12 02-14 information security managers - unannotated
Post on 30-Jul-2015
• Cloud workshop
• How is the cloud structured?
• Understanding cloud functions
• Framework for data analysis
Cloud workshop
• What will you use the cloud for?
• Three functions that the cloud provides.
• Three functions the cloud does not provide.
• Three cloud providers.
• What is Amazon providing?
• What is Brand X providing?
• Are there any other vendors?
• What is the “demarc line” for responsibilities?
• How much negotiating power do you have?
• What do you want?
• Platform as a Service - PaaS
• Software as a Service – SaaS
• Professional Services as a Service - PSaaS
• Infrastructure as a Service - IaaS
Platform as a Service - PaaS
• Infrastructure
• Computing platform
• “Solution stack”
• Uses distributed infrastructure components
• Supports cloud applications
• Allows deployment of customer applications
• Vendor assumes management of underlying hardware and basic software
Software as a Service – SaaS / Professional Services as a Service
• Software / services as a selling point
• COTS software
• Centralized patch management
• Data preservation / backup
• Distributed delivery
• Web access
• One-to-many distribution
Infrastructure as a Service - IaaS
• Cloud is the platform
• Virtual data center
• No capital outlay
• À la carte hardware use
• Billed as a utility
• Pricing feature- or use-based
What will you use the cloud for?
What does your cloud provider do?
What type of provider do you have?
Who is controller, transferor, processor?
• Is security binary?
• What is a breach?
• Who are the parties to a breach?
• Who has to be notified?
• Who are the parties to a data transaction?
• Which societal emphases prevail?
• How do we make security a societal determining factor in purchase decisions?
• How do you measure security?
• What role should government play?
• Are you a special snowflake?
• Transparency
• Imperfect information
• Competitive pressures
• Lack of definition
• Imperfection in software
• Risk perception
• Sectoral based
• Reactive
• Generally state based
• Narrowly tailored

• Issue based
• Proactive
• National implementation
• Breach – both benign and malicious
• Breach notification
• Transfer of risk
• Security policies
• Contracting parties, third parties and vendors
• Legislative and regulatory
HIPAA
• Specific safeguards
• Protect against reasonably anticipated uses
• Ensure that workforce complies with rule
• Civil penalties
• Actions by state AG
• HHS investigations
GLB
• Security and confidentiality of customer information
• Protect against anticipated threats or hazards to security and integrity
• Protect against unauthorized access or use
FCRA
• Identification / authentication procedures
• Disposal rules
• Procedures to ensure accuracy
• Integrity / accuracy of information sent out
• Attempts to prevent impersonation fraud
COPPA
• Secure web servers
• Delete personal information after use
• Limit employee access to data
• Provide training
• Screen third parties
FCC
• Protect the confidentiality of CPNI
• Reasonable measures to prevent and discover unauthorized access
• Massachusetts leads the way
• Generally address confidentiality
• Typically only include information tied to numbers
• Beginning to include biometric data
• Nexus requirement – except for Massachusetts
• Exceptions for minor breaches / encrypted data

• U.S. continues to prefer sectoral
• Breach approached from confidentiality
• Private rights of action disfavored
• FTC likely to have overall responsibility
• Nexus requirement still the norm
• Privacy / security interaction involves identification numbers
• Data governance laws are here to stay
• Expectation that in some format data breach will be extended to cover not just telecoms
• General data breach requirements in some EU Member States already
• Accountability and transparency principles
• Broad scope of definition of personal data
• Cloud and jurisdictional challenges
• The role of controllers and processors
Data protection / security compliance as a competitive market advantage
• A couple of deal-breaking elements from our daily experience:
1. Personal Data Processing Agreements (where duties and obligations are clearly identified)
2. Transparency and control over the personal data flow (circulation/transfer of personal data)
• These elements are requested by customers for 2 main reasons:
1. COMPLIANCE: to establish enough control by the customer (Controller) on the personal data processing carried out by the provider (Processor)
2. INTERNAL RESPONSIBILITIES: to internally show that protection and control over personal data, as a company asset, have been considered in the choice of a provider that offers enough guarantees
EU data protection/security checklist
A Service Provider (SP) will have to share:
1. Information about its identity (and the representative in the EU, if applicable), its data protection role, and the contact details of the Data Protection Officer or of a “privacy contact person”
2. In which ways the data will be processed, with information on data location and subcontractors
3. How data transfers may take place and on which legal ground (mainly model contracts, binding corporate rules – SH principles have been under revision)
4. Data security measures in place, with special reference to: availability of data; integrity; confidentiality; transparency; isolation (purpose limitation); intervenability
5. Way to monitor SP data security / possibility to run audits for clients or trusted third parties
6. Personal data breach notification policy
7. Data portability, migration, and transfer-back assistance
8. Data retention, restitution and deletion policies
9. Accountability, meaning the policies and procedures SP has in place to ensure and demonstrate compliance, throughout the SP value chain (e.g., sub-contractors)
10. Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights
11. Management of law enforcement requests for access to personal data
12. Remedies available for the customer in case of CSP breach of contract
• EU continues to prefer industry regulation
• Breach approached from a confidentiality viewpoint
• Private rights of action disfavored
• National laws lag
• Privacy tied to individual data
Break down your cloud transaction.
Understand what security means to you.
Define breach.
Decide what kind of snowflake you are.
How does the cloud operate?
Who has access to the cloud?
General risk analysis
• SLA
• Choice of law
• Compliance
• Regulations
• Contract
• Security
• Breach
• Termination
Reliability
• Demonstrated by metrics
• Objective criteria used
• Third-party vendors considered
Contract
• Standard SLA may need additional clauses for response time, fallback options, standards of service
• Static v. flexible SLA
In what country is the provider located?
Where is the provider’s infrastructure?
Will other providers be used?
What will happen to the data on termination?
Where will the data be physically located?
Should jurisdiction be split?
How will data be collected, processed, transferred?
Jurisdiction over the contract
• Whose law governs
• Where the dispute is heard
• Change in judicial presumptions
Jurisdiction over the data
• Data protection directive
• Export control laws
Choice of law
This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest notice from, or the jurisdiction of, this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User regarding Vendor’s access to this data shall be heard before the appropriate court located in London, United Kingdom.
Split choice of law if you have differing regulatory obligations.
Security
• Define “breach”
• Determine when a breach happens
• Assume there will be data breach laws
• Review any laws that may currently exist
• Understand who will be responsible for security
• Create enforceable contract terms
• Remember post-termination issues
• Understand that you may not be made whole

• What is a breach?
• Who are the parties to a breach?
• Who has to be notified?
• Who are the parties to a data transaction?
• Breach: benign and malicious.
• Breach: parties, third parties, subcontractors, vendors
• Breach laws: state and federal
• Responsibility for security: parties, third parties, subcontractors vendors
• Post termination issues: data belongs to customer, breach liability extends post termination.
• Security policy: made part of contract. Revisions subject to customer review. Flow down to subcontractors and vendors
Contract provisions
Vendor has provided X with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to this Agreement. Vendor represents and warrants that this security policy represents best of breed security procedures in its industry. Vendor shall give X no less than sixty days prior written notice of any changes in the Policy that impact the services provided to X. Should X determine that these changes materially impact the security of the services, X shall have the right to terminate this Agreement. In such a case, Vendor shall provide reasonable assistance to X to transition its services to another provider.
Require your vendor to have skin in the game.
Access
• Document data to which you have access
• Limit the number of employees who have access to data
• Create and implement access policies
• Require written notice
• Don’t assume validity
• Create and implement access policies
• Include legal advisor
• Understand and define law enforcement access
• Don’t assume your country’s laws will prevail
• Don’t let stereotypes interfere with a legal analysis
• Try to create definition
Access
Vendor shall provide X with no less than ten days prior written notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law enforcement or similar entity. Should Vendor be prohibited by law from providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and the written document upon which disclosure is based. Under no circumstances shall Vendor provide access without a written request of disclosure which cites the law requiring such disclosure. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
Understand who has access to data and under what circumstances.
Termination
• Create and implement deletion policies
• Flow down contract terms to vendors
• Do not assume security ends upon termination
Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
When the agreement terminates, your rights terminate.
Determine how services will be used
Evaluate cloud structure
Understand data collection, processing and transfer
Security breach notification
High risk regulatory areas
Disposition of data on termination