Continuous Assurance Using Data Threat Modeling
Fouad Khalil, Vice President Compliance, SecurityScorecard
Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
Agenda
• What’s new?
• All about the Data
• Background
• Current state
• Regulatory perspective
• Threat Modeling Case Study
• Continuous Assurance
• Putting all this into practice
• Q & A
Latest Headlines
• Facebook: the prime example of privacy scandals (dating back to 2005); the most recent is a potential $1.6B fine from the Irish data regulator
• British Airways (September 2018): PCI compliant but breached…
• Bupa fined for a malicious insider privacy breach (£175,000 by UK regulators for “systematic data protection failures”)
• Google exposed private data of thousands of Google+ users. Still under investigation.
A Quick Look Ahead
• Connected clouds (private, public, hybrid)
• Blockchain finally understood but a mess
• Data analytics → Machine Learning → AI
• GDPR is a global trend – companies measured by compliance
• Economy boom into 2019 but 2020 is a bit questionable
Are We Exposed?
• 45% of IoT buyers concerned about security (Bain & Co)
• 90% say IoT devices pose moderate to significant risk (Bain & Co)
• IoT market size expected to reach $457B by 2020 (Growthenabler)
• SaaS application security architectures are broken
• New compliance requirements and penalties drive the pain level higher
• So many open or misconfigured servers in the cloud (Tesla, Walmart)
Best example of protected data? GDPR of course!!

                        | Dot Com        | 2010          | Today
Big Data                | 1.5 Exabyte/yr | 1 Exabyte/day | 3 Exabytes/day
Mobile Subscriptions    | 740M           | 5B            | 7.5B
Social Media Users      | 0              | 1B            | 3B
Enterprises Using Cloud | 0              | 15%           | 70%
Internet Users          | 400M           | 2B            | 4B
IoT Connected Devices   | 200M           | 1B            | 10B
Tablets                 | 0              | 18M           | 1.3B
Smartphones             | 0              | 300M          | 2.5B
Background – All About the Data
• Enterprise competitiveness, regulatory considerations, process maturity
• Data is a key consideration in managing and monitoring risk
• Manage changes to minimize risk
• Apply application threat modeling principles to data
• Methodically analyze applications to identify and map threats in post-production – take an attacker’s viewpoint.
All About the Data
Factor in everything of significance – the DATA!!
• Competition
• Regulations
• Customer Engagements
• Pursuit of new Markets
• Maturity & Resiliency
What Data changes to monitor
• Continuous changes impact the level of risk to data
• Changes in context, environmental factors and threat landscape
• What data changes to monitor (listing a few)
– How the data is used
– How data is protected (new, changed or removed controls)
– Threats to which data is likely to be exposed
– New or modified business activities that change the impact if a compromise now occurs
Adopt a Hacker’s view
• Fairly easy to understand why
• Enterprises want to know how to realize the hacker’s vision
• An attacker sees data as a target accessible through a number of pathways
• Data is profit for hackers and breach potential for us
• A threat modeling exercise can help systematically evaluate an application
• Application threat modeling has developed as a discipline within application security strategy
How Does Application Threat Modeling help?
• Assists in developing applications that are robust, resilient and hardened
• Maps the threats applications might encounter in production
• Enables addressing threats and monitoring conditions impacting data over time
• Enables better tracking of changes in data that impact risk
• Provides better visibility into data that intersects with the supply chain
• Enterprises use this model to understand the state of data (stored, transmitted or processed).
The Current State
• Best to understand existing conditions that pertain to data
• Two parallel transformations make this a thorny problem:
– Practical challenges in data management as data proliferates
– Legal, regulatory and other mandatory requirements that govern how data is (or can be) used
• Practical challenges – how data is stored, processed and transmitted is changing:
– Data consolidation: denser data due to new data processing methods and increased analytical capabilities.
– Data ubiquity: data becoming more pervasive – spreads throughout the enterprise
– Data expansion: data becoming more plentiful.
– Processing parallelization: data increasingly being processed in parallel
Beyond the current state
• Organizations are witnessing transformations that depend on business activities, industry and regulatory constraints.
• Organizations with even an accurate and solid inventory of assets may have a less clear idea of their data processing.
• A poor data inventory leads to challenges ranging from resources to time, and the data problem tends to compound over time.
• As enterprises become more externalized (supply chain), challenges may compound as new players come into play
Regulatory requirements add to challenges
• Several regulations and standards impact data in difficult ways
• GDPR pertains to data that intersects with operations performed in the EU
• California is the first state to enact a GDPR-like privacy law
• Breach disclosure requirements specify the what, how and when of notifying of a breach
• Industry-specific standards add to the challenge, such as PCI DSS, HIPAA, HITECH.
Threat Modeling Case Study
Objectives:
1. Case study example based on Antonio Fontes’ “Threat Modeling: Detecting Web Application Threats Before Coding”
2. Understand the concept of Threat Modeling
3. Build an actionable Threat Model
4. Know when to build a threat model and how to document it
Threat Model Case Study
Newspaper that uses a standard news distribution channel
• They host a website on which articles are posted all day by the online editor
• They distribute a printed journal every day of the week.
• Content on the website is free
• The printed version is sold
Threat Model Case Study - Continued
• The company has decided to also sell an electronic edition of the newspaper
• Access to the content must be restricted to authorized customers
• The team is designing a feature to enable users to authenticate to access their account for payment.
• The board is worried about the threats associated with this decision.
Threat Modeling Steps
• Understand the application
– Review business requirements
– Comprehend the application configuration (technologies, architecture, functionalities, components)
– Role of the application in the organization
– Be clear on the objectives/drivers
» Stay compliant
» Protect against hackers
» Never want the system to be compromised
» Protect user privacy
» Avoid system downtime
Threat Modeling Steps
• Understand the application…
» What are the use cases (how is the application used)?
» How are users authenticated?
» Understand the data classification
» Understand the data flow…especially the financial flow
Threat Modeling Steps
• Identify Potential Threat Sources
– Based on what we know, who might be interested in compromising the system?
– Perform research to identify other sources (media, business owners, users)
– List all potential Threats
» Hackers
» Untrained employees
» Disgruntled employees
» Government
» And so on...
Threat Modeling Steps
• Identify Major Threat Sources
– Identify threat triggers
– Understand the complete scenario
– Understand the likelihood
– Understand the impact
– Finalize the major threat model
» Threat, Source, Description of attack
Threat Modeling Steps
• Identify Controls
– Document the threat with identified sources and attack description
– Develop controls to mitigate the likelihood and impact of the threat
– Ensure controls are designed effectively
– Make recommendations on controls and prioritization
» Based on asset criticality and threat likelihood and impact
Threat Model - Sample

Threat                         | Source               | Description                                                                                              | Likelihood | Control
Denial of Service Attack       | Hacker               | Perpetrator seeks to make a system unavailable by disrupting services of a host connected to the Internet |            |
Stealing Intellectual Property | Disgruntled Employee | Copying data due to authorized access                                                                    |            |
Stealing Customer Data         | Competitor           | Social Engineering attack                                                                                |            |
Continuous Assurance
• The case study shows how data can be used to analyze threats
• We need to move to a continuous assurance understanding of the threats
• Point-in-time view compared to continuous auditing (ongoing validation)
• Continuous monitoring provides near real-time status of security controls
• Continuous assurance notifies of changes that impact threats to data
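As an added example (not from the slides, the speaker or SecurityScorecard), the Python below encodes the sample threat model for the newspaper case study, scores each threat by asset criticality × likelihood × impact as the Identify Controls step prescribes, and diffs two snapshots of the model to flag the changes the deck says to monitor: new data uses, removed controls, new or dropped threats and risk increases. All asset names, control names and ratings are constructed for illustration.

```python
"""Data threat model with a continuous-assurance change check.

Added example, not from the deck. Threat rows follow the sample table
(Threat, Source, Description, Likelihood, Control) with an impact rating
added so risk can be scored. All names and ratings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    name: str
    source: str
    description: str
    likelihood: str          # low / medium / high
    impact: str              # low / medium / high
    controls: Set[str] = field(default_factory=set)

    def risk(self) -> int:
        """Likelihood x impact, the two factors the steps ask to understand."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]


@dataclass
class DataAsset:
    name: str
    criticality: str         # low / medium / high
    uses: Set[str]           # business activities the data supports
    threats: Dict[str, Threat]

    def prioritized(self) -> List[Tuple[str, int]]:
        """Threats ordered by criticality x likelihood x impact, highest first."""
        scored = [(t.name, LEVEL[self.criticality] * t.risk()) for t in self.threats.values()]
        return sorted(scored, key=lambda item: -item[1])


def diff_assets(old: DataAsset, new: DataAsset) -> List[str]:
    """Return the changes between two snapshots that alter the risk to the data."""
    findings: List[str] = []
    if new.criticality != old.criticality:
        findings.append(f"{new.name}: criticality {old.criticality} -> {new.criticality}")
    for use in sorted(new.uses - old.uses):          # how the data is used
        findings.append(f"{new.name}: new business use '{use}', re-assess impact")
    for tname, t_new in new.threats.items():
        t_old = old.threats.get(tname)
        if t_old is None:                            # threats the data is exposed to
            findings.append(f"{new.name}: new threat '{tname}' (source: {t_new.source})")
            continue
        for ctrl in sorted(t_old.controls - t_new.controls):   # how the data is protected
            findings.append(f"{new.name} / {tname}: control removed '{ctrl}'")
        if t_new.risk() > t_old.risk():
            findings.append(f"{new.name} / {tname}: risk rose {t_old.risk()} -> {t_new.risk()}")
    for tname in sorted(old.threats.keys() - new.threats.keys()):
        findings.append(f"{new.name}: threat '{tname}' dropped from the model, confirm it was retired")
    return findings


def baseline_model() -> DataAsset:
    """Snapshot taken when the electronic edition was first threat-modeled (constructed)."""
    threats = [
        Threat("Denial of Service Attack", "Hacker",
               "Make the subscriber site unavailable by disrupting the host",
               "high", "medium", {"DDoS mitigation service", "rate limiting"}),
        Threat("Stealing Intellectual Property", "Disgruntled Employee",
               "Copy articles using authorized access",
               "low", "high", {"least-privilege CMS roles", "quarterly access log review"}),
        Threat("Stealing Customer Data", "Competitor",
               "Social engineering attack against support staff",
               "medium", "high", {"security awareness training", "MFA for staff accounts"}),
    ]
    return DataAsset("subscriber account and payment data", "high",
                     {"electronic edition billing"}, {t.name: t for t in threats})


def current_model() -> DataAsset:
    """Later snapshot: a control lapsed, a new data use appeared, a likelihood rose."""
    asset = baseline_model()
    asset.uses.add("subscriber list shared with marketing partner")
    asset.threats["Stealing Intellectual Property"].controls.discard("quarterly access log review")
    asset.threats["Stealing Customer Data"].likelihood = "high"
    return asset


def run_example() -> List[str]:
    """Changes between the two snapshots that continuous assurance should report."""
    return diff_assets(baseline_model(), current_model())


if __name__ == "__main__":
    for line in run_example():
        print("CHANGE:", line)
    for name, score in current_model().prioritized():
        print(f"priority {score:2d}: {name}")
```

Running the diff on every model revision (or on each inventory or control-catalogue update) turns the point-in-time table into the ongoing notification the slide calls for.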
Continuous view (KRIs)
• We need something to measure
• Perform that measurement in an ongoing way
• A retailer has different risks to measure than a bank
• First step is to determine what to measure
• Map out the threats of greatest risk
• Set up and monitor the security controls to mitigate these risks
• Automation is key – such as for data shared with the supply chain
Putting all this into practice
• What KRIs to use to measure control efficiencies?
• How will enterprises know about changes impacting threats to data?
• How to evaluate control performance at 3rd and Nth parties?
• How to stay informed of changes in the supply chain?
• Who owns and maintains the continuous view?
• How much effort are enterprises prepared to invest in this?
In Conclusion
• Continuous assurance makes risk decisions easier
• Start small with a narrow scope and build from there
• Determine the approach that is best for you
• Enterprises struggling with data protection greatly benefit from threat modeling
• No hidden problems go unexamined
• Near real-time view of what hackers see
• Flexible approach that works for every environment
Thank You
Fouad Khalil
VP Compliance
585 472 2356
fkhalil@securityscorecard.com
214 West 29th St, 5th Floor
New York, NY 10001

 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Isaca csx2018-continuous assurance

  • 1. Fouad Khalil, Vice President Compliance, SecurityScorecard
       Continuous Assurance Using Data Threat Modeling
  • 2. Agenda
       Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
       • What’s new?
       • All about the Data
       • Background
       • Current state
       • Regulatory perspective
       • Threat Modeling Case Study
       • Continuous Assurance
       • Putting all this into practice
       • Q & A
  • 3. Latest Headlines
       • Facebook prime example of privacy scandals (dating back to 2005); most recent potential $1.6B fine – Ireland Data Regulator
       • British Airways (September 2018) PCI compliant but breached…
       • Bupa fined for malicious insider privacy breach (£175,000 by UK regulators for “systematic data protection failures”)
       • Google exposed private data of 1000s of Google+ users. Still under investigation.
  • 4. A Quick Look Ahead
       • Connected clouds (private, public, hybrid)
       • Blockchain finally understood but a mess
       • Data analytics → Machine Learning → AI
       • GDPR global trend – companies measured by compliance
       • Economy boom into 2019 but 2020 is a bit questionable
  • 5. Are We Exposed?
       • 45% of IoT buyers concerned about security (Bain & Co)
       • 90% say IoT devices pose moderate to significant risk (Bain & Co)
       • IoT market size expected to reach $457B by 2020 (Growthenabler)
       • SaaS application security architectures are broken
       • New compliance requirements and penalties drive pain level higher
       • So many open or misconfigured servers in the cloud (Tesla, Walmart)
  • 6.
  • 7. Best example of protected data? GDPR of course!!
  • 8.
                                 Dot Com           2010             Today
       Big Data                  1.5 Exabyte/yr    1 Exabyte/day    3 Exabytes/day
       Mobile Subscriptions      740M              5B               7.5B
       Social Media Users        0                 1B               3B
       Enterprise Using Cloud    0                 15%              70%
       Internet Users            400M              2B               4B
       IoT Connected Devices     200M              1B               10B
       Tablets                   0                 18M              1.3B
       Smartphones               0                 300M             2.5B
  • 9. Background – All About the Data
       • Enterprise competitiveness, regulatory considerations, process maturity
       • Data is the key consideration in managing and monitoring risk
       • Manage changes to minimize risk
       • Apply application threat modeling principles to data
       • Methodically analyze applications to identify and map threats in post-prod – take an attacker’s viewpoint.
  • 10. All About the Data
       • Competition
       • Regulations
       • Customer Engagements
       • Pursuit of new Markets
       • Maturity & Resiliency
       Factor in everything of significance: The DATA!!
  • 11. What Data changes to monitor
       • Continuous changes impact the level of risk to data
       • Changes in context, environmental factors and threat landscape
       • What data changes to monitor (listing a few)
         – How the data is used
         – How data is protected (new, changed or removed controls)
         – Threats to which data is likely to be exposed
         – New or modified business activities that change the impact of a compromise, should one now occur
  • 12. Adopt a Hacker’s view
       • Fairly easy to understand why
       • Enterprises want to know how to realize the hacker’s vision
       • Attacker sees data as a target accessible through a number of pathways
       • Data is profit for hackers and breach potential for us
       • A threat modeling exercise can help systematically evaluate an application
       • The application threat modeling discipline has developed as an application security strategy
  • 13. How Does Application Threat Modeling help?
       • Assists in developing applications that are robust, resilient and hardened
       • Maps the threats applications might encounter in production
       • Enables addressing threats and monitoring conditions impacting data over time
       • Enables better tracking of changes in data that impact risk
       • Provides better visibility into data that intersects with the supply chain
       • Enterprises use this model to understand the state of data (stored, transmitted or processed).
  • 14. The Current State
       • Best to understand existing conditions that pertain to data
       • Two parallel transformations make this a thorny problem:
         – Practical challenges in data management as data proliferates
         – Legal, regulatory and other mandatory requirements that govern how data is (or can be) used
       • Practical challenges – how data is stored, processed and transmitted is changing:
         – Data consolidation: denser data due to new data processing methods and increased analytical capabilities.
         – Data ubiquity: data becoming more pervasive – spreads throughout the enterprise
         – Data expansion: data becoming more plentiful.
         – Processing parallelization: data increasingly being processed in parallel
  • 15. Beyond the current state
       • Organizations are witnessing transformations depending on business activities, industry and regulatory constraints.
       • Even organizations with an accurate and solid inventory of assets may have a less clear idea of their data processing.
       • A poor data inventory leads to challenges in resources and time, and the data problem tends to compound over time.
       • As enterprises become more externalized (supply chain), challenges may compound as new players come into play
  • 16. Regulatory requirements add to challenges
       • Several regulations and standards impact data in difficult ways
       • GDPR pertains to data that intersects with operations performed in the EU
       • CA is the first state to enact a GDPR-like privacy law
       • Breach disclosure requirements specify the what, how and when of notifying of a breach
       • Industry-specific standards such as PCI DSS, HIPAA and HITECH add to the challenge.
  • 17. Threat Modeling Case Study
       Objectives:
       1. Case study example based on Antonio Fontes (Threat Modeling: Detecting Web Application Threats Before Coding)
       2. Understand the concept of Threat Modeling
       3. Build an actionable Threat Model
       4. Know when to build a threat model and how to document it
  • 18. Threat Model Case Study
       Newspaper that uses a standard news distribution channel
       • They host a website on which articles are posted all day by the online editor
       • They distribute a printed journal every day of the week.
       • Content on the website is free
       • The printed version is sold
  • 19. Threat Model Case Study - Continued
       • The company has decided to also sell an electronic edition of the newspaper
       • Access to the content must be restricted to authorized customers
       • The team is designing a feature to enable users to authenticate to access their account for payment.
       • The board is worried about the threats associated with this decision.
  • 20. Threat Modeling Steps
       • Understand the application
         – Review business requirements
         – Comprehend the application configuration (technologies, architecture, functionalities, components)
         – Role of the application in the organization
         – Be clear on the objective/drivers
           » Stay compliant
           » Protect against hackers
           » Never want the system to be compromised
           » Protect user privacy
           » Avoid system downtime
  • 21. Threat Modeling Steps
       • Understand the application…
           » What are the use cases (how is the application used)?
           » How are users authenticated?
           » Understand the data classification
           » Understand the data flow… especially the financial flow
  • 22. Threat Modeling Steps
       • Identify potential threat sources
         – Based on what we know, who might be interested in compromising the system
         – Perform research to identify other sources (media, business owners, users)
         – List all potential threats
           » Hackers
           » Untrained employees
           » Disgruntled employees
           » Government
           » And so on...
  • 23. Threat Modeling Steps
       • Identify major threat sources
         – Identify threat triggers
         – Understand the complete scenario
         – Understand the likelihood
         – Understand the impact
         – Finalize the major threat model: threat, source, description of attack
  • 24. Threat Modeling Steps
       • Identify controls
         – Document the threat with identified sources and attack description
         – Develop controls to mitigate the likelihood and impact of the threat
         – Ensure controls are designed effectively
         – Make recommendations on controls and prioritization, based on asset criticality and threat likelihood and impact
  • 25. Threat Model - Sample
       (Likelihood and Control columns are left blank on the slide, to be filled in during the exercise.)

       Threat                          Source                 Description                                               Likelihood   Control
       Denial of Service Attack        Hacker                 Perpetrator seeks to make a system unavailable by
                                                              disrupting services of a host connected to the Internet
       Stealing Intellectual Property  Disgruntled Employee   Copying data due to authorized access
       Stealing Customer Data          Competitor             Social Engineering attack
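As an added worked example (not from the deck), the steps on slides 20–24 applied to the newspaper e-edition case study, ending in the prioritised register that slide 25 sketches. The asset names, likelihood and impact scores, and controls are constructed assumptions for illustration; one extra threat tied to the new subscriber login is added beyond the three on the slide.

```python
# Added example (not from the ISACA deck): the threat-modeling steps from
# slides 20-24 applied to the newspaper e-edition case study, ending in the
# prioritised register that slide 25 sketches. Asset names, scores and
# controls are constructed assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    source: str
    description: str
    asset: str          # data asset the threat puts at risk
    likelihood: int     # 1 (rare) .. 5 (expected); assumed
    impact: int         # 1 (negligible) .. 5 (severe); assumed
    controls: list = field(default_factory=list)


# Step "Understand the application": which data the e-edition handles and how
# critical it is (1..5). Values are assumptions, not from the deck.
ASSET_CRITICALITY = {
    "customer payment data": 5,
    "paid article content": 3,
    "website availability": 3,
}


def risk_score(t: Threat) -> int:
    """Slide 24: prioritise by asset criticality and threat likelihood/impact."""
    return ASSET_CRITICALITY[t.asset] * t.likelihood * t.impact


def build_case_study_model() -> list:
    """Steps 'identify threat sources / major threats / controls' for the case study."""
    return [
        Threat("Denial of Service Attack", "Hacker",
               "Make the site unavailable by disrupting services of an Internet-connected host",
               "website availability", likelihood=4, impact=3,
               controls=["DDoS protection", "availability monitoring and alerting"]),
        Threat("Stealing Intellectual Property", "Disgruntled Employee",
               "Copying data due to authorized access",
               "paid article content", likelihood=2, impact=3,
               controls=["least-privilege access to the content repository",
                         "access logging with periodic review"]),
        Threat("Stealing Customer Data", "Competitor",
               "Social engineering attack against staff with account access",
               "customer payment data", likelihood=3, impact=5,
               controls=["security awareness training", "MFA for account administration",
                         "tokenised card storage at the payment processor"]),
        Threat("Unauthorized Access to Paid Content", "Hacker",
               "Bypassing the new subscriber authentication to read the paid edition",
               "paid article content", likelihood=3, impact=3,
               controls=["server-side entitlement check on every article request",
                         "login anomaly detection"]),
    ]


def prioritised_register(threats) -> list:
    """Rows of (threat, source, score, controls), highest risk first."""
    rows = [(t.name, t.source, risk_score(t), t.controls) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, source, score, controls in prioritised_register(build_case_study_model()):
        print(f"{score:3d}  {name:36s} {source:21s} -> {'; '.join(controls)}")
```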
  • 26. Continuous Assurance
       • The case study shows how data can be used to analyze threats
       • We need to move to a continuous-assurance understanding of the threats
       • Point-in-time view compared to continuous auditing (ongoing validation)
       • Continuous monitoring provides near real-time status of security controls
       • Continuous assurance notifies of changes that impact threats to data
  • 27. Continuous view (KRIs)
       • We need something to measure
       • Perform that measurement in an ongoing way
       • A retailer has different risks to measure than a bank
       • First step is to determine what to measure
       • Map out the threats of greatest risk
       • Set up and monitor the security controls to mitigate these risks
       • Automation is key – such as for data shared with the supply chain
  • 28. Putting all this into practice
       • What KRIs to use to measure control efficiency?
       • How will enterprises know about changes impacting threats to data?
       • How to evaluate control performance at 3rd and Nth parties?
       • How to stay informed of changes in the supply chain?
       • Who owns and maintains the continuous view?
       • What amount of effort are enterprises prepared to invest in this?
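An added example (not from the deck) of the continuous view slides 26–28 describe: key risk indicators tied to threats from the case study, assessed on each snapshot of control status and reported only when a change flips a threat's status, with one indicator covering a supply-chain control. The KRI names, thresholds and snapshot values are constructed assumptions.

```python
# Added example (not from the deck): a minimal continuous-assurance check that
# turns the "what to measure" step of slide 27 into key risk indicators (KRIs)
# tied to threats from the case study, and reports only the changes that alter
# a threat's status, as slide 26 describes. KRIs, thresholds and snapshot
# values are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    threat: str             # threat in the model this indicator informs
    threshold: float
    higher_is_worse: bool


# One indicator per high-risk threat; the last one measures a supply-chain
# control (the payment processor's attestation) the enterprise does not run itself.
KRIS = [
    KRI("subscriber_mfa_coverage_pct", "Stealing Customer Data", 90.0, False),
    KRI("days_since_access_review", "Stealing Intellectual Property", 30, True),
    KRI("ddos_protection_enabled", "Denial of Service Attack", 1, False),
    KRI("payment_processor_attestation_days_left", "Stealing Customer Data", 30, False),
]
BY_NAME = {k.name: k for k in KRIS}


def breached(kri: KRI, value: float) -> bool:
    return value > kri.threshold if kri.higher_is_worse else value < kri.threshold


def assess(snapshot: dict) -> dict:
    """Point-in-time view (slide 26): KRI name -> 'RED' or 'GREEN'."""
    return {k.name: "RED" if breached(k, snapshot[k.name]) else "GREEN" for k in KRIS}


def changes(previous: dict, current: dict) -> list:
    """Continuous assurance: (threat, KRI, old status, new status) for each
    indicator whose status flipped between two snapshots."""
    prev, cur = assess(previous), assess(current)
    return [(BY_NAME[n].threat, n, prev[n], cur[n]) for n in cur if prev[n] != cur[n]]


def run(snapshots: list) -> list:
    """Walk consecutive snapshots and collect every notification."""
    notices = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        notices.extend(changes(prev, cur))
    return notices


# Constructed daily snapshots (e.g. from an IAM report, a ticketing system,
# the CDN console and a vendor portal). Day 2: the access review is overdue.
# Day 3: the review was done, but DDoS protection was switched off.
SNAPSHOTS = [
    {"subscriber_mfa_coverage_pct": 95.0, "days_since_access_review": 12,
     "ddos_protection_enabled": 1, "payment_processor_attestation_days_left": 40},
    {"subscriber_mfa_coverage_pct": 96.0, "days_since_access_review": 33,
     "ddos_protection_enabled": 1, "payment_processor_attestation_days_left": 39},
    {"subscriber_mfa_coverage_pct": 96.5, "days_since_access_review": 2,
     "ddos_protection_enabled": 0, "payment_processor_attestation_days_left": 38},
]

if __name__ == "__main__":
    for threat, kri, old, new in run(SNAPSHOTS):
        print(f"{threat}: {kri} {old} -> {new}")
```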
  • 29. In Conclusion
       • Continuous assurance makes risk decisions easier
       • Start small with a narrow scope and build from there
       • Determine the approach that is best for you
       • Enterprises struggling with data protection greatly benefit from threat modeling
       • No hidden problems go unexamined
       • Near real-time view of what hackers see
       • Flexible approach that works for every environment
  • 30. Thank You
       Fouad Khalil, VP Compliance
       585 472 2356
       fkhalil@securityscorecard.com
       214 West 29th St, 5th Floor, New York, NY 10001