Data Centric Security Management Protecting information in a rapidly evolving and interconnected future
Speakers Bio Clint Jensen Director (San Francisco) IT Security Privacy & Risk Mobile: (415) 498-7344 E-mail: clinton.m.jensen@us.pwc.com Talha Tariq Manager (San Francisco) IT Security Privacy & Risk Mobile: (415) 728-7952 E-mail: talha.bin.tariq@us.pwc.com Clint is a Director with over 12 years of experience with information security strategy, IT security risk management program design and execution, security controls design and review, and data protection program design and execution. He currently focuses on assisting organizations with the following types of engagements: Security Program Development and Process Design Data Protection Program Design, Remediation, and Enabling Technology Deployment Privacy, PCI, and Other Regulatory Assessment and Remediation Threat & Vulnerability Assessment and Remediation ISO27001 Readiness Strategy Planning and Execution IT Security Control Framework Customization, Adoption, and Controls Audit Technical Configuration Definition, Testing, Deployment, and Monitoring Talha is a Manager in PwC's IT Security, Privacy & Risk practice with more than 7 years of international experience in information security strategy, design and technical security assessments. He is a contributing member of the OWASP Mobile Security project, member of the PwC Attack & Penetration and Mobile Security Core Team, He is also the west region Subject Matter Specialist on malware trends, Advanced Persistent Threats and leads the Attack and Penetration testing teams on the west coast. Prior to joining PwC, Talha worked at Microsoft and Sun Microsystems and has Research & Development experience in Secure Operating Systems, Virtualization and Secure Cloud computing. His work has been published in renowned conferences and tech magazines and he holds a patent in building trusted platforms.
Speakers Bio Chris Toohey Partner (San Francisco) Internal Audit Mobile: (925) 872-2965 E-mail: christopher.j.toohey@us.pwc.com Mike Corey Partner (San Francisco) IT Risk & Security Mobile: (415) 505-2482 E-mail: michael.j.corey@us.pwc.com Chris is a Partner in PwC s San Francisco office and leads the Internal Audit Services Practice. He has been engaged to perform a wide array of governance, risk and controls related services during his 26-year professional career. This experience includes conducting internal and external audits on public companies, non-public companies and quasi governmental agencies and serving as the Audit Committee Chairman and on the Boards of several non-profit organizations. Chris specializes in assisting clients understand and manage complex operational processes, IT, accounting, and financial reporting requirements. His overall responsibilities focus on providing leadership in the planning and execution of risk based internal audit services encompassing governance, IT, regulatory, compliance process and controls analyses. More specifically, he provides thought leadership; manages groups of professionals to identify, monitor and mitigate risk; and participates in process improvement and project management support, as necessary. He also assists company management in executing its business objectives while also aiding the Audit Committee of the Board of Directors in discharging its fiduciary responsibilities. Mike is a Partner with over 20 years of experience leading internal audit, IT internal audit, information security strategy, IT security risk management, data protection and privacy engagements. Mike is responsible for our West Region IT Risk and Security practice. This practice specializes in providing IT risk and information security services to our internal audit clients. Mike s experience includes leading numerous IT Internal Audit outsourcing and co-sourcing engagements and is a CPA and CISA. Prior to joining PwC, Mike led the IT Internal Audit department for a large Midwestern financial service company.
The new reality 4
Breaches are frequent and large 47,000+ reported security incidents *Source: Verizon 2013 Data Breach Investigations Report 700m+ records lost last year 44m+ compromised data records Organizations reporting losses of $10M or greater increasing 75% from 2011. * 2014 PwC Global State of Information Security Average cost of data breach is approximately $5.4m Average cost per record: $188 *Source: Ponemon Institute s 2013 Annual Study: U.S. Cost of a Data Breach 5
Significant Data Breaches in 2013 Company Breach Stats Details Target 110 million records A data breach over a three week period capturing credit and debit card records. Encrypted PIN information also stolen. Other Customer Information may also have been stolen. Schnuck Markets CorporateCar Online.com Adobe 2.4 million records In October, Schnucks agreed to a proposed class-action settlement stemming from the breach of its computer systems. 850,000 records Hackers stole and stored information online related to customers who used limousine and other ground transportation for this St Louis based limo software provider. The online information included plain text archives of credit card numbers, expiration dates, names, and addresses. Many of the customers were wealthy and used credit cards that would be attractive to identity thieves. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump. 38 million customer accounts 3 million credit card accounts Originally just thought to be a compromise of 3 million PII records, the loss of a vast trove of login credentials was subsequently, and, more also its source code for various applications LivingSocial 50 million accounts Computer systems were hacked, resulting in unauthorized access. The company updated its password encryption method after the breach. Names, email addresses, dates of birth, and salted passwords were stolen. Advocate Medical Group 4 million patient records stolen The theft of four computers from offices owned by this medical company exposed more than 4 million patient records. One of the largest losses of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009. 6
The actors and the information they target Adversary What s most at risk? Nation State Industrial Control Systems (SCADA) Emerging technologies Hacktivists $ Payment card and related information / financial markets Advanced materials and manufacturing techniques Organized Crime Military technologies Healthcare, pharmaceuticals, and related technologies Business deals information R&D and / or product design data Insiders Health records and other personal data Information and communication technology and data Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011. Adversary motives and tactics evolve as business strategies change and business activities are executed; crown jewels must be identified and their protection prioritized, monitored and adjusted accordingly. 7
Risk and Impact Evaluation Why organizations have not kept pace Years of underinvestment in certain areas has left organizations unable to adequately adapt and respond to dynamic cyber risks. Board, Audit Committee, and Executive Leadership Engagement Business Alignment and Enablement Insider Threat Physical Security Operational Technology Security Secure Mobile and Cloud Computing Patch & Configuration Management Critical Asset User Identification and Administration Protection Ecosystem & Supply Chain Security Product & Service Security Technology Adoption and Enablement Threat Modeling & Scenario Planning Monitoring and Detection Threat Intelligence Global Security Operations Public/Private Information Sharing Breach Investigation and Response Notification and Disclosure Incident and Crisis Management Privileged Access Management Compliance Remediation Process and Technology Fundamentals Security Technology Rationalization Technology Debt Management Security consectetur Culture and adipiscing Mindset elit Resource Prioritization Security Strategy and Roadmap Security Program, Functions, Resources and Capabilities 8
Risk and Impact Evaluation Has your organization kept pace? Questions to consider when evaluating your ability to respond to the new challenges. Identify, prioritize, and protect the assets most essential to the business Have you identified your most critical assets and know where they are stored and transmitted? How do you evaluate their value and impact to the business if compromised? Do you prioritize the protection of your crown jewels differently than other information assets? Insider Threat Critical Asset User Identification and Administration Protection Ecosystem & Supply Chain Security Product & Service Security Technology Adoption and Enablement Board, Audit Committee, and Executive Leadership Engagement Physical Security Threat Modeling & Scenario Planning Monitoring and Detection Understand the threats to your industry and your business Who are your adversaries and what are their motivations? Business What information Alignment are they and targeting Enablement and what tactics are they using? How are you anticipating and adapting your strategy and controls? Threat Intelligence Global Security Operations Operational Technology Security Public/Private Information Sharing Breach Investigation and Response Notification and Disclosure Incident and Crisis Management Privileged Access Management Compliance Remediation Evaluate and improve effectiveness of existing processes and technologies Have you patched and upgraded your core platforms and technology? How are you securing new technology adoption and managing vulnerability with your legacy technology? Have you evolved your security architecture and Secure Mobile associated processes? Patch & and Cloud Configuration Computing Management Process and Technology Fundamentals Security Technology Rationalization Technology Debt Management Security consectetur Culture and adipiscing Mindset elit Resource Prioritization Enhance situational awareness to detect and respond to security events How are you gaining visibility into internal and external security events and activities? Are you applying correlation and analytics to identify patterns or exceptions? How do you timely and efficiently determine when to take action? Develop a cross-functional incident response plan for effective crisis management Security Strategy and Roadmap Have your business leaders undertaken cyberattack scenario planning? Do you have a defined cross functional structure, process and capability to respond? Are you enhancing and aligning your plan to ongoing business changes? Security Program, Functions, Resources and Capabilities Establish values and behaviors to create and promote security effectiveness How is leadership engaged and committed to addressing cyber risks facing the business? What sustained activities are in place to improve awareness and sensitivity to cyber risks? How have your business practices evolved to address the threats to your business? 9
The security challenge now extends beyond the enterprise Global Business Ecosystem Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent. The ecosystem is built around a model of open collaboration and trust the very attributes being exploited by an increasing number of global adversaries. Constant information flow is the lifeblood of the business ecosystem. Data is distributed and disbursed throughout the ecosystem, expanding the domain requiring protection. Adversaries are actively targeting critical assets throughout the ecosystem significantly increasing the exposure and impact to businesses. Years of underinvestment in security has impacted organizations ability to adapt and respond to evolving, dynamic cyber risks. Pressures and changes which create opportunity and risk 10
Protecting Data & Role of IA 11
Data Privacy & Information Security Risks Compliance with government or industry regulations / enforcements (HIPAA, PCI, GLBA, COPPA, FTC Act) Compliance with selfregulatory frameworks (i.e., U.S.-EU Safe Harbor, TRUSTe, DMA OBA Principles) Compliance Financial Companies face several financial risks associated with a breach: Federal/state regulatory fines Stock price decline Remediation efforts Reputational Risk Factors Legal Companies are experiencing increasing lawsuits from: Employees Customers Investors Negative impact to the brand Loss of employee, customer, & investor confidence Regulatory Enforcement actions from federal and state agencies Regulatory inquires may require long-term third party remediation in order to verify regulatory compliance 12
Risks generally not perceived as well managed Risks seen as increasing the most in the last year Economic uncertainty Regulations and government IT security/cyber security Data privacy Government spending and taxation Competition Commercial market shifts Financial markets Large Programs (such as ERP) Talent and labor Risks seen as the most well managed last year Talent & Labor Competition Reputation/brand Financial markets Fraud and ethics Government spending and taxation Mergers, acquisitions and JVs Regulations and government policies IT / Cyber Security Economic uncertainty 85% believe security threats are increasing, yet only 12% think their organization manages risks extremely well. Source: PwC s 2013 State of the Internal Audit Profession Study 13
Organizations with high-performing internal audit functions manage risk better than others Source: PwC s 2013 State of the Internal Audit Profession Study 14
What you should be thinking 15
Having a Program In Place to Protect Data A comprehensive program is needed to address the myriad of compliance requirements, and to protect consumer information and sensitive company information. Incident Response Governance Monitoring & Auditing Risk Assessment Training & Awareness Processes & Controls Technical Security & Controls 16
Strategic Approach : End to End Data Lifecycle Protection Organizations have historically focused on protecting the perimeter to prevent intrusion (and therefore data loss). The organizations should start by looking at various stages of the Information Lifecycle and understand the best way to protect sensitive data in each of these stages. 17
Engage your Stakeholders Data protection and privacy is a relatively new consideration within the Risk Management disciplines. As a result, the manner with which organizations address this risk could differ widely. Some of the typical stakeholders associated with data protection and privacy concerns are listed below: Process Area Legal Marketing Information Security Internal Audit Compliance Privacy Office Concern (examples) FTC complaints Records Management ecommerce initiatives CRM Social media campaigns Audit findings PCI readiness Data breaches Board or Audit Committee requests Increasing the enterprise risk scope HIPAA (healthcare), GLBA (financial) Regulatory examination Governance structure Operating privacy, how to live by the privacy policy 18
Data Protection and Privacy Program Monitoring Ongoing auditing or monitoring of a company s data protection and privacy program is essential. Example of areas that auditing and monitoring activities should focus on include: Data protection and privacy program gap assessment Evaluation of, or assistance with, the company s periodic data protection and privacy risk assessment process Compliance with established data protection and privacy policies and procedures Data protection and privacy training and awareness programs Data protection and privacy related remediation Third party/vendor data protection and privacy practices 19
Considerations for Your Organization Understanding threats Has your data been exposed and would you know if it were? Do you know what breach indicators you should be monitoring? Building protections Has the company established formal governance and controls to protect the sensitive data? Are the controls and safeguards periodically tested? Have the controls and safeguards been updated to respond to changing business models? Responding to incidents Are you prepared to respond to legal actions? If a Regulator were to inquire or investigate the company, would the company be prepared to respond? Has the company established formal plans to respond to incidents when they occur? PwC 20
Considerations for Your Organization Understanding Company Governance & Awareness What are the company s compliance requirements? What is the culture of the company and what is the philosophy regarding information security and privacy? Who leads the efforts for information security (e.g., Steering Committee)? How does the company ensure alignment between the management and staff? What is the company trying to achieve with their information security/privacy program? Understanding sensitive data What sensitive data do you have that needs to be protected? Has the company classified and inventoried that data? Who has access to sensitive data internally and externally? Who is responsible for protecting your sensitive data? Who is responsible for the oversight of vendors that may hold sensitive data? PwC 21
Coordinated lines of defense Senior management Board/audit committee 1st 2nd 3rd Line of defense: Management Functional and line management are responsible for operationalizing risk management and internal controls Line of defense: Risk Mgmt & Compliance Risk management and compliance functions are responsible for establishing and monitoring effective risk management policies & standards Line of defense: Internal Audit Internal audit is responsible for providing objective assurance and advice on governance, risk, and compliance to the board and executive management 22
The role of internal audit Internal Audit can play a role in the ongoing independent monitoring of a company s data protection and privacy program. Keep the board abreast of emerging security and privacy risks Embed yourself in key activities that roll out new business processes, products or information systems (i.e., privacy by design) Communicate with the board and executive management Privacy/Security program gap assessment Evaluation of, or assistance with, the company s periodic privacy/security risk assessment process Audits of established privacy/security policies and procedures and/or controls Audits of privacy/security training and awareness programs Audits of third party/vendor data protection and privacy practices 23
Questions you should be asking 1. Is our cybersecurity program aligned with our business strategy? Enhancing security strategy and capability Understanding and adapting to changes in the security risk environment Advance their security posture through a shared vision and culture 2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us? 3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners? 1. Do we know what information is most valuable to the business? 2. Do we know what our adversaries are after / what would they target? 3. Do we have an insider threat program? Is it inter-departmental? 4. Are we actively involved in relevant public-private partnerships? 1. How was our last security crisis identified; in-house or government identified? 2. Who leads our incident and crisis management program? Is our program cross functional / inter-departmental? 3. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities? 24
What is important to regulators Accountability and program ownership Considerations of data protection, privacy and security throughout the organization and its processes Training and awareness programs Risk assessment processes Policies/procedures Data protection controls Monitoring technologies and capabilities Focus is on transparency in notice to consumers Do the systems and controls process data as described by your privacy notice? Do consumers have choice, and do they consent? 25
Additional Questions? This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2013 PricewaterhouseCoopers LLP All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Appendix Slides PwC Global State of Information Security Survey 2014 27
A US-only survey shows that, even when in place, security technologies and policies often do not prevent incidents. Respondents to the 2013 US State of Cybercrime Survey, 1 co-sponsored by PwC, say security incidents increased 33%, despite implementation of security practices. For many, existing security technologies and policies are simply not keeping pace with fast-evolving threats. Security technologies and policies in place (US only) Use policy-based network connections to detect and/or counter security incidents 68% Inspect inbound and outbound network traffic 61% Use account/password management in an attempt to reduce security incidents 60% Have an acceptable-use policy 55% Use malware analysis as a tool to counter advanced persistent threats (APTs) 51% Use data loss prevention technology to prevent and/or counter security incidents 51% Use security event management to detect and/or counter security incidents 50% Use cyber-threat research in an attempt to reduce security incidents 25% Do not allow non-corporate-supplied devices in the workplace/network access 17% 1 2013 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Coordination Center at Carnegie Mellon University, Federal Bureau of Investigation, PwC, and the US Secret Service, March-April 2013 28
Despite the potential consequences, many respondents do not adequately safeguard their high-value information. It is imperative that organizations identify, prioritize, and protect their crown jewels. Many, however, have not yet implemented basic policies necessary to safeguard intellectual property (IP). Have policies to help safeguard IP and trade secrets 37% 22% 22% 16% 17% 20% 20% 29% 24% 26% 32% 31% Classifying business value of data Procedures dedicated to protecting IP Inventory of assets/ asset management Regular review of users and access 2011 2012 2013 29
Technology Reliance/Complexity Evolution of the Security Paradigm Shift Assumed State of Compromise Significant and evolving cyberthreats unlike ever before. Highly skilled/motivated, and yet patient adversaries, including nation states. Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers. Massive consumerization of IT and reliance on mobile technologies. Increasing regulatory compliance requirements (e.g., SEC Cyber Guidance). Perimeter Security Layered Security Inclusion & Exclusion Security Focus on security technology for the perimeter. Focus on enhanced layers of security, adoption of incremental security solutions. Heavy focus on identity management right people, right place, right access. 1980s 1990s Time 2000s 2012+ 30
What is this thing on my external network? 31
Internet Cencus 32
Project Sonar 33