Plugging the gap: Data Security - Safeguarding consumer information (PowerPoint PPT presentation)

Description: Globalisation and the 24/7 news cycle; reactivity to leakage ... Headline news reports in the business press; overseas call centre fraud.

Slides: 16
Provided by: dominic74

Transcript and Presenter's Notes

1
Plugging the gap. Data Security - Safeguarding consumer information
  • Simon Owen, Partner
  • 27 February 2008

2
Plugging the gap: Here is the news...
3
Plugging the gap: Contents
  • The environment and drivers
    - Commercial environment
    - Regulatory environment
    - Drivers for safeguarding consumer information
  • Security challenges, threats, and trends
    - Key issues and challenges
    - Where can consumer information be exposed?
    - What are the risks and threats?
  • Reducing the risk
    - Is this a technology problem?
    - A multi-layered approach
    - Implementing effective controls
  • Conclusions

4
Plugging the gap: A changing commercial environment
  • The market
    - Rapid change: the web economy
    - Globalisation and the 24/7 news cycle: reactivity to leakage
    - New regulatory requirements: data-savvy rule makers
  • The customer
    - Expectations
    - Awareness
    - Interaction
  • The organisation
    - Complexity / connectivity
    - Changing threat
    - Silo mentality
    - Cultural issues (the "Generation M" employee)
    - Board-level awareness

5
Plugging the gap: An increasingly complex regulatory environment
  • Switzerland: Federal Act on Data Protection
  • South Korea: Act on Promotion of Information and Communications Network Utilisation and Data Protection
  • European Union: EU Data Protection Directive and EU Privacy and Electronic Communications Directive, as implemented by 27 different Member State data protection laws
  • Canada: PIPEDA and provincial privacy laws
  • Russia: Federal Law of July 27th 2006 No 152-FZ on personal data
  • US Federal: HIPAA, GLBA, COPPA, CAN-SPAM, Do Not Call, Safe Harbor Principles
  • Japan: Personal Information Protection Act (PIPA), effective April 1, 2005
  • Taiwan: Computer-Processed Personal Data Protection Law
  • Dubai: Data Protection Act 2007
  • Hong Kong: Personal Data (Privacy) Ordinance
  • California: California Online Privacy Protection Act 2003; Security Breach Notice (Civil Code 1798, formerly SB 1386)
  • Chile: Law for the Protection of Private Life
  • India: Legislative proposals under discussion
  • New Zealand: Privacy Act
  • Argentina: Personal Data Protection Law; Confidentiality of Information Law
  • South Africa: Electronic Communications and Transactions Act
  • Australia: Amended Privacy Act; Spam Act
  • Philippines: Data Privacy Law proposed by ITECC
6
Plugging the gap: Drivers for safeguarding consumer information
Legislation
  • Data Protection Act 1998
    - ICO focusing on / requiring compliance with the DPA
  • Computer Misuse Act 1990
  • California SB 1386 requiring breach notification (how soon in the EU?)
  • Financial Services and Markets Act 2000

Regulation
  • PCI Data Security Standard, e.g. TJX's acquiring bank fined
  • ICO promoting and enforcing the data protection regime
  • Privacy and Electronic Communications Regulations (EU)
  • Industry regulators focusing on information security, e.g. Nationwide fined by the FSA

Reputation
  • Erosion of customer trust (expectation of data protection)
  • Negative publicity
    - Dispatches and Watchdog investigations
    - Headline news reports in the business press
    - Overseas call centre fraud

7
Plugging the gap: Security issues and challenges
  • The 2007 Deloitte Security Survey highlighted some of the key issues and challenges that organisations are facing:
  • Just under half of the companies surveyed reported that their systems had been breached by attacks in the past 12 months
  • 86% of companies have not performed an inventory to understand where their sensitive data (i.e. consumer information) is stored and how it is transmitted
  • 53% of respondents have no security incident management solution in place
  • 60% have not trained their employees to detect and report suspicious activities
  • 80% outsource certain security activities, but 64% fail to carry out checks before engaging third parties
  • 28% fail to check on third parties once they have been engaged

8
Plugging the gap: Where can consumer information be exposed?
  • Physical and endpoints: wireless devices; USB/CD/DVD; keyloggers / Trojans; PDAs and Bluetooth devices; iPods; printers; backup tapes; fax / photocopiers; lost mobile devices; phones
  • Data in motion: internal networks; external network (e.g. the Internet); email; telephony; instant messaging
  • Data at rest: databases; file systems; voicemail; mass storage and backup systems; file servers
  • Social engineering: dumpster diving; contractors / cleaners; tailgating; eavesdropping
9
Plugging the gap: What are the risks and threats?
  • Hacking for profit (cyber-extortion) vs traditional robbery
  • State-sponsored electronic espionage
  • New technologies are increasing the exposure of organisations to new risks, e.g. mobile devices, social networking sites
  • Most organisations are struggling to keep up with the basics, let alone keep pace with these new and emerging threats

10
Plugging the gap: Reducing the risk. Is this a technology problem?
  • Some organisations believe that deploying the latest and greatest IT security technology across the network is the solution.
  • In reality, if deployed as the solution, such technology can give a false sense of security.
  • Most organisations (86% of those surveyed by Deloitte) have not performed an inventory of sensitive data and cannot accurately answer the following:
    - What consumer/sensitive data is held?
    - Where does it come from?
    - Where and how is it being stored?
    - Who can access it?
    - Where is it being sent?
  • Technology solutions are invaluable in this data discovery phase; interviews alone will not identify all sensitive information.
  • The key to achieving good security is a multi-layered approach that builds an IT security-conscious culture within the organisation.
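
The slide argues that the discovery questions above cannot be answered by interviews alone and need tooling. As an added illustration of what such a discovery scan does (this is example code, not from the presentation or from Deloitte), the following Python script walks a directory tree, flags payment card numbers and e-mail addresses, validates each card-number candidate with the Luhn check so that arbitrary 16-digit references such as order numbers are not reported, and masks the card numbers so the report is not itself a new exposure. The file names, file contents and regular expressions are constructed for the example.

```python
"""Sensitive-data discovery scan: an added illustration, not part of the
original presentation. Walks a directory tree, reports files that contain
payment card numbers (Luhn-validated, so arbitrary 16-digit references are
not flagged) and e-mail addresses, and masks card numbers in the report."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report is not itself a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> tuple[list[str], int]:
    """Return (masked Luhn-valid PANs, e-mail address count) found in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops order numbers and other digit runs
            pans.append(mask_pan(digits))
    return pans, len(EMAIL_RE.findall(text))


@dataclass
class Finding:
    path: str
    pans: list[str] = field(default_factory=list)
    emails: int = 0


def scan_tree(root: str) -> list[Finding]:
    """Scan every UTF-8 text file under root; binary files are skipped here."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            pans, emails = scan_text(text)
            if pans or emails:
                findings.append(Finding(path, pans, emails))
    return findings


# Constructed sample files (hypothetical paths and records, not real data).
# 4111 1111 1111 1111 and 5500 0000 0000 0004 are well-known test numbers;
# 1234567812345678 fails the Luhn check and must not be reported.
SAMPLE_FILES = {
    "crm/export.csv": "name,email,card\nA. Customer,alice@example.com,4111 1111 1111 1111\n",
    "finance/orders.txt": "order 1234567812345678 shipped\nref 5500-0000-0000-0004 refunded\n",
    "hr/readme.txt": "No personal data in this folder.\n",
}


def demo() -> dict[str, tuple[list[str], int]]:
    """Write the sample tree to a temp dir, scan it, return {relpath: (pans, emails)}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return {
            os.path.relpath(f.path, root).replace(os.sep, "/"): (f.pans, f.emails)
            for f in scan_tree(root)
        }


if __name__ == "__main__":
    for rel, (pans, emails) in sorted(demo().items()):
        print(f"{rel}: {len(pans)} card number(s) {pans}, {emails} e-mail address(es)")
```

The Luhn step is what separates a usable inventory from a noisy one: without it every 16-digit order reference is a "card number". A real scan would also need to read inside databases, mail stores and backups (the data-at-rest locations listed on slide 8), which this file-system example does not attempt.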

11
Plugging the gap: A multi-layered approach
  • Organisations need a comprehensive security approach to address governance, people, process and technology (see diagram below)
  • Understand your current environment, apply the right controls and build a sustainable control environment through a five-step process:
  • Understand
    - What data do we have and where is it stored?
    - What are the risks / potential vulnerabilities for that data? (both in storage and in transit)
  • Control
    - What controls need to be applied, and to what level?
    - How do we monitor and report control effectiveness?
  • Sustain
    - How do we stay in control? (policies, procedures, awareness etc.)

Diagram: the Understand, Control and Sustain phases laid across Governance, People, Process and Technology, with five steps: Discover and classify information; Assess channel vulnerabilities; Assess information lifecycle vulnerabilities; Implement and monitor controls; Create and sustain capabilities.
12
Plugging the gap: Implementing effective controls
This is not easy! Activities are difficult to measure and the goal posts are constantly moving: new technology or new threats mean new challenges.
13
Plugging the gap: Conclusions
  • Know where your data is
  • The people aspect is critical and often not given sufficient attention
    - Identifying and changing behaviour
    - Embedding behaviours into day-to-day working
    - Publication of incidents
    - Cultural change takes time
    - One-off or short-term awareness and training activities are rarely effective
  • Security should be embedded into new business applications and systems from day one
    - It's cheaper and more effective to consider security from day one
  • Tackle the problem at all levels

14
Plugging the gap: Ten questions to ask internally
  1. What sensitive/consumer data do we have and where is it stored?
  2. Where is our data coming from and where is it being sent? (both electronically and by other means)
  3. Who has access to our sensitive data? (particularly which third parties/partners?)
     (in other words, questions 1, 2 and 3 ask: have we performed a data discovery exercise?)
  4. What are our regulatory requirements for protecting the data we store?
  5. What are the expectations of our customers/clients when it comes to protecting their information?
  6. What's the level of data security awareness among our own employees?
  7. What are the specific risks and threats to our consumer data?
  8. Are the controls we currently have in place adequate for meeting these requirements and protecting this data?
  9. Would we know if our consumer data had been breached? (i.e. how do we monitor and report on our data security) And how would we react?
  10. Do we have the right governance structure in place to maintain control over our data? (policies, procedures and organisational structure/roles)

15
Questions