www.pwc.ch/cybersecurity
Cyber Security Compliance
How to protect enterprise data appropriately?
Digital Transformation, Cyber Security & Compliance – 3 May 2016
What I will cover in this «Afterwork Event»:
3 May 2016, SIGS Afterwork Event in Basel – Data Classification & DLP
Slide columns: My tasks for enablement – The current megatrends – The digital future – The challenges – Apply to your enterprise
• Digital Transformation
• Misuse of services and data
• More data
• My personal digital assistant
• The Internet of Things (IoT)
• What data to protect?
• Threats?
• Increase in regulation
• Digital Privacy
• Verify process, classification
• Cyber threat analysis
• Apply appropriate measures
• Adapt to my situation
• Adapt to my environment
• Ready for the
The 3 I:
1) Identity
2) Infrastructure: • End Point • Server, Database • Machine, Sensor • Network
3) Information
Megatrends influencing your enterprise
Business Process of your enterprise
Where we currently are: on the crossroad to losing control over our digital data
Appropriate protection of digital data: Privacy – Cyber Security – Regulatory Compliance
Your Enterprise @Applied
Regulation is increasing – non-compliance is a big risk
GDPR (EU) has a maximum fine of 4% of global turnover
Regulatory requirements to consider:
• Data Protection Law (CH / EU GDPR)
• Business Law (GeBüV / MwSt. ElDI-V)
• FINMA (Financial Services)
• Industry Standards (eGov, eHealth, etc.)
• PCI-DSS
• etc.
Strategy – mapped onto the business processes of your company
Policy Framework
Where are my 'crown jewels' along my business processes?
• Employee Data (standard, enhanced protection, profile)
• Client / Partner Identifiable Data
• Vision
• Mission
• Values
The 80–20 rule – how to find the sensitive data?
«Appropriate» means understanding the business impact of data loss
Business Process
Data Governance:
• Data classification policy
• Data ownership
• Risk management & appetite
IT & Security Architecture:
• IT applications
• IT systems & platforms
• Network & Interfaces
Information:
• At rest (end point, cloud)
• In transit
3 I: Identity – Infrastructure – Information
Data analytics to detect non-compliance and misuse
Identity – Identity & Access Management:
• User who wants to access
• Device used to access
IT Infrastructure: Hardware, Software, Platform, Application and Network, with the ecosystems used to manage them
Information: Universe of enterprise data and lake of security and management data
Identity – Who:
• Person (Employee, Client, Partner)
• Role (User, Admin, etc.)
• Device
Identity – How:
• Trusted / untrusted?
• Person, Device / Application
Identity – Purpose:
• Is there a legitimate use case behind it?
Information: Processed – At rest – In transit
IT Infrastructure:
• HW, SW
• Eco-System, Management
• Interconnects components
• Data security measures
• Accountability (log files)
Approach: «Digital Trust & Compliance by design» – integrated in the business process, not added on afterwards
Guiding Principles:
1. Design a process in a way that only permissible transactions are possible
2. Process steps include measures and enforcement of boundaries and collect meaningful data to monitor effectiveness
3. Data analytics and continuous auditing ensure that compliance-relevant data is collected, processed and monitored
Diagram – Process-integrated Compliance: access data, process data and transaction data from each process step feed data analytics (big data); each step carries a Trust & Compliance measure.
Step-by-step approach to protect enterprise data appropriately:
1. Identify the «crown jewels» in your enterprise – in particular Personally Identifiable Data, Client Identifiable Data and Intellectual Property
2. Create and maintain an asset register to have a clear view of which applications / platforms process and store PID / CID and who has access to that data
3. Nominate a Data Owner responsible for classification and protection measures according to regulation and risk appetite
4. Build a risk register of 10-15 cyber threat scenarios along 5-8 business processes where sensitive data are processed
5. Draft an overarching Security Architecture with coordinated security measures operated by a motivated and skilled team
6. Establish a SOC with: Monitoring, Event Management, Incident Management
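As an added illustration of steps 2 and 3 (not part of the slide deck and not PwC code), the following Python script models a small asset register and runs the kind of check a data owner or compliance officer would use to find gaps: assets holding PID / CID or intellectual property without a nominated owner, classified below the level the policy demands, missing protection measures at rest and in transit, or open to all staff. The classification scale, the required measures per data category, and the sample assets and owners are all constructed assumptions for this example.

```python
"""Asset-register compliance check (constructed example, not PwC material).

Steps 2 and 3 above call for an asset register that records which applications
and platforms store or process PID / CID (and intellectual property), who owns
that data and which protection measures are in place. This script models such
a register and flags the gaps a data owner or compliance officer would have to
close. Asset names, owners, the classification scale and the required measures
are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Classification scale, lowest to highest (constructed).
LEVELS = ["public", "internal", "confidential", "strictly confidential"]

# Minimum classification and required protection measures per data category
# (constructed policy; a real one comes from the data owner, regulation and risk appetite).
BASE_MEASURES = {"encrypted_at_rest", "encrypted_in_transit", "access_logging"}
REQUIRED = {
    "PID": {"min_level": "confidential", "measures": BASE_MEASURES},
    "CID": {"min_level": "confidential", "measures": BASE_MEASURES},
    "IP": {"min_level": "strictly confidential", "measures": BASE_MEASURES | {"dlp_monitoring"}},
}


@dataclass
class Asset:
    name: str
    categories: Set[str]                 # subset of {"PID", "CID", "IP"}; empty = no sensitive data
    classification: str
    owner: Optional[str]
    measures: Set[str] = field(default_factory=set)
    access_roles: Set[str] = field(default_factory=set)


def check_asset(asset: Asset) -> List[str]:
    """Return the findings for one asset; an empty list means it meets the constructed policy."""
    findings: List[str] = []
    if not asset.categories:
        return findings                   # no PID / CID / IP stored: nothing to enforce
    if not asset.owner:
        findings.append("no data owner nominated")
    if asset.classification not in LEVELS:
        findings.append(f"unknown classification '{asset.classification}'")
    for cat in sorted(asset.categories):
        rule = REQUIRED[cat]
        if (asset.classification in LEVELS
                and LEVELS.index(asset.classification) < LEVELS.index(rule["min_level"])):
            findings.append(f"{cat}: classified '{asset.classification}', "
                            f"requires at least '{rule['min_level']}'")
        missing = sorted(rule["measures"] - asset.measures)
        if missing:
            findings.append(f"{cat}: missing measures {', '.join(missing)}")
    if "all_staff" in asset.access_roles:
        findings.append("sensitive data accessible to all staff; restrict access to named roles")
    return findings


def check_register(register: List[Asset]) -> Dict[str, List[str]]:
    """Run check_asset over the register and return only the assets with findings."""
    return {a.name: f for a in register if (f := check_asset(a))}


# Constructed sample register (not a real inventory).
SAMPLE_REGISTER = [
    Asset("HR system", {"PID"}, "confidential", "Head of HR",
          set(BASE_MEASURES), {"hr_staff", "hr_admin"}),
    Asset("Marketing file share", {"CID"}, "internal", None,
          {"encrypted_in_transit"}, {"all_staff"}),
    Asset("Public website", set(), "public", None, set(), {"all_staff"}),
    Asset("R&D repository", {"IP"}, "strictly confidential", "CTO",
          set(BASE_MEASURES), {"rd_engineers"}),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script lists only the two non-compliant sample assets with their findings; the register and the policy table are the parts to replace with your own inventory, classification scheme and the measures your data owners have mandated.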
Contacts
Lorenz Neher, Senior Manager, PwC Zürich – [email protected] – Tel. +41 58 792 47 85
Reto Häni, Partner, PwC Bern – [email protected] – Tel. +41 58 792 75 12
Applied Digital Trust & Compliance requires collecting and preparing relevant data
Diagram – Security, Privacy, Compliance:
• Information (big data)
• Digital Data: classified, separated into trust domains
• ICT Infrastructure: on premise, outsourced or in the cloud
• Users and devices: trusted? Compliant?
• Compliance Layer 1: user and device identification
• Compliance Layer 2: infrastructure and data access
• Compliance Layer 3: gateways and zone transitions
• Compliance & Security Dashboard(s)
• Strategy and risk appetite
• Infrastructure, Device, Data Mgmt.
• Requirements & policies
• Regulation & Standards
• People, Processes, Technology
• Compliance Mgmt.
• Data analytics (SIEM, etc.)
• Governance & Control Framework
What can happen if I do not fulfil my duties as Compliance Officer / CISO?
Clearly distinguish personal data and protect it appropriately – law and ordinance
Security management and data governance