintaining security compliance internally Staff Recruitment and Retention costs Requirement for security compliance used to differentiate BPO s Compliance to client security policies Complexities of compliance often not fully understood PCI SAS70 ISO27001

6 Payment Card Industry Data Security Standard (PCI- DSS) Card schemes (Amex, MasterCard, Visa, JCB, Discover) have their own security standard, making it challenging for organisations to become/remain compliant with the needs of each, so PCI DSS was created Payment Card Industry - Security Standards Council (PCI SSC) Formed on 15 December 2004 Fundamental principle of providing a single standard for the protection of payment cardholder data (stored, processed, transmitted) Payment Card Industry - Data Security Standard Comprising 12 twelve principle requirements Version 1.2 announced on 1 October 2008 Certification Requirement to maintain compliant and complete annual re-certification Third-party auditor (QSA) or self assessment for low transaction volume businesses Why now? Card schemes are spreading risk & cost of fraud to merchants and service providers who take the payments Challenges with compliance to a number of Card issuer standards, so card schemes agreed a common standard Legislation requiring disclosure of credit card/personal data loss Increase in electronic fraud risks and volume of electronic fraud

7 Data Security Understanding Fraud Risk Controls Workforce management Training & Awareness Managing applications and tools Physical security controls Personally identifiable and financial data Incident management

8 Managing Data Security within an outsource arrangement Perform security risk assessment prior to outsource Understand the risks associated with the outsource activity Applications and tools Data flows Processes and procedures Early engagement Mutual understanding of the risks Testing and training Clarify bi-directional responsibilities and accountability Managing security risk throughout the contract lifecycle Communicate openly Establish compliance and incident management programme Brand and corporate reputation and financial accountability remains with the client

9 EXPLORE OUR WORLD