bulletproofing customer data: legislative and practice

Post on 06-May-2015


Page 1: Bulletproofing Customer Data: Legislative and Practice

Bulletproofing Customer Data: Legislative and Practice Developments

Eddie Schwartz

Chief Security Architect

[email protected]

Page 2: Bulletproofing Customer Data: Legislative and Practice

Agenda

• Legislative Update: Security Breach Legislation
  – Current State
  – Understanding the Framework
  – Implementing the Guidance

• PCI Update

• Continuing Areas of Risk

• Emerging Risk Areas

• Recommended Approach

Page 3: Bulletproofing Customer Data: Legislative and Practice

Why Should I Care About Data Assurance?

• Data Drives the Normal Course of Retail Business
  – Data/systems-dependent operations/products/services, business intelligence, HR, outsourcing management, many more

• Data-Dependent Compliance (Data Integrity, Compliance Reporting, Systems Controls)
  – EEOC, PATRIOT, Sarbanes-Oxley, Reg E, NACHA, other

• Data Compliance Regulation & Standards (Data Use, Data/Data Subject Protection)
  – GLB, HIPAA, Telemarketing Rule & DNC, PCI Security Standard, FCRA/FACTA, EU/Canada, web trust seals

• Potential Enforcement Impact/Incident Response
  – Consent orders, state security breach notification laws

Page 4: Bulletproofing Customer Data: Legislative and Practice

Regulatory Issues

• Since last year, there are many more state laws on the books – mostly in the area of security breach disclosure

• There are a number of nuances that are State-specific

• Focus for today’s discussion:
  – Security breach disclosure requirements

Page 5: Bulletproofing Customer Data: Legislative and Practice

Relevant Laws and Regulations

• Sarbanes-Oxley Act
• PCAOB Rel. 2004-001 Audit Section
• SAS94
• Fair Credit Reporting Act (FCRA)
• AICPA Suitability Trust Services Criteria
• SEC CFR 17: 240.15d-15 Controls and Procedures
• NASD/NYSE 240.17Ad-7 Transfer Agent Record Retention
• GLBA (15 USC Sec 6801-6809) 16 CFR 314
• Appendix: 12 CFR 30, 208, 225, 364 & 570
• Federal Financial Institutions Examination Council (FFIEC) Information Security
• FFIEC Business Continuity Planning
• FFIEC Audit
• FFIEC Operations
• Health Insurance Portability and Accountability Act (HIPAA) § 164
• 21 CFR Part 11 – FDA Regulation of Electronic Records and Electronic Signatures
• Payment Card Industry Data Security Standard (PCI-DSS)
• Federal Trade Commission (FTC)
• CC1798 (SB1386)
• Federal Information Security Management Act (FISMA)
• USA PATRIOT
• Community Choice Aggregation (CCA)
• Federal Information System Controls Audit Manual (FISCAM)
• General Accounting Office (GAO)
• FDA 510(k)
• Federal Energy Regulatory Commission (FERC)
• Nuclear Regulatory Commission (NRC) 10CFR Part 95
• Critical Energy Infrastructure Information (CEII)
• Communications Assistance for Law Enforcement Act (CALEA)
• Digital Millennium Copyright Act (DMCA)
• Business Software Alliance (BSA)
• New Basel Capital Accord (Basel-II)
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Video Privacy Protection Act of 1988 (codified at 18 U.S.C. § 2710 (2002))

Page 6: Bulletproofing Customer Data: Legislative and Practice


High-level International Overview

• New Basel Capital Accord (Basel-II)

• Payment Card Industry Data Security Standard (PCI-DSS)

• Society for Worldwide Interbank Funds Transfer (SWIFT)

• Personal Information Protection Act (PIPA) – Canada

• Personal Information and Electronic Documents Act (PIPEDA) – Canada

• Personal Information Privacy Act (JPIPA) – Japan

• SafeSecure ISP – Japan

• Federal Consumer Protection Code, E-Commerce Act – Mexico

• Privacy and Electronic Communications (EC Directive) Regulations 2003

• Directive 95/46/EC Directive on Privacy and Electronic Communications – European Union

• Central Information System Security Division (DCSSI) Encryption – France

• Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of 2001 – Germany

• Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany

• US Department of Commerce “Safe Harbor”

Page 7: Bulletproofing Customer Data: Legislative and Practice

Security Breach Regulations

• 33 States have adopted data breach notification laws:
  – http://www.ncsl.org/programs/lis/CIP/priv/breach.htm

• Originally developed as a countermeasure to deal with identity theft cases

• Has proliferated in light of numerous financial services and retail mistakes

• A full chronology of data breaches can be found here:
  – http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 8: Bulletproofing Customer Data: Legislative and Practice

Scope of Data Breach Regulations

• Includes any entity that collects, uses or handles personal information as defined in the laws

• Some exemptions or “safe harbors” for entities subject to certain federal regulation
  – e.g., GLBA, HIPAA

• The definition of “personal information” varies from state to state
  – Delaware and Arkansas include medical information
  – Indiana and North Carolina include non-computerized records in the scope

• California can be used as a model for the purpose of discussing the framework

• FDIC also has a useful set of recommendations
  – http://www.fdic.gov/news/news/financial/2005/fil2705.html

Page 9: Bulletproofing Customer Data: Legislative and Practice

Basic Framework for Data Breach Compliance

• Regulated parties: State agencies, persons or businesses that conduct business in California and that own or license computerized data that includes personal information as defined

• Covered information:
  – Unencrypted computerized data including certain personal information.
  – Personal information that triggers the notice requirement is name (first name or initial and last name) plus any of the following:
    • Social Security number,
    • Driver’s License or California Identification Card number, or
    • Financial account number, credit or debit card number

Page 10: Bulletproofing Customer Data: Legislative and Practice

Breach Framework (Con’t)

• Notice Trigger: Unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information

• Whom to Notify: Any resident of California whose data was, or is reasonably believed to have been, acquired by an unauthorized person
  – Where the entity reporting the breach does not own the data, the owner or licensee of the data if data was, or is reasonably believed to have been, acquired by an unauthorized person

Page 11: Bulletproofing Customer Data: Legislative and Practice

Breach Framework (Con’t)

• Notification must occur in the most expedient time possible and without unreasonable delay
  – Guidelines indicate no later than 10 days after it is determined that there has been unauthorized access to covered data

• Timing may be delayed if notice would impede a criminal investigation, or in order to take necessary means to determine the scope of the breach and restore reasonable integrity to the system

• Notice may be provided in writing, electronically, or by substitute notice
  – If cost exceeds $250,000 or more than 500,000 people need to be notified
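Slides 9 through 11 describe one decision procedure: which exposed records count as personal information, who must be told, by when, and when substitute notice is allowed. The Go program below is a worked example added here, not part of the original deck, and implements those rules exactly as the slides state them: name plus at least one of the three trigger elements, acquired in unencrypted form, for a California resident; the 10-day guideline; and the $250,000 / 500,000-person thresholds. The record layout, the field names and the sample breach data are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ExposedRecord models one record found in the scope of a breach: which data
// elements were acquired and whether each was stored encrypted. The layout is
// constructed for this example, not taken from any real system.
type ExposedRecord struct {
	Resident  string            // two-letter state of residence of the data subject
	Name      string            // first name or initial plus last name; "" if not exposed
	Elements  map[string]string // trigger element -> value acquired (absent if not)
	Encrypted map[string]bool   // trigger element -> true if it was stored encrypted
}

// TriggerElements are the data elements that, together with a name, make the
// record "personal information" under the framework on the preceding slides.
var TriggerElements = []string{"SSN", "DriverLicense", "AccountNumber"}

// NoticeRequired reports whether one exposed record triggers individual notice:
// a California resident, a name, and at least one trigger element acquired in
// unencrypted form. A name alone or an account number alone does not trigger,
// which is the "false positive" the later guidance slide warns about.
func NoticeRequired(r ExposedRecord) bool {
	if r.Resident != "CA" || r.Name == "" {
		return false
	}
	for _, e := range TriggerElements {
		if r.Elements[e] != "" && !r.Encrypted[e] {
			return true
		}
	}
	return false
}

// Recipients returns the sorted, de-duplicated names that must be notified, so
// a subject appearing in several breached tables is notified once.
func Recipients(records []ExposedRecord) []string {
	seen := map[string]bool{}
	for _, r := range records {
		if NoticeRequired(r) {
			seen[r.Name] = true
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// NoticeDeadline is the outside date implied by the 10-day guideline, counted
// from the day unauthorized access to covered data was determined.
func NoticeDeadline(determined time.Time) time.Time {
	return determined.AddDate(0, 0, 10)
}

// SubstituteNoticeAllowed applies the thresholds on the slide: notice cost
// above $250,000, or more than 500,000 people to notify.
func SubstituteNoticeAllowed(costUSD float64, people int) bool {
	return costUSD > 250000 || people > 500000
}

// SampleBreach is a constructed set of exposed records used to exercise the
// rules; none of the names or numbers are real.
func SampleBreach() []ExposedRecord {
	return []ExposedRecord{
		// name plus plaintext SSN, California resident: notice required
		{Resident: "CA", Name: "A. Lee", Elements: map[string]string{"SSN": "000-00-0001"}},
		// name plus account number, but the number was stored encrypted: no notice
		{Resident: "CA", Name: "B. Cruz", Elements: map[string]string{"AccountNumber": "4000000000000"},
			Encrypted: map[string]bool{"AccountNumber": true}},
		// SSN acquired without a name: not "personal information" as defined
		{Resident: "CA", Elements: map[string]string{"SSN": "000-00-0003"}},
		// complete record, but the subject is not a California resident
		{Resident: "NV", Name: "D. Park", Elements: map[string]string{"DriverLicense": "X0000004"}},
		// the first subject again, from a second table: still notified only once
		{Resident: "CA", Name: "A. Lee", Elements: map[string]string{"DriverLicense": "X0000001"}},
	}
}

func main() {
	determined := time.Date(2006, time.October, 2, 9, 0, 0, 0, time.UTC) // constructed date
	fmt.Println("notify:", Recipients(SampleBreach()))
	fmt.Println("outside date:", NoticeDeadline(determined).Format("2006-01-02"))
	fmt.Println("substitute notice allowed:", SubstituteNoticeAllowed(300000, 1200))
}
```

Of the five constructed records only one subject ends up on the notice list: the encrypted account number, the name-less SSN and the out-of-state resident all fall outside the definition, and the duplicate of the first subject collapses into a single notice. Real state statutes differ in the details (the scope slide above notes several), so the trigger list and residency test would be parameterised per state in practice.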

Page 12: Bulletproofing Customer Data: Legislative and Practice


Guidance: Governance

• Define role or functional accountability for key data governance objectives (guidance for SB 1386 defines “Data owner” and “Data custodian,” for example)

• Design a comprehensive, multilayered program to protect confidentiality of all personal data handled, in electronic or paper form

• Inventory assets, identifying those handling personal data

• Employee training on security and privacy policies

• Contractual requirements and monitoring of appropriate security controls for third parties with whom data is shared

• Review security plan at least annually or whenever there is a material change in business practices that affect data use or security

• Maintain an incident response plan; include procedures for incidents involving regulated or high-risk data; review annually

• Document response actions taken on incidents

Page 13: Bulletproofing Customer Data: Legislative and Practice

Guidance: Security

Confidentiality
• Classify data according to sensitivity; identify notice-triggering data
• Use of encryption where feasible (NIST standard)

Integrity
• Intrusion detection procedures and technologies
• Monitor and enforce third party agreements
• Maintain complete, current, accurate contact information for individuals whose notice-triggering data is managed
• Accurately determine notice recipients (avoid “false positives”); procedures to determine who should receive notice

Availability
• Classify data according to sensitivity; identify notice-triggering data
• Design and monitor appropriate access controls

Page 14: Bulletproofing Customer Data: Legislative and Practice


Guidance: Privacy and Ethics

• Collect the minimum amount of data necessary for specific purposes

• Adopt written procedures for notification in event of breach

Page 15: Bulletproofing Customer Data: Legislative and Practice

Guidance: Retention

• Retain data for minimum time necessary

• Dispose of records and physical assets containing personal data in a secure manner

Page 16: Bulletproofing Customer Data: Legislative and Practice

Encrypted Data

• Good news: Exempt in many states from disclosure requirements

• Not as good news: Make sure you have solid encryption and key management policies
  – i.e., encryption keys must be protected or you will be required to disclose the breach
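The key-management caveat above, as an added Go example that is not from the original deck: notice-triggering fields are stored only as AES-GCM ciphertext, the keys live in a service separate from the data store, and the breach review asks not just "was the data encrypted" but "was any key that decrypts it acquired as well". KeyService is a hypothetical in-memory stand-in for an HSM or key-management service, the token format is this example's own, and the record values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyService is a hypothetical in-memory stand-in for a key store kept
// outside the customer database (an HSM or key-management service).
type KeyService struct{ keys map[string][]byte }

func NewKeyService() *KeyService { return &KeyService{keys: map[string][]byte{}} }

// Generate creates a fresh 256-bit AES key under keyID.
func (k *KeyService) Generate(keyID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[keyID] = key
	return nil
}

// aead builds AES-256-GCM for keyID; raw key bytes never leave the service.
func (k *KeyService) aead(keyID string) (cipher.AEAD, error) {
	key, ok := k.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns "keyID:base64(nonce||ciphertext||tag)": the token names
// the key (bound into the tag as associated data) but carries no key material.
func EncryptField(ks *KeyService, keyID, plaintext string) (string, error) {
	gcm, err := ks.aead(keyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(keyID))
	return keyID + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; it fails on a malformed or tampered token.
func DecryptField(ks *KeyService, token string) (string, error) {
	keyID, enc, _ := strings.Cut(token, ":") // no ':' -> whole token is an unknown key id
	gcm, err := ks.aead(keyID)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed token")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(keyID))
	return string(pt), err
}

// StoredRecord is what the database holds: name in clear, trigger elements as tokens.
type StoredRecord struct {
	Name     string
	Elements map[string]string // element name -> token from EncryptField
}

// BreachScope describes what was acquired: the data store, plus any key ids.
type BreachScope struct {
	DataStore   bool
	KeysExposed map[string]bool
}

// DisclosureRequired encodes the slide's caveat: the encrypted-data exemption
// holds only if no key able to decrypt an exposed element was acquired too.
func DisclosureRequired(r StoredRecord, scope BreachScope) bool {
	if !scope.DataStore {
		return false
	}
	for _, tok := range r.Elements {
		if keyID, _, _ := strings.Cut(tok, ":"); scope.KeysExposed[keyID] {
			return true
		}
	}
	return false
}

func main() {
	ks := NewKeyService()
	_ = ks.Generate("cust-k1") // error ignored only in this demo
	tok, _ := EncryptField(ks, "cust-k1", "000-00-0001") // constructed SSN-shaped value
	rec := StoredRecord{Name: "A. Lee", Elements: map[string]string{"SSN": tok}}
	fmt.Println(tok, DisclosureRequired(rec, BreachScope{DataStore: true}),
		DisclosureRequired(rec, BreachScope{DataStore: true, KeysExposed: map[string]bool{"cust-k1": true}}))
}
```

The point of tagging each token with its key id is that the post-incident question becomes mechanical: list the key ids present in the exfiltrated tables and intersect them with the keys in the compromised scope. A design where the key sits in the same database, a config file on the same host, or a backup taken alongside the data would put every key id into KeysExposed and forfeit the exemption.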

Page 17: Bulletproofing Customer Data: Legislative and Practice

PCI Update

• PCI standards are still basically the same as last year

• In July 2006, merchant level definitions changed:
  – Level 1: > 6MM Visa transactions per year, or if you’ve been hacked, or if Visa says so....
  – Level 2: 1MM to 6MM Visa transactions per year
  – Level 3: 20K to 1MM e-commerce transactions per year
  – Level 4: <20K e-commerce transactions per year, or <1MM non-e-commerce Visa transactions per year

Page 18: Bulletproofing Customer Data: Legislative and Practice

PCI Compliance Validation Requirements

Level 1
• Validation action: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
• Validated by: Qualified Data Security Company, or Internal Audit if signed by an Officer of the company (assessment); Qualified Independent Scan Vendor (scan)
• Due date: 9/30/04; new level 1 merchants have up to one year from identification to validate

Level 2
• Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
• Validated by: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)
• Due date: New level 2 merchants: 9/30/2007

Level 3
• Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
• Validated by: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)
• Due date: 6/30/05

Level 4*
• Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
• Validated by: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)
• Due date: Validation requirements and dates are determined by the merchant's acquirer

Page 19: Bulletproofing Customer Data: Legislative and Practice

PCI Basic Principles

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Page 20: Bulletproofing Customer Data: Legislative and Practice

Upcoming PCI Changes

• Additional focus on application layer security issues
  – Prior focus was network security
  – New focus: Web application threats such as SQL injection attacks, cross-site scripting flaws, error-handling problems and validation errors

• Within the next two years there will be a requirement to use payment systems / application vendors who can meet all the security requirements
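The application-layer issues listed above, shown from the defensive side in an added Go example (not code from the deck, from PCI, or from any vendor): a request handler that validates its input against a strict pattern before anything else sees it, renders output through html/template so stored data is escaped for the HTML context it lands in, and keeps internal error detail in the server log while the client only ever receives a generic message. The account-id format, the holder name and the error text are constructed.

```go
package main

import (
	"fmt"
	"html/template"
	"log"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// accountIDPattern admits only what an account id can legitimately look like
// (a constructed format); anything else is rejected before it reaches a query
// or a page, which is the validation half of the slide's list.
var accountIDPattern = regexp.MustCompile(`^[0-9]{6,12}$`)

// page is an html/template: every interpolated value is escaped for the HTML
// context it lands in, so stored data cannot inject markup (the XSS half).
var page = template.Must(template.New("acct").Parse(
	`<p>Account {{.ID}} is held by {{.Holder}}</p>`))

// lookupHolder stands in for the database query. The holder name and the error
// text are constructed; the error deliberately carries the kind of internal
// detail (table, host) that must never reach a client.
func lookupHolder(id string) (string, error) {
	holders := map[string]string{"123456": "O'Brien & Sons <Retail>"}
	if h, ok := holders[id]; ok {
		return h, nil
	}
	return "", fmt.Errorf("row not found in table accounts on host db01 (id=%s)", id)
}

func accountHandler(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("id")
	if !accountIDPattern.MatchString(id) {
		// validation failure: generic message, input not echoed back
		http.Error(w, "invalid account id", http.StatusBadRequest)
		return
	}
	holder, err := lookupHolder(id)
	if err != nil {
		// error handling: full detail to the server log, generic text to the client
		log.Printf("account lookup failed: %v", err)
		http.Error(w, "request could not be completed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, map[string]string{"ID": id, "Holder": holder}); err != nil {
		log.Printf("render failed: %v", err)
	}
}

// Serve runs one GET /account?<rawQuery> through the handler in-process and
// returns the status code and body, so behaviour can be checked without a
// network listener.
func Serve(rawQuery string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/account?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	accountHandler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, q := range []string{"id=123456", "id=12-34", "id=999999"} {
		code, body := Serve(q)
		fmt.Printf("%-10s -> %d %s\n", q, code, body)
	}
}
```

Because the id is validated as a fixed-format numeric string before lookupHolder is called, the same check also limits what could ever reach a parameterised database query behind it; the template then escapes the apostrophe, ampersand and angle brackets in the stored holder name, and the two failure paths return fixed strings rather than the input or the database's own error text.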

Page 21: Bulletproofing Customer Data: Legislative and Practice

What is Data Assurance?

• Appropriate integration and alignment of business data requirements with information privacy and security objectives & processes

• This outcome is achieved through common frameworks for:
  – Governance
  – Risk Management
  – Compliance

• Coordinated process implementation through an information security and privacy management program

Page 22: Bulletproofing Customer Data: Legislative and Practice

Common Roadblocks to Meeting Challenges & Objectives

• Process silos – privacy, security, compliance, IT management, risk management, etc.
  – Increases segregation of core data assurance competencies

• Multiple compliance initiatives with different ownership for regulations & standards
  – More points of accountability, more decision layers to manage

• Communication gaps
  – Various initiatives duplicate effort, reporting channels aren’t effectively coordinated, reporting content isn’t appropriately defined or analyzed

Page 23: Bulletproofing Customer Data: Legislative and Practice

Managing Internal Issues

• The most important internal issue is the lack of appropriate governance and controls

• Data assurance program components must be blended into the following corporate programs:
  – Corporate governance (COSO)

– I/T governance (COBIT)

– Enterprise architecture (ETWA)

– SDLC models (RUP)

– Operational SLAs (ITIL)

– Quality management functions (ISO 17799, 9000)

– Compliance

Page 24: Bulletproofing Customer Data: Legislative and Practice

How “Best” Are Your Best Practices?

Level 1: Neutrality or Lack of awareness
  – For example, Information Security and Privacy roles and responsibilities are not defined; Policies, Standards and Procedures do not exist

Level 2: Management Recognition and Acknowledgement with supporting actions being informal
  – For example, Discussion of security topics at business meetings is in response to critical issues only; Awareness activities have been discussed but not carried out

Level 3: Partial formalized documentation and implementation
  – For example, Personnel security procedures are documented but not consistently followed; Awareness activities are not carried out for all users

Level 4: Consistent documentation, implementation and common acceptance
  – For example, Awareness and training activities are routinely performed for the whole user population; Security planning activities are integrated into the business planning process

Level 5: Continuous improvement process
  – For example, There exists a budgetary review cycle that confirms that security and privacy funding is adequate; Incident response plan is tested and modified on an on-going basis

Page 25: Bulletproofing Customer Data: Legislative and Practice


Characteristics of a Good Security Program

• Deals with all areas of threat and vulnerability – i.e., all areas that require bulletproofing

• Center-led by one person, but decentralized in terms of roles and responsibilities

• Contains lifecycle Plan/Build/Run components and is architecture-based

• The value of data is assessed and managed throughout its lifecycle

• Embedded in I/T and corporate governance initiatives

Page 26: Bulletproofing Customer Data: Legislative and Practice


Benefits & Opportunities

• Consolidates & coordinates multiple information risk management and compliance efforts

• Aligns best practices – more organizations are implementing ISO, ITIL, CMM, COBIT frameworks to standardize data governance, risk management & compliance

• BS 7799/ISO 17799 increasingly viewed as satisfying multiple regulatory requirements around data security, internal controls to manage operation, technical & compliance risk

Page 27: Bulletproofing Customer Data: Legislative and Practice

Bulletproofing Your Data

• “Bullets” come from many directions

• External sources
  – Business partners, regulations, laws
  – Hackers, malcode, criminals

• Internal sources
  – Errors, misconfiguration, negligence
  – Bad actors, ignorance

• New and emerging technologies
  – RFID

• Caveat emptor: there is no way to completely bulletproof your environment – but you MUST demonstrate a clear standard of due care

Page 28: Bulletproofing Customer Data: Legislative and Practice

Dealing with Process Gaps (Example)

• Managing vulnerabilities within systems and networks
  – Un-patched and badly-configured systems
  – Lack of due diligence and follow-up

• Recommendations:
  – Develop a broad range of asset scanning and baselining capabilities for network services and functions
  – Treat vulnerabilities (configuration, bugs, patches, etc.) as a problem that requires end-to-end management
  – Measure improvements over time

Page 29: Bulletproofing Customer Data: Legislative and Practice

Maintain Positive Control Over Customer Data

• Map the manner in which data is acquired, transported, stored, accessed, and retired

• With security and data privacy requirements and policies in mind, apply the most basic security principles to the data, i.e.:
  – Confidentiality (“least privilege”)
  – Integrity
  – Availability

• Manage the program across the enterprise – avoiding the typical pitfalls

Page 30: Bulletproofing Customer Data: Legislative and Practice

Planning for Growth and Change

• Deal with growing complexity
  – New systems and technologies
  – Complex business rules and data uses
  – Comprehensive internal controls

• Velocity of change
  – Policies and business requirements
  – New products and sales channels
  – New uses for data and analytics

• Volume of data
  – Create useful outcome, mindful of security and privacy requirements

Page 31: Bulletproofing Customer Data: Legislative and Practice

To-Do List

• Work from a plan of attack
  – Strategic vision and data assurance architecture
  – Create achievable tactical objectives (that can be measured easily)
  – Build success stories

• Improve security posture

• Embed data assurance (i.e., security and privacy) into repeatable, scalable, measurable, defensible, sustainable, and cost effective processes

• Establish and justify program financials

• Report status and progress to senior management

Page 32: Bulletproofing Customer Data: Legislative and Practice


Q&A

Eddie Schwartz

[email protected]

703-932-9550