A New Era of Compliance: Raising the Bar for Organizations Worldwide
Upcoming SlideShare
Loading in...5

A New Era of Compliance: Raising the Bar for Organizations Worldwide



A New Era of Compliance:

A New Era of Compliance:
Raising the Bar for Organizations Worldwide



Total Views
Views on SlideShare
Embed Views



1 Embed 3

http://www.docshut.com 3



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

A New Era of Compliance: Raising the Bar for Organizations Worldwide A New Era of Compliance: Raising the Bar for Organizations Worldwide Document Transcript

  • Report based ondiscussions with the volume 3 , fall 2 0 1 0Security for Business Innovation Council An industry initiative sponsoredt by RSA A New Era of ComplianCeABN-AMRODr. Martijn Dekker,Senior Vice President, ChiefInformation Security OfficerADP INC. Raising the BarrolanD Cloutier, VicePresident, Chief SecurityOfficerBHARTI AIRTELFelix Mohan, Senior VicePresident, CISO & Chief for Organizations WorldwideArchitectCSO CONFIDENTIAL QQQQ Recommendations fRom Global 1000 executivesProFessor Paul Dorey,Founder and Director andFormer Chief InformationSecurity Officer, BPCIGNACraig shuMarD, ChiefInformation Security OfficerDIAGEODr. ClauDia natanson,Chief Information SecurityOfficerEBAYDave Cullinane, ChiefInformation Security Officerand Vice PresidentEMCDave Martin, ChiefSecurity OfficerFEDEXDenise WooD, ChiefInformation SecurityOfficer and Corporate VicePresidentGENZYMEDaviD kent, VicePresident, Global Risk andBusiness ResourcesJPMORGAN CHASEanish BhiMani, ChiefInformation Risk OfficerNOKIAPetri kuivala, ChiefInformation Security OfficerHDFC BANKvishal salvi, ChiefInformation Security Officerand Senior Vice PresidentT-MOBILE USABill Boni, CorporateInformation SecurityOfficer, VP EnterpriseInformation SecurityTIME WARNERrenee guttMann, VicePresident, InformationSecurity & Privacy Officer insiDe this rePort:WITH GUEST CONTRIBUTOR:steWart rooM, Partner, Evidence of The rapid Business StrategiesPrivacy and Information four emerging shift toward impact: for aligningLaw Group, Field Fisher trends in informa- a new predictions complianceWaterhouse LLP tion protection era of and programs to regulations compliance analysis the new era
  • * Contents The Complete Compendium to the New Era I. INTRODUCTION The End of Business As Usual >>>>>>>>>>>>>>>>>>>>>>>>>>>>>2 II. THE CHANGING COMPLIANCE LANDSCAPE Strengthened Enforcement>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>4 Global Spread of Data Breach Notification Laws >>>>>>>>>>>>>>>>6 More Prescriptive Regulations >>>>>>>>>>>>>>>>>>>>>>>>>>>>>7 Growing Requirements Regarding Business Partners >>>>>>>>>>>>8 III. BUSINESS IMPACT Gets Management Attention >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 10 Increases Costs >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 11 Creates Greater Consequences for Data Breaches >>>>>>>>>>>>>> 11 Gives Rise to More Third-party Risks >>>>>>>>>>>>>>>>>>>>>>> 12 Compliance and the Move to the Cloud >>>>>>>>>>>>>>>>>>>>>> 13 IV. RECOMMENDATIONS 1 Embrace risk-based compliance >>>>>>>>>>>>>>>>>>>>>>>>> 14 2 Establish an enterprise controls framework >>>>>>>>>>>>>>>> 16 3 Set/adjust your threshold for controls >>>>>>>>>>>>>>>>>>>>> 16 4 Streamline and automate compliance processes >>>>>>>>>>>>> 18 5 Fortify third-party risk management >>>>>>>>>>>>>>>>>>>>>20 Managing cloud service providers >>>>>>>>>>>>>>>>>>>>>>>>> 21 6 Unify the compliance and business agendas >>>>>>>>>>>>>>>> 21 7 Educate and influence regulators and standards bodies >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 22 V. CONCLUSION Get it Right and Reap the Rewards >>>>>>>>>>>>>>>>>>>>>>>>> 23 VI. APPENDICES About the Security for Business Innovation Initiative >>>>>>>>>>> 24 Security for Business Innovation Report Series >>>>>>>>>>>>>>>> 25 Biographies >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 26
  • Report Highlights “TEN YEARS ago, security wasn’t a common business practice. But compliance has made security a business imperative. Enterprises today are expected to have mature disciplines of privacy and risk in order to do business in an international environment.” rolanD Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.Recently there have the neW era oF CoMPli- toDay, the neW era is ForC-been major shifts ance creates formidable ing all compliance programs toin the compliance challenges for organizations the next level.landscape. worldwide. as the reCoMMenDations For Many, striCter CoMPli- reveal, to reach higher levels ofalthough enForCeMent oF ance could help focus manage- maturity, organizations mustexisting regulations has been ment attention on security answer hard-hitting questionsweak in many jurisdictions but if they take a “check-list about their compliance pro-worldwide, regulators and approach” to compliance it will gram such as:standards bodies are now tight- detract from actually manag- D Have we developed the neces-ening enforcement through ing risk and may not improve sary governance structureexpanded powers, higher pen- security. and competency in riskalties and harsh enforcement management?actions. the neW CoMPlianCe lanD- D Do we have a consistent scape will drive up costs and controls framework across thegoing ForWarD it Will Be risks. For example, it takes time entire enterprise?more difficult to hide informa- and resources to substantiate D Are we able to judge thetion security failings wherever compliance. Increased require- materiality of risk and deter-organizations do business: legis- ments for service providers mine the appropriate level oflators are forcing transparency gives rise to more third-party controls?through the introduction of risks. D Can we articulate and defendbreach notification laws in Eu- our risk decisions and con-rope, Asia and North America With More transParenCy, trols threshold to auditors?as data breach disclosure be- there are now greater conse- D Have we streamlined pro-comes a global principle. quences for data breaches. For cesses enabling a single as- example, expect to see more sessment to produce multipleas More regulations are litigation as customers and reports for different purposes?introduced, there is a trend to- business partners seek compen- D Do we have a plan for automa-wards increasingly prescriptive sation for compromised data. tion to reduce the numberrules. For example, two recent But the harshest judgments of hours spent on repetitivestate laws are arguably two of will likely come from the court tasks and manual data col-the most prescriptive informa- of public opinion — with the lection?tion protection regulations potential to permanently dam- D Would the due diligence weever. Any global enterprise that age an enterprise’s reputation. perform in assessing servicedoes business in the U.S. today providers stand up in court?will likely be covered by these D Does our vendor oversight this rePort providesregulations. a comprehensive set of program satisfy the rigor of concrete recommen- regulation?oF late regulators are dations from 15 of the D Is compliance fully embeddedalso making it clear that en- world’s leading security in our business processes orterprises are on the hook for officers and an expert in something we do on the side?ensuring the protection of their data protection to help D Are we making sure thatdata when it is being processed organizations align their the next round of upcomingby a business partner including programs to the height- regulations won’t cripple ourcloud service providers. ened demands of today’s business? compliance landscape and prepare for tomorrow. RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 1 View slide
  • 1 Introduction The End of Business As Usual “It’s a very interesting time to be active in this field because so much is changing. An innovative or clever approach to compliance actually gives a competitive advantage, because compliance applies to everyone now and it’s really survival of the fittest.” Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN AmroW ith the DaWn of the Inter- net age, huge few years, which have dominated the headlines and caused public outcry. volumes of business New breach notifica- transactions and per- tion laws are spreading sonal data moved online. across the globe, forcing About 10 years ago, gov- more transparency for ernment and industry information security realized that organiza- failures. Enforcement of tions should be held re- regulations is on the rise. sponsible for protecting On the litigation front, this digital information some of the first test and started mandating cases and class action safeguards. Since then, lawsuits are making there has been a con- their way through the stant flow of regulations U.S. courts as consum- and standards globally ers, shareholders and (see taBle 1). business partners are Now regulators seeking legal retribution around the world are from organizations that upping the ante, prompt- failed to safeguard data ed by massive data protected by law. Since decade into compliance, business in the 21st breaches over the last many more jurisdic- we are entering a new century. More and more tions are implementing era characterized by companies will be left breach notification laws, higher levels of scrutiny out of lucrative deals there will likely be more and greater responsi- if they are unable to incidents disclosed fol- bilities for protecting demonstrate compliance lowed by more lawsuits. information. with information protec- Many organizations Increasingly, even or- tion mandates. have embraced exist- ganizations not directly Heightened com- ing mandates and have covered by regulation pliance obligations made great strides in or standards will have are emerging just as developing compliance to meet the require- economic conditions programs. The shifting ments through contracts. motivate organizations “COMPANIES ARE increas- ingly disqualifying compliance landscape Enterprises are becom- to become even more de- business partners because now adds urgent new ing more accountable for pendent on third parties. they’re not able to meet the challenges for these the information security Much of today’s business due diligence standards, players. Other organi- practices of their service innovation involves new based on data privacy and other regulatory require- zations have skated by providers. Being able to business models and IT ments. So it is certainly with lackadaisical efforts comply with informa- environments that rely impacting business.” because they faced mini- tion security and privacy heavily on the use of DaviD kent, Vice Presi- mal oversight. Those regulations has become external service provid- dent, Global Risk and Busi- days are gone. Today, a a prerequisite for doing ers and cloud computing. ness Resources, Genzyme2| secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC View slide
  • ‘‘ The regulators are moving away from light-touch to more interventionist regulation. That’s clear in all senses of society and economy so it’s not surprising regulation is tightening up in the data protection field. As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.” Stewart room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP TABLE 1: A DECADE OF REGULATION GROWTH* DATES REGULATION OR STANDARD GEO APPLIES TO Late 90s-2005 Data Protection Directive Europe- All organizations operating member country imple- an Union in the 27 member countries mentations (EU) 2000-04 Personal Information Canada All organizations in Canada Protection and Electronic Documents Act (PIPEDA) 2001-03 Gramm Leach Bliley Act U.S. All financial institutions in (GLBA) FTC and Inter- the U.S. agency Rules 2003-05 Healthcare Insurance Por- U.S. All healthcare organizations tability and Accountability in the U.S. Act (HIPAA) Privacy and Security Rules 2003 SB-1386 (privacy law with Califor- All organizations handling notification) nia data on Californian residents 2003-05 Personal Information Japan Government or private enti- Protection Act (PIPA) ties handling personal info on 5,000+ individuals 2004-05 Sarbanes-Oxley (SOX) U.S. All publicly traded compa- Section 404 on Internal nies in U.S. (exemption for Controls smaller reporting companies)And all of this is occur- 2004-07 Basel II Operational Risk Global All internationally-activering against a backdrop Requirements banks with assets of $250B+of escalating threats. This new era of 2004-10 Payment Card Industry Global All organizations processing Data Security Standards credit card datacompliance will have (PCI DSS)significant impact onbusiness. Organizations 2006-10 North American Elec- North Users, owners and operators tric Reliability Council America of the bulk electric powernot meeting prevailing (NERC) Critical Infra- systemstandards will have to structure Protection Cyberramp up quickly in order Security Standardsto survive as a player IT (Amendment) Act India All organizations 2008-9in international busi-ness. Enterprises that *Sampling of regulations with information protection requirements; dates listed are time periods for effective dates and/or compliance deadlineshave been diligent inachieving relatively highstandards and build- Innovation Council will recommendations drawning mature compliance look at how the changing from discussions with 15programs will need to compliance landscape is top security executives ofrapidly address new raising the bar for organiza- some of the world’s largestchallenges. tions worldwide and how companies as well as one of The seventh report of to meet the challenges. It the world’s foremost expertsthe Security for Business offers a set of seven concrete on data protection laws.• RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 3
  • 2 The Changing Compliance Landscape Four emerging trends usher in the new eraA Fter a DeCaDe oF inFor- mation protection man- dates, compliance is still a major focus for enterprises worldwide. The latest E&Y as a top priority.1 Most large global enterprises today must comply with a lengthy list —even up to hundreds — of regulations and standards with and the geographies in which they operate. Every organization’s list is continuously getting longer as new regulations appear on the scene. For example, many organi- Global Information Security requirements for information zations will be affected by the new Survey found 77 percent of IT and protection. An organization’s “Dodd-Frank Law” in the U.S. security executives rated achiev- particular list depends on their or “Solvency II” in the European ing compliance with regulations type of business, vertical industry, Union (EU). Besides the constant flow of new regulations, organizations must now contend with a new era of compliance. Over the past 18 months the compliance landscape has significantly shifted. Specifi- cally, four emerging trends are now ushering in this new era: D Strengthened enforcement D Global spread of data breach notification laws D More prescriptive regulations D Growing requirements regard- ing business partners Strengthened Enforcement Although enforcement of infor- mation protection legislation has been weak in many jurisdictions worldwide, regulators are now QQQQ “IT GETS more and more complex. If you’re a public company, you’ve got SOX. If you take credit cards you’ve got PCI. Then there are the privacy laws. A company like ours has operations in 37 countries around the world. Global organizations have to comply with all the variations of privacy laws in the US, the EU and Asia — and there are new laws and new requirements all the time.” Dave Cullinane , Chief Information Se- curity Officer and Vice President, eBay4| secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • TABLE 2: STRENGTHENED ENFORCEMENT IN EUROPEstrengthening it through expand- Germany in late 2009 the Federal Data Protection Act was amend-ed powers, higher penalties and ed to increase maximum fines for violations and to grant greater powers to Data Protection Authorities.harsh enforcement actions.European Union UK in aPril 2010, the Information Commissioner’s Office (ICO) was given new powers that include the ability toOriginally issued in 1995, the hand out significant fines to firms that commit seriousEU Data Protection Directive is breaches of the Data Protection Act, conduct compulsorycurrently undergoing a complete compliance assessments and the potential to impose civil monetary penalties on data controllers.overhaul. In reviewing the law, theEuropean Commission has stated the stateD oBjeCtives are to “Take purposeful risk-that strengthened enforcement based enforcement action where obligations are ignored,is one of the major objectives.2 where codes or guidance are not followed and wherePlans for the new legislation will examples need to be set or issues clarified.”be published in late 2010 with the in MarCh, 2010, the Senate overwhelmingly approved a Francenew proposed law to be promul- draft bill which would reinforce the obligations of datagated in 2011.3 Recommendations processors, expand the powers of France’s national Datafor strengthening enforcement Protection Authority (known as “CNIL”) and double the potential fines for infringements.include providing Data ProtectionAuthorities with full powers to the stateD goal is to update the data protection laws “toinvestigate (e.g. conduct audits), in- better guarantee the right to privacy in the digital age.”tervene (e.g. halt data processing)and engage in legal proceedings.4 the DraFt laW is currently under review by the National Assembly. Ahead of the EU’s plannedoverhaul of the Directive, some ofthe individual member countriesincluding Germany5, the UK6and France7, have recently been TABLE 3: STRENGTHENED ENFORCEMENT IN U.S.strengthening enforcement of HITECH HIPAA now includes mandatory investigations oftheir existing national laws (see Act complaints, compliance reviews and higher penalties.taBle 2). In addition to the Department of Health and HumanUSA Services, state attorney generals can now enforce HIPAA.Recently there have also been In July 2010, Attorney General’s Office of Connecticutefforts to tighten enforcement of issued a $250,000 fine and a “Corrective Action Plan” to ainformation protection legisla- company for failing to protect health information.tion in the U.S. (see taBle 3). For NERC is now under statutory authority to enforce NERCorganizations in healthcare, the compliance among all market participants.HITECH Act of 2009 updatedHIPAA’s enforcement provi- NERC will monitor compliance using regularly scheduled audits, random spot checks, and investigations.sions.8 This includes expandingenforcement powers to include FTC FTC investigation of two security incidents determinedstate attorney generals who can that Twitter failed to implement adequate security mea- sures.now fine organizations for HIPAAinfractions, incentivizing states to Twitter subjected to independent security audits for tenenforce HIPAA standards. In July years and FTC oversight for 20 years.2010, Connecticut became the first FTC investigation found that RiteAid failed to protectstate to use these new enforce- customer and employee information.ment powers.9 The energy industry faces a RiteAid required to establish an information security program and agreed to pay $1 million and is subject tostricter regime as well. By the end third-party security audits for the next 20 years.of June 2010, covered entities —generally owners, operators andusers of any portion of the bulkpower system — were expected to (NERC) Critical Infrastructure ance and have the power to levyprove compliance with all provi- Protection (CIP) Cyber Security fines as well as sanctions.10 Tosions of the North American Standards. NERC and its regional increase awareness and help en-Electric Reliability Corporation authorities will monitor compli- force compliance with the Federal RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 5
  • • THE CHANGING COMPLIANCE LANDSCAPE Trade Commission (FTC) stan- Standard (PCI DSS) is also getting PCI Security Standards Coun- dards, this year the FTC has lev- more serious. While the PCI cil appointed the first European ied high-visibility sanctions. For standards have been widely imple- director specifically to increase example, Twitter11 and RiteAid12 mented and enforced in the Unit- awareness and “strongly encour- were subject to harsh FTC actions ed States, so far compliance in Eu- age” European companies to adopt that received a lot of media atten- rope and Asia has been relatively the PCI standard.15 tion. In July 2010, FTC Chairman weak. But Visa and MasterCard Jon Leibowitz testified before intend to step up enforcement Global Spread of Data Breach Congress regarding the FTC’s and are imposing compliance Notification Laws intentions to continue focusing deadlines for European and Asian Regulators are not just looking at on privacy13, which likely means organizations. The card compa- ways to tighten up existing laws, more investigations and sanctions nies set global 2010 deadlines for they are introducing new laws in the future. all Level-1 and Level-2 merchants aimed at forcing more transpar- worldwide, including annual on- ency. Data breach disclosure is PCI in Europe and Asia site audits by a Qualified Security becoming a global principle as Global enforcement of the Pay- Assessor (QSA) and increased fees jurisdictions worldwide adopt ment Card Industry Data Security for non-compliance.14 Recently the privacy and data protection laws “TO UNDERSTAND the impact of breach QQQQ disclosure you have to understand what breach disclosure is about in a philosophical sense. It’s about changing the pow- er relationship between the regulator and the regulated. The classic failure of regulation is that the regulator doesn’t know as much about the regulated entity as the entity itself. Breach disclosure is a transpar- ency mechanism that equips the regulator with information and therefore empowers the regulator.” steWart rooM, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP 6| secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • TABLE 4: DATA BREACH NOTIFICATION GOES GLOBALthat include a general obligationto notify government agencies, YEAR COUNTRY DATA BREACH NOTIFICATION LAWSindividuals, and/or other authori-ties such as law enforcement of 2003 U.S. California’s landmark SB-1386 sets off wave of state lawsunauthorized access or use of per-sonal data (see taBle 4). Require- 2003- U.S. 46 states enact notification lawsments vary including who must 2010be notified, the type of data that 2008 UK Information Commissioner’s Office issues atriggers notification, and if there is best practice guidance requiring notificationa risk-of-harm threshold. 2009 EU e-Privacy Directive amended to include notifi- California’s landmark SB-1386 cation requirements for electronic communi-set off a wave of state breach cations sectornotification laws that now coveralmost the entire U.S. Recently, Germany National privacy law amended to include notificationthis trend has hit the EU. ThePrivacy and Electronic Communi- 2010 Austria National privacy law amended to includecations Directive (e-Privacy Direc- notificationtive) was amended in late 2009 to France Draft legislation passed in Senate would makeinclude data breach notification.16 notification mandatoryIt is now mandatory for telcos and Canada National privacy law amended to includeInternet service providers in the notificationEU to inform national regulatoryauthorities of any data security Mexico New privacy law enacted that includes notifi-breach. Depending on the effects cationof the breach, they may also be re- Ireland Code of Practice issued regarding notificationquired to inform subscribers. Thedeadline for transposition of theDirective by member states is May Hong Privacy Commissioner issues guidance note Kong on breach notification25, 2011. The upcoming overhaulof the EU Data Protection Direc- EU Data Protection Directive under review fortive is expected to include data revision; proposed law expected by 2011 to include notification requirements for allbreach notification requirements, industries; to be implemented in all 27 EUwhich would broaden breach member countriesdisclosure to cover all industriesin all 27 member countries in theEU.17 Meanwhile, several countries customers and business partners becoming an established globalin Europe have proceeded to issue with the necessary information to principle, it will be difficult to hidetheir own legislation or guidance make decisions regarding further information risk managementon notification ahead of the EU’s purchasing or partnering, as well failures no matter where an orga-planned notification requirement as to initiate litigation and com- nization does business.for the updated Data Protection pensation claims. One possibleDirective. These include the UK18, drawback to the spread of noti- More Prescriptive RegulationsGermany19, Austria20, France21, fication laws is that as more and Another emerging trend is theand the Republic of Ireland.22 more breaches are disclosed, the tendency for legislation to getBeyond Europe, other countries public may just get numb. Today more prescriptive. Two of the lat-have recently enacted new rules the Privacy Clearinghouse web est examples are new state privacyincluding Canada23, Mexico24 and site already shows that around laws from Massachusetts andHong Kong.25 500 million people’s records have Nevada, which became effective Breach disclosure laws are con- been breached since they started in 2010. They are arguably two ofsidered an effective legal instru- keeping their records in 2005.26 the most prescriptive informationment that leverages the powers of However many argue that it protection regulations faced bythe marketplace. Notification not was the rise of breach notification enterprises to date (see taBle 5).only equips the regulator with the that really made a difference in These state laws do not just applynecessary information to exercise elevating information security to companies based in these statesstatutory powers, but it also pro- awareness and practices in the but extend to all organizationsvides other stakeholders such as U.S. With breach notification that handle personal informa- RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 7
  • • THE CHANGING COMPLIANCE LANDSCAPE TABLE 6: MASSACHUSETTS PRIVACY LAW’S REQUIREMENTS tion regarding their REGARDING THIRD-PARTIES residents. Any global enterprise that does D Select and retain third-party service business in the U.S. providers that are capable of maintaining will likely be covered appropriate security measures to protect information consistent with the regula- by these regulations. tions The Massachusetts law puts forth some D Contractually obligate third-party service of the most compre- providers to implement and maintain ap- propriate security measures. hensive information security requirements yet to be imposed on businesses by a legislature. As the first state breach notification well, Nevada and Massachusetts law enacted by California, have are two of the first jurisdictions in a nationwide affect. Already the the world to mandate encryption state of New Jersey has released of personally identifiable informa- its “Pre-Proposal” for similar tion (PII). regulations.28 These new state privacy laws reflect a growing concern among Growing Requirements American state legislators about Regarding Business Partners continued large-scale data breach- Many existing regulations and es and the resulting identity theft. standards call for organizations to It is widely believed that these assure that any third-parties that more prescriptive state laws are handle protected data employ ad- harbingers of things to come. The equate security measures. A recent “In a regulated environment, you essen- state of Washington has already wave of regulatory activity goes tially have to vouch for the fact that you’ve partnered with organizations which can followed Nevada’s lead in mak- even further in establishing legal handle the information in a secure fashion, ing PCI law.27 Since there is still requirements for enterprises as consistent with regulation.” David Kent, no overarching federal informa- well as their business partners to Vice President, Global Risk and Business tion protection legislation in the ensure the security of information. Resources, Genzyme U.S., the Massachusetts law could influence other states and, like New obligations The new Massachusetts privacy law sets up more substantial obli- gations to engage in pre-contract TABLE 5: PRESCRIPTIVE REGULATION evaluation and ongoing monitor- ing of the security practices of EXAMPLES REQUIREMENTS third parties than most other Nevada’s Adds expanded encryption requirements for data in previous legislation in the U.S.A updated privacy transmission and on portable devices and elsewhere29 (see taBle 6). law Recent modifications to Makes PCI compliance law for all businesses that ac- cept credit cards HIPAA, through the HITECH Act, mean that more organiza- Massachusetts’ Encompasses a lengthy list of security tions are now covered by HIPAA: new privacy law requirements such as: the definition of a business as- • Written information security program sociate has been broadened to explicitly include sub-contractors, • Physical and logical access controls providers of health data trans- • Monitoring of unauthorized access mission services, and vendors of personal health records.30 As • Service provider oversight well, business associates now have • Encryption of data in transmission and on portable direct responsibility and liability devices (minimum 128-bit) for a breach, including notification and remediation, and are subject • Includes penalties and injunctive relief (i.e. court order can be issued to stop violations) to the Act’s civil and criminal penalties. 8| secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • TABLE 7: GERMAN DPA GUIDELINES ON CLOUD SERVICE PROVIDER ASSURANCEEnforcement actionThis concept — that a covered Exert “regular control” over the cloud vendor’s technical and organi-entity is ultimately responsible for zational measures used to protect the data.the actions of its third parties — is Two ways to exert “regular control” were suggested:reinforced by a recent FTC en-forcement action involving mort- • Obtain an expert opinion in the form of audits or certificates indi- cating that the service provider is observing the legal restrictions.gage lender Premier Capital Lend-ing. In that case, the FTC brought • Obtain a binding guarantee declaration in which the service pro- vider makes a comprehensive commitment to meet the obligationsan action for, among other things, imposed by the law.violating the Safeguards Rule byengaging with a business partnerthat did not employ “reason-able and appropriate” security tosafeguard sensitive data, to accessconsumer credit reports throughPremier’s system.31Guidance on cloud serviceproviderIn July 2010, a Data ProtectionAuthority (DPA) in Germanyissued the first statement by aregulator regarding assuringcloud computing service provid-ers.32 According to the guidelines,companies or qualified externalthird parties must exert “regu-lar control” over whether cloudcomputing service providers areobserving the restrictions of thefederal privacy laws in Germany(see taBle 7). This first state-ment from a regulator provides anindication that organizations willbe held legally accountable for as-suring that their cloud computingservice providers have adequatesecurity. • “THE REGULATORS in general QQQQ seem to be heading towards more prescriptive regulations. When standards get too prescriptive they can be a hindrance. They start to impose things that may not be relevant to an organization’s risk management. The organiza- tion may do things in a different way, yet manage risk well. But that wouldn’t be acceptable to the prescriptive regulator.” ProFessor Paul Dorey, Founder and Director, CSO Confi- dential and Former Chief Informa- tion Security Officer, BP RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 9
  • 3 Business Impact Only the Strongest May Survive “Heightened scrutiny of other people and by other people is going to cost you. Besides regulators, customers or partners who are working with you are going to demand more of you. That’s going to add cost.” Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLPS inCe inForMation ProteCtion regulations first appeared a decade ago, compliance has af- fected enterprise IT and business strategies. The new era of compliance will add to the already formidable challenges and force a renewed focus level issue. Compliance often enables the necessary investment in the resources and people required to protect information. It creates a willingness to change business processes and helps drive a cultural change. Ten years ago, many information security or- on compliance. ganizations did not have the mindshare, funding, or technology they do today. Recent research indicates Gets Management Attention that 64 percent of IT and security executives sur- A major impact of compliance is that it gets the veyed believe regulatory compliance has increased attention of executive management. The new more the effectiveness of information security.33 stringent regulatory regime may help motivate But whether compliance helps to improve se- management in organizations which have not taken curity depends on an organization’s approach. If security that seriously yet. management simply meets the requirements of the In many organizations, compliance has elevated regulation or standard rather than managing risk, information security to become a C-suite and board- information security will not necessarily improve. Compliance is the best and worst thing that ever happened to security. It’s a combination. It gives you awareness. It gives you real life justification for good security practices. But at the same time, especially when regulations get prescriptive, it can make it more difficult to have a truly risk-based program where your highest risk items always get your financial investment.” DeniSe wooD, Chief Information Security Officer and Corporate Vice President, FedEx Corporation10 |
  • TABLE 8: DATA SECURITY BREACH LITIGATION*Information security cannot be treated as a TYPE OFfixed state. It is an ongoing process that must LITIGA- EXAMPLES FROM 2009-2010respond to a changing environment. TION Investor A retailer settled a lawsuit brought by an employees’Increases Costs law suit pension plan alleging that the retailer failed to protectIn the new era of compliance, costs are customers’ personal data resulting in a breach.sure to rise. In a recent survey, 55 percent Class Five financial institutions filed a class action suit al-of IT and security executives indicated that action law leging that two acquiring banks should be included asregulatory compliance costs accounted for suits defendants and share responsibility for damages causedmoderate to significant increases in their by a data breach which impacted millions of credit andoverall information security costs.34 As the debit cards.compliance landscape gets more complex, Two class actions were filed against various defen-demonstrating compliance gets more time dants including a payment processor, arising out of anconsuming and costly. Enterprises must con- unauthorized intrusion into the processor’s computer systems.stantly update their compliance programs toaccount for new requirements. For a global A bank settled a lawsuit, which alleged that it failedenterprise, another major struggle is dealing to limit access to and/or adequately safeguard privatewith international laws that actually have customer information, agreeing to pay identify theft insurance and free credit monitoring reimbursementconflicting requirements. One country tells for millions of customers.you to do one thing; while another tells youcan’t do that. It makes it difficult to have a B2B Law A lawsuit filed by a manufacturing company alleged Suits that a bank opened the manufacturer’s customers toglobal model for compliance. Organizations phishing attacks by sending e-mails asking customersend up having to duplicate functions across to click on a link to update the bank’s security software.sovereign boundaries to stay compliant, add- A lawsuit filed by a restaurant chain is seeking compen-ing costs. sation from a point-of-sales system vendor and reseller Another reason costs go up is that the alleging that problems with the system and installationnumber of requests to demonstrate compli- led to a security breach.ance continually increases — not only are re- *Lawsuits caused by a breach of information protected under privacy legislation or PCIquests coming from regulators and auditors,but also from customers and partners. Mostorganizations continue to rely mostly onmanual efforts and reams of paper for data little to mitigate them. But even a diligent organiza-collection and reporting, which consumes inordinate tion may experience a breach. If a breach occurs andamounts of resources. the data involved is governed by law, there could be Increased responsibility for information security regulatory actions and fines. With breach notificationacross the extended enterprise also has a significant now a requirement in more and more jurisdictions,cost impact on organizations. For example, organiza- it is increasingly likely that an organization willtions must undertake exhaustive work to evaluate also have to disclose the breach to authorities and/orand oversee service providers’ security practices. At those affected.the same time, service providers must invest in de- Generally, it’s not the regulatory fines or actionsveloping assessment processes so that they can give that are the most dreaded consequences of a breachcustomers the required assurances. — fines won’t push most companies out of business Generally, if regulations call for a risk-based — it’s the resulting public stigma. The more signifi-approach, organizations are investing in security cant fallout stems from having to disclose an incidentcontrols based on an analysis of their risks weighed and can include:against their appetite for risk. Their investment D Direct costs of notification, damage control activitiesaddresses their business needs to protect informa- and breach investigation and clean-up;tion. It is when regulations get more prescriptive D Damage to reputation caused by negative media;that compliance creates additional costs for security D Loss of customer, business partner and investor trust;controls. Organizations have to spend budget dollars D Legal costs of litigation;implementing technology specified by regulatory D Decline in shareholder value;requirements rather than technology which helps to D Loss of business;manage risks. D Heightened scrutiny by business partners and cus- tomers through more detailed assessments; andCreates Greater Consequences for Data Breaches D Higher costs of meeting future contract requirements.The chances of having a data breach will be muchhigher for those organizations that ignore risks or do Some of the first test cases involving data breaches RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 11
  • • BUSINESS IMPACT are making their way through the U.S. court system from $750,000 to $31 million. Organizations are also (see taBle 8). Many claims of compensation do not spending more on legal defense costs than in previ- make it into the public realm as businesses instead ous years.36 choose to settle out of court. When a breach involves In a follow-on study comparing costs of data data processed by many organizations along a value breaches internationally, it was found that the aver- chain, there will be disputes about who is to blame. age cost per incident worldwide was $3.43 million In fact, with more breach notification laws and re- USD. The costs are higher for organizations that quirements for business partners, the climate is ripe suffer a data breach in countries with notification for commercial litigation. laws compared to incidents that occur in countries Monumental or repeated information security without. For example, in the U.S., costs related to lost failures may actually take down a company. For ex- records were 43 percent higher than in countries ample, CardSystems, a payment processor, suffered without notification laws.37 Going forward, costs may a catastrophic data breach when 40 million credit go up in other countries as other jurisdictions add card records were stolen in 2005.35 The credit card notification requirements. companies withdrew their business and CardSys- Ultimately, in today’s relentlessly competitive tems eventually ceased to operate. In the future, the global marketplace, the judgment to fear most could types of companies at greatest risk of failure may be be the court of public opinion. In July 2010, a lead- the outsourcers or cloud computing service provid- ing PC manufacturer had an incident involving the ers that handle regulated data, have contractual distribution of motherboards infected with malware, obligations to protect it, but ultimately do not have which was reported in the press. However the more adequate safeguards. damaging coverage was the highly critical editorials The fifth annual Ponemon research study, which in the blogosphere. In our ultra-connected society, looked at the costs of data breaches in the U.S., found people now have the means to know what is going on that 42 percent of all incidents studied involved third- at companies and broadcast their opinions about it to party organizations and these were the most costly the world. due to additional investigation and consulting fees. The study also found that costs in general continue Gives Rise to More Third-party Risks to rise. The average cost per incident in the U.S. was The sheer volume of external service providers that $6.75 million USD, with resolution costs ranging enterprises must oversee is huge and the number QQQQ “TODAY IF a company suffers a significant data breach, it’s going to go viral and stay viral. And once it gets on the web, it doesn’t go away.” Bill Boni, Corporate Information Security Officer, VP Enterprise Information Security, T-Mobile USA “BEFORE SECURITY was almost like a pet peeve of the security department. Compliance makes it everyone’s responsibility, which makes a huge differ- ence. Now it’s easier to go about embedding security into the business.” Dr. ClauDia natanson, Chief Information Security Officer, Diageo 12 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • The deficit reduction plan in Europe and the States is going to mean loads of outsourcing. But if you’re an outsourced service provider you have no hope of getting government contracts — no hope whatsoever — unless you’re able to demonstrate very good systems and operations for security.” Stewart room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLPcontinues to grow. One of the main reasons that Compliance and the Move to the Cloudenterprises are increasing their use of third-parties When it comes to third-party risk, one of the big-is because it helps reduce costs. For example, even gest issues affected by compliance is the use of cloudwith the economy slowly turning around, enterprises service providers. Cloud computing is moving fromare aiming to reduce costs through outsourcing. The marketing buzz to prime time, as many organiza-findings of the “Outsourcing 2010” report by the tions actively explore solutions. A recent TPI surveyInternational Association of Outsourcing Profession- of more than 140 global IT decision makers revealedals (IAOP) show an upward trend with 70 percent of that 18 percent are already in discussions with cloudcompanies now planning on expanding their future service providers, and an additional 45 percent planoutsourcing programs.38 to do so within the next 6 months.39 Several Fortune Unfortunately, the increasing use of third-parties 500 companies have already moved their e-mailis on a collision course with the increasing demands systems to the cloud; and according to analysts, manyof compliance. Nowadays, enterprises are responsible others will be turning to cloud e-mail in droves.40for the whole value chain — wherever their data Providing the necessary levels of assurance ingoes. With more and more service providers and ven- cloud environments will be difficult. Even largedors in the chain, there is an increased chance that cloud service providers could have trouble meet-one of them will fail; resulting in non-compliance ing compliance requirements. For example, Googleand/or a data breach. signed a landmark deal to provide e-mail and other This creates challenges for both sides. For en- applications, such as document archiving and spread-terprises contracting out to service providers, it sheets, to the City of Los Angeles. Originally themeans developing effective oversight mechanisms. contract imposed a deadline of June 30, 2010 to haveAlthough companies in heavily regulated sectors the migration to the cloud completed. But Google issuch as financial services firms are accustomed to having some difficulty meeting the stringent securityhigh-level scrutiny of their suppliers, this burden is requirements set by the state Justice Departmentsomething new for many others. For service provid- and the Los Angeles Police. Therefore the deadlineers who are not up to the standards required for has been extended.41 It is not surprising that compli-regulated environments, it will be more and more ance is placing hurdles on the road to the cloud.difficult to do business with large enterprises or gov- For some jurisdictions, compliance strikes at theernment agencies. For some, coming up to speed on very heart of the cloud service provider’s businesscompliance will be a matter of survival. Increasingly, model in which data processing moves around toorganizations are walking away from service provid- the physical locations where the lowest-cost capacityers that cannot meet standards. is available. The EU Directive places limitations as An unfortunate casualty may be the smaller to where data can live and move — i.e., it has to beservice providers that cannot afford high levels of within the borders of the European Union membersecurity controls and/or the processes necessary for states or strict contractual arrangements are requiredcustomer assessments. To reduce the costs of testing to transfer data outside of the EU. Meeting thesefor compliance, large enterprises may look to larger requirements may negate the cost savings offered byproviders that can supply multiple services. the cloud. • RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 13
  • 4 Recommendations Best practices go to the next level “Security practitioners must link the compliance program to the strategy of the organization. Doing compliance for compliance sake is just using up your resources. Ensure that whatever you’re doing for compliance actually derives value for your organization and is not just something which pleases a regulator.” Vishal Salvi, Chief Information Security Officer and Senior Vice President, HDFC Bank LimitedO ver the last DeCaDe, Many organiza- tions’ compliance programs have been evolving and are at various stages of maturity (see taBle 9). Where they are at presently on the maturity curve depends on company size, vertical indus- implemented keep those risks at an acceptable level to protect and enable the business.”42 An acceptable level of risk is determined by an organization’s appe- tite for risk. In the compliance context, an acceptable level of risk must ensure that all regulatory require- try, and level of management attention. Today a con- ments are met and the controls put in place can be fluence of factors is forcing all compliance programs defended as commercially “reasonable and appropri- to the next level. This set of recommendations helps ate.” A fundamental, expectation of most regulations organizations to align their programs to the height- is that organizations implement “reasonable and ened demands of today’s compliance landscape and appropriate” measures to protect information. Except prepare for tomorrow. for the very prescriptive, most regulations don’t’ specify controls. A risk-based approach is the basis 1. | Embrace risk-based compliance for determining what is adequate. A data collection and reporting ability is required A risk-based compliance program is an operating to demonstrate compliance with internal information model with three main components: security policies as well as external regulations and D A governance process standards. For most large global enterprises, this is D An information risk management competency ultimately where the burden of compliance is found; D A data collection and reporting ability it is not in putting controls in place. At present most large global enterprises have already put in place In the past decade, regulations have often provid- controls and are adjusting them on an ongoing basis ed the impetus for organizations to put these systems in response to the risk environment. Testing the con- in place. Most regulations specifically call for taking trols and providing evidence of the controls — over a “risk-based approach.” However these systems are and over — is what takes its toll on the organization. not exclusively for compliance; rather they address a Often it is the interpretation of an on-site auditor business need to manage risk and ensure the protec- that determines whether an organization is “compli- tion of an organization’s information assets. ant” or not, but an effective compliance program is A governance process establishes oversight, for- not audit-driven. Decisions regarding the implemen- malizes decision-making and creates organizational tation of security controls should be focused on risk structures for approvals. Information risk manage- management, not audits. This requires an organiza- ment is “identifying and measuring the risks to tion to engage with the auditor to explain context information and ensuring that the security controls and to ensure he/she can make the link between As you move up the maturity curve, integrating compliance to become part of business processes is towards the top. The ability to measure it, track it, and report on it outside the context of security alone and making it part of board-level reporting is another obvious sign of maturity.” rolanD Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.14 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • TABLE 9: COMPLIANCE PROGRAM STAGES OF MATURITY First stages Focus is on building awareness Investing in developing competencies, processes, and security controls Piecemeal approach to each regulation and standard Compliance is viewed as a project and is assessment-oriented Audit-driven and reactive: preparing for and responding to audits Ad-hoc checklist processes Informal management by various silos including information security More mature Focus is on building ownership across the business stages Streamlining processes and controls, looking for ways to create efficiencies Framework approach to multiple regulations Risk management-driven and proactive: evaluates risks and determines level of controls based on risk appetite Compliance is viewed as a process and is reporting-oriented Formalized processes Implementing automation of data collection and reporting for select assets or categories of controls Governance by a cross-functional information risk or compliance council Vendor/partner assurance program Advanced Adds to more mature stages: stages Focus is on building personal responsibility with all stakeholders across the enterprise Integrating compliance with business processes Implementing automation of compliance processes system-wide Achieving continuous-controls monitoring Integrating with Enterprise Risk Management and Compliance programsregulatory requirements and the organization’s risk technologists who understand nuances of legal re-decisions. Auditors should not be dictating what to quirements and the business/risk environment; anddo, but rather validating that expectations are being lawyers who are able to understand and articulatemet. As an organization’s program matures, auditors particular technology risks. You need people who arewill expect continuous improvement. comfortable working across the various domains. Having someone with an IT audit background Compliance also requires highly adaptive per-on the security team can help frame discussions sonnel as new regulations come up and new riskswith auditors including: what is the measurement emerge. One approach to ensuring the security teamof control effectiveness, what is the residual risk and has the right skills is to invest in career developmentwhat is the level of risk the business has accepted? and support certifications in various disciplines. ThisSomeone with an IT audit background can also help helps to build the team’s know-how to re-engineerthe auditor to focus on examining the most critical processes and tweak models to fit the changing envi-controls and to understand risk-based scoping. ronment.Auditors are important allies working collaboratively Successfully building a risk-based compliancewith security to ensure that compliance efforts en- program requires that executive management isable rather than hinder business. willing to make the necessary investments in people, In general, an effective compliance program process and technology. It also requires commitmentrequires the right caliber of personnel: for example to achieving higher levels of maturity and an under- RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 15
  • • RECOMMENDATIONS RECOMMENDATIONS standing of the challenges at 1. Embrace risk-based compliance practices such as, “Passwords every stage. Early on, the main 2. Establish an enterprise controls framework should be changed at regular focus is creating awareness of 3. Set/adjust your threshold for controls intervals.” the need to protect information As a basis for developing 4. Streamline and automate compliance and how to protect it. Over time processes a customized controls frame- the focus evolves to getting the 5. Fortify third-party risk management work, many organizations use business and stakeholders to standards such as: 6. Unify the compliance and business take ownership of compliance. agendas D Control Objectives for Infor- A key step is moving from in- 7. Educate and influence regulators and mation and related Technology formal management of compli- standards bodies (COBIT) from the Information ance through siloed activities Systems Audit and Control As- to formal management by a sociation (ISACA); cross-functional team — typically an enterprise risk D ISO 27001/2 Information Security Management or compliance committee. System and Code of Practice Standards from the Information protection regulations are only International Standards Organization; and a small subset of an enterprise’s total regulatory D The Standard of Good Practice for Information Secu- regime. Besides regulations governing information rity from the Information Security Forum (ISF). protection, organizations must adhere to quality standards, labor rules, safety codes and environmen- Developing a controls framework to create a tal legislation, etc. To effectively align with busi- consistent set of controls across an entire enterprise ness strategy, a compliance program that addresses can be an immense task. It is a cross-organizational, information protection regulations must integrate cross-functional effort often driven by the informa- with the governance, risk management and reporting tion security team with oversight by the enterprise efforts that are put in place to address all regulations. risk or compliance committee. Once an initial An effective enterprise program provides everyone in framework is established, this committee keeps track the chain — from individual business process owners of changes to regulatory or business requirements to the board of directors — with all of the multi-fac- and determines any necessary modifications to the eted information needed to make risk decisions. An control framework. effective enterprise program provides everyone in the With this method, many large enterprises are chain — from individual business process owners to able to track pending legislation and upcoming the board of directors — with all of the multi-faceted requirements and then implement changes ahead of information needed to make risk decisions. regulatory mandates, achieving compliance pre- regulation. The more mature compliance programs 2. | Establish an enterprise controls often require only minor modifications to their framework existing controls when a new law comes out because they have already implemented the relevant security Most organizations toDay FaCe MultiPle measures based on their risk analysis and business regulations regarding information protection. It is requirements. inefficient and unsustainable to manage compliance by maintaining a separate list of requirements for 3. | Set/adjust your threshold for every regulation. Instead, develop one overall list of controls information security controls that satisfies all of the various regulations and addresses business require- in a risk-BaseD CoMPlianCe PrograM, Con- ments. The end result should be much more than trols are applied to particular classes of information just a list but an “enterprise controls framework,” assets based on an assessment of risk. Different that encompasses the organization’s model of secu- classes of risk might include internal information, rity controls. It is typically a matrix with controls confidential data, or customer records. How does an mapped to the various regulations and business organization determine what level of security control needs such as protection of intellectual property. In a is appropriate for a particular level of risk? For exam- converged security environment, it may include not ple, what’s the “right” level of authentication when a only information security controls but also controls call center employee is accessing customer records related to physical security, product quality, disaster over the local network? Or a contractor is access- recovery and business continuity, etc. ing corporate data from his home PC? Or a service At the highest level, the framework often has provider is accessing credit card data over a Virtual broad controls such as “Authentication,” with sub- Private Network? Is the “right” level a password? A controls providing more detail such as “Keep au- smart card? A biometric? What’s the “right” level of thentication mechanisms effective.” It may also have encryption to apply? Encrypt all data transmissions? 16 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • Implementing baseline controls around the systems that process credit card or customer-sensitive information to achieve compliance is not sufficient to achieve security. It’s necessary but not sufficient. Compliance is typically a subset of the necessary controls. Legislation lags the state of technology and threats because the institutional and bureaucratic operations that codify the standards take so much time.” Bill Boni, Corporate Information Security Officer, VP Enterprise Information Security, T-Mobile USAUsing 128-bit encryption? Should it be higher for have been given more specific direction regardingsome transmissions? how to determine the “industry standard.” The “IT Determining the “right” level of security controls (Amendment) Act”, which came into effect in 2009,to meet compliance requirements and business calls for organizations to take “reasonable securityobjectives is complex. Where does an organization practices and procedures” to protect information, andset its threshold? Ultimately it is a judgment call that specifically mentions that this would be prescribed inconsiders security and legal risks. A critical aspect consultation with the concerned professional bodiesof these decisions is asking what would be deemed or associations, such as the “Confederation of Indiancommercially “reasonable and appropriate.” The en- Industry” and the “Data Security Council of India”.terprise must take a position on the current industry What are the consequences of not keeping up withstandard. In other words, “What is the prevailing the industry standard? An audit may find that con-standard of practice in the industry given the current trols are not sufficient, resulting in a fine by a regula-risks and costs?” Of course organizations cannot be tor or creating a dispute with a business partner. Notexpected to implement such a high level of security keeping up with an industry standard also puts thecontrols that they can no longer compete in their organization at greater risk for a data breach. Shouldindustry. a data breach occur, it leaves the organization with The “industry standard” is not going to be con- a less legally-defensible position if the company isveniently laid out in a manual nor located on a web pulled into court.site. Security officers and information risk managers Organizations need to set the threshold highwill need to get a sense of the prevailing standard enough to guard against the current threat level.by networking with peers from other companies Compliance does not equal security and beingto find out what everyone else is doing, as well as compliant does not eliminate risk. Doing the bareby understanding the relevant trends. Over time as minimum to meet compliance requirements will beexpectations rise, the threshold will need to be reset. setting a threshold for security controls that is moreGenerally in every industry the baseline for security than likely going to be “behind-the-times.”controls will likely continue to go up. The threshold When dealing with multiple regulations, one ap-is pushed up because of advances in technology, proach is to set the threshold based on the strictestimprovements in the practice of security, escalat- regulation. As other jurisdictions issue requirementsing threats and increased data sharing with third- to match, the organization will already be covered.parties. For example, Massachusetts’ new encryption re- In some jurisdictions such as India, companies quirements call for 128-bit encryption when personal RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 17
  • • RECOMMENDATIONS information regarding Massachusetts residents is D Monitoring, measuring and testing the security transmitted. Many organizations are implementing controls; these types of encryption controls not only for data D Collecting all of the data on the controls; and pertaining to Massachusetts residents, but also for D Generating reports on the controls with respect to the residents of other states. Some organizations are requirements of regulations and standards and in the setting this threshold globally. Other organizations context of the organization’s risk decisions. make these encryption controls available globally as a service to be used at the discretion of business Filling out self-assessment questionnaires is a units. Where the organization sets the threshold common way to demonstrate compliance. Another depends on their risk assessment and business objec- is to have an auditor come on site to read documenta- tives. tion; actually look inside applications and networks; and possibly test controls. Whatever the method, for 4. | Streamline and automate most organizations today, even those with relatively compliance processes mature compliance programs, it is a huge, time- consuming and labor-intensive task to maintain organizations are inCreasingly CalleD uPon the documentation, collect the data and create the to prove compliance to regulators, internal and reports. external auditors as well as customers and business And costs continue to rise as the compliance partners. How do organizations prove compliance? landscape gets more complex and organizations are Essentially by proving that information security con- subject to a growing number of requests to prove trols exist and that they are effective. This involves: compliance. Typically as a compliance program D Documenting the compliance program, including matures, organizations aim for creating efficiencies, policies and processes; streamlining processes and using more automated To provide evidence of compliance for all of the regulations, it’s the same data pool. It’s the same information about your controls; you just have to produce different reports for different regulators. It makes sense to combine your efforts for compliance, security and risk. Not only is that approach more efficient, the outputs will also be of higher quality due to cross pollination.” Dr. martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN Amro 18 |
  • methods. At present most organizations still struggle automation of control validation and the majority ofwith manual efforts. Moving to more automated organizations have not attained this level yet. In amethods can help not only reduce costs, but also recent survey, only 36 percent of organizations hadincrease consistency in reporting. deployed a solution for continuous monitoring of Automation involves multiple stages. It often be- security controls.43 But many are working towardsgins by replacing disparate spreadsheets, file shares it, with the expectation that investments in automa-and binders with a content management system. A tion will help reduce costs and improve compliancecentral repository is used for: posture over the course of the long term. D Policies The approach to automation depends on the orga- D Regulatory requirements nization’s needs. Some opt to build their own custom- D Enterprise control framework designed solution while others turn to an off-the- D Control testing processes shelf “Enterprise Governance, Risk and Compliance” D Inventory of assets with classification (eGRC) platform. This platform ties into enterprise • Mapped to organizational structure (i.e. asset owners, applications and infrastructure, consolidating all business process owners) of the information necessary to manage risk and • Possibly including third-party systems compliance. For many organizations, the objective D Risk assessments of an eGRC deployment goes beyond managing risk D Self-assessment questionnaires and compliance related to information protection. D Audit results and remediation plans An eGRC platform can help integrate information from all of the various risk and regulatory domains The next stage is adding a work flow engine to de- to provide a complete picture of risk and compliancevelop and maintain the content; including approvals across the entire enterprise.and escalation. The objective is to have an integrated By providing a “CISO dashboard” and creatingview of all this information so you can look at and quarterly reports that go out to business units on themanage your governance, risk management and status of security, an eGRC platform can deliver thecompliance program in a holistic way. kind of visibility into compliance that is needed for This approach requires investment in training in the business to take ownership. Ideally, implement-order to ensure data quality. Staff members who are ing eGRC technology can help provide a commonrequired to input information into the system should methodology, thought process and language for allunderstand the rigor required for data quality. Care- compliance stakeholders.ful planning is also necessary to keep the manage- One of the challenges of automated data collectionment load to a minimum. Developing or deploying a will be interoperability across different applicationstechnology solution will only save time if in conjunc- and platforms. Taking data feeds in from a hugetion, organizations think through all of the various number and variety of systems is a tall order. All theprocesses involved in substantiating compliance and data formats from all of the various feeds have to bedevelop a plan to streamline them. Understand what readable by the eGRC platform and consumed andcan be automated and what will still require human presented in a useful format. Open standards mightintervention. help solve some of these issues. Often the vision for the third stage is to automate Implementing an eGRC platform, either throughdata collection and report generation. The goal is a custom-built or an off-the-shelf solution, will needto answer questions via automatic system queries to done be in multiple steps. Given the number ofrather than have application owners manually input systems that need to feed into an eGRC platform, itthe information. For example, consider the ques- is typically not feasible to integrate every individualtion — “Have access rights for terminated employees data source. Standard middleware is often requiredbeen removed from the system?” In this case, a list which allows feeds from a whole series of systemsof terminated employees would be checked against a like security management, configuration manage-database of access rights and a report automatically ment, privilege management and access controlgenerated. systems, etc. Achieving a level of automation whereby all the For a single information asset, there may be 20necessary data is harvested through system que- controls; an organization can start by automating oneries to produce a specific metric that demonstrates or two of them and then automate more over time.compliance is a massive data integration, correla- Another approach is to look at the common sets oftion and business intelligence problem. Ultimately requirements that run across all regulations andthe objective is “continuous controls compliance” business needs, such as identity and access manage-— continuously monitoring effectiveness of controls ment. Implement automation for one set of require-and highlighting compliance exceptions. It is often ments then the next.a multi-year project to get to this kind of “hands-off” Today there is still no “plug-and-play” eGRC tech- RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 19
  • Due Diligence D Taking a potential partner through an extensive review, with an on-site audit and rigorous line of questioning regarding security policy, architecture and controls QQQQ D Possibly have the on-site audit done by an expert third-party assessor D Possibly require certifications like ISO 27001/2 or “YOU NEED a whole process set up for evaluating vendors. SAS 70 In every organization, business units are contracting out data processing to service providers all of the time. So it’s very hard to keep track of it all. You have to work with Thorough contractual agreement your purchasing department and put a system in place to D Detailed requirements for meeting regulatory compli- ensure that you know which vendors are getting customer ance and reaching a certain standard with respect to information.” security controls Dave Cullinane, Chief Information Security Officer D Reporting requirements and Vice President, eBay D Contracts contain “right to audit” clause D Contractual indemnification — liabilities if there is a nology; solutions must be customized and tailored data breach to an organization’s business processes. However, D Breach notification requirements and process commercial solutions are available that provide D Incident management procedures out-of-the-box policies and workflows mapped to specific regulations so that organizations don’t have Consequence management to start from scratch. Over time eGRC technology D Extending disciplinary processes into partner’s orga- will continue to evolve, possibly making integra- nization tion easier and masking the complexity. One route the technology may take is vertical industry-based Governance including regular reviews and surprise audits toolsets which build in functionality for the specific D Service providers should be regularly audited; how business processes of a particular sector. Another often and how deep into the infrastructure the is appliances which cover multiple functions in one customer’s examination will go should be discussed device such as appliances for unified threat manage- during contract negotiations ment. It should be noted that even as the technology evolves, compliance will never be completely auto- Sharing information on security with business mated simply because people will always be involved partners is paramount to a successful relationship. at some level of decision-making. On the one hand, service providers are reluctant to reveal detailed information about their security poli- 5. | Fortify third-party risk cies and procedures because this information may be management misused. On the other hand, data owners cannot rely on imprecise descriptions of security measures from With regulations arounD the WorlD extenD- service providers. Achieving an appropriate balance ing responsibility for the security of data across the is crucial. value chain, organizations need to develop a solid It is important for enterprises in both positions (as third-party strategy for mitigating risks throughout data owners and/or service providers) to find an ef- the extended enterprise. A common approach in fective way to ensure that their contractual relation- the past has been to develop “boilerplate” security ships satisfy the required regulations. For managing requirements for service provider contracts and leave service providers, organizations should consider it at that. But given the increased risk, enterprises creating a “community of practitioners,” with a goal can no longer rely solely on agreements and contracts of creating consistent practices across the whole and must take a more active role in verifying that extended enterprise. For performing assessments, an their partner’s capabilities are up to the required alternative is the retention of reputable independent standards. auditors to analyze service provider security practic- A comprehensive third-party strategy would es. As the number of service providers continues to include the following components: climb for most enterprises, at a certain point having Diversification an internal team do all of the required assessments D Using multiple service providers to handle different may no longer be sustainable. aspects of a business process A challenge faced by many organizations is that D Not giving all the data to one service provider to service providers are often contracted outside of the process standard purchasing process — for example a busi-20 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • ness unit sends employee data to an HR outsourc- authorizations and continuous security monitoring ofing company without going through the standard shared IT services for federal departments and agen-process. With the expanded regulatory requirements cies that enter contracts with outside providers. 44for service providers, security officers will now have The lack of a consistent way to assess IT servicethe added weight of compliance to help create more providers has been a problem for at least a decade.awareness and oversight capability for those stray The cloud may force the whole industry to solve thissystems that were previously outsourced without problem. As more and more companies move to aproper information security assessments. This may common set of cloud service providers, shared ac-ultimately reduce risks. creditation will be an obvious requirement. There are interesting possibilities for approachingManaging cloud service providers a “compliant cloud.” One possible model, based onAdoption of cloud services has begun, albeit initially market acceptance, will see cloud providers proac-primarily for non-regulated data processing. How- tively invest in the ability to host large volumes ofever, cloud computing offers an attractive business data with specific controls and assurance to meet aand operational proposition for companies to process particular regulation. This model is already emerg-large volumes of data, including regulated data. ing, with clouds such as the recent introduction ofMany companies are aiming to use cloud services Google’s FISMA compliant cloud for the federal gov-even for data subject to compliance obligations. ernment.45 Other such clouds, like a “HIPAA cloud”, As a “new” member of the portfolio of third-party etc, may follow.providers, organizations need to put cloud providers Another developing model is a “hybrid” orthrough the same rigorous due diligence and audit- “multi-zone” environment, in which sensitive dataing strategies described above. In addition, they will will reside within the customer’s physical premisesneed to deconstruct the architecture around who’s or under contractual control in a hosted separateresponsible for data, maintenance, access, privileged datacenter, while non-critical data will reside whereuse, etc. to determine how many layers on which to there is the lowest-cost capacity. Another route thatconduct due diligence. many organizations are taking is using a “private On their end, cloud providers will need to estab- cloud” model which gives control over where the datalish processes and controls that generate legal and will travel within the enterprise datacenter.regulatory confidence. Ideally they need an “attesta- Security organizations need to work closely withtion” process that proves they have the right controls their cloud providers and adopt a cloud model thatin place. The Trusted Cloud Initiative (within Cloud matches the organization’s risk profile. They needSecurity Alliance) is creating a reference archi- to incorporate cloud providers into their third-partytecture to enable cloud vendors to have an outside management strategies to mitigate the risk of theauditor attest to the fitness of their controls (similar extended enterprise.to a SAS70 type of certification for a cloud serviceprovider). 6. | Unify the compliance and Many other initiatives are aimed at solving the business agendascloud assurance problem. “A6”, which stands for Au-tomated Audit, Assertion, Assessment, and Assur- in the Past, CoMPlianCe Was oFten seen asance API, also known as CloudAudit, is led by Cisco. the security and compliance teams’ responsibly andThe Common Assurance Maturity Model (CAMM) it was an isolated function. Now a fundamental shiftis a 24-member consortium of mostly vendors which is taking place in many organizations. Compliance isalso includes the European Network and Informa- increasingly recognized as an essential component oftion Security Agency (ENISA). The Federal Risk and doing business.Authorization Management Program (FedRAMP) More and more, compliance teams are being in-is co-chaired by NIST. It intends to provide joint vited to the table at the start of a project. Compliance We need an open-standards way for cloud computing providers to measure their controls. The idea is for the providers to measure how well they are complying against certain requirements and then display the results publicly on their websites. This could eventually reduce the need to measure those particular controls.” Petri kuivala, Chief Information Security Officer, Nokia
  • QQQQ “COMPLIANCE REQUIRES an organization to establish a cultural change. People themselves should be able to distinguish compliant behavior and incompliant behavior. Compliance will always be there. There will always be regulation. It’s not an incident that you can just react to and then it’s gone. Compliance should be considered part of doing business-as-usual.” Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN Amro is more often integrated into business innovation ecutives to staff members and contractors — to fully processes early on, for example when a business be- understand their role in compliance. The challenge gins an M&A due diligence. Business process owners is that the topic of compliance is so huge; there are are recognizing that compliance should be dealt with so many regulations and it’s a complex landscape. It in the same way as other business risks; up front and is not feasible to have everyone read and understand not at the 11th hour, in order to ensure proper assess- all the laws. Find ways to ensure people know a suf- ment, planning and funding. ficient amount. Then focus on creating processes for Organizationally, having a compliance function them to follow that have compliance built-in. Compli- within each business unit is crucial to aligning com- ance should just be part by-product of people follow- pliance to business. The responsibility for compli- ing procedures, acting in a professional manner and ance should not rest solely within the information doing their jobs properly. For example, HR manag- security and compliance departments; it should be ers should understand that they an important role moved out to the business-line and division mangers. in compliance by conscientiously keeping the HR With the right check and balance structure, the cor- database up to date. porate compliance group establishes the standards; Although compliance creates challenges many while the business units, which have profit and loss organizations have found that it can also provide ben- responsibility, implement the standards. This way efits. The goal of compliance initiatives is improved the right trade-offs can be made between the busi- information practices; but the end result can often ness needs and the enterprise legal risks. also deliver improved IT operations and business A central feature of a relatively mature compli- processes. For example, without the urging of regula- ance program is a corporate risk or compliance com- tions, many organizations would not have adopted mittee made up the Head of Compliance, the General better systems to manage identity and access man- Counsel, Chief Security Officer (or Risk Officer), agement or patch management. Now organizations Chief Auditor, and the Controller’s Office. This group can reap the benefits of efficient on-boarding and often reports to the Head of Finance or the Chief off-boarding of employees and contractors; and more Administrative Officer. This committee manages reliable IT systems. risk and compliance issues across the enterprise in the context of business strategy. 7. | Educate and influence regulators Besides the right organizational structure, to and standards bodies embed compliance into the business you also need everyone in the enterprise at every level — from ex- it is WiDely reCognizeD that although regu- lators for the most part have benign intentions as they develop and fine tune the rules, they don’t understand the “real world” environment and theTABLE 10: EXAMPLES OF CURRENT complexity of implementation. After a decade ofLEGISLATIVE INITIATIVES experience complying with information protection regulations, organizations have a wealth of knowl- National Strategy for Trusted Identities in Cyberspace 2010 edge of what works and what is not effective. It is Data Security Act of 2010 critical that security leaders are part of the conver- sation as a whole host of new legislation regarding Data Security and Breach Notification Act of 2010 identity theft, privacy and critical infrastructure is The Protecting Cyberspace as a National Asset Act of 2010 entering the scene (see taBle 10). Security and business leaders need to develop 2010 Dodd-Frank Wall Street Reform and Consumer Protection credible ways to educate legislators and construc- Act tively affect regulation. Internally they need to work 2010 European Union Reference Network for Critical Infra- closely with the Government Affairs function and structure Protection (ERN-CIP) join forces with them. Externally they need to par- ticipate in groups like TechAmerica’s information 2010 European Union Digital Single Market Initiative security council, which gives companies an opportu- 2010 European Union Solvency II Directive nity to provide insight into legislation. •22 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • 5 Conclusion Get it right and reap the rewardsA successful compliance program in a large global enterprise today takes a holistic approach to Compliance does not have to be a hindrance to business innovation. If it is done right, it won’t be a drag on meeting the requirements resources. If organizations of multiple regulations. A focus compliance efforts on successful program embeds building core risk management compliance in business strength, compliance can processes. It uses automation actually enable innovation. as much as possible; and The key is to have a risk-based has the risk management compliance program that competency to make puts fewer resources towards defensible decisions about non-productive compliance materiality of risk. Leveraging activities and leaves more for continuous compliance an organization to invest in monitoring technologies business innovation. will allow organizations to reduce the amount they spend “ON BALANCE I don’t think compli- ance hinders innovation. Compli- demonstrating compliance. ance just changes the game a bit. It offers an opportunity to innovate This will enable organizations in a new more compliant space. It offers new challenges to do what we to reduce their overall security do more securely.” investment and/or focus it on Denise WooD, Chief Information Security Officer and Corporate Vice more value-added information President, FedEx Corporation security services. “IN A way, because regulations mandate organizations to mitigate risks, regulators are actually provid- ing opportunities for innovation. When you build core strength in risk management, it enables you to for example, be first movers in an industry with a new business line. You’re already prepared to manage any new risks.” Felix Mohan , Senior Vice Presi- dent, CISO & Chief Architect, Bharti Airtel Ltd. RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 23
  • 6 Appendices About the Security for Business Innovation InitiativeB uSineSS innovation has reached the top of the agenda at most enterprises, as the C-suite strives to harness the power of globalization and technology to create new value and efficiencies. Yet there is still a missing link. Though business innovation is powered by information; protecting information is typically not considered strategic; even as enterprises face mounting regulatory pressures and escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or — even worse — not addressed at all. But without the right security strategy, business innovation could easily BUSINESS INNOVATION be stifled or put the organization DEFINED at great risk. At RSA, we believe that if se- Enterprise strategies to enter new markets, launch new products curity teams are true partners in or services, create new business the business innovation process, models, establish new channels or partnerships, or transform operations they can help their organizations achieve unprecedented results. The time is ripe for a new ap- interviews with the Council, proach; security must graduate publishing their ideas in a series from a technical specialty to a of reports and sponsoring inde- business strategy. While most pendent research that explores security teams have recognized this topic. RSA invites you to join the need to better align security the conversation. Go to www.rsa. with business, many still struggle com/securityforinnovation/ to to translate this understanding view the reports or access the re- into concrete plans of action. They search. Provide comments on the know where they need to go, but reports and contribute your own are unsure how to get there. This ideas. Together we can accelerate is why RSA is working with some this critical industry transforma- of the top security leaders in the tion. world to drive an industry conver- sation to identify a way forward. RSA has convened a group of highly successful security execu- tives from Global 1000 enterprises in a variety of industries which we call the “Security for Busi- ness Innovation Council.” We are conducting a series of in-depth24 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • Security for Business Innovation Report Series QQQQ Go to www.rsa.com/ securityforinnovation The Time is Now: Making Information Security Strategic to Business Innovation Recommendations from Global 1000 Executives Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards Recommendations from Global 1000 Executives Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy Recommendations from Global 1000 Executives Charting the Path: Enabling the “Hyper-Extended” Enterprise in the Face of Unprecedented Risk Recommendations from Global 1000 Executives Bridging the CISO-CEO Divide Recommendations from Global 1000 Executives The Rise of User-driven IT: Re-calibrating Information Security for Choice Computing Recommendations from Global 1000 ExecutivesRSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 25
  • Contributors Top information security leaders from Global ANISH BHIMANI, CISSP, BILL BONI, CISM, CPP, ROLAND CLOUTIER, DAVE CULLINANE, Chief Information Risk CISA, Corporate Informa- Vice President,Chief Secu- Chief Information Se- Officer, JPMorgan Chase tion Security Officer, VP rity Officer, aUToMaTiC curity Officer and Vice Enterprise Information DaTa ProCessing, inC. President, ebay ANISH HAS global respon- Security, T-Mobile Usa ROLAND HAS functional and DAVE HAS more than 30 sibility for ensuring the security and resiliency AN INFORMATION protection operational responsibility years of security experience. of JPMorgan Chase’s IT specialist for 30 years, Bill for ADP’s information, risk Prior to joining eBay, Dave infrastructure and supports joined T-Mobile in 2009. and crisis management; was the CISO for Washing- the firm’s Corporate Risk Previously he was Corporate and investigative security ton Mutual and held leader- Management program. Security Officer of Motorola operations worldwide. Previ- ship positions in security Previously, he held senior Asset Protection Services. ously, he was CSO at EMC at nCipher, Sun Life and roles at Booz Allen Ham- Throughout his career Bill andheld executive positions Digital Equipment Corpora- ilton and Global Integrity has helped organizations with consulting and man- tion.Dave is involved with Corporation and Predictive design and implement cost- aged services firms. He has many industry associations Systems. Anish was selected effective programs to protect significant experience in including as current Past “Information Security Ex- both tangible and intangible government and law enforce- International President ecutive of the Year for 2008” assets. He pioneered the appli- ment, having served in the of ISSA. He has numer- by the Executive Alliance cation of computer forensics U.S. Air Force during the ous awards including SC and named to Bank Technol- and intrusion detection to Gulf War and later in federal Magazine’s Global Award ogy News’ “Top Innovators deal with incidents directed law enforcement agencies. as CSO of the Year for of 2008” list. He authored against electronic business Roland is a member of High 2005 and CSO Magazine’s “Internet Security for Busi- systems. Bill was awarded Tech Crime Investigations 2006 Compass Award as ness” and is a graduate of CSO Magazine’s “Compass Association, State Depart- a “Visionary Leader of the Brown and Carnegie-Mellon Award” and “Information ment Partnership for Criti- Security Profession.” Universities. Security Executive of the cal Infrastructure Security Year – Central” in 2007. and Infragard.Universities. PETRI KUIVALA, DAVE MARTIN, CISSP FELIX MOHAN, DR. CLAUDIA NATANSON, Chief Information Secu- Chief Security Officer, Senior Vice President, Chief Information Secu- rity Officer, nokia eMC CorPoraTion CISO & Chief Architect, rity Officer, Diageo bharTi airTel lTD PETRI HAS been CISO at DAVE IS responsible for CLAUDIA SETS the strategy, Nokia since 2009. Previ- managing EMC’s industry- AT AIRTEL, Felix ensures policy and processes for ously he led Corporate Secu- leading Global Security information security and information security across rity operations globally and Organization (GSO) focused IT aligns with changes to Diageo’s global and diver- prior to that in China. Since on protecting the company’s the risk environment and gent markets. Previously, joining Nokia in 2001, he has multibillion dollar assets business needs. Previously she was Head of Secure also worked for Nokia’s IT and revenue. Previously, he he was CEO at a security Business Service at British Application Development led EMC’s Office of Informa- consulting firm, an advisor Telecom, where she founded organization and on the tion Security, responsible for with a Big-4 consulting the UK’s first commercial Nokia Siemens Networks protecting the global digital firm, and head of IT and globally accredited Com- merger project. Before enterprise. Prior to joining security in the Indian puter Emergency Response Nokia, Petri worked with the EMC in 2004 Dave built Navy. He was a member of Team. Claudia is Chair of Helsinki Police department and led security consult- India’s National Task Force the Corporate Executive beginning in 1992 and was ing organizations focused on Information Security, Programme of the World a founding member of the on critical infrastructure, Co-chair of the Indo-US Forum of Incident Response Helsinki Criminal Police technology, banking and Cybersecurity Forum, and and Security Teams. She IT- investigation depart- healthcare verticals. He awarded the Vishisht Seva holds an MSc. in Computer ment. He holds a degree in holds a B.S. in Manufactur- Medal by the President of Science and a Ph.D. in Com- Masters of Law. ing Systems Engineering India for innovative work in puters and Education. from the University of Hert- Information Security. fordshire in the U.K.26 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • 1000 enterprises DR. MARTIJN DEKKER, PROFESSOR PAUL DOREY, RENEE GUTTMANN, DAVID KENT, Senior Vice President, Founder and Director, Vice President, Informa- Vice President, Global Chief Information Secu- CSO Confidential and tion Security & Privacy Risk and Business Re- rity Officer, abn aMro Former Chief Information Officer, TiMe Warner sources, genzyMe Security Officer, bP inC. MARTIJN WAS appointed DAVID IS responsible for the Chief Information Security PAUL IS engaged in RENEE IS responsible for design and management of Officer of ABN Amro in consultancy,training and establishing an information Genzyme’s business-aligned early 2010. Previously he research to help vendors, risk management pro- global security program, held several positions in end-user companies and gram that advances Time which provides Physical, In- information security and IT governments in developing Warner’s business strategies formation, IT and Product including Head of Informa- their security strategies. for data protection. She Security along with Busi- tion Security and Head of Before founding CSO Confi- has been an information ness Continuity and Crisis Technology Risk Manage- dential, Paul was respon- security practitioner since Management. Previously, he ment in the Netherlands. sible for IT Security and 1996. Previously, she led was with Bolt Beranek and Other positions included IT Information and Records the Information Security Newman Inc. David has 25 Architect, Program/Portfolio Management at BP. Previ- Team at Time Inc., was a years of experience aligning Manager, and IT Outsourc- ously, he ran security and security analyst for Gartner security with business goals. ing/Offshoring Specialist. risk management at Morgan and worked in information He received CSO Magazine’s Martijn joined ABN Amro Grenfell and Barclays Bank. security at Capital One and 2006 “Compass Award” for in 1997 after completing his Paul was a founder of the Glaxo Wellcome. Renee visionary leadership in the Ph.D. in Mathematics at the Jericho Forum, is Chairman received the 2008 Compass Security Field. David holds University of Amsterdam of the Institute of Informa- Award from CSO Magazine a Master’s degree in Man- and a Masters of Mathemat- tion Security Professionals and in 2007 was named a agement and a Bachelor of ics at the University of and a Visiting Professor at “Woman of Influence” by the Science in Criminal Justice. Utrecht. Royal Holloway College, Executive Women’s Forum. University of London. { GUEST CONTRIBUTOR STEWART ROOM, VISHAL SALVI, CISM CRAIG SHUMARD, DENISE WOOD, Partner, Privacy and Chief Information Secu- Chief Information Chief Information Secu- Information Law Group, rity Officer and Senior Security Officer, Cigna rity Officer and Corporate FielD Fisher Vice President, hDFC CorPoraTion Vice President, FeDex WaTerhoUse bank liMiTeD CorPoraTion CRAIG IS responsible for WITH 19 years experience VISHAL IS responsible for corporatewide information DENISE IS responsible for as a litigator and advocate, driving the Information protection at CIGNA. He security and business con- Stewart is a recognized Security strategy and its im- received the 2005 Informa- tinuity strategies, processes expert in data protection; plementation across HDFC tion Security Executive of and technologies that secure ranked at the forefront of this Bank and its subsidiaries. the Year Tri-State Award FedEx as a trusted business field by the legal directories Prior to HDFC he headed and under his leadership partner. Since joining in Chambers UK and Legal Global Operational Infor- CIGNA was ranked first 1984 she has held several In- 500. He is also President of mation Security for Stan- in IT Security in the 2006 formation Technology officer the National Association of dard Chartered Bank (SCB) Information Week 500. A positions supporting key cor- Data Protection Officers and where he also worked in IT recognized thought leader, porate initiatives, including a Director of Cyber Security Service Delivery, Gover- he has been featured in development of fedex.com; Challenge UK. Stewart nance & Risk Management. The Wall Street Journal and was the first Chief In- was Financial Times Legal Previously, Vishal worked and InformationWeek. formation Officer for FedEx Innovator of the Year 2008 at Crompton Greaves, De- Previously, Craig held Asia Pacific in 1995. Prior and is the author of several velopment Credit Bank and many positions at CIGNA to FedEx, Denise worked for books including his latest Global Trust Bank. He holds including Assistant VP of Bell South, AT&T and U.S. Data Security Law and a Bachelors of Engineering International Systems and West. Denise was a recipient Practice. degree in Computers and a Year 2000 Audit Director. of Computerworld’s“Premier Masters in Business Admin- He is a graduate of Bethany 100 IT Leaders for 2007” istration in Finance from College. award. NMIMS University. RSA, The Security Division of EMC | secuRity foR business innovation council RepoRt | 27
  • References 1 “Outpacing Change”, Ernst 10 What is NERC CIP, 22 “Irish Data Protection 33 “Outpacing Change”, & Young’s 12th Annual Global and IT’s role in critical Commissioner introduces draft Ernst & Young’s 12th Annual Information Security Survey infrastructure protection?”, code of practice on breach Global Information Security Report SearchCompliance.com notification”, SC Magazine, Survey Report June 10, 2010 2 “Viviane Reding Member 11 “Twitter, FTC settle 34 “Outpacing Change”, of the European Commission on charges of data security 23 “Canada’s newly Ernst & Young’s 12th Annual responsible for Information lapses”, InfoSecurity.com, June introduced data breach law is Global Information Security Society and Media Privacy: 24, 2010 a start, but it lacks teeth”, SC Survey Report the challenges ahead for the Magazine 12 “Rite Aid Settles FTC 35 “Visa cuts CardSystems European Union”, Keynote Case”, WSJ, July 27, 2010 24 “Mexico passes new law over security breach”, The Speech at the Data Protection aimed at data-leak prevention Register, July 19, 2005 Day 28 January 2010, 13 “FTC Testifies on Efforts for individuals and private European Parliament, Brussels to Protect Consumer Privacy”, 36 “Ponemon Study Shows companies”, Security & Smart-Grid, July 28, 2010 the Cost of a Data Breach 3 “Commission defends data Compliance News, July 19, Continues to Increase”, protection review timetable”, 14 “PCI DSS requirements 2010 Ponemon Institute, January The Register, August 10, 2010 still baffling as compliance 25 “Privacy Commissioner 25, 2010 deadline approaches”, 4 “Data Protection in Publishes Guidance Note SearchSecurity.co.UK, March 37 “Infosecurity Europe the European Union: on Data Breach Handling 8, 2010 2010: Survey says US boasts the role of National Data and the Giving of Breach highest data breach costs”, Protection Authorities”, FRA 15 “Exclusive PCI DSS Notifications”, Privacy InfoSecurity, April 28, 2010 European Union Agency for news: EU regional director Commissioner for Personal Fundamental Rights, 2010 rallies UK merchants”, Data (PCPD) Hong Kong 38 “Outsourcing 2010: SearchSecurity.co.UK, July Media Statement, June 21, 2010 Summary of Findings from 5 “Germany Strengthens 9, 2010 IAOP’s State of the Industry Data Protection Act, 26 “500 Million Sensitive Survey”, IAOP Accenture Introduces Data Breach 16 “European Commission Records Breached Since 2005”, Report Notification Requirement”, passes new e-Privacy Directive Privacy Rights Clearinghouse, Jones Day, Oct 2009 requiring mandatory data August 26, 2010 39 “TPI Index — An breach notification by public Informed View of the State of 6 “Firms unprepared for new 27 “FAQ on Washington communications providers”, the Commercial Outsourcing ICO powers”, V3.co.uk, April State’s PCI Law”, Lexicology, February, 2010 Market — Second Quarter 4, 2010 INFORMATIONLAWGROUP, 2010”, TPI, July 26, 2010 17 “Viviane Reding Member March 24, 2010 7 “French Senate’s proposed of the European Commission 40 “Enterprises Ready to Bill to amend Data Protection 28 “New Jersey Publishes responsible for Information Turn to Cloud E-Mail”, CIO, Act”, dataprotectionlaw&policy, Pre-Proposal of Rules Society and Media Privacy: August 18, 2010 Feb 2, 2010 Protecting Personal the challenges ahead for the Information”, Privacy & Data 41 “Google-City of Los 8 “United States: HIPAA European Union”, Keynote Security Law Journal, April Angeles deal delayed”, Privacy, Security, and Speech at the Data Protection 2009 American Public Media Enforcement Rules Modified Day 28 January 2010, Marketplace, July 26, 2010 Under the HITECH Act”, European Parliament, Brussels 29 “Enterprises Should Mondaq, July 20, 2010 Beware the Pitfalls of 42 “Mastering the Risk/ 18 “Guidance on data security Compliance with the Reward Equation: Optimizing 9 “Connecticut Attorney breach management”, ICO, Massachusetts Information Information Risks to Maximize General Reaches First State March 27, 2008 Security Regulations”, Hogan Business Innovation Rewards”, HIPAA Settlement with 19 “Germany Strengthens Lovells Chronicles of Data Security for Business Health Net”, Security, Privacy Data Protection Act, Protection, March 2, 2010 Innovation Council Report & the Law, July 7, 2010 Introduces Data Breach 30 “United States: HIPAA 43 “Outpacing Change”, Notification Requirement”, Privacy, Security, and Ernst & Young’s 12th Annual Jones Day, October 2009 Enforcement Rules Modified Global Information Security RSA invites 20 “New data breach Under the HITECH Act”, Survey Report notification duty introduced Mondaq, July 20, 2010 you to join the 44 “Cloud computing risks in the 2010 Amendment to 31 “FTC Consent Decree and how to manage them the Data Protection Act”, conversation Preslmayr Rechtsanwa Lte., Alleges Mortgage Lender Failed to Ensure the Data Issue”, Information Security Magazine, June 2010 March 2010 Protection of ConsumerQQQQ Go to www.rsa.com/ 21 “French Senate’s proposed Information Provided to a 45 “Google Receives FISMA Certification for Cloud securityforinnovation Bill to amend Data Protection Third Party”, Global Financial Services”, ExecutiveGov, July Act”, dataprotectionlaw&policy, Market Watch Blog, January 27, 2010 Feb 2, 2010 28, 2009 32 “Cloud computing may violate German data privacy laws”, Lexology, July 20, 2010 28 | secuRity foR business innovation council RepoRt | RSA, The Security Division of EMC
  • Quotable Highlights from the ongoing conversationBill Boni, Corporate Information Petri Kuivala, Chief Information Dr. Claudia Natanson, ChiefSecurity Officer, VP Enterprise Security Officer, Nokia Information Security Officer,Information Security, T-Mobile “IF YOU have implemented your DiageoUSA security procedures by following “AN ORGANIZATION will never, ever“WE HAVE a legal and regulatory for example, the ISF Standard achieve compliance unless the “I”system that is accustomed to of Good Practice or some other is part of it. So every person in thethings like physical presence and common methodology, whenever organization must know the partvisible control. For cloud-based there is a question with regards to they must play to be able to achievesolutions, developing equivalent whatever new law, you can answer true compliance.”levels of confidence within legal that question based on yourand regulatory bodies is going to be current approach.” Stewart Room, Partner, Privacychallenging. The providers of new and Information Law Group, Fieldcloud solutions have to embrace the Dave Martin, Chief Security Fisher Waterhouse LLPlevel of rigor required by regulation Officer, EMC Corporationand need to better understand what “THERE WILL be commercialauditors are asking them in order “CONTINUOUS CONTROL contracting consequences that flowto demonstrate compliance.” monitoring is going to become vital from you being named, shamed in cloud-based datacenters. It’ll and ‘outed’ for bad data handling. be essential for putting regulated Organizations might seek tighterDave Cullinane,Chief Information data in the cloud. Stuff’s going to indemnities from you or theySecurity Officer and Vice be moving around. You’re going might refuse to work with you.”President, eBay to need the ability to constantly“YOU NEED a broad perspective make sure that your regulated data Vishal Salvi, Chief Informationof all of the various legislation in is in the right place with the right Security Officer and Senior Vicethe US and elsewhere. Legislators controls.” President, HDFC Bank Limitedand people in Congress don’t “YOU DEVELOP effective controls “REGULATION HAS been a primaryoften understand the nuances of by working with the business, driver for the implementation ofthings like identity theft. They understanding the details of information risk managementmight pass all sorts of legislation the process and building in and it has made a significantthat’s actually not going to reduce compliance instead of bolting it impact. For example if you look atidentity theft but just create a on. But the process owners have the various sectors that are highlywhole bunch of requirements. It’s to have a willingness to improve regulated — like financial servicesimportant for security officers to be their process to ensure compliance. or telcos — their security practicesparticipating in that conversation Make sure they’ve got some skin in are more mature than those inand provide insight into draft the game.” general industry.”legislation.” Felix Mohan, Senior Vice Craig Shumard, ChiefProfessor Paul Dorey, Founder President, CISO & Chief Architect,and Director, CSO Confidential and Information Security Officer, Bharti Airtel Ltd. CIGNA CorporationFormer Chief Information SecurityOfficer, BP “THERE ARE many regulations “THE IMPACT of HITECH is and internal policies; and these just beginning to be felt. For“THE FACT that the compliance will keep increasing. If you look at example outsourcers have reallyissues extend along the supply them closely, they are all basically gotten a wake-up call in the lastchain means that people are addressing a similar set of risks. year. They’ve started to realizebecoming very sensitized to the Put in place a framework based the impact the extension of thecompliance implications of using on best practices like ISO 27001/2 business associate in HIPAA isthird parties. It actually restricts to address the risks and you can going to have on their business.”certain third parties from being map your framework to any newsuppliers, because they can’t reach “FROM A business standpoint regulation that comes along.”the high compliance threshold for example, protecting ourrequired of the end-customer customers’ identities is importantcompany.” to us. Protecting our business“YOU NEED a process that pricing information is importantsubstantiates your decisions to the to us. There are a lot of corporateauditor. You need complete and objectives that are also met withdefensible clarity about the risk the security controls that get put indecisions you’ve taken. A good place to satisfy the regulations.”compliance team is therefore ableto fully articulate the issues tocreate a defensible position.”
  • Successfully building a risk-based compliance program requires that executive management is willing to make the necessary investments in people, process and technology. “IT’S NOT enough to hold people responsible for compliance; you need to make them truly accountable. To do this you need visibility into the controls through real-time monitoring. You need to go from asking people to show you that their systems are compliant at a point-in-time to proactive alerting of compliance gaps in real-time.” Dave Martin, Chief Security Officer, EMC Corporation©2010 EMC Corporation. All rights reserved. EMC, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the U.S. and/orother countries. All other trademarks mentioned herein are the property of their respective owners. Ciso rPt 1010