
Page 1: 2015 AGA/EEI Utility Internal Audit Training · Scope of the challenge Limited to your “four walls”and the extended enterprise ... 2015 PwC Power & Utilities CAE Survey Customer

2015 AGA/EEI Utility Internal Audit Training

Data Privacy

August 25, 2015

www.pwc.com

Page 2

Agenda

• Key concepts of data privacy

• Current privacy trends

• Emerging privacy focus areas for utilities

Page 3

Key concepts of data privacy

Page 4

Role of the CPO versus the CISO

• CPO – Determines what data needs to be protected

- Regulations

- Privacy requirements/controls

- Privacy risk assessments

- Privacy by design

- Privacy impact assessments

- Governs privacy incident management processes, notification, and impact to individual experience

• CISO – Develops and manages data protection

- Technical security and controls

- Identifies, evaluates, protects against, and reports on information security risks

- Educates stakeholders that this is not solely a technology and security issue

Page 5

The information lifecycle

1. Create/Collect

2. Store/Transmit

3. Use/Distribute

4. Retain

5. Dispose/Destroy

Information flows throughout the organization and privacy must be considered in all phases.

Page 6

What are organizations trying to protect?

Key drivers for data protection & privacy

Proprietary Business Information: intellectual property, critical asset information, regulated data, sourcing strategy

Personally Identifiable Information: name, age, identification numbers, home or e-mail address, geolocation data, phone number, income or physical characteristics, opinions, web browsing or energy history/patterns. Most information an organization collects about an individual is likely to be considered personal if it can be attributed to an identified individual.

Sensitive Personal Information: information on medical or health conditions, financial information (including credit cards), ethnic origin – defined by regulation but also by policy

Page 7

What is data privacy?

Privacy encompasses the rights of individuals and obligations of organizations with respect to the collection, use, retention, disclosure and disposal of personal information across the information lifecycle.

• Notice

• Choice and consent

• Collection

• Use, retention and disposal

• Access

• Disclosure

Page 8

Data Protection & Privacy Program Components

Accountability and Governance

• Designation of responsibility for sensitive data protection

• Cross functional partnerships and processes

Risk and Compliance Assessment

• Applicable laws and regulations

• Business process risk ranking

• Data flow mapping and inventory

• Privacy impact assessment

Processes and Controls

• Policies and procedures

• Collection, storage, use, transfer and destruction processes

• Technical, administrative and physical data protection controls

• Privacy By Design principles

Training and Awareness

• Comprehensive training with defined elements, audience, frequency, monitoring and sanctions

Monitoring and Auditing

• Periodic testing of control effectiveness

• Independent assessments

Incident Management and Response

• Defined response and breach notification plan

• Testing of plan

• Inclusion of vendor or third party

Vendor Management

• Risk valuation of vendor relationships

• Vendor assessment (questionnaire/onsite)

• Reporting and on-going evaluation


Page 9

Current privacy trends

Page 10

Evolving perspective on privacy & security

Historical IT security and privacy perspectives compared with today’s leading cybersecurity and privacy insights:

Scope of the challenge

- Historical: Limited to your “four walls” and the extended enterprise

- Today: Spans your interconnected global business ecosystem

Ownership and accountability

- Historical: IT and Legal led and operated

- Today: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics

- Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain

- Today: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection

- Historical: One-size-fits-all approach

- Today: Prioritize and protect your “crown jewels” and manage data across the information management lifecycle

Defense posture

- Historical: Protect the perimeter; respond if attacked

- Today: Plan, monitor, and rapidly respond when attacked

Regulatory environment

- Historical: Self regulation

- Today: Regulatory upheaval in privacy across the globe and emerging cyber security regulation; increased enforcement

Security intelligence and information sharing

- Historical: Keep to yourself

- Today: Public/private partnerships; collaboration with industry working groups

Consumer awareness and expectations

- Historical: Limited use of consumer data to market and personalize products

- Today: The boom of Big Data is colliding with increased concerns/awareness over privacy

Page 11

Overall trends in privacy efforts across industries

• Continued focus on privacy and security in all sectors, at the state and federal level – emerging regulations do not necessarily align with each other

• Companies want to leverage Big Data and are re-evaluating their current information governance model for compliance and maximized opportunities

• Significant data breaches continue; targets go beyond payment card data

• Intersection of information governance and data privacy

• Ongoing challenges with:

- Creating a sufficiently robust privacy strategy that accounts for a complex, multi-regulatory, and changing environment

- Effectively managing information across structured and unstructured data

- Standardizing practices across all entities and regions

- Coordinating incident response and investigations

- Adopting privacy values throughout the enterprise

- Implementing privacy commitments with supporting processes and controls

Page 12

Trends in regulatory enforcement

• Transparency – Information collection and use practices should be transparent to the consumer and appropriate to the medium in which they are provided (e.g., short-form privacy notices for mobile apps)

• Simplified choice – Companies should provide consumers the ability to make decisions about their data at a relevant time and in a relevant context

• Privacy and security by design – Privacy needs to be embedded in every stage of the product/systems development lifecycle

• Compliance with privacy policies – Regulators look to consumer-facing privacy policies to determine whether companies have a program to comply with those notices

• “Reasonable” security practices – Expectation that all companies have reasonable security practices and safeguards in place to protect consumer data

• Ownership & accountability – Expectation that there is a clearly defined individual or group of individuals responsible for privacy and security programs

• Formally documented privacy program – Expectation that companies have a formally documented program, including review against accepted frameworks such as the FTC’s Privacy Report issued in March 2012

Page 13

GSISS Survey 2015 – Utilities summary results

Progress implementing key safeguards

Page 14

GSISS Survey 2015 – Utilities summary results

Security spending

Page 15

GSISS Survey 2015 – Utilities summary results

Sources of incidents

Page 16

Emerging privacy focus areas for utilities

Page 17

Privacy focus areas for utilities

• Smart Grid continues to drive much of the privacy dialogue, but a broader focus on customer (and employee) data is emerging

• Industry transformation is driving new data and processes and requires new controls; emerging uses for technology and data

• M&A activity disrupts resource availability and program stability

• Information sharing and analysis centers (ISACs) maturing

• Regulatory activity continues with broad ranges of compliance requirements

• DataGuard Energy Data Privacy Program published

• Exploration of outsourcing and cloud services, particularly related to employee – vendor risk programs remain under development

• Increase in Board focus on privacy, but often after an incident

Page 18

Maturity of internal privacy programs

Share of respondents at each maturity level, with the level definitions used in the survey:

Undefined (15%)

- Have not formally or informally assigned anyone the privacy responsibilities

Initial (31%)

- At least one person is handling privacy issues at least part time on an ad-hoc basis

- Activities are mostly reactive in nature

Repeatable (19%)

- At least one person has been handling privacy issues on a full-time basis for at least a year

- Complete program has yet to be defined

Defined (27%)

- Have a formally designated privacy leader and a complete set of documented privacy policies and procedures

- Have completed first enterprise privacy assessment or audit

Managed (4%)

- Regularly quantify our privacy performance, including keeping data inventory current

- Make process improvements based on results

Optimized (4%)

- Have found no material gaps in two consecutive enterprise privacy assessments or audits

Source: 2015 PwC Power & Utilities CAE Survey – Customer Information

Page 19

Personal Details Courtesy of the Smart Grid

(Figure labels: Smart Grid Data, Utility Usage, Consumer Profiling, Personal Information)

• Identifiable load signatures (e.g., laundry, toaster, dishwasher) tracking consumer living patterns

• PEV charge stations tracking electric vehicle travel routines and location data

• Number of members in a household and sleep routines

• Medical device usage and consumer health implications

• Identifying homes with security systems vs. vacant houses

Trove (GridGlo) Mines Smart Grid Data for B2B Monetization*

• Data is aggregated from:

- Public records – DMV, city permits

- Smart Grid data

• Complex algorithms used to develop applications for:

- Energy Forecasting Modeler

- Demand Response

- Customer Scoring

- Financial Risk Management

*Source: http://www.greentechmedia.com/articles/read/gridglo-mines-data-for-smart-grid-apps

Page 20

Gearing up for convergence

The convergence of information, operational and consumer technologies will very likely introduce tremendous benefits for business and conveniences for customers. It will also create a new world of privacy and security risks for power and utility companies.

Page 21

2015 PwC Power & Utilities CAE Survey – Customer Information

Customer Engagement Mechanisms

• Social media

• Message boards/blogs

• Email

• Mobile applications

• Press events

81% of respondents indicated their company has initiated or expanded customer engagement mechanisms through social media (e.g., Twitter, Facebook) as well as mobile applications.

5% of the respondents also specified television as one of the mechanisms for customer engagement.

Page 22

Level of Visibility of Consumer Data Privacy

Share of respondents (chart values, paired with the labels in extraction order):

• Privacy office provides annual report to the Board – 6%

• Privacy principles are included in tariffs – 19%

• Privacy is designated in a publicly-available document as a top enterprise risk to be managed – 25%

• Have communicated privacy approach to consumers – 38%

• Have a special web page dedicated to explaining consumer privacy – 13%

• All employees complete annual privacy training – 63%

Privacy risks in order of highest concern to lowest concern:

1. Company does not have sufficiently defined policies around acceptable uses of consumer personal data

2. Company does not have a robust enough approach for handling third-party requests for personal data

3. Company does not have sufficient information security protections for personal data

4. Company does not know where all personal data is

5. Company does not have sufficient oversight of vendors’ handling of personal data

Source: 2015 PwC Power & Utilities CAE Survey – Customer Information

Page 23

Board level focus

Board members should ensure a proactive focus on:

1. Identify – Determining what their most valuable information assets are, where they are located at any given time, and who has access to them.

2. Protect – Developing an evolved approach to security and privacy programs in which businesses allocate and prioritize resources to proactively protect, and create and enact incident response plans in case of an event.

3. Be Accountable – Holding business executives accountable for protecting valuable data in the same manner as they are held accountable for financial results and other key business management metrics.

Page 24

Additional questions boards are considering

1. Due Care

What does the board exercising due care mean in the context of cybersecurity and privacy? Regulators are increasingly taking this approach. (Can we show that we have 1) done a risk assessment, 2) assessed ourselves against a recognized standard (e.g. NIST or ISO), 3) implemented a program and 4) have a way of monitoring compliance against commitments?)

2. Storing data in the cloud

Is outsourcing data storage a better security system than at least most companies can securely do on their own? What are the privacy considerations associated with storing data in the cloud, e.g. cross-border data transfer requirements?

3. Mergers and Acquisitions

Where a merger or acquisition is contemplated, is a review of the sufficiency and integrity of cybersecurity and privacy protections necessary? Has valuable IP already been leaked?

4. Insider Threat

What has been done to mitigate threats from insiders to prevent crown jewels from “walking out the door”?

5. Global Regulations

Do we know what global and US privacy and cybersecurity laws and regulations apply to us? Do we have processes in place to comply with the myriad of regulations and to monitor compliance over time?

6. Cyber Insurance

Regarding “cyber insurance”, what does it truly cover? Will the insurer refuse to cover you if they say you didn’t meet certain standards, duties and obligations?

7. Collaboration

Do companies share breach experience/solutions with competitors so everyone learns, or is this a competitiveness barrier? Do they communicate with the federal government about threats and intel?

8. Compliance with Privacy Commitments

Are we collecting, using or sharing data in new ways? Do our data handling practices comply with our customer privacy commitments/policies?

Page 25

Vendor Risk Management Program

Does your company have a vendor risk management program?

• 28% have a mature program

• 60% have a program that is still being developed

• 12% do not have a program

Is it reviewed or audited by an independent function?

• 34% have review/audit by Internal Audit

• 8% have review/audit by an independent function*

• 50% do not have an independent review/audit

• 8% do not have a program

Source: 2015 PwC Power & Utilities CAE Survey – Third Party Risk Management

Page 26

Third party inventory, stratification & assessment – illustrative model

An inventory, risk rating and on-going testing model enables efforts to establish the third party inventory and to oversee services with higher levels of inherent risk.

The model drives the on-going due diligence process based on the inherent risk and the business facts of the services provided.

Page 27

3rd Party Risk Management considerations

Contract Considerations

Contract inventory

• Does a complete list of all contracts exist, and are they reviewed by Legal?

Contract terms

• Are there clear contract terms regarding the collection and use of information, and are they consistent with your privacy policy and notice?

• Is there a “right to audit” clause?

Contract maintenance

• How are changes to the policy approved and communicated?

• Is an annual review of the contract performed?

Attest reports

• Are there SOC reports, Safe Harbor considerations or other considerations?

Risk Assessment

Vendor risk assessment

• Has a complete vendor/third party inventory and risk assessment been performed?

• Have you understood and documented the data lifecycle process?

• Have the vendor’s people, processes, or technology changed? For example, has the vendor begun using cloud technology or a subcontractor?

Data exposure

• Is there an understanding of what data is provided to vendors and how the vendors protect, store, use, and destroy that data?

Vendor access

• Has vendor access been restricted appropriately, and are all points of access known?

• Do any terminated vendors still have access to your data?


Vendor Management Program

Policy alignment

• Does the vendor policy align with the Company’s privacy policies?

Incident response & Impact assessment

• Is there a process to address a vendor data breach? Is there a process in place to determine the impact?

Monitoring

• Has a program been established to monitor ongoing compliance of the vendors?
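As an added example that is not part of the original deck and is not PwC’s model or any survey tool, the following Python sketch shows how the inventory, risk-rating and on-going testing model from the previous page and the vendor-access questions above (“are all points of access known?”, “do any terminated vendors still have access?”) could be operationalised by an internal audit team. The vendor inventory, the account export, the data categories, the tier rules and the review cadences are all constructed assumptions; a real engagement would pull the inventory from the contract system and the accounts from the identity directory.

```python
"""Added example (not from the original deck): stratify a third-party inventory
by inherent risk and reconcile an identity-system account export against it.
All data, categories, tier rules and cadences below are constructed assumptions."""

# Constructed vendor inventory. Assumed fields: name, data shared with the vendor,
# whether the vendor has network/system access, contract status and end date (ISO).
VENDORS = [
    {"name": "MeterData Analytics", "data": {"PII", "energy_usage"},
     "network_access": True, "status": "active", "contract_end": "2016-06-30"},
    {"name": "BillPrint Co", "data": {"PII", "financial"},
     "network_access": False, "status": "active", "contract_end": "2016-01-31"},
    {"name": "OldCallCenter Inc", "data": {"PII"},
     "network_access": True, "status": "terminated", "contract_end": "2015-03-31"},
    {"name": "Landscaping LLC", "data": set(),
     "network_access": False, "status": "active", "contract_end": "2015-12-31"},
]

# Constructed account export from the identity system (assumed fields).
ACCOUNTS = [
    {"user": "svc_meterdata", "vendor": "MeterData Analytics", "enabled": True},
    {"user": "svc_callctr", "vendor": "OldCallCenter Inc", "enabled": True},
    {"user": "svc_callctr2", "vendor": "OldCallCenter Inc", "enabled": False},
    {"user": "svc_unknown", "vendor": "Mystery Vendor", "enabled": True},
]

SENSITIVE = {"financial", "medical", "SPI"}          # assumed sensitive-data categories
PERSONAL = {"PII", "energy_usage"}                   # assumed personal-data categories
CADENCE_MONTHS = {"High": 12, "Medium": 24, "Low": 36}  # assumed review cadence per tier


def inherent_risk(vendor):
    """Rate inherent risk from the data shared and the access granted (assumed rules):
    High   - sensitive personal data, or personal data combined with network access
    Medium - personal data without network access, or network access alone
    Low    - neither personal data nor network access"""
    data = vendor["data"]
    if data & SENSITIVE or (data & PERSONAL and vendor["network_access"]):
        return "High"
    if data & PERSONAL or vendor["network_access"]:
        return "Medium"
    return "Low"


def oversight_plan(vendors):
    """Stratify the inventory: tier and review cadence for each active vendor."""
    plan = {}
    for v in vendors:
        if v["status"] != "active":
            continue
        tier = inherent_risk(v)
        plan[v["name"]] = {"tier": tier, "review_every_months": CADENCE_MONTHS[tier]}
    return plan


def access_exceptions(vendors, accounts, today):
    """Reconcile the account export against the inventory and flag, for enabled accounts:
    - a vendor that is not in the inventory at all (an unknown point of access)
    - a vendor that is terminated or whose contract has expired (access that survived).
    `today` is an ISO date string; ISO strings compare correctly as plain strings."""
    by_name = {v["name"]: v for v in vendors}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        vendor = by_name.get(acct["vendor"])
        if vendor is None:
            findings.append((acct["user"], "vendor not in inventory"))
        elif vendor["status"] == "terminated" or vendor["contract_end"] < today:
            findings.append((acct["user"], "access survives termination/expiry"))
    return findings


if __name__ == "__main__":
    for name, plan in oversight_plan(VENDORS).items():
        print(f"{name:22} {plan['tier']:6} review every {plan['review_every_months']} months")
    for user, reason in access_exceptions(VENDORS, ACCOUNTS, "2015-08-25"):
        print(f"EXCEPTION {user}: {reason}")
```

The two functions map directly onto the audit questions: `oversight_plan` drives how often each vendor is re-assessed based on inherent risk, and `access_exceptions` answers whether every point of access is known and whether terminated vendors still hold access. Disabled accounts are deliberately ignored so the report lists only live exposure.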

Page 28

In summary… Questions IA should be asking

• How are our investments in privacy trending – has progress stalled?

• How would we respond to a regulatory inquiry about our current privacy practices?

• Are we coordinating disparate efforts related to information management?

• How have changes/disruptions in our business impacted the privacy program?

• Which third parties have access to our customers’ personal information? Do we know how they are actually using it? How are we protecting it?

• Does our Board have a sufficient understanding of the magnitude of our organization’s privacy and security risk, as well as what we’re doing to eliminate or mitigate those risks?

Page 29

Thank You

Dave Sands, PwC Power & Utilities, [email protected]

© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.