LIVING IN THE CLOUD IN A COMPLIANT, RISK-BASED, AND LEGALLY DEFENSIBLE APPROACH

You can outsource functions and activities, but not responsibility.

Michael Cox, CIPP, President, SoCal Privacy Consultants
AITP SD Cloud Computing Conference 2014, San Diego Marriott La Jolla, Thursday, 13 Nov 2014


BIO: Michael Cox, CIPP/US

President, SoCal Privacy Consultants
- Confidential clients include private and public customer-centric organizations in health care, Internet, technology services, financial services, bitcoin ATMs, etc.
- For an FTC consent order client, established multi-state information security programs and provides ongoing consulting, resulting in four consecutive satisfactory audits certifying compliance to the order
- Conducts gap assessments and establishes lean, sustainable and legally defensible privacy and security programs for partners, service providers, and M&A buyers and sellers
- Obtains executive commitment; operationalizes governance with clear roles and responsibilities; develops policies; conducts training; advises on implementation; and provides tools and an effective transfer of knowledge

Chief Privacy Officer, Pathway Genomics Corporation, an international genetics testing laboratory

Previous experience
- VP of Enterprise Risk Management, Goal Financial
- Business Risk Officer, Capital One Auto Finance
- VP of Operations, multiple organizations, including 2 Fortune 200 companies

- Certified Information Privacy Professional (CIPP/US)
- Member, International Association of Privacy Professionals (IAPP)
- Member, IAPP Professional Privacy Faculty
- Member, two privacy think-tank groups, Lares Institute
- Co-author, Security chapter for HIMSS Good Informatics Practices (GIP)
- Frequent speaker on privacy and security subjects
- B.S., Business Administration, Virginia Tech

Contact information: [email protected] or (619) 318-1263

 

What markets are represented here?

Organizations: Public; International

Markets: Health care; Financial services; Retail; Technology service providers; Others _________________

Data Innovation Pledge: “I will promote the Ethical and Innovative Use of Data to improve people’s lives”

Too often there is perceived tension between privacy, technology and innovation. Rather than just co-exist, they can thrive and drive innovation as a team.

Privacy should be thought of as a functional requirement, like sales and revenue, and not just a quality attribute. Without privacy, there is no customer trust.

Together, privacy, technology and innovation bring unparalleled value, opportunity, efficiency, service, and connectivity.

California is a privacy leader

- 2003: 1st state breach notification law
- 2012: law amended to require notification to the CA State AG when 500+ CA citizens’ data is compromised
- From 2012 to 2013, reported compromised breach records increased 600%
- Data breaches are expected to keep climbing

FTC Consent Order client impacts: 20 year consent order

- The CEO will likely want another executive to sign the order, e.g. GC, CFO or CRO
- A copy of the order must be delivered to, and receipt acknowledged by, all current and future subsidiaries, principals, officers, directors, managers, employees, agents, and representatives having responsibilities relating to the order
- Increased cost of compliance:
  - Provide 30 days notice of change to the corporation, e.g., dissolution, assignment, sale, merger or like action
  - Within 90 days of the order, provide a report of compliance to the order
  - Respond within 10 days to additional information requests
  - Expensive independent biennial audits by a CISSP, CISA, or GIAC (not a CPA)
  - Demonstrate compliance on any given day during the biennial period
  - Retain specified compliance documentation for a period of 5 years: any documents that “contradict, qualify, or call into question compliance with” the order; risk assessments; consumer complaints; plans, reports, studies, reviews, audits, audit trails, training materials, and assessments; statements disseminated to consumers re: privacy/security
- Compliance is elevated due to:
  - FTC expectations, e.g. privacy/security training occurs prior to providing new hires access to PII
  - Being on the FTC’s radar screen and wanting to avoid another breach

Key takeaways

- Compelling business case for privacy, yet many compliant organizations continue to suffer breaches
- Achieving a legally defensible posture better protects an organization and its customers
- ERM establishes a legally defensible system by creating accountability for risk and making informed decisions within the company’s risk tolerance
- Risk associated with subcontractors, including cloud services providers, must be addressed in a legally defensible manner

FIRST, A FEW CONCEPTS

To ensure alignment

What is privacy?

- It is about individual rights and choices around the data privacy lifecycle
- It requires information governance around PII: onward transfer (cross-border transfer rules), notice/consent-choice, collection, purpose/use, access/availability/correction/quality, disclosure/sharing/transfer, storage/retention and secure disposal
- It includes security of PII: administrative, physical, and technical controls

Privacy is complex and evolving

Continually challenged by emerging issues:
- New threats and vulnerabilities
- Snowden/NSA surveillance
- New technologies, e.g. mobile apps/devices, biometrics, wearable computing
- Big Data, e.g. bio-banks, predictive analytics
- Internet of Things (IoT)

Defined by:
- Laws, regulations, guidance, enforcement actions
- Context, e.g., purpose
- Social norms (“rules of civility”): what would the “reasonable person” expect? Different markets have different expectations; data sensitivity

Why is there this seemingly endless parade of breaches?

Question: Why are so many “compliant organizations” suffering breaches and the resulting regulatory fines and enforcement actions, class action lawsuits, and adverse brand and equity impacts?

Answer:
1. Treating privacy strictly as a compliance risk
2. Underestimating the risk, or not being aware they are assuming a risk
3. Not pursuing a risk-based, legally defensible strategy
4. Not implementing governance

COMPELLING BUSINESS CASE

For Privacy

Calculating breach risk

risk = probability x impact

Risk Levels (rows: probability of occurrence; columns: impact severity)

Probability   | Insignificant | Minor    | Significant | Damaging  | Serious   | Critical
Negligible    | Very Low      | Very Low | Low         | Low       | Low       | Low
Very Low      | Very Low      | Low      | Low         | Low       | Moderate  | Moderate
Low           | Very Low      | Low      | Moderate    | Moderate  | High      | High
Medium        | Very Low      | Low      | Moderate    | High      | High      | Very High
High          | Low           | Moderate | High        | High      | Very High | Very High
Very High     | Low           | Moderate | High        | High      | Very High | Very High
Extreme       | Low           | Moderate | High        | Very High | Very High | Very High

Note: even a low probability with a serious impact equals a high risk.

But the probability of a breach is usually underestimated. Businesses in the last 12 months had: 90% one or more breaches; 59% multiple breaches (Ponemon Institute).

Continually under attack from rapidly growing threats

A managed security services provider can monitor external and internal threats

Impacts can be catastrophic: privacy is more than a compliance risk

- Regulatory risk
- Legal risk
- Financial risk (Ponemon Institute): revenue loss; $5.4-7.2 million avg. per-incident cost over the last 7 years; 12-22% avg. loss in brand value
- Reputation/brand risk
- Operational risk: CEOs lost 1-1.5 years of productivity (interviews)
- Officer liability risk (Target CEO and board)

Yet, the cost to protect is low and creates a legally defensible posture

- Avg. protection cost ($16) is less than 7% of avg. breach cost ($204) per compromised record (Gartner)
- Avg. breach cost reductions per record (Ponemon Institute): $23 for a CPO/CISO; $42 for an incident response plan
- 97-99% of breaches are avoidable with reasonable (simple/intermediate) controls (Verizon Business Data Breach Investigation Reports)
- Legal defensibility is getting to 97-99% avoidability, not “absolute privacy/security”, as there is no such thing

While we’re talking about costs … what are the postponement costs?

- The cost of doing it later is 17 times higher than the incremental cost of doing it now (Capital One)
- Plus the risk exposure from not being in a legally defensible posture … Stephen Covey calls that a “Lose-Lose” situation

The purpose of brakes on a car is … ? Not to slow the car down … but to allow it to go fast!

But the cyber security gap is growing

Security goals are also bigger than compliance

Protect from theft, business disruption and compromise:
- Company technology and infrastructure
- Intellectual property and trade secrets
- PII data

Key types of theft: which is worth more on the black market, and why?

When customers are compromised, so is the business: life-changing impact on compromised individuals

Privacy can be an asset for gaining competitive edge, by building and maintaining stakeholder trust and loyalty

Privacy builds and maintains company brand
- 80% of CEOs believe good data protection increases brand / marketplace value*

Privacy enables achievement of business objectives
- Win partner business
- Secure investor confidence
- Secure acquiring company bid
- Obtain cyber risk insurance when ready (no absolute security)

*Ponemon Institute survey

Expectations of public company boards: cyber attacks affect the integrity of capital market infrastructure, public companies and investors

- SEC Commissioner Aguilar: “… boards who choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
- Fiduciary duty breach in managing/monitoring material risks:
  - Duty of due care: knowledgeable and active, direct role
  - Duty of oversight: board minutes/reports should document this
- 10-K cybersecurity disclosures: the SEC’s 2011 guidance to adequately inform shareholders. Disclose material events that would affect operational results, liquidity and financial condition, or cause financial information not to be indicative of future operating results

Recommendations to protect against liability: board members should mitigate business/D&O liability and class action lawsuit risk

Ensure establishment of a legally defensible program

Governance and oversight
- Ensure comprehensive policies/procedures/standards, including vendor management
- Become well-informed of the company’s policies/practices/gaps and industry standards
- Recruit and hire at least one “cybersecurity (tech-savvy) director”; use outside experts and auditors
- Appoint well-qualified privacy and security officers and periodically meet with them
- Establish a senior, cross-functional privacy and security steering (oversight) committee

Monitoring and reporting
- Ensure the company: maintains data mapping; conducts controls evaluations and risk assessments; reviews vendors; monitors for external, internal and third party threats
- Require regular reporting to the board

Make appropriate public cybersecurity disclosures

Consider cybersecurity risk insurance

ACHIEVING A LEGALLY DEFENSIBLE POSTURE

Achieving Privacy/Security-by-Design through ERM

Imagine this not-so-improbable scenario

1. IT reports malware has been discovered on computer systems and it is likely that PHI, business plans and intellectual property have been exposed.
2. U.S. state data security breach notification laws have been triggered. The Chief Privacy Officer advises that once the required notices go out, expect media inquiries and letters from HHS, the FTC and State Attorneys General seeking information about the breach and the company’s cybersecurity practices.
3. A letter comes from a prominent legislator asking questions about the breach.
4. Corporate partners inquire about contractual data security and privacy obligations, and the potential impact of the breach on their systems, data, and business.
5. Investors and plaintiffs’ lawyers are organizing to pursue actions related to the breach and its effect on the company, its operations and revenues, and individuals’ privacy.
6. (If public) SEC Form 8-K requires evaluating whether to report the incident as a material risk.
7. And the Board wants to know what steps the company has taken to assess and mitigate the legal risks.

Is the organization in a legally defensible position and ready to appropriately and quickly respond?

Scenario originally described by Harriet Pearson, partner with Hogan Lovells US LLP: “Cybersecurity: The Corporate Counsel’s Agenda.”

Compliance vs. legally defensible strategy

Check-the-box compliance is not defensible
- Standards establish a minimum baseline, but are not enough
- Standards cannot keep up with emerging threats, new technologies, changing laws/regulations, and guidance/enforcement actions
- Many compliant organizations continue to suffer breaches

Fundamental principles to preserve and build long-term value
- When, not if: presume that a breach will occur and that the entity will be subject to legal proceedings to defend itself and its assets
- Be able to make legally sound/compelling arguments, from the view of a plaintiff’s attorney/judge/jury/regulator, that the entity has done everything reasonable

ERM = Privacy/Security-by-Design = Legal Defensibility

Enterprise Risk Management:
- Establish governance
- Establish ownership of and accountability for risks
- Continually anticipate foreseeable risks
- Design reasonable controls to mitigate privacy risks
- Implement and test controls prior to roll-out
- Monitor controls to determine risk mitigation effectiveness
- Do so in a repeatable, sustainable manner
- Avoid major business disruptions and breach costs

Privacy/Security-by-Design enables Legal Defensibility

Risk-based privacy practices: embed ERM into daily decision-making for legal defensibility

Principle: Legal Defensibility
  Explained: Compliance is not adequate privacy / security; however, there is no absolute privacy / security (more on this in a moment)
  Examples / Comments: Understand common root causes of breaches (VB DBIR, Top 20 CSC)

Principle: Risk Governance Model
  Explained: Institutionalize accountability and clear roles and responsibilities
  Examples / Comments: Governance Committee, Privacy and Security Officials, clear roles and responsibilities

Principle: Data Flow, Locations and Inventory Mapping
  Explained: Document end-to-end privacy data flows and locations (resources) and identify the highest data sensitivity; informs the risk assessment
  Examples / Comments: Document owner, swim lane process owners, resource owners, resource custodians

Principle: Data Sensitivity Drives a Risk-Based Approach
  Explained: Determine the strength of controls based on data sensitivity levels: highly sensitive, sensitive, slightly sensitive, not sensitive
  Examples / Comments: Pre-contract due diligence and periodic monitoring of service providers, roles-based access controls

Principle: Privacy/Security-by-Design
  Explained: Embed risk assessments in daily decision-making (not just annually); use privacy impact analysis in the SDLC
  Examples / Comments: FTC / Dep’t of Commerce argued for this vs. more prescriptive EU regulations (self-regulatory: be responsible)

Principle: Overarching Risk Prevention Strategies
  Explained: Establish key strategies that mitigate risk
  Examples / Comments: Thin client to access PII (solves many risks), isolate PII to a separate network, encryption by default

Adopt an integrated privacy risk management & control framework: a continuous process for optimizing reward vs. emerging risks and strengthening posture

Governance: regulatory coverage map; strategy setting / planning; risk tolerance; risk policy; risk owners and accountability; training and education

Risk Assessment: risk identification; controls effectiveness review; risk probability and impact; risk ranking

Risk Response / Management: avoid, transfer, monitor, accept risk; mitigation planning and execution; privacy / security-by-design; control activities

Monitoring and Adapting: controls evaluation in RM tiers; controls effectiveness monitoring; event / incident / breach analysis; identifying and closing gaps

Information and Communication: key risk indicator review; Privacy Steering Committee; Board of Directors

Internal Environment: executive commitment; management support

Simplified COSO RM & C Framework adapted to manage privacy / security risks

Regulators (not an exhaustive list)

- SEC: public companies; breach disclosures on Form 8-K; 10-K disclosures of material risks; Cybersecurity Alert for broker-dealers, investment companies, hedge funds
- FTC: Section 5, FTC Act
  - Deceptive trade practice: over-stated / omitted privacy / security practices
  - Unfair trade practice: inadequate privacy / security
  - Enforcement actions help establish reasonability standards
- FCC
- HHS
- State AGs: CA State AG Kamala Harris, Privacy Protection and Enforcement Bureau, issues guidance; CT and MA State AGs
- EU / other countries’ DPAs: require approval before cross-border transfers

Determining “reasonable safeguards”: use a standards stack to strengthen policies/SOPs and ensure no gaps

Write policies to a framework of appropriately stacked standards for legal defensibility:
- HIPAA Security Rule (10 years old)
- 7 Elements of the U.S. Sentencing Guidelines for an Effective Compliance Program
- Top 20 Critical Security Controls, Council on Cyber Security (VB DBIR)
- State requirements, e.g., MA’s requirement that PII be encrypted on mobile devices
- Contractual requirements, e.g., Shared Assessments SIG
- Regulatory guidance and enforcement actions, e.g. mobile apps, peer-to-peer file sharing
- PCI DSS standards
- ISO 27002:2013

ESTABLISHING A LEGALLY DEFENSIBLE CLOUD STRATEGY AND IMPLEMENTATION

Three steps

Cloud introduction

Offers significant advantages:
- No-capex / low-cost subscription model
- Inherent agility, efficiency, and accessibility

Tends to reduce the company’s direct control over:
- Location, transfer and handling of its data
- Contract negotiations

Gartner’s research: cloud services buyers are finding security inadequate. So why are they finding this out after starting to use the service?

Know how you are using a Cloud Service Provider

- Amazon EC2, Microsoft Azure, Google Compute Engine
- AWS Elastic Beanstalk, Google App Engine, Force.com
- Microsoft 365, Google Apps, Salesforce.com

Accountabilities using the cloud: defining responsibilities between your organization and the Cloud Service Providers

Role            | Accountability
Data owner      | Customer
Data controller | Cloud client (trusted organization)
Data processor  | Cloud services provider

You can outsource functions and activities, but not responsibility!

You need to extend the ERM processes system-wide to include trading partners and subcontractors. You can’t just sign a contract and assume you are protected.

Establishing a legally defensible cloud strategy and implementation

1. Develop cloud plan
   a. objectives/strategy
   b. business case/risk assessment
   c. requirements
2. Select and properly contract with cloud service provider (CSP)
3. Govern, monitor and manage cloud services

Establishing a legally defensible cloud strategy and implementation

Step 1. Develop cloud plan
a. Identify cloud resource owner/sponsor and custodian; assemble decision team
b. Understand laws/regs (regulatory compliance map)
c. Define cloud objectives
   i. Data location; multi/single tenancy; exit strategy/portability; single/multiple clouds; public/community/hybrid/private (onsite/outsourced); IaaS/PaaS/SaaS
d. Define sensitivity of data and processes outsourced (use cases)
   i. Develop data flow and resource mapping
   ii. Conduct privacy risk impact assessment and develop mitigation plans
e. Define security responsibilities/requirements: who develops/tests/deploys/manages/monitors
   i. Cloud client: encrypt data in transit/at rest (retain keys); secure communications; secure configuration/network segmentation; access controls/IAM integration; backups/data replication; monitoring (vulnerability scans, periodic RBAC reviews); F/W egress filtering; consider 3rd party tools to add features/functionality and ease the move to an alternative CSP
   ii. CSP: acceptable contract terms, e.g. breach notification, etc.; independent audit to specific regulatory standards; privileged identity management; logs enabled and correlation/response; F/W, IDS/IPS

Establishing a legally defensible cloud strategy and implementation

Step 2. Select and properly contract with CSP
a. Assess contracts of finalists, e.g. breach notification, right to audit, security requirements
b. Verify acceptable risk tolerance to plan
c. Select and contract with CSP, only after competitive evaluation of finalists’ agreements

Step 3. Govern, monitor and manage cloud services
a. Implement cloud client responsibilities, including management and monitoring of the CSP
b. Establish policies/SOPs
c. Securely migrate data/applications
d. Monitor to ensure implementation matches objectives/requirements

Develop a regulatory coverage map

Applicable laws/regs/standards are determined by:
- Consumer residency: consumer protection laws tend to protect residents of a jurisdiction
- Data location: NSA/Snowden is causing some countries to not want data to leave their country, e.g. Russia’s new law. Some international mega-companies, including cloud service providers, are rapidly building data centers in these countries

Identify applicable laws re: outsourced PI

- Privacy laws: GLBA, HIPAA, etc.
- Data breach notification laws
  - U.S. state laws generally (but not all) provide an exception for encryption
  - Tend to focus on SSNs, driver’s license #s, and credit card #s
  - Consider sensitive data privacy laws: genetic information
  - International: developing breach notification laws
- Cross-border data transfer rules/restrictions
  - Consent
  - EU/EEA: U.S./EU Safe Harbor, U.S./Switzerland Safe Harbor; model contract clauses / binding corporate rules (BCRs)
  - APEC: Cross-Border Privacy Rules System agreement
  - Other countries, e.g. Morocco, Israel, Argentina, Uruguay, South Korea

Regulatory coverage map: federal, state, local and international

Columns of the map:
- # / Regulation/law
- Accountability: risk owner; internal SME; need-to-know stakeholders
- Jurisdictions
- Competency: risk owner; internal SME; stakeholders
- Implementation Maturity: policy / SOP; training; risk assessment; controls evaluation; monitoring / sanctions

COMPETENCY LEGEND: 4 = Highly Competent; 3 = Competent; 2 = General Understanding; 1 = No Experience

List all laws/regulations based on data locations and customer residency jurisdictions

Use modified SIPOC to develop a data flow diagram: a Six Sigma tool for getting a process under control; data locations = resources

Columns: Data Suppliers / Sources | Data Location | Data Inputs | Data Flow Process Step | Data Outputs | Data Location | Data Customers

Data flow process steps (rows):
- Notice
- Data Collection
- Data Use / Handling
- Data Use / Handling
- Data Transfer / Sharing
- Data Storage / Retention
- Data Backup / Retention
- Data Disposal / Destruction

Create a data flow diagram with swim lane process owners; this informs the risk assessment

Interview process owners and document end-to-end privacy data flows / locations

Data flow, locations and inventory mapping

Maintain to reflect changes to the data flow process and/or data locations

Data inventory and locations map

Data Locations (columns): Database | Shared folder | Box | SharePoint | File cabinet
Rows: Resource owner; Resource custodian; Data inventory: Highly sensitive, Sensitive, Less sensitive, Non-sensitive

- Executives should assign owners to resources within their organizational control (or by default they become the owner)
- Resources: products/services, processes, applications, internal / external systems, technologies, service providers/partners
- Resource Owners are responsible for ensuring RBAC design, authorizing RBAC rights, and periodically reviewing RBAC rights for accuracy
- Resource Custodians are responsible for the Privacy/Security-by-Design of assigned resources

Match protection to data sensitivity: either do not move sensitive data to the public cloud, or ensure adequate protection if you do

Quartile data sensitivity classifications (examples may vary by country of jurisdiction)

- 4, Highly Sensitive: includes any of the following: SSN, payment card info, user ID/password, security question/answer (mother’s maiden name, DOB, place of birth, etc.), health insurance ID #; genetic info (defined by GINA), medical/health info, background check info, biometric record or identifiers
- 3, Sensitive: PII that does not fall into quartile 4 or 2, such as other personally identifiable dates, account #, vehicle ID/serial #, driver’s license/certificate #, other unique ID #/characteristic/code, geo-location data, other personnel file info
- 2, Slightly Sensitive: published contact info: name plus address, phone #; email address, fax #, instant message user ID, URL address, IP address, photo/video/audio file, persistent device/processor/serial ID; any other PII used for marketing purposes (see CA’s “Shine the Light Law”)
- 1, Non-Sensitive: non-personal information, such as session identifiers/cookies; business lead contact info is not sensitive in the U.S., but is in Canada, the EU, and elsewhere

Data sensitivity is largely determined by whether a compromise would require breach notification. Operational examples: adjust processes based on data sensitivity levels, e.g. pre-contract due diligence and periodic monitoring of BAs, roles-based access controls (RBAC), encryption, etc.

Controls effectiveness scale: the greater the risk, the stronger the controls should be

Scale | Controls                                    | Effectiveness Examples
10    | preventive, detective & corrective controls | IPS, account lock-out on failed log-ins
7-9   | preventive and detective controls           |
4-6   | preventive controls                         | privacy/security-by-design, policies/SOPs, training (awareness/on-the-job), keycards, authentication, RBAC system controls, encryption, hardening, firewalls/IDS, real-time log correlation/response, white/black listing, code testing prior to release, DLP, database activity monitoring
1-3   | detective controls                          | risk assessments, control evaluations, alerts, reports, periodic review of logs, file integrity monitoring, vulnerability scans, penetration testing, threat watch
0     | no controls                                 |

- Controls must be documented in a procedure, implemented, tested, monitored, and trained on where appropriate.
- Higher control effectiveness rankings within a category are based on multiple layers of controls (defense in depth).
- Controls can take into account: the company’s size, complexity and capabilities; the reasonability standard; costs vs. benefit; the company’s administrative, physical and technical infrastructure.

Types of controls: to manage the cause / risk event / effect relationship

[Diagram: Cause 1, Cause 2, Cause 3 pass through Preventive Controls to the Risk Event, whose Effect 1, Effect 2, Effect 3 pass through Detective Controls; the controls reduce Inherent Risk to Net / Residual Risk.]

Preventive Controls are proactive controls established to stop or deter risk events/causes from occurring. Examples include:
- Procedures/process maps
- Access Control Policy
- Segregation of Duties, e.g., dual control
- Management Review, e.g., sign-off on an expense report
- Training programs, e.g., new hire or skill training

Detective Controls are established to discover errors that have occurred and can be used to determine when/if a preventive control breaks down. Examples include:
- Alarms, e.g., email notification signaling an error/out-of-pattern situation
- Reports, e.g., monitoring reports for validation/comparison purposes
- Sampling, e.g., quality assurance sampling

Corrective Controls automatically manage/mitigate in response to an alert, e.g., IPS

Assessing and mitigating risk

- Annual risk assessment: enterprise-oriented
- Privacy (risk) impact assessment (PIA): conduct for new / enhanced resources to define requirements, then implement and test prior to rollout (Privacy-by-Design). Cloud services are of course a resource

Qualifying and managing subcontractors: regulators’ expectations of due diligence are ongoing

- Assess the subcontractor’s compliance
  - Audits: ISO 27001/27002:2013; SSAE 16 SOC 2 Type II (5 Trust Service Principles); PCI DSS; HIPAA; CSA; FedRAMP
  - InfoSec due diligence questionnaire; include analysis of cloud provider agreements
- Properly contract re: privacy / security requirements
- Continuously manage and monitor compliance
  - Avoid/report a pattern of improper activity
  - Additional periodic due diligence if sensitive data is involved
  - Monitor the cloud provider’s security

Many cloud computing agreements are take-it-or-leave-it: compensate by obtaining/reviewing contracts as part of due diligence and determining what controls need to be integrated with and wrapped around the cloud service

All cloud agreements should include appropriate security measures:
- Data locations: all instances, including backups
- Secure access controls via console and APIs
  - Dedicated connection using 802.1Q VLANs
  - IPsec VPN tunnel via private subnet
- Identity and access management tools
  - Unique user IDs/passwords
  - Multi-factor authentication for sensitive data
  - RBAC roles
- Encrypted data in transit and at rest; the client should retain the keys
- Built-in firewalls to control ingress; manage F/Ws to control egress
- Cooperation with the cloud client
- Logging
  - 24x7 correlation and response management for sensitive data
  - Monitoring: patches, vulnerabilities

Determine whether to use the cloud provider’s tools or independent tools with additional features and functionality that improve data portability from cloud to cloud.

Consider a managed cloud services provider who resells and understands, for example, AWS cloud services, and can help you successfully implement it for your use.

Cloud Select Industry Group (CSIG) SLA standards guidance: Cloud Security Alliance, ENISA, DLA Piper, Amazon, Google, IBM, Microsoft, etc.

Guidance regarding what business should seek to have in place (6/20/2014, 41 pages):
1. Standards or certification mechanisms the cloud service provider complies with
2. Precise description of the purposes of processing
3. Clear provisions regarding retention and erasure of data
4. Reference to instances of disclosure of personal data to law enforcement and notification to the customer of such disclosures
5. A full list of subcontractors involved in the processing and inclusion of a right of the customer to object to changes to the list, with special attention to requirements for processing of special or sensitive data
6. Description of data breach policies implemented by the cloud service provider, including relevant documentation suitable to demonstrate compliance with legal requirements
7. Clear description of the geographical location where personal data is stored or processed, for purposes of implementing appropriate cross-border transfer mechanisms
8. Time period necessary for a cloud service provider to respond to access, rectification, erasure, blocking, or objection requests by data subjects

Broad recommendations to be trialed by the EU Commission and hopefully evolve into an ISO standard

Summary

Key points

Summary of key points

- Compelling business case for privacy, yet many compliant organizations continue to suffer breaches
- Achieving a legally defensible posture better protects an organization and its customers
- ERM establishes a legally defensible system by creating accountability for risk and making informed decisions within a company’s risk tolerance
- The risk associated with subcontractors, including cloud services providers, must be addressed in a legally defensible manner

QUESTIONS?

Appendix

Supplementary Slides

56

ICAEW Audit Insights: Cyber Security 2015The work of a group of audit experts from the 6 largest audit firms - pub. Oct. 2014

Growing gap between business and cyber attacker capabilities Threats rapidly growing in scale and record numbers Economic growth leads to new business activity creating new cyber risks Focus finite resources in the right places, e.g. in monitoring, detection and response Coordinate system-wide actions, e.g. trading partners and service providers Social media exposes business with poor breach response capabilities

Viewing security as a compliance issue creates a significant barrier

Heavy planning and not enough commitment and action to real change

View security as a competitive advantage: a trusted partner in the digital economy

2013 report: Embed cyber in all activities with appropriate responsibility/accountability, recognizing people as the weakest link

Accept that security will be compromised and consider use of 3rd party advisors

Focus on critical information assets, where they are stored and who has access

Get the basics right and demonstrate commitment to a strong security culture; show leadership to encourage behavioral change

57

ICAEW Audit Insights: Cyber Security 2015: Board recommendations
To ensure a commitment and priority to deliver real change

Continue to build cyber security knowledge/confidence and challenge officials to explain security strategy and risk mitigation plans

Ensure the board can explain its critical data and associated risks, even where regulatory pressure does not exist

Ensure security is designed into strategy and operations, especially new activities

Focus attention on monitoring, detection and response capabilities, including ad hoc cyber simulations, and not just consider preventive actions

Focus on making a positive case for security, based around being a trusted partner in the digital economy

Determine information needs regarding cyber risks and track progress of security activities

Drive adoption system-wide, including trading partners and supply chains

58

Information governance takes a village
Actor: high level responsibilities

Board of Directors: Duty to protect corporate assets: information (PII, trade secrets, IP) and critical infrastructure. SEC cybersecurity risk disclosure.

Executives: Program commitment; establish as a strategic imperative; provide resources/budget

Privacy Governance Steering Committee (charter & standing agenda): Provide strategic guidance and ensure management support. Help establish risk tolerance through risk related decision-making/guidance (risk assessments). Ensure privacy/security officials are engaged by their staff/resource owners for privacy/security related design or other issues; be their “eyes and ears”

Privacy & Security Officials: Program leadership and establishment; SEC cybersecurity disclosure sign-off if public

Management: Program support; on-the-job privacy/security training; identify staff AUP violations; identify prospective service providers to the CPO early for due diligence; own Privacy/Security-by-Design for non-engineering activities

Privacy Liaisons: Liaisons for each privacy data lifecycle function ensure adherence to privacy policy

HR: Identify/schedule new hires for privacy/security training; conduct background checks

Legal / Compliance: Ensure proper contracting with service providers. Keep the Board abreast of privacy and cybersecurity risk exposure and posture

InfoSec Team: Implementation working group: regular review of RBAC rights; ensure implementation of risk mitigation activities and report status to the Steering Committee

Domain Owners: Application security; technical controls; physical controls; administrative controls (or the 14 control domains in ISO 27002:2013)

Resource Owners: Authorize RBAC roles; grant rights; periodically review rights for accuracy

Resource Custodians: Implement approved RBAC rights; ensure Privacy/Security-by-Design for resources

Engineering Director / Program Manager: Provide Privacy/Security-by-Design guidance to engineers and SQA as well as code review teams for data driven initiatives, new / enhanced resources, and as changes are made to data flow processes and/or data locations

Workforce Members: Adhere to AUP and other policies/SOPs

59

Risk assessment and management

Formal risk assessment process

Invite appropriate participants and appoint a facilitator and record keeper

Identify risks through brainstorming using data mapping and other tools

Determine effectiveness of existing controls

Determine likelihood of occurrence and severity of impact

Rank based on total risk value and determine material risks requiring response

Assign risk owner and agree on risk response based on organization risk tolerance

Risk mitigation planning and execution

Develop risk mitigation plans including milestones

Ensure mitigation plans are developed into requirements, implemented and tested prior to roll-out

Approval and tracking by Privacy Steering Committee

Obtain approval of identified and material risks, risk owners, risk response, and mitigation plans

Track / report on implementation progress of mitigation plans

Update policies/SOPs and training as appropriate

60

Basic risk assessment template

Columns, grouped as on the template:

Risk Scope: #; Risk; Scope In/Out; Domain / Domain Owner; Key Potential Root Causes

Controls Evaluation: Existing Key Controls; Controls Effectiveness (1-10); Potential Effects / Impacts

Risk Valuation: Net Likelihood (1-7); Net Impact (1-6); Net Loss (1-7)

Sample valuation row: Controls Effectiveness 5; Net Likelihood Medium; Net Impact Damaging; Net Loss High

Net Loss scale: Negligible, Very Low, Low, Medium, High, Very High, Extreme

61

5 risk responses

Accept – Business decides to accept the current level of risk because: a) the mitigation costs outweigh the benefits; or b) the key causes are out of its control (inescapable part of doing business)

Avoid - Eliminate a process or product to avoid the risk or condition, as the risks outweigh the rewards. E.g., remove installation of a faulty slide that could hurt children from the project plan

Transfer/Share - Contractually shift or share the consequences of a risk to a third party or insure the risk

Monitor – Temporarily delay selecting another response until more information, usually research, is obtained. The timeframe should be agreed upon, usually no more than 30-60 days, and tracked

Mitigate – Improve control effectiveness to control the risk to an acceptable threshold, either by reducing the frequency and/or the effect

Rationales and approving authorities must be documented for all responses

62

RM tiers in the NIST Cybersecurity Framework
Tier definitions

Tier 1 PARTIAL
RM Process: Informal, ad-hoc (and sometimes reactive) RM practices. Prioritization of RM may not be directly informed by organizational risk objectives, the threat environment, or business requirements.
Integrated RM Program: Limited RM awareness. RM implemented on an irregular, case-by-case basis. Processes do not enable risk information to be shared within the organization.
External Actions: No processes in place to share information with other entities.

Tier 2 RISK INFORMED
RM Process: Management approved RM practices are not established in policy. Prioritization of RM is directly informed by organizational risk objectives, threat environment, or business/mission requirements.
Integrated RM Program: Risk awareness but informal RM. RM procedures are implemented. Staff has adequate resources to perform their RM duties. Risk information is informally shared within the organization.
External Actions: Awareness, but no formalized capabilities to interact and share information externally.

Tier 3 REPEATABLE
RM Process: Formal RM practices in policy. RM practices are regularly updated based on changes in business requirements and a changing threat and technology landscape.
Integrated RM Program: Formal RM and policies/procedures are implemented/reviewed and respond effectively to changes in risk. Personnel possess knowledge/skills to perform appointed roles/responsibilities.
External Actions: Understands dependencies; collaborates with and receives information from other entities.

Tier 4 ADAPTIVE
RM Process: Lessons learned and predictive indicators inform RM practices. Actively adapts to a changing risk landscape and responds to evolving/sophisticated threats in a timely manner.
Integrated RM Program: RM is part of the culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on systems/networks.
External Actions: Collaborates to ensure accurate, current information to improve RM actions before events occur.

63

Basic risk mitigation planning template

Columns, grouped as on the template:

Risk Response: #; Risk; Risk Response

Risk Mitigation: Mitigation Plan Owner; Mitigation Strategy; Action Plans; Planned Due Date

Status Update: On-Track Completion Progress (G, Y, R)

Post Mitigation Valuation: Controls Effectiveness (1-10); Post Mitigation Likelihood (1-7); Post Mitigation Impact (1-6); Post Mitigation Loss (1-7)

On-Track Completion Progress: Green, Yellow, Red allows a quick status update to inquire about issues/obstacles where appropriate

Post Mitigation Loss: Negligible, Very Low, Low, Medium, High, Very High, Extreme
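The two templates above and the five risk responses are easier to apply consistently once the scoring arithmetic and the approval rules are written down in one place. The following is an added example, not code from the slides or from SoCal Privacy Consultants: a small Python risk register that scores rows on the deck's scales (controls effectiveness 1-10, likelihood 1-7, impact 1-6, loss 1-7), ranks in-scope risks by total risk value, and flags what the Privacy Steering Committee should send back before approval (a material risk with no response, a response without a documented rationale and approving authority, an untracked or overlong Monitor window, a Mitigate response whose plan does not actually lower the loss band). The deck does not give the formula behind Net Loss, so the likelihood x impact bucketing in `net_loss()`, the 60-day Monitor cap as a hard limit, and the sample rows are assumptions.

```python
"""Risk register scoring and mitigation tracking. Added example, not from the deck.
Scales follow the deck's templates (controls effectiveness 1-10, likelihood 1-7, impact 1-6,
loss 1-7). The deck gives no formula for Net Loss, so net_loss() is an assumed mapping:
likelihood x impact (1..42) bucketed into seven six-wide bands. Sample rows are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

LOSS_LABELS = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
RESPONSES = {"Accept", "Avoid", "Transfer/Share", "Monitor", "Mitigate"}
MONITOR_MAX_DAYS = 60        # deck: "usually no more than 30-60 days and tracked"


def net_loss(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 7 and 1 <= impact <= 6):
        raise ValueError("likelihood must be 1-7 and impact 1-6")
    return (likelihood * impact - 1) // 6 + 1   # assumed: 1-6 -> 1 ... 37-42 -> 7


@dataclass
class Mitigation:
    due: date
    post_likelihood: int          # 1-7 after new/strengthened controls
    post_impact: int              # 1-6
    def post_loss(self) -> int:
        return net_loss(self.post_likelihood, self.post_impact)


@dataclass
class Risk:
    number: int
    description: str
    controls_effectiveness: int   # 1-10, existing key controls
    likelihood: int               # 1-7
    impact: int                   # 1-6
    in_scope: bool = True
    response: Optional[str] = None
    rationale: str = ""
    approved_by: str = ""
    decided_on: Optional[date] = None
    monitor_until: Optional[date] = None
    mitigation: Optional[Mitigation] = None
    def loss(self) -> int:
        return net_loss(self.likelihood, self.impact)


def rank(register: List[Risk]) -> List[int]:
    """Risk numbers by total risk value: highest loss, then likelihood, then weakest controls."""
    rows = [r for r in register if r.in_scope]
    rows.sort(key=lambda r: (-r.loss(), -r.likelihood, r.controls_effectiveness))
    return [r.number for r in rows]


def issues(register: List[Risk], material_threshold: int) -> dict:
    """Checks before Steering Committee approval: material risks have a response, every response
    is documented and approved, Monitor is tracked and within the cap, Mitigate lowers the loss."""
    found = {}
    for r in register:
        if not r.in_scope:
            continue
        p = []
        if r.response is None:
            if r.loss() >= material_threshold:
                p.append("material risk has no response")
        elif r.response not in RESPONSES:
            p.append(f"unknown response {r.response!r}")
        else:
            if not (r.rationale and r.approved_by):
                p.append("rationale and approving authority must be documented")
            if r.response == "Monitor":
                if r.decided_on is None or r.monitor_until is None:
                    p.append("Monitor response has no tracked time frame")
                elif (r.monitor_until - r.decided_on).days > MONITOR_MAX_DAYS:
                    p.append(f"Monitor window exceeds {MONITOR_MAX_DAYS} days")
            if r.response == "Mitigate":
                if r.mitigation is None:
                    p.append("Mitigate response has no mitigation plan")
                elif r.mitigation.post_loss() >= r.loss():
                    p.append("mitigation plan does not lower the loss band")
        if p:
            found[r.number] = p
    return found


# Constructed sample register (illustrative rows, not data from the deck).
DECIDED = date(2014, 11, 13)
REGISTER = [
    Risk(1, "PHI on unencrypted laptops", 3, 5, 6, response="Mitigate",
         rationale="PHI breach triggers notification; FDE is cheap",
         approved_by="Privacy Steering Committee", decided_on=DECIDED,
         mitigation=Mitigation(date(2015, 1, 31), 2, 6)),
    Risk(2, "Cloud provider adds subcontractors without notice", 4, 6, 4, response="Monitor",
         rationale="Awaiting provider's revised MSA", approved_by="Privacy Steering Committee",
         decided_on=DECIDED, monitor_until=date(2015, 3, 1)),
    Risk(3, "Stale marketing list kept past retention policy", 6, 2, 2, response="Accept"),
    Risk(4, "Paper records at closed branch", 5, 7, 6, in_scope=False),
]

if __name__ == "__main__":
    problems = issues(REGISTER, material_threshold=3)
    for n in rank(REGISTER):
        print(n, LOSS_LABELS[REGISTER[n - 1].loss() - 1], "; ".join(problems.get(n, ["ok"])))
```

Run as a script, the register prints in ranked order: risk 1 (High) passes because its plan drops the loss band from 5 to 2, risk 2 is returned because a 108-day Monitor window is outside the 30-60 day guidance, risk 3 is returned because an Accept decision still needs its rationale and approver recorded, and the out-of-scope row is not ranked at all.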

64

Risk-based controls evaluation
Using NIST Cybersecurity Framework's RM maturity tiers

Columns: #; Standard; Control requirements; Current profile RM tier (existing controls); Target profile RM tier (new or strengthened controls)

Risk Management (“RM”) Maturity Tiers: 1. Partial; 2. Risk informed; 3. Repeatable; 4. Adaptive

65

Regulators interview to reveal:

Executive (VPs+) commitment is demonstrated through participation in the Privacy Steering Committee for purposes of:

Reviewing program reporting and providing appropriate guidance and approvals, for example risk assessment approval, breach/security incident updates, etc.

Reviewing and approving policies as appropriate

Allocating adequate resources and budget

Ensuring management support and engagement to implement policy

Management (Directors and anyone with direct reports) shall actively support information security and the company’s adherence to the requirements of all program policies by:

Ensuring “Privacy/Security-by-Design” when creating requirements for new/enhanced products, services, systems, and engagements with vendors and partners

Ensuring implementation of adequate privacy/security controls across the company

Providing oversight of users to ensure compliance with the Acceptable Use Policy and other policies

Requesting that the CPO conducts due diligence of service providers / vendors who may have access to PHI/PII, and properly contracting with same prior to granting access. Such contracts shall include the Business Associate Agreement and Information Security Agreement as appropriate.

Reporting non-compliance with the program’s policies to either the CPO or another InfoSec Team member

66

Cross Border Transfer Rules (mechanisms)

Available options (these apply even to companies with international offices transferring data to a U.S. facility):

1. De-identified data. Pathway is implementing this option March 1, 2014: consent updated; reject non-de-identified samples and destroy on a 60 day cycle

2. Safe Harbor. The EU proposes 13 changes to strengthen accountability and enforcement (NSA reaction)

3. Consent, clear and unambiguous. Disclose that the data transfer is to a country with inadequate privacy safeguards

4. Data transfer agreements, e.g., to deliver a product/service: Model Contract Clauses; Binding Corporate Rules (BCRs)

EU believes its jurisdiction applies when (a contractual “choice of law” clause in a privacy policy does not override this reach):

Corporate presence or agent in EU/EEA

Cookies are placed on its citizens’ computers (not legally tested)

Proposed new EU law exerts jurisdiction if goods/services are offered to its citizens or its citizens are monitored

U.S. Sentencing Guidelines for Effective Compliance Programs
For remedying harm from criminal conduct, and an effective compliance and ethics program

Seven criteria used by state AGs and regulatory authorities to determine corporate culpability and impose appropriate sanctions

1. Designate a privacy/security official for day-to-day compliance and clearly define roles and responsibilities for personnel, management and executive governance committee

2. Establish written, comprehensive policies, procedures and standards to prevent and detect criminal conduct / unacceptable behavior and promote a culture of compliance

3. Conduct on-boarding and annual training and continual education - communicate company standards/procedures to officers, employees, and agents as appropriate

4. Develop open lines of communication for reporting security incidents and other compliance issues that should include providing an anonymous hotline and conducting exit interviews to uncover unreported issues

5. Monitor and self-audit by regularly conducting risk assessments and control assessments and reporting program effectiveness to the executive governance committee, and continually updating and improving the program

6. Respond appropriately to incidents and take steps to prevent recurrence, including investigation, mitigation plans, and, as appropriate, breach notification

7. Ensure consistent enforcement and discipline of violations of well-publicized policies to demonstrate program credibility and integrity, commitment to compliance, and to prevent recurrence

Regulators refer to this as a “culture of compliance”

67

Top 20 SANS Critical Security Controls for Effective Cyber Defense

Strengthen the 10-year-old HIPAA Security Rule with a well-vetted “standard of care”

68

Originally developed by the Consortium for Cybersecurity Action, which includes government agencies and private organizations (such as SANS, Verizon Business, American Express, Booz Allen Hamilton, Center for Internet Security, Core Security, Department of Defense Cyber Crime Center, Defense Information Systems Agency, Goldman Sachs, McAfee, nCircle, Qualys, Tenable, Australian Government - Innovations, Citibank, Centre for the Protection of National Infrastructure, Department of Homeland Security, Department of Defense, Mandiant, Mitre, National Security Agency, Symantec, and others).

Tier 1. VERY HIGH
Inventory of Authorized & Unauthorized Devices (1)
Inventory of Authorized & Unauthorized Software (1)
Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers (1a.)
Continuous Vulnerability Assessment & Remediation (1a.)

Tier 2. HIGH
Application Software Security
Wireless Device Control

Tier 3. HIGH / Medium
Malware Defenses
Security Configurations for Network Devices, e.g. Firewalls, Routers, & Switches
Limitation & Control of Network Ports, Protocols, & Services
Controlled Use of Administrative Privileges
Boundary Defense

Tier 4. Medium
Data Recovery Capability
Security Skills Assessment & Appropriate Training to Fill Gaps
Maintenance, Monitoring, & Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring & Control
Incident Response & Management

Tier 5. Medium / Low
Data Loss Prevention

Tier 6. Low
Secure Network Engineering
Penetration Tests & Red Team Exercises

Tiers are based on assessment by NSA alone. All are considered important controls. The tiers may help with prioritization of efforts.

First 5 Quick Wins: application whitelisting; using common, secure configurations; patch application software within 48 hours; patch system software within 48 hours; reduce the number of users with administrative privileges.

Verizon Business no longer includes a list of remediation recommendations for its common root cause findings in its annual Data Breach Investigations Report and instead refers to the SANS Top 20 CSCs.
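The fifth quick win (reduce the number of users with administrative privileges) and the InfoSec Team's regular review of RBAC rights both start with the same question: who actually holds administrative privilege on a host, and through which path? As an added example, not code from the slides or from the Critical Security Controls project, the Python script below answers that for a Linux host by reading administrative group membership from /etc/group and user specifications from /etc/sudoers (expanding User_Alias and %group entries), and separates full sudo (command ALL) from command-limited sudo, which is what least privilege looks like in that file. The set of admin group names and both sample files are constructed assumptions; on a real host, read the files instead of the embedded strings.

```python
"""Who holds administrative privileges on a Linux host? Added example, not from the deck.
Supports the CSC quick win "reduce the number of users with administrative privileges" and the
RBAC rights reviews the deck asks for: reads admin-group membership from /etc/group and user
specs from /etc/sudoers (expanding User_Alias and %group), and separates full sudo (command
ALL) from command-limited sudo. Sample files at the bottom are constructed, not captured."""
import re
from typing import Dict, List, Set, Tuple

ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}   # assumption: the usual admin groups
SKIP = ("Cmnd_Alias", "Host_Alias", "Runas_Alias", "Defaults")
TAGS = r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*)+"


def parse_group(text: str) -> Dict[str, Set[str]]:
    """group name -> members, from /etc/group lines 'name:x:gid:m1,m2'."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups


def logical_lines(text: str) -> List[str]:
    """Join backslash continuations and strip comments. '#include' and '#includedir'
    directives are dropped with the comments: sudoers.d is not available offline."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def parse_sudoers(text: str, groups: Dict[str, Set[str]]) -> List[Tuple[str, List[str], str]]:
    """(user, commands, via) for every user that a user specification grants something to."""
    aliases: Dict[str, Set[str]] = {}
    grants = []
    for line in logical_lines(text):
        if line.startswith("User_Alias"):
            lhs, rhs = line.split("=", 1)
            aliases[lhs.split()[1]] = {u.strip() for u in rhs.split(",")}
        elif line.startswith(SKIP) or "=" not in line:
            continue
        else:
            lhs, rhs = line.split("=", 1)
            who = [w for w in "".join(lhs.split()[:-1]).split(",") if w]   # last token = hosts
            rhs = re.sub(r"^\(.*?\)\s*", "", rhs.strip())                 # drop (runas)
            cmds = [c.strip() for c in re.sub(TAGS, "", rhs).split(",")]
            for entry in who:
                if entry.startswith("%"):
                    grants += [(u, cmds, f"group {entry}") for u in groups.get(entry[1:], ())]
                elif entry in aliases:
                    grants += [(u, cmds, f"alias {entry}") for u in aliases[entry]]
                elif not entry.startswith("+"):                           # skip netgroups
                    grants.append((entry, cmds, "user spec"))
    return grants


def admin_report(group_text: str, sudoers_text: str):
    """(full_admins, limited_sudo), each user -> reasons. Full = admin group or sudo ALL."""
    groups = parse_group(group_text)
    full: Dict[str, List[str]] = {}
    limited: Dict[str, List[str]] = {}
    for g in sorted(ADMIN_GROUPS & set(groups)):
        for u in sorted(groups[g]):
            full.setdefault(u, []).append(f"member of {g}")
    for user, cmds, via in parse_sudoers(sudoers_text, groups):
        target = full if "ALL" in cmds else limited
        target.setdefault(user, []).append(f"sudoers {via}: {', '.join(cmds)}")
    return full, limited


# Constructed sample inputs (not from a real host).
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice
ops:x:1001:carol,dave
"""
SUDOERS_FILE = """\
# constructed sample sudoers
Defaults    env_reset
User_Alias  DBADMINS = erin, frank
Cmnd_Alias  SERVICES = /usr/bin/systemctl restart nginx, \\
                       /usr/bin/systemctl status nginx
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
%ops        ALL=(root) NOPASSWD: SERVICES
DBADMINS    ALL=(postgres) /usr/bin/psql
gina        ALL=(ALL) ALL
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    full, limited = admin_report(GROUP_FILE, SUDOERS_FILE)
    print(f"{len(full)} full admins: {sorted(full)}; command-limited sudo: {sorted(limited)}")
```

On the sample files the report names four full administrators (root and gina through user specs, alice and bob through the wheel group, with alice also in sudo) and four command-limited users (carol and dave via %ops, erin and frank via the DBADMINS alias). The count of full administrators is the quick-win metric to drive down; the reasons list is what a Resource Owner needs when re-authorizing rights during the periodic review.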

69

Certified, experienced privacy (CIPP), security (CISSP), and cloud (CCSK) professionals help you establish a legally defensible Privacy and Security Program with our 2-phased process:

Phase 1 – Gap Assessment

Create data flow, inventory, and locations map

Conduct controls evaluation of your current program against applicable regulations and standards. These may include HIPAA, PCI-DSS, GLBA, ISO 27002:2013, NIST Cybersecurity Framework, SEC Cybersecurity Alert, state privacy laws, cross-border transfer rules, cloud strategy, mobile apps, and more.

Perform risk assessment

Provide report of findings and prioritized roadmap for you to establish or strengthen your program

Phase 2 - Implementation

Assist with custom implementation of Phase 1 recommendations, including policies and procedures

An effective transfer of knowledge and all our tools are provided to enable you to establish a LEAN Privacy and Security Program that is sustainable and legally defensible. Our goal is always to create a raving client!

Michael Cox, CIPP, President
[email protected]
619.318.1263

www.SoCalPrivacy.com

Information privacy and security due diligence and programs

SoCal Privacy Consultants BIOs
Five+ years of working together

Michael Cox, CIPP

President and Privacy Risk Consultant, SoCal Privacy Consultants

Chief Privacy Officer, Pathway Genomics Corporation

Confidential clients - one under FTC consent order: built program / provide consulting

VP of Enterprise Risk Management, Goal Financial

Business Risk Officer, Capital One Auto Finance

VP of Operations – multiple organizations

Certified Information Privacy Professional (CIPP)

Member, International Association of Privacy professionals (IAPP)

Member, IAPP Professional Privacy Faculty

Co-author, Security chapter for HIMSS Good Informatics Practices (GIP)

Frequent speaker on privacy subjects

B.S., Business Administration, Virginia Tech

Paul Boulanger, CISSP, CCSK

Information Security Consultant, SoCal Privacy Consultants

Information Security Officer, Pathway Genomics Corporation

CTO/Co-Founder, Sea Networks, Inc.

Sr. Internet Engineer, Nextleft

Instructor of Microsoft Certified Systems Engineer class for DoD personnel retraining at San Diego State University

Certified Information Systems Security Professional (CISSP)

Certificate of Cloud Security Knowledge (CCSK)

Computer Science, University of California at San Diego