WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Information Assurance in a Global Context: Strategies for Security and Privacy for Cross-Border and Multi-national Organizations. Matt Stamper, MPIA, MS, CISA, ITIL. VP of Services: redIT; President: ISACA San Diego Chapter; Co-Chair: InfraGard San Diego; Board of Advisors: Multiple. WCIT, Guadalajara, Jalisco, September 28th, 2014

Post on 01-Jul-2015

DESCRIPTION

Workshop at the WCIT 2014 Information Assurance in a Global Context Matt Stamper, redIT

TRANSCRIPT

Page 1: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Information Assurance in a Global Context: Strategies for Security and Privacy for Cross-Border and Multi-national Organizations

Matt Stamper, MPIA, MS, CISA, ITIL

VP of Services: redIT

President: ISACA San Diego Chapter

Co-Chair: InfraGard San Diego

Board of Advisors: Multiple

WCIT

Guadalajara, Jalisco

September 28th, 2014

Page 2: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Agenda

Why information assurance (IA) matters

Core Definitions: ILM, Security, Privacy, and IA

Regulatory Requirements

Frameworks & Approaches

New Technologies: IoT & Cloud

Lessons from Tijuana/San Diego

Questions & Comments

Page 3: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Why Information Assurance Matters…

We rarely question the quality of information we use to make decisions…putting our organizations, economies, and personal lives at risk

Information is the most valuable asset in our economy and fuels innovation & growth (data is the raw material of the global economy)

o Commerce

o Science

o Government

Our dependencies on accurate and timely information are increasing exponentially

Massive asymmetries in IA practices

Gap between laws & regulations and practice

Critically, trust is at risk!

Page 4: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Trust and Societies: Quantifiable Impact

“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. That suggests that trust is worth $12.4 trillion dollars a year to the U.S., which, in case you are wondering, is 99.5% of this country’s income (2006 figures). If you make $40,000 a year, then $200 is down to hard work and $39,800 is down to trust” (http://www.forbes.com/2006/09/22/trust-economy-markets-tech_cx_th_06trust_0925harford.html)

“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world” (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February, 2012: White House)

Trust is at the heart of today’s complex global economy. But, paradoxically, trust is also in increasingly short supply in many of our societies, especially in our attitudes towards big business, parliaments and governments. This decline threatens our capacity to tackle some of today’s key challenges (http://www.oecd.org/forum/the-cost-of-mistrust.htm)

Page 5: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

The Impact of Lost Trust on Society

Financial Crisis

http://www.youtube.com/watch?v=uw_Tgu0txS0

Page 6: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

International Data Flows: The Global Currency

“The Growth of the Internet and the ability to move data rapidly and globally has been a key building block of the global economic order” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)

“Exports (emphasis mine) of cloud computing services were estimated to be worth approximately $1.5b in 2010 (and this is likely a conservative figure) and the market for cloud computing services is anticipated to grow by up to 600 percent by 2015” (“Policy Challenges of Cross-Border Computing” – Journal of International Commerce and Economics, November 2012).

Over 2 billion individuals have access to the Internet

More devices will be connected than people – billions of devices

Nearly free transaction costs

The days of information arbitrage are over

Barriers to innovation & exploitation are equally low

Critical Shared Data Sets

Weather & Climate data

Census data

Healthcare and Disease Control data

Financial & Currency data

Trade data

A McKinsey Global Institute study estimated that the Internet contributed over 10 percent to GDP growth in the last five years to the world’s top ten economies and for every job lost as a result of the Internet, 2.6 jobs have been created.

Page 7: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Open Government Initiatives: Public Sector Data

Governments across the globe recognize that information is both:

A national resource that requires protection

A public good that should be readily disseminated

Key areas of focus within the Open Government community include:

Transparency with budgets & procurement

Private/Public Sector data sharing

Innovation

“The original and essentially libertarian nature of the Internet is increasingly being challenged by assertions by government of jurisdiction over the Internet or the development of rules that restrict the ability of individuals and companies to access the Internet and move data across borders” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)

Page 8: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Why Information Assurance is Critical Now!

Here’s just a quick sampling of what’s occurring on a daily basis. This is just the US public sector.

Organized Criminals in Russia Steal 1b Passwords (8/5/2014)

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0

JP Morgan Potentially Compromised (8/18/2014)

http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480

Hospital Hacked – 4.5 Million Records Compromised (8/18/2014)

http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/

Home Depot

http://www.forbes.com/sites/quickerbettertech/2014/09/22/why-the-home-depot-breach-is-worse-than-you-think/

Target

http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538

The Car (2014 Moving Forward)

http://money.cnn.com/2014/06/01/technology/security/car-hack/

Page 9: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

The Assault on Healthcare & ePHI

According to a Ponemon Institute Study, criminal attacks on healthcare systems have risen 100% since 2010, with the average cost of a breach at $2m (US)

Over 90% of healthcare organizations have had a breach in the last two years with 38% having had more than five incidents (down from 45% the previous year)

Risks with mandated health information exchanges (third-party considerations) / weakest link despite security standards from HIPAA-HITECH

Bring Your Own Device (BYOD) - nearly 50% of breaches attributed to a lost or stolen device and over 88% of organizations allow the use of BYOD

Fortunately, the number of records compromised has decreased based on earlier detection and incident response – we’re getting better at handling security breaches…practice makes perfect?

Page 10: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Working Definitions

Page 11: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Security - Defined

The easiest way to think about security is to think about the outcome of what good security provides: confidentiality, integrity, and availability of information (CIA).

Confidentiality is the end-state of ensuring that information is only viewed and acted upon by those individuals, organizations, or systems that are authorized to see such information. “A loss of confidentiality is the unauthorized disclosure of information” – FIPS 199.

Integrity is the end-state of information and its processing such that the information is believed to be complete, accurate, valid and subject to restricted access (CAVR)…essentially untampered with or otherwise unmodified by unauthorized activity. “A loss of integrity is the unauthorized modification or destruction of information” – FIPS 199.

Availability is simply that…that the information is available for its required use without delay or loss. “A loss of availability is the disruption of access to or use of information or an information system” – FIPS 199.

Collectively, IT security is the set of processes that are involved with ensuring that data and information meet the confidentiality, integrity, and availability objectives of business.

Page 12: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Privacy - Defined

Definitions of privacy are growing more nuanced over time.

Privacy is “the right to be left alone” (Samuel Warren & Louis Brandeis: The Right to Privacy, Harvard Law Review, 1890).

Privacy is “the right of the individual to be protected against the intrusion into his (her) personal life or affairs, or those of his (her) family, by direct physical means or by publication of information” (UK, Calcutt Committee: 1997)

Privacy has contextual considerations:

Information Privacy

Bodily Privacy

Territorial / Physical Privacy

Communications Privacy

(Foundations of Information Privacy and Data Protection, Swire, et al., IAPP, 2012)

Page 13: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Information Assurance: Three Perspectives

National Defense: Information Assurance as a concept is strongly influenced by the defense and national security communities and the concept of network centric warfare techniques:

“Measures that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” (Department of Defense Directive Number 8500.1: October 24, 2002)

Corporate View: Intellectual Property, Financial, Client & Partner Data are subject to appropriate governance and control – CAVR.

Consumer View: Personal Health, Financial and other UII Data is controlled by the individual and disclosure is also controlled by the individual.

Page 14: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Data Classification

Given the regulatory and jurisdictional issues related to information and data flows, organizations need to implement best practices to classify their data. There are a number of approaches including:

National Security

• Top Secret

• Classified

• Unclassified: FOUO

Corporate Security

• Confidential

• Proprietary

• Privileged / Restricted Access

Personal Data

• ePHI

• Financial Information

• Phone, Internet & Utility

Page 15: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Information Lifecycle & IA

Tech Target: http://searchdatamanagement.techtarget.com/feature/Information-assurance-Dependability-and-security-of-networked-information-systems

Cloud Security Alliance

Page 16: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Bringing It All Together: IA, Security, and Privacy

If we agree that information is the new global currency and that innovation and growth are predicated on the quality of the information and data we use, it’s important that we couple IA, Security and Privacy and make information governance a top priority for our organizations.

Let’s get to work!

Page 17: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Privacy Laws & Standards

By Country / Region

• Mexico

• Canada

• US

• EU

• APEC

By Industry

HIPAA-HITECH

Financial Services

Page 18: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Laws & Regulations: Mexico, Canada and US

Mexico – National Privacy Law

http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf

Canada – National Privacy Law

https://www.priv.gc.ca/index_e.asp

https://www.priv.gc.ca/leg_c/leg_c_p_e.asp

US – Sectoral Approach (Federal Trade Commission)

http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

States

Massachusetts - http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

California - http://oag.ca.gov/ecrime/databreach/reporting

Nevada - http://www.leg.state.nv.us/NRS/NRS-603A.html

Page 19: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Laws & Regulations: Australia, APEC & Europe (EU)

Australia

http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act

http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles

APEC

http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx

European Union

http://europa.eu/about-eu/countries/member-countries/index_en.htm

http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm

https://safeharbor.export.gov/list.aspx (Safe Harbor Registrants)

Page 20: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Privacy & Security – Inextricably Linked

Security can exist without privacy but privacy cannot exist without security. Consequently, privacy frameworks offer insights into good governance and security practices though many standards and frameworks have been challenged by recent events – notably the Payment Card Industry – Data Security Standard (PCI-DSS).

Page 21: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

International Privacy Regimes: APEC & OECD

APEC - 2004                         OECD - 1980

Preventing Harm                     Collection Limitation Principle
Notice                              Data Quality Principle
Collection Limitation               Purpose Specification Principle
Uses of Personal Information        Use Limitation Principle
Choice                              Security Safeguards Principle
Integrity of Personal Information   Openness Principle
Security Safeguards                 Individual Participation Principle
Access and Correction               Accountability
Accountability

Page 22: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

International Privacy (Cont.): FIPS & Madrid

FIPS (1973)                         Madrid Resolution (2009)

No Secret Repositories              Principle of Lawfulness & Fairness
Individual Control Over Use         Purpose Specification Principle
Individual Consent                  Proportionality Principle
Correction                          Data Quality
Precautions Against Misuse          Openness Principle
                                    Accountability

Page 23: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

HIPAA-HITECH: Administrative, Physical & Technical

Security Management Process 164.308(a)(1)

Risk Analysis, Risk Management, System Review

Assigned Security Responsibility 164.308(a)(2)

Accountability

Workforce Security 164.308(a)(3)

Authorization and/or Supervision, Clearance & Termination Procedures

Information Access Management 164.308(a)(4)

RBAC Procedures

Security Awareness and Training 164.308(a)(5)

Anti-malware, log-in procedures, password management

Security Incident Procedures 164.308(a)(6)

Incident Response Procedures

Page 24: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

HIPAA-HITECH: Administrative, Physical & Technical

Contingency Plan 164.308(a)(7)

Backup & Recovery, BC/DR Procedures & Testing, Applications and Data Criticality Analysis

Evaluation 164.308(a)(8)

Review of Systems

Business Associate Contracts and Other Arrangements 164.308(b)(1)

Contractual Obligations with Service Providers (Business Associates), Cascading Liability

Facility Access Controls 164.310(a)(1)

Access Controls, Maintenance of Records, Contingency Operations

Access Control 164.312(a)(1)

Encryption, Decryption, Log-off, Emergency Access*

Audit Controls 164.312(b)

Evidence of Review

Transmission Security 164.312(e)(1)

Integrity Controls (A)

Security and Integrity

Page 25: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Gramm-Leach-Bliley (GLB) – FTC Enforcement

Financial Services Firms have an obligation to safeguard non-public information (NPI) such as full account numbers, social security numbers (SSNs), etc.

Obligations:

Privacy Notices

Non-Affiliated Third Parties & Opt Out

Ensure the Security & Confidentiality of Customer Records

Protect Against Anticipated Threats or Hazards

Protect Against Unauthorized Access

The FTC has established a clear expectation of security as a corporate obligation.

Page 26: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Security Frameworks & Standards

• SANS 20

• PCI-DSS

• ISO 27001/27002

• Cloud Security Alliance

• COBIT (ISACA)

Page 27: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

SANS Top 20 Security Controls

The SANS Top 20 is considered a good set of minimum necessary security controls. The controls cover a broad suite of good control activity:

Critical Control 1: Inventory of Authorized and Unauthorized Devices

Critical Control 2: Inventory of Authorized and Unauthorized Software

Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Critical Control 4: Continuous Vulnerability Assessment and Remediation

Critical Control 5: Malware Defenses

Critical Control 6: Application Software Security

Critical Control 7: Wireless Device Control

Critical Control 8: Data Recovery Capability

Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps

Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Page 28: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

SANS Top 20 Security Controls

The SANS Top 20 is considered a good set of minimum necessary security controls.

The controls cover a broad suite of good control activity:

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services

Critical Control 12: Controlled Use of Administrative Privileges

Critical Control 13: Boundary Defense

Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

Critical Control 15: Controlled Access Based on the Need to Know

Critical Control 16: Account Monitoring and Control

Critical Control 17: Data Loss Prevention

Critical Control 18: Incident Response and Management

Critical Control 19: Secure Network Engineering

Critical Control 20: Penetration Tests and Red Team Exercises

Page 29: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

PCI-DSS: 3.0 – 12 Requirements

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Page 30: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

PCI-DSS: 3.0 – 12 Requirements

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes.

Requirement 12: Maintain a policy that addresses information security for all personnel.

Requirement A.1: Shared hosting providers must protect the cardholder data environment

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Page 31: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

ISO:27001, CSA & ISACA

There are three organizations in particular that are driving good security standards and practices and that should be part of an organization’s control design:

International Standards Organization (ISO)

http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

Cloud Security Alliance (CSA)

https://cloudsecurityalliance.org/

Information Systems Audit and Control Association (ISACA)

https://www.isaca.org/Pages/default.aspx

Page 32: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

COBIT – Cloud Governance

ISACA’s “IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud” provides a solid framework for assessing controls in cloud environments and a reference for good governance.

“ISACA defines governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved and ascertaining that risks are managed appropriately.”

Leveraging cloud services requires controls and governance that touch upon the following:

Plan and Organize (PO)

Acquire and Implement (AI)

Deliver & Support (DS)

Monitor & Evaluate (ME)

Page 33: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Technology and IA

Internet of Things (IoT)

Cloud Computing

Page 34: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Internet of Things

http://www.theregister.co.uk/2014/05/07/freescale_internet_of_things/

Page 35: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

[Diagram: the same stack (Applications, Database, O/S, Hypervisors, Servers, Storage, Networks, Backups) shown for each of four delivery models: On Site, Infrastructure (as a Service), Platform (as a Service), Software (as a Service)]

Service Demarcation & Information Assurance

Roles & Responsibilities are Crucial Regardless of the Service Model

Security, Monitoring & Governance: Critical Foundation

Page 36: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Application

[Diagram: Data Center stack of Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups, alongside Security Monitoring and ITIL / Service Management]

• Audit Trail

• Client

• SaaS

• Segregation of Duties

• What is logged?

• Who’s responsible for the application is based on the service model

• How is the application impacted by other layers?

• What information is shared among layers?

• Shared administrative accounts?

Page 37: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Cloud Layers – Application Risk

Applications probably offer the widest array of risks to organizations. One of the key reasons…think about who uses applications…it’s us.

Applications – Typical Risks:

Human error / social networking exposure / APT attacks

Segregation of duties / elevated privileges

Database linkages / poor data validation

Session-hacking, man-in-the-middle attacks, cross-site scripting

Poor application coding

Poor passwords (complexity/aging)

Poor logging habits

Many firewalls are not application aware (just ports 80, 443)

Other considerations?

Page 38: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Database

[Diagram: Data Center stack of Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups, alongside Security Monitoring and ITIL / Service Management]

• Database activity monitoring

• Time-stamping transactions / logs

• Memory-based databases…data living in memory

• HADOOP and other changing non-database approaches to analytics

Page 39: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Service Provider Considerations

Contracts Matter – Wrap Around Agreements Present Risks to Organizations

Right to audit clause

Data location covenants

Compliance Reviews:

SSAE 16 SOC 1

ISAE 3402

SOC 2

Roles & Responsibilities

Statements of Work

Page 40: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Common Themes

• Inventory of Information

• Inventory of Critical Assets

• Supply-Chain / Vendor assessments

• Risk Assessments

• Security Assessments

• Board of Directors

• Executive Responsibility

• Investment in Training & Competencies

Page 41: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Tijuana – San Diego (Our IA Ecosystem)

Brier & Thorn – SOC in Tijuana

http://brierandthorn.com/

BridgeSTOR – Cloud Data Encryption

http://bridgestor.com/

CyberFlow Analytics – APT Solution

http://www.cyberflowanalytics.com/

CyberTECH & CyberHive

http://cybertechnetwork.org/

http://cyberhivesandiego.org/cybertech/

InfraGard

http://www.infragardsd.org/

ISACA – SD

http://isaca-sd.org/

Page 42: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

Quick Wins

Information Assurance begins with:

• Know Legal Obligations

• Data Classification

• Data Inventory

• Data Retention

• Privacy Impact Assessment

• Security / Vulnerability Assessment

• Keep The Board Informed – No Surprises

• Assume a Breach!

Page 43: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

References

Privacy

https://www.privacyrights.org/data-breach/new

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

https://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn

Security

https://www.isaca.org

http://www.sans.org/

http://www.nist.gov/cybersecurity-portal.cfm

https://cloudsecurityalliance.org/

Page 44: WCIT 2014 Matt Stamper - Information Assurance in a Global Context

us.redit.com

Matt Stamper, MPIA, MS, CISA, ITIL (CIPP-US: Pending)

T 858.836.02224

M 760.809.2164
