Risks Beyond the Boundary: Data Protection & Privacy Challenges, OpRiskAsia 27 June 2013

My presentation at OpRiskAsia Singapore on 27 June 2013

Published in: Business, Technology

  1. Risks Beyond the Boundary: Data Protection & Privacy. Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance, India
  2. Making headlines… (27 Jun 2013, Parag Deodhar ‐ Op Risk Asia)
  3. Data Breaches (Source: Verizon)
     • Share of breaches that took more than 6 months to discover
     • Are your defenses breached? Probably yes! You just don't know it yet!
     • Share of insider breaches committed by ex‐employees taking advantage of old accounts or backdoors that weren't disabled
     • Share of network intrusions that exploited weak or stolen credentials
     • Share of IP theft cases by internal people that took place within 30 days of announcing their resignation
  4. Impact of data breach
     • Reputation Risk
     • Business Continuity
     • Financial Risk
     • Regulatory Risk
     • Fraud Risk
  5. Global Data Protection & Privacy Regulations
  6. Data Protection & Privacy
     • Protection ‐ All confidential data: company, IP, clients, partners, employee
       ‐ Information Security Policy
       ‐ CISO
       ‐ Information Security Assessment
       ‐ Standards (ISO 27001), laws & regulations
     • Privacy ‐ Personally identifiable information; customer/employee confidential information: credit card, social security numbers, health records, employment records
       ‐ Data Privacy Policy
       ‐ Data Privacy Officer
       ‐ Laws & regulations
  7. Who owns data?
     • Is data protection only about IT risk? If all IT security controls are implemented, will there be no security breach?
     • Who uses data? What about people and processes? Whose responsibility is that?
     • People are the weakest link. Processes may not change in line with business and technology.
     • Who controls data?
  8. Where is the data?
     • Creation / Acquisition: Employees, Partners, Customers
     • Data Processing: Employees, Partners, Outsourcing, Printing
     • Data Storage: Employees, Partners, Outsourcing, Datacenters
     • Data Transfer: Physical form, Email, Internet, Media
     • Data Retention: Data Centers, DR Sites, Backup media, Physical copies ‐ offsite, Regulations
     • Data Destruction: Backup media, Devices / Servers, Physical copies, Media
     How can you protect DATA if you don't know where it is?
  9. Emerging Risks in the borderless enterprise
  10. Social Media
     • Data Leakage: Intentional ‐ Posting data; Unintentional ‐ Malware, Spyware, Phishing
     • External Attacks ‐ Spam, Virus bringing down network, servers; APTs ‐ Advanced Persistent Threats
     • Targeted attacks
     • Cyber espionage
  11. Mobile Computing
     • Laptops
     • Other devices ‐ Tabs / Smartphones: Company Owned, BYOD
     • Risks!!! Lost, Stolen; Data segregation; Data Leakage; Personal Data on device
  12. Factors impacting mobile security (Source: Checkpoint)
  13. Cloud Computing (Source: ISACA)
     • IT Department is no longer the provider… SAAS, IAAS…
     • Risks!!! Regulatory compliance ‐ storage, outsourcing, privacy regulations; Shared environment; Identity & Access management; Unencrypted data transfer; Data Destruction
  14. Proactive & Preemptive measures. New threats are emerging every day! We can't run away from it…
     • Technology: Basic measures like Anti‐Virus, Firewalls, Encryption are no longer enough; Tools like SIEM, IPS, DLP, DRM… are now a standard requirement; MDM / MAM is a MUST!
     • Process: Use frameworks and standards as a foundation; Risk Assessment ‐ Data Flow / Privacy Assessments; Continuous monitoring & incident response; Regular audits and tests
     • People: Background verification; Awareness! Awareness!! Awareness!!!
  15. It's not a Goal ‐ But a journey… THANK YOU