Developing National Frameworks & Engaging the Private Sector
Focus on Information/Cyber Security Risk Management
www.pwc.com
American Red Cross Disaster Preparedness Summit, Chicago, IL
September 19, 2012
Dan Fitzgerald
Agenda
Section 1. Introduction: The Business View of Information Security Risk
Section 2. Innovation & Emerging Security Risks
Section 3. Discussion/Wrap-Up
PwC
1. Introduction: The Business View of Information Security Risk
CEOs/Boards are no longer ignoring cyber security
Security Hot Topics: Balancing Business Enablers vs Business Risks
Topics: Privacy; Regulatory; Data Loss Prevention; 3rd Parties; Social Media; Mobile & Emerging Tech; Threat & Vulnerability Management; Cyber Crisis Management
• A company's reputation is paramount, and the risk of losing sensitive customer data threatens this fragile asset.
• Organizations looking to improve privacy management in the event of a breach have to continually plan and prepare.
• Organizations in all industries are under increased scrutiny by regulatory governance bodies.
• While risks associated with third parties continue to increase, many companies are less prepared to
• A major bank's share price dropped three percent after WikiLeaks threatened to "take down a major American bank and reveal an ecosystem of corruption" using documents from an executive's hard drive.
• Social media can make or break a brand, and the fine line between the two must be managed.
• Cloud computing, mobile platforms and accelerated product life cycles are just the latest contributors to enterprise risk.
• The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies
The opportunities and risks of the cyber world
C-Suite Focus Areas: Secure information is power
Key management stakeholders (CEO, CIO, Internal Audit, CFO, CTO, Compliance, Legal) have influence and risks in the following functional areas. The slide maps stakeholders (CFO, CTO, CIO, CISO, General Auditor) to these areas: Security Strategy; Security Governance & Control; Business Continuity Management; Architecture, Network Security & Identity; Incident Response & Forensics; Threat & Vulnerability Management; Enterprise-wide IT Risk & Security Assessment.
Setting Direction
• Security strategy development
• Organizational design
• Management reporting
Building In Resilience
• Business continuity management
• Disaster recovery
• Crisis management
Creating a Sound Framework of Control
• Risk, policy and privacy review
• Regulatory compliance assessment
• Data loss prevention
• Awareness programs
• Third-party vendors
Building Secure Systems and Infrastructure
• Security architecture
• Network security
• Cloud computing security
• Mobile computing
• Identity and access management solutions
Managing Incidents
• Incident response review
• Corporate and regulatory investigations
• Forensic investigation and readiness
• Crisis response
Managing Exposure
• Penetration testing
• Vulnerability scanning and remediation
• Continuous and global threat monitoring
CEOs/Boards are no longer ignoring cyber security
Cyber security is an enterprise-wide issue. Specific drivers behind the cyber security risks organizations face include:
• An increase in privacy and security regulatory mandates in recent years, with further changes expected in upcoming years.
• Boards are no longer willing to accept the risk that technology can pose to the business.
• Growing demand by business leaders to understand how privacy ("what" data is sensitive to the business) integrates with security ("how" they protect the data deemed sensitive).
• An increase in threats and vulnerabilities to sensitive data and corporate assets.
• Businesses continue to struggle to maintain accountability to their stakeholders and to establish effective strategies and standards for security risk management and privacy control activities.
Risks to Consider
Risk factors: Financial, Legal, Regulatory, Reputational
Financial Risks
• Companies face several financial risks associated with a breach:
  ― Federal/state regulatory fines
  ― Stock price decline
  ― Incident response efforts
  ― Remediation efforts
Legal Risks
• Companies are experiencing increasing lawsuits from:
  ― Employees
  ― Customers
  ― Investors
Regulatory Risks
• Enforcement actions from federal and state agencies such as:
  ― Federal Trade Commission (FTC)
  ― Health and Human Services - Office for Civil Rights (HHS-OCR)
  ― State Attorneys General
• Regulatory inquiries may require long-term third-party remediation in order to verify regulatory compliance
Reputational Risks
• Negative impact to the brand
• Loss of employee/customer/investor confidence
Risks are ‘more risky’
Risk profiles are changing
• Complexity: Linkages between global trade, financial markets and supply chains
• Unpredictability: Privacy breaches, environmental factors, financial uncertainty
• Variety: Global diversification, culture challenges
• Speed: Social media, reputation
"...perhaps we feel risk is growing simply because we know more."
- Stakeholder respondent
2. Innovation & Emerging Security Risks
Mobile devices and social media: New rules and new risks
Organizations are beginning to implement strategies to keep pace with employee adoption of mobile devices and social networking, as well as use of personal technology within the enterprise. Yet much remains to be done: less than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce.
• 43% have a security strategy for employee use of personal devices
• 37% have a security strategy for mobile devices
• 32% have a security strategy for social media
Question 17: "What process information security safeguards does your organization currently have in place?" (Not all factors shown. Total does not add up to 100%.)
Advanced Persistent Threat is a dangerous, and increasingly common, threat. Yet few organizations are prepared to combat it.
This year, significant percentages of respondents from various industries agree that APT drives their organization's security spending, yet only 16% say their company has a security policy that addresses APT. Worse, implementation of certain tools and processes crucial to combating this new threat has slowed over the past year.
Safeguards in place, 2010 vs 2011:
• Network access control software: 53% (2010), 47% (2011)
• Identity management technology: 45% (2010), 41% (2011)
• Employee security awareness training program: 49% (2010), 43% (2011)
• Centralized security information management process: 48% (2010), 43% (2011)
• Penetration tests: 38% (2010), 38% (2011)
Question 28: "Which of the following elements, if any, are included in your organization's security policy?" Question 17: "What process information security safeguards does your organization currently have in place?"
Advanced Persistent Threat (APT) Attack Sequence
1. Target a specific organization or an entire industry
2. Spam the email address space and/or spear phish
3. Exploit a discovered vulnerability
4. Install custom-developed malware: sniffers, beacons, backdoors, password crackers, counter-forensic file deletion
5. Enumerate network nodes; identify target systems and information
6. Obtain Domain Admin credentials
7. Use services available within the environment to move laterally
8. Collect data, exfiltrate, securely delete files
9. Persistence: maintain remote access via beacon malware
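Two stages of the sequence above leave traces in logs most organizations already collect: lateral movement with stolen credentials (step 7) shows up as one account authenticating to many hosts in a short window, and beacon persistence (step 9) shows up as one workstation contacting one external domain at a nearly constant interval. The script below, an added example that is not PwC's code or part of the original deck, runs both detections over constructed sample logs. The log formats, field order, host names, account names, domain and thresholds are all assumptions made for the illustration.

```python
"""Detections for two stages of the APT sequence: lateral movement with
stolen credentials (step 7) and beacon persistence (step 9).

Added example, not PwC's code. Log formats, field order, thresholds and the
sample lines are all assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, assumed format: "<ISO timestamp> <src_host> <dst_domain>".
# ws-017 contacts one domain every ~300 s with little jitter (a beacon);
# ws-042 browses the same domain at irregular, human-looking intervals.
PROXY_LOG = """\
2012-09-19T09:00:00 ws-017 cdn-update.example.net
2012-09-19T09:05:01 ws-017 cdn-update.example.net
2012-09-19T09:09:59 ws-017 cdn-update.example.net
2012-09-19T09:15:00 ws-017 cdn-update.example.net
2012-09-19T09:20:02 ws-017 cdn-update.example.net
2012-09-19T09:24:58 ws-017 cdn-update.example.net
2012-09-19T09:00:40 ws-042 cdn-update.example.net
2012-09-19T09:01:05 ws-042 cdn-update.example.net
2012-09-19T09:14:30 ws-042 cdn-update.example.net
2012-09-19T09:15:10 ws-042 cdn-update.example.net
2012-09-19T09:48:00 ws-042 cdn-update.example.net
2012-09-19T10:21:00 ws-042 cdn-update.example.net
"""

# Constructed authentication log, assumed format:
# "<ISO timestamp> <account> <src_host> <dst_host> <result>".
# svc_backup (an account with Domain Admin rights) logs on to five servers
# from the beaconing workstation in under six minutes; jdoe touches two hosts
# over a whole working day.
AUTH_LOG = """\
2012-09-19T11:02:10 svc_backup ws-017 srv-fs01 success
2012-09-19T11:03:05 svc_backup ws-017 srv-fs02 success
2012-09-19T11:03:40 svc_backup ws-017 srv-db01 success
2012-09-19T11:05:12 svc_backup ws-017 srv-mail01 success
2012-09-19T11:07:30 svc_backup ws-017 srv-hr01 success
2012-09-19T08:30:00 jdoe ws-042 srv-fs01 success
2012-09-19T13:45:00 jdoe ws-042 srv-mail01 success
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_beacons(log, min_hits=5, max_cv=0.1):
    """Return {(src, dst): mean_interval_seconds} for host/domain pairs whose
    connection intervals are nearly constant, i.e. the coefficient of
    variation (stdev / mean) is below max_cv. Human browsing is bursty;
    beacon malware checks in on a timer."""
    stamps = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        when, src, dst = line.split()
        stamps[(src, dst)].append(_ts(when))
    found = {}
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            found[pair] = round(avg)
    return found


def find_lateral_movement(log, window_s=600, min_hosts=4):
    """Return {account: sorted distinct hosts} for accounts that logged on
    successfully to at least min_hosts different hosts inside any sliding
    window of window_s seconds."""
    logons = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        when, account, _src, dst, result = line.split()
        if result == "success":
            logons[account].append((_ts(when), dst))
    flagged = {}
    for account, events in logons.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {dst for when, dst in events[i:]
                     if (when - start).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for (src, dst), period in find_beacons(PROXY_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
    for account, hosts in find_lateral_movement(AUTH_LOG).items():
        print(f"possible lateral movement: {account} -> {', '.join(hosts)}")
```

On the constructed input the beacon check flags only ws-017 (six hits about 300 s apart) and the lateral-movement check flags only svc_backup; jdoe's two logons and ws-042's irregular browsing fall below the thresholds. In production both thresholds need tuning against a baseline, since patch agents and monitoring tools also check in on timers and administrators legitimately touch many hosts during a change window.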
Managing security risks associated with customers, partners, and suppliers is becoming an increasingly serious issue.
Customers and "insiders" like partners and suppliers traditionally have not been considered likely suspects in data breaches. That's changing, fast. Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled.
Security incidents attributed to (2009 / 2010 / 2011):
• Partner or supplier: 8% / 11% / 15%
• Customer: 10% / 12% / 17%
Some additional data points on third parties and security
• 39% have established security baselines for partners/customers/vendors. Taking this one step further, only 23.6% of respondents stated they have security procedures that partners/suppliers must comply with.
• 69% of respondents said they were somewhat to very confident when asked how confident they are in partners'/suppliers' information security.
• 35% of the time, respondents state their organizations were informed of security breaches by customers or suppliers, government officials, the media or the perpetrator.
What is the greatest security risk to your outsourced strategy?
• Uncertain ability to enforce provider site security policies - 31.8%
• Questionable privileged access control at provider site - 14.7%
• Proximity of your data to someone else's - 11.0%
• Uncertain ability to recover data - 19.0%
• Uncertain continued existence of provider - 3.7%
• Uncertain provider regulatory compliance - 3.5%
• Uncertain ability to audit provider - 2.8%
• Access across an untrusted network - 4.1%
Common Frameworks/Assessment Tools & Certifications
• Customized questionnaire developed internally
• Customized questionnaire developed by third parties
• GRC tool assessment packages
• Assessment framework developed by members. Based on ISO 27000, incorporates privacy principles and is easily customized.
• Agreed Upon Procedures (AUP) assessments may also be performed on service providers and result in a formal report. AUPs are typically done by third parties.
• "Report on Compliance" (ROC) issued by a QSA (Qualified Security Assessor) firm.
• Self-assessment questionnaires (SAQ) may be used directly or incorporated into a custom questionnaire.
• Prioritized Approach documents are also helpful.
• Common Security Framework (CSF) aggregates a set of security principles to assess and certify compliance.
• The ISO 27000 series of standards incorporates information security and risk principles. ISO 27002 provides a control framework organized into 11 security domains (2005 edition).
• ISO 27001 certification certifies an entity's information security management system (ISMS).
• Generally Accepted Privacy Principles (GAPP). Set of best practices created by the AICPA.
The implication for your business
What does this mean for you? How can you use this information to improve your security, protect your assets and operations, and improve your business?
• Use this information to define a vision for your information security program.
• Ask us for more information on this bracket of leaders in areas critical to your business.
• Then define, and refine, your information security strategy.
• At a minimum, focus acutely on (1) leadership, (2) strategy including business alignment, (3) testing and monitoring and (4) sensitive data.
Questions for discussion
Security Risk/Threat & Vulnerability Management:
1. How does your organization align its security posture to support its business goals?
2. How do you assess the company's security posture and gain comfort around security management as a whole?
3. How does your organization manage information security risk? Do you use a formal methodology?
4. How do you ensure your enterprise isn't currently being exploited or breached?
5. Are you ever truly prepared to respond to a serious cyber incident?
Questions for discussion
Data Protection & Third Party Security Risk Management:
1. What is most important to your organization? a) Confidentiality of data; b) Integrity of data; c) Availability of data
2. How do you get your arms around where data is, how data flows, and who has access to data within your organization?
3. What works well or not well about how your organization protects its data?
4. How are you protecting sensitive data at third parties?
Dan Fitzgerald, CISSP
312-298-6063
Director, PwC IT Security & Risk Assurance Practice
• 13+ years of information security experience
• CISSP and a former QSA
Dan Fitzgerald is a Director in the IT Risk & Security Assurance practice and is based in Chicago. Dan has more than 13 years of experience in information security and IT governance, risk and compliance. He has developed strategic security and compliance approaches and led delivery of large security programs for numerous multinational businesses.
He has experience with control frameworks including PCI DSS, ISO 27002, FISMA/NIST and COBIT. Dan has developed and implemented technical and procedural solutions enabling customers to achieve and sustain compliance efficiently across differing standards. He has a background in network and infrastructure security and is skilled in emerging technologies such as encryption, tokenization and virtualization.
Dan has experience in industry verticals including retail, the energy sector, technology and public service and has worked overseas on several engagements. He focuses on providing strategic security solutions that align to business outcomes.