Plugging the gap' Data Security Safeguarding consumer information

1
Plugging the gap. Data Security - Safeguarding
consumer information

• Simon Owen, Partner.
• 27 February 2008

2
Plugging the gapHere is the news...
3
Plugging the gapContents

• The environment and drivers
• Commercial environment
• Regulatory environment
• Drivers for safeguarding consumer information
• Security challenges, threats, and trends
• Key issues and challenges
• Where can consumer information be exposed?
• What are the risks and threats?
• Reducing the risk
• Is this a technology problem?
• A multi-layered approach
• Implementing effective controls
• Conclusions

4
Plugging the gapA changing commercial environment

• The market
• Rapid change web economy
• Globalisation and the 24/7 news cycle
  reactivity to leakage
• New regulatory requirements data savvy rule
  makers
• The customer
• Expectations
• Awareness
• Interaction
• The organisation
• Complexity / connectivity
• Changing threat
• Silos mentality
• Cultural issues (Generation M employee)
• Board level awareness

5
Plugging the gapAn increasingly complex
regulatory environment
Switzerland Federal Act on Data Protection
South Korea Act on Promotion of Information and
Communications Network Utilisation and Data
Protection
European Union EU Data Protection Directive, EU
Privacy and Electronic Communications Directive
as implemented by 27 different Member State Data
Protection Laws
Canada PIPEDA and Provincial Privacy Laws
Russia Federal Law of July 27tth 2006 No 152-FZ
on personal data
US Federal HIPAA, GLBA, COPPA, CAN-SPAM, Do Not
Call, Safe Harbor Principles
Japan Personal Information Protection Act (PIPA)
Effective April 1, 2005
Taiwan Computer-Processed Personal Data
Protection Law
Dubai Data Protection Act 2007
Hong Kong Personal Data Privacy Ordinance
California California Online Privacy Protection
Act 2003, Security Breach Notice (Civil Code 1798
Formerly SB 1386)
Chile Law for the Protection of Private Life
India Legislative proposals under discussion
New Zealand Privacy Act
Argentina Personal Data Protection Law,
Confidentiality of Information Law
South Africa Electronic Communications and
Transactions Act
Australia Amended Privacy Act Spam Act
Philippines Data Privacy Law proposed by ITECC
6
Plugging the gapDrivers for safeguarding
consumer information

• Data Protection Act 1998
• - ICO focusing on/requiring compliance with DPA
• Computer Misuse Act 1990
• California SB-1386 requiring notification (how
  soon in EU?)
• Financial Service Markets Act (2000)

Legislation

• PCI Data Security Standards e.g. TJX acquiring
  bank fined
• ICO in promoting and enforcing Data Protection
  regime
• Privacy and Electronic Communications Regulations
  (EU)
• Industry regulators focusing on information
  security e.g. Nationwide fined by FSA

Regulation
Reputation

• Erosion of customer trust (expectation of data
  protection)
• Negative publicity
• - Dispatches and Watchdog investigations
• - Headline news reports in business press
• - Overseas call centre fraud

7
Plugging the gapSecurity issues and challenges

• The 2007 Deloitte Security Survey highlighted
  some of the key issues and challenges that
  organisations are facing
• Just under half of the companies surveyed
  reported that their systems had been breached in
  the past 12 months by attacks
• 86 of companies have not performed an inventory
  to understand where their sensitive data (i.e.
  consumer information) is stored and how it is
  transmitted
• 53 of respondents have no security incident
  management solutions in place
• 60 have not trained their employees to detect
  and report suspicious activities
• 80 outsource certain security activities, but
  64 fail to carry out checks before engagement
  with third parties
• 28 fail to check on third parties once they have
  been engaged

8
Plugging the gapWhere can consumer information
be exposed?
Physical
Endpoints
Wireless devices USB/CD/DVD Keyloggers /
Trojans PDAs and Bluetooth devices iPODs
Printers Backup tapes Fax/photocopiers Lost
mobile devices Phones
Data at rest
Data in motion
Internal networks External network (e.g. the
Internet) Email Telephony Instant messaging
Databases File systems Voicemail Mass storage and
backup systems File servers
Social engineering
Dumpster diving Contractors/cleaners Tailgating Ea
vesdropping
9
Plugging the gapWhat are the risks and threats?

• Hacking for profit (cyber-extortion) vs
  traditional robbery
• State-sponsored electronic espionage
• New technologies are increasing the exposure of
  organisations to new risks e.g. mobile devices
  social networking sites
• Most organisations are struggling to keep up with
  the basics let alone keep pace with these new and
  emerging threats

10
Plugging the gapReducing the risk Is this a
technology problem?

• Some organisations believe that using the latest
  and greatest IT security technology across the
  network is a solution.
• In reality, if deployed as the solution, such
  technology can give a false sense of security.
• Most organisations (86 of those surveyed by
  Deloitte) have not performed an inventory of
  sensitive data and cannot accurately answer the
  following
• What consumer/sensitive data is held?
• Where does it come from?
• Where and how is it being stored?
• Who can access it?
• Where is it being sent?
• Technology solutions are invaluable in this data
  discovery phase, interviews alone will not
  identify all sensitive information.
• The key to achieving good security is through a
  multi-layered approach that builds an IT
  security-conscious culture within an organisation.

11
Plugging the gapA multi-layered approach

• Organisations need to have a comprehensive
  security approach to address
• Understand your current environment, apply the
  right controls and build a sustainable control
  environment through a five step process
• Understand
• What data do we have and where is it stored?
• What are the risks/potential vulnerabilities for
  that data? (both in storage and in transit)
• Control
• What controls need to be applied and to what
  level?
• How do we monitor and report control
  effectiveness?
• Sustain
• How do we stay in control? (policies, procedures,
  awareness etc.)

Governance
People
Process
Technology
Understand
Control
Sustain
Discover Classify Information
Assess Channel Vulnerabilities
Create - Sustain Capabilities
Implement Monitor Controls
Assess Information Lifecycle Vulnerabilities
12
Plugging the gapImplementing effective controls
This is not easy! Activities are difficult to
measure and goal posts are constantly moving New
technology or new threats new challenges
13
Plugging the gapConclusions

• Know where your data is
• The people aspect is critical and often not
  given sufficient attention
• Identifying and changing behaviour
• Embedding behaviours into day-to-day working
• Publication of incidents
• Cultural change takes time
• One-off or short-term awareness and training
  activities are rarely effective
• Security should be embedded into new business
  applications and systems from day one
• Its cheaper and more effective to consider
  security from day one
• Tackle problem at all levels

14
Plugging the gapTen questions to ask internally

• What sensitive/consumer data do we have and where
  is it stored?
• Where is our data coming from and where is it
  being sent? (both electronically and by other
  means)
• Who has access to our sensitive data?
  (particularly what third parties/partners?)
• (in other words questions 1, 2 and 3 are have we
  performed a data discovery exercise?)
• What are our regulatory requirements for
  protecting the data we store?
• What are the expectations of our
  customers/clients when it comes to protecting
  their information?
• Whats the level of data security awareness among
  our own employees?
• What are the specific risks and threats to our
  consumer data?
• Are the controls we currently have in place
  adequate for meeting these requirements and
  protecting this data?
• Would we know if our consumer data had been
  breached? (i.e. how do we monitor and report on
  our data security) and how would we react?
• Do we have the right governance structure in
  place to maintain control over our data?
  (policies, procedures and organisational
  structure/roles)

15
Questions