    Presentation Transcript

    • Bulletproofing Customer Data: Legislative and Practice Developments Eddie Schwartz Chief Security Architect [email_address]
    • Agenda
      • Legislative Update: Security Breach Legislation
        • Current State
        • Understanding the Framework
        • Implementing the Guidance
      • PCI Update
      • Continuing Areas of Risk
      • Emerging Risk Areas
      • Recommended Approach
    • Why Should I Care About Data Assurance?
      • Data Drives the Normal Course of Retail Business
        • Data/systems-dependent operations/products/services, business intelligence, HR, outsourcing management, many more
      • Data-Dependent Compliance (Data Integrity, Compliance Reporting, Systems Controls)
        • EEOC, PATRIOT, Sarbanes-Oxley, Reg E, NACHA, other
      • Data Compliance Regulation & Standards (Data Use, Data/Data Subject Protection)
        • GLB, HIPAA, Telemarketing Sales Rule & Do Not Call, PCI Data Security Standard, FCRA/FACTA, EU/Canada privacy law, web trust seals
      • Potential Enforcement Impact/Incident Response
        • Consent orders, state security breach notification laws
    • Regulatory Issues
      • Since last year, there are many more state laws on the books – mostly in the area of security breach disclosure
      • There are a number of nuances that are State-specific
      • Focus for today’s discussion:
        • Security breach disclosure requirements
    • Relevant Laws and Regulations
      • Sarbanes-Oxley Act
      • PCAOB Rel. 2004-001 Audit Section
      • SAS94
      • Fair Credit Reporting Act (FCRA)
      • AICPA Suitability Trust Services Criteria
      • SEC CFR 17: 240.15d-15 Controls and Procedures
      • NASD/NYSE 240.17Ad-7 Transfer Agent Record Retention
      • GLBA (15 USC Sec 6801-6809) 16 CFR 314
      • Appendix: 12 CFR 30, 208, 225, 364 & 570
      • Federal Financial Institutions Examination Council (FFIEC) Information Security
      • FFIEC Business Continuity Planning
      • FFIEC Audit
      • FFIEC Operations
      • Health Insurance Portability and Accountability Act (HIPAA) § 164
      • 21 CFR Part 11 – FDA Regulation of Electronic Records and Electronic Signatures
      • Payment Card Industry Data Security Standard (PCI-DSS)
      • Federal Trade Commission (FTC)
      • California Civil Code § 1798.82 (SB 1386)
      • Federal Information Security Management Act (FISMA)
      • Community Choice Aggregation (CCA)
      • Federal Information System Controls Audit Manual (FISCAM)
      • General Accounting Office (GAO)
      • FDA 510(k)
      • Federal Energy Regulatory Commission (FERC)
      • Nuclear Regulatory Commission (NRC) 10CFR Part 95
      • Critical Energy Infrastructure Information (CEII)
      • Communications Assistance for Law Enforcement Act (CALEA)
      • Digital Millennium Copyright Act (DMCA)
      • Business Software Alliance (BSA)
      • New Basel Capital Accord (Basel-II)
      • Customs-Trade Partnership Against Terrorism (C-TPAT)
      • Video Privacy Protection Act of 1988 (codified at 18 U.S.C. § 2710 (2002))
    • High-level International Overview
      • New Basel Capital Accord (Basel-II)
      • Payment Card Industry Data Security Standard (PCI-DSS)
      • Society for Worldwide Interbank Financial Telecommunication (SWIFT)
      • Personal Information Protection Act (PIPA) – Canada
      • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
      • Personal Information Privacy Act (JPIPA) – Japan
      • SafeSecure ISP – Japan
      • Federal Consumer Protection Code, E-Commerce Act – Mexico
      • Privacy and Electronic Communications (EC Directive) Regulations 2003
      • Directive 95/46/EC (Data Protection Directive) – European Union
      • Central Information System Security Division (DCSSI) Encryption – France
      • Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of 2001 – Germany
      • Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany
      • US Department of Commerce “Safe Harbor”
    • Security Breach Regulations
      • 33 States have adopted data breach notification laws:
        • http://www.ncsl.org/programs/lis/CIP/priv/breach.htm
      • Originally developed as a countermeasure to deal with identity theft cases
      • Has proliferated in light of numerous financial services and retail mistakes
      • A full chronology of data breaches can be found here:
        • http://www.privacyrights.org/ar/ChronDataBreaches.htm
    • Scope of Data Breach Regulations
      • Includes any entity that collects, uses or handles personal information as defined in the laws
      • Some exemptions or “safe harbors” for entities subject to certain federal regulation
        • e.g., GLBA, HIPAA
      • The definition of “personal information” varies from state to state
        • Delaware and Arkansas include medical information
        • Indiana and North Carolina include non-computerized records in the scope
      • California can be used as a model for the purpose of discussing the framework
      • FDIC also has a useful set of recommendations
        • http://www.fdic.gov/news/news/financial/2005/fil2705.html
    • Basic Framework for Data Breach Compliance
      • Regulated parties : State agencies, persons or businesses that conduct business in California and that own or license computerized data that includes personal information as defined
      • Covered information:
        • Unencrypted computerized data including certain personal information
        • Personal information that triggers the notice requirement is name (first name or initial and last name) plus any of the following:
          • Social Security number
          • Driver’s license or California Identification Card number
          • Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account
    • Breach Framework (Con’t)
      • Notice Trigger : Unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information
      • Whom to Notify : Any resident of California whose data was, or is reasonably believed to have been, acquired by an unauthorized person
        • Where the entity reporting the breach does not own the data, the owner or licensee of the data if data was, or is reasonably believed to have been, acquired by an unauthorized person
    • Breach Framework (Con’t)
      • Notification must occur in the most expedient time possible and without unreasonable delay
        • Guidelines indicate no later than 10 days after it is determined that there has been unauthorized access to covered data
      • Timing may be delayed if notice would impede a criminal investigation, or in order to take necessary means to determine the scope of the breach and restore reasonable integrity to the system
      • Notice may be provided in writing, electronically, or by substitute notice
        • Substitute notice is permitted if the cost of providing individual notice would exceed $250,000, or more than 500,000 people would need to be notified
    • Guidance: Governance
      • Define role or functional accountability for key data governance objectives (guidance for SB 1386 defines “Data owner” and “Data custodian,” for example)
      • Design a comprehensive, multilayered program to protect confidentiality of all personal data handled, in electronic or paper form
      • Inventory assets, identifying those handling personal data
      • Employee training on security and privacy policies
      • Contractual requirements and monitoring of appropriate security controls for third parties with whom data is shared
      • Review security plan at least annually or whenever there is a material change in business practices that affect data use or security
      • Maintain an incident response plan; include procedures for incidents involving regulated or high-risk data; review annually
      • Document response actions taken on incidents
    • Guidance: Security
      • Confidentiality
        • Classify data according to sensitivity; identify notice-triggering data
        • Use encryption where feasible (NIST-approved algorithms)
      • Integrity
        • Intrusion detection procedures and technologies
        • Monitor and enforce third party agreements
        • Maintain complete, current, accurate contact information for individuals whose notice-triggering data is managed
        • Accurately determine notice recipients (avoid “false positives”); procedures to determine who should receive notice
      • Availability
        • Design and monitor appropriate access controls
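The two guidance points that have a mechanical core are "identify notice-triggering data" and "accurately determine notice recipients." The following is an added example (not code from the presentation) that applies the California definition given earlier in the deck to an acquired customer table: a record triggers notice when it carries a name plus an SSN, driver's license/ID number, or account/card number that the attacker can actually read. The record layout, the `encrypted` column-to-key-id mapping, the key identifier `kek-2006-01` and the sample rows are all constructed for the example. It also encodes the encryption caveat from the "Encrypted Data" slide: a field stored encrypted counts as protected only if its key was not acquired along with the data.

```python
"""Identify notice-triggering records under the California framework above:
name (first name or initial plus last name) combined with an SSN, driver's
license/ID number, or account/card number, held unencrypted, for California
residents.  Added example, not from the presentation; the record layout,
key identifiers and sample data are constructed."""

# Fields that, combined with a name, trigger notice (from the framework slide).
TRIGGER_FIELDS = ("ssn", "drivers_license", "account_number", "card_number")


def has_name(record):
    """First name or initial plus last name."""
    return bool(record.get("first_name")) and bool(record.get("last_name"))


def effectively_plaintext(record, field, compromised_keys):
    """True if `field` is present and the attacker can read it: stored in the
    clear, or stored encrypted under a key that was also acquired.  The
    encryption safe harbor only helps when the key was NOT compromised."""
    if not record.get(field):
        return False
    key_id = record.get("encrypted", {}).get(field)  # key id, or None if clear
    return key_id is None or key_id in compromised_keys


def triggers_notice(record, compromised_keys=frozenset()):
    """Fields that make this record notice-triggering (empty list: no notice)."""
    if not has_name(record):
        return []
    return [f for f in TRIGGER_FIELDS
            if effectively_plaintext(record, f, compromised_keys)]


def notice_recipients(records, compromised_keys=frozenset(), state="CA"):
    """Ids of residents of `state` whose data triggers notice, deduplicated so
    one person is not notified twice (the 'false positive' problem)."""
    seen, out = set(), []
    for rec in records:
        if rec.get("state") != state or rec["id"] in seen:
            continue
        if triggers_notice(rec, compromised_keys):
            seen.add(rec["id"])
            out.append(rec["id"])
    return out


# Constructed sample of an acquired customer table (all values made up).
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "A", "last_name": "Lopez", "state": "CA",
     "ssn": "123-45-6789"},
    {"id": 2, "first_name": "B", "last_name": "Chen", "state": "CA",
     "card_number": "4111111111111111",
     "encrypted": {"card_number": "kek-2006-01"}},          # encrypted column
    {"id": 3, "first_name": "C", "last_name": "Patel", "state": "NV",
     "ssn": "987-65-4321"},                                   # not a CA resident
    {"id": 4, "first_name": "", "last_name": "Unknown", "state": "CA",
     "drivers_license": "D1234567"},                          # no first name
    {"id": 5, "first_name": "E", "last_name": "Nguyen", "state": "CA",
     "email": "e@example.com"},                               # no trigger field
    {"id": 1, "first_name": "A", "last_name": "Lopez", "state": "CA",
     "ssn": "123-45-6789"},                                   # duplicate row
]

if __name__ == "__main__":
    print("keys intact:        ", notice_recipients(SAMPLE_RECORDS))
    print("kek-2006-01 acquired:", notice_recipients(SAMPLE_RECORDS, {"kek-2006-01"}))
```

With the keys intact only record 1 is notice-triggering; if the key wrapping the card column was acquired too, record 2 joins the list. Record 3 is a Nevada resident and falls outside the California notice population (the owner or licensee of that data would be notified under the "Whom to Notify" rule instead), and the other rows show why a name check and a trigger-field check both have to pass before someone is added to the recipient list.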
    • Guidance: Privacy and Ethics
      • Collect the minimum amount of data necessary for specific purposes
      • Adopt written procedures for notification in event of breach
    • Guidance: Retention
      • Retain data for minimum time necessary
      • Dispose of records and physical assets containing personal data in a secure manner
    • Encrypted Data
      • Good news: Exempt in many states from disclosure requirements
      • Not as good news: Make sure you have solid encryption and key management policies
        • i.e., encryption keys must be protected; if the keys were acquired along with the data, the exemption does not apply and you will be required to disclose the breach
    • PCI Update
      • PCI standards are still basically the same as last year
      • In July 2006, merchant level definitions changed:
        • Level 1: more than 6MM Visa transactions per year, or any merchant that has been compromised, or any merchant Visa designates as Level 1
        • Level 2: 1MM to 6MM Visa transactions per year
        • Level 3: 20K to 1MM e-commerce transactions per year
        • Level 4: fewer than 20K e-commerce transactions per year, or up to 1MM non-e-commerce Visa transactions per year
    • PCI Compliance Validation Requirements
      • Level 1: Annual on-site PCI Data Security Assessment and quarterly network scan; assessment validated by a Qualified Data Security Company (or by internal audit if signed by an officer of the company), scan by a Qualified Independent Scan Vendor; due 9/30/04 (new Level 1 merchants have up to one year from identification to validate)
      • Level 2: Annual PCI Self-Assessment Questionnaire and quarterly network scan; questionnaire validated by the merchant, scan by a Qualified Independent Scan Vendor; new Level 2 merchants: 9/30/2007
      • Level 3: Annual PCI Self-Assessment Questionnaire and quarterly network scan; questionnaire validated by the merchant, scan by a Qualified Independent Scan Vendor; due 6/30/05
      • Level 4: Annual PCI Self-Assessment Questionnaire and quarterly network scan; questionnaire validated by the merchant, scan by a Qualified Independent Scan Vendor; validation requirements and dates are determined by the merchant’s acquirer
    • PCI Basic Principles
      • Build and maintain a secure network
      • Protect cardholder data
      • Maintain a vulnerability management program
      • Implement strong access control measures
      • Regularly monitor and test networks
      • Maintain an information security policy
    • Upcoming PCI Changes
      • Additional focus on application layer security issues
        • Prior focus was network security
        • New focus: Web application threats such as SQL injection attacks, cross-site scripting flaws, error-handling problems and validation errors
      • Within the next two years there will be a requirement to use payment systems / application vendors who can meet all the security requirements
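The application-layer flaws the slide names are best seen side by side with their fixes. The block below is an added example (not code from the presentation or from any PCI document) using a constructed in-memory SQLite table of cardholder lookups: a string-built query that an attacker-controlled name turns into a tautology, the same lookup with a bound parameter, an error path that does not leak database error text to the client, and HTML output with and without encoding. Table name, column names and sample rows are made up.

```python
"""Vulnerable and hardened versions of the web-application flaws the slide
names (SQL injection, cross-site scripting, error handling).  Added example
with a constructed in-memory SQLite table; not code from the presentation
or from any PCI document."""

import html
import sqlite3


def build_db():
    """Constructed cardholder lookup table (last four digits only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (id INTEGER, name TEXT, last4 TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?)",
                     [(1, "A. Lopez", "1111"), (2, "B. Chen", "2222"),
                      (3, "C. Patel", "3333")])
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string formatting: the caller's `name` becomes SQL.
    A name of  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row."""
    sql = "SELECT id, name, last4 FROM cardholders WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the value travels separately from the statement, so
    quotes in `name` cannot change the query's structure."""
    return conn.execute(
        "SELECT id, name, last4 FROM cardholders WHERE name = ?", (name,)
    ).fetchall()


def lookup_safe(conn, name):
    """Parameterized query plus error handling that does not echo the
    database error text (schema, driver, SQL fragment) back to the client."""
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, name)}
    except sqlite3.Error:
        # Log the real exception server-side; the client sees a generic message.
        return {"ok": False, "error": "lookup failed"}


def render_vulnerable(name):
    """Reflects user input into HTML unescaped (cross-site scripting)."""
    return "<p>Results for %s</p>" % name


def render_escaped(name):
    """Same page with output encoding applied for the HTML text context."""
    return "<p>Results for %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print(lookup_vulnerable(db, payload))      # all three rows
    print(lookup_parameterized(db, payload))   # []
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_escaped("<script>alert(1)</script>"))
```

The parameterized form is the fix that survives any payload, because the database never parses the value as SQL; input validation on `name` is still worth adding, but as a second layer rather than the control you rely on. The same separation applies on the output side: `html.escape` encodes for the HTML text context specifically, and attribute, URL and JavaScript contexts each need their own encoder.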
    • What is Data Assurance?
      • Appropriate integration and alignment of business data requirements with information privacy and security objectives & processes
      • This outcome is achieved through common frameworks for:
        • Governance
        • Risk Management
        • Compliance
      • Coordinated process implementation through an information security and privacy management program
    • Common Roadblocks to Meeting Challenges & Objectives
      • Process silos- privacy, security, compliance, IT management, risk management, etc.
        • Increases segregation of core data assurance competencies
      • Multiple compliance initiatives with different ownership for regulations & standards
        • More points of accountability, more decision layers to manage
      • Communication gaps
        • Various initiatives duplicate effort, reporting channels aren’t effectively coordinated, reporting content isn’t appropriately defined or analyzed
    • Managing Internal Issues
      • The most important internal issue is the lack of appropriate governance and controls
      • Data assurance program components must be blended into the following corporate programs:
        • Corporate governance (COSO)
        • I/T governance (COBIT)
        • Enterprise architecture (ETWA)
        • SDLC models (RUP)
        • Operational SLAs (ITIL)
        • Quality management functions (ISO 17799, 9000)
        • Compliance
    • How “Best” Are Your Best Practices?
      • Level 1: Neutrality or lack of awareness. For example, information security and privacy roles and responsibilities are not defined; policies, standards and procedures do not exist
      • Level 2: Management recognition and acknowledgement, with supporting actions being informal. For example, discussion of security topics at business meetings is in response to critical issues only; awareness activities have been discussed but not carried out
      • Level 3: Partial formalized documentation and implementation. For example, personnel security procedures are documented but not consistently followed; awareness activities are not carried out for all users
      • Level 4: Consistent documentation, implementation and common acceptance. For example, awareness and training activities are routinely performed for the whole user population; security planning activities are integrated into the business planning process
      • Level 5: Continuous improvement process. For example, there is a budgetary review cycle that confirms that security and privacy funding is adequate; the incident response plan is tested and modified on an ongoing basis
    • Characteristics of a Good Security Program
      • Deals with all areas of threat and vulnerability – i.e., all areas that require bulletproofing
      • Center-led by one person, but decentralized in terms of roles and responsibilities
      • Contains lifecycle Plan/Build/Run components and is architecture-based
      • The value of data is assessed and managed throughout its lifecycle
      • Embedded in I/T and corporate governance initiatives
    • Benefits & Opportunities
      • Consolidates & coordinates multiple information risk management and compliance efforts
      • Aligns best practices: more organizations are implementing ISO, ITIL, CMM and COBIT frameworks to standardize data governance, risk management & compliance
      • BS 7799/ISO 17799 increasingly viewed as satisfying multiple regulatory requirements around data security, internal controls to manage operation, technical & compliance risk
    • Bulletproofing Your Data
      • “Bullets” come from many directions
      • External sources
        • Business partners, regulations, laws
        • Hackers, malcode, criminals
      • Internal sources
        • Errors, misconfiguration, negligence
        • Bad actors, ignorance
      • New and emerging technologies
        • RFID
      • Caveat emptor: there is no way to completely bulletproof your environment – but you MUST demonstrate a clear standard of due care
    • Dealing with Process Gaps (Example)
      • Managing vulnerabilities within systems and networks
        • Un-patched and badly-configured systems
        • Lack of due diligence and follow-up
      • Recommendations:
        • Develop a broad range of asset scanning and baselining capabilities for network services and functions
        • Treat vulnerabilities (configuration, bugs, patches, etc.) as a problem that requires end-to-end management
        • Measure improvements over time
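The three recommendations above (baseline the network services each asset should expose, manage every deviation end to end, measure over time) reduce to a small amount of logic once scan results are in a comparable form. The block below is an added example, not code from the presentation: it holds an approved listener baseline per host and two constructed scan snapshots a month apart, reports unapproved listeners, unknown hosts and baseline hosts the scan never reached, and shows which findings persisted between scans. Host names, ports and dates are made up.

```python
"""Baseline-and-drift check over constructed scan snapshots: which hosts
expose services outside their approved baseline, which baseline hosts were
not scanned at all, and whether open findings are trending down between
scans.  Added example, not from the presentation; hosts, ports and dates
are made up."""

from datetime import date

# Approved baseline: host -> set of (port, service) allowed to listen.
BASELINE = {
    "pos-01": {(443, "https")},
    "db-01": {(1433, "mssql")},
    "web-01": {(80, "http"), (443, "https")},
    "hr-01": {(443, "https")},
}

# Two constructed scan results a month apart: host -> observed listeners.
SCANS = {
    date(2006, 9, 1): {
        "pos-01": {(443, "https"), (23, "telnet")},
        "db-01": {(1433, "mssql"), (3389, "rdp")},
        "web-01": {(80, "http"), (443, "https"), (21, "ftp")},
        "rogue-01": {(445, "smb")},            # not in the asset inventory
    },                                         # hr-01 was not reached at all
    date(2006, 10, 1): {
        "pos-01": {(443, "https")},
        "db-01": {(1433, "mssql"), (3389, "rdp")},   # still open
        "web-01": {(80, "http"), (443, "https")},
        "hr-01": {(443, "https")},
    },
}


def findings(scan, baseline=BASELINE):
    """Sorted (host, port, service, kind) tuples for everything that needs
    follow-up: unapproved listeners, unknown hosts, and baseline hosts the
    scan never reached (an unscanned asset is a finding, not a pass)."""
    out = []
    for host, services in scan.items():
        allowed = baseline.get(host)
        if allowed is None:
            out.extend((host, p, s, "unknown-host") for p, s in services)
        else:
            out.extend((host, p, s, "unapproved-service")
                       for p, s in services - allowed)
    for host in baseline.keys() - scan.keys():
        out.append((host, 0, "-", "not-scanned"))
    return sorted(out)


def trend(scans, baseline=BASELINE):
    """Per-scan open-finding counts (keyed by scan date) and, for each scan
    after the first, the findings that persisted from the previous scan."""
    dates = sorted(scans)
    by_date = {d: set(findings(scans[d], baseline)) for d in dates}
    counts = {d: len(by_date[d]) for d in dates}
    persisted = {cur: sorted(by_date[prev] & by_date[cur])
                 for prev, cur in zip(dates, dates[1:])}
    return counts, persisted


if __name__ == "__main__":
    counts, persisted = trend(SCANS)
    for d in sorted(counts):
        print(d, "open findings:", counts[d])
    for d, items in persisted.items():
        for item in items:
            print(d, "still open since previous scan:", item)
```

The count going from five to one is the "measure improvements over time" metric; the persisted list is the follow-up queue, and the `not-scanned` kind is what keeps an asset that silently dropped out of scanning from being reported as clean.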
    • Maintain Positive Control Over Customer Data
      • Map the manner in which data is acquired, transported, stored, accessed, and retired
      • With security and data privacy requirements and policies in mind, apply the most basic security principles to the data, i.e.:
        • Confidentiality (“least privilege”)
        • Integrity
        • Availability
      • Manage the program across the enterprise – avoiding the typical pitfalls
    • Planning for Growth and Change
      • Deal with growing complexity
        • New systems and technologies
        • Complex business rules and data uses
        • Comprehensive internal controls
      • Velocity of change
        • Policies and business requirements
        • New products and sales channels
        • New uses for data and analytics
      • Volume of data
        • Create useful outcome, mindful of security and privacy requirements
    • To-Do List
      • Work from a plan of attack
        • Strategic vision and data assurance architecture
        • Create achievable tactical objectives (that can be measured easily)
        • Build success stories
      • Improve security posture
      • Embed data assurance (i.e., security and privacy) into repeatable, scalable, measurable, defensible, sustainable, and cost effective processes
      • Establish and justify program financials
      • Report status and progress to senior management
    • Q&A Eddie Schwartz [email_address] 703-932-9550