Internal measures for risk management
Keeping data safe, and Dealing with a failure
David Vaile, Executive Director
Cyberspace Law and Policy Centre
UNSW Law Faculty
June 2009
http://cyberlawcentre.org/
Outline
• What data is targeted?
• How to reduce the risk of data breaches?
• Improving processes for data loss protection
• Assessing risk
• Interaction with Digital Document Retention and Destruction policy issues
• Damage control
• What happens after disclosure?
• Examining the potential mandatory disclosure breach notification rules being proposed
What data is targeted by e-criminals?
• Wide range: some direct, some peripheral
• Customer authentication, staff authentication
• Passwords!
• System controls and security architecture, crypto systems etc.
• Contact lists: customers, suppliers, intermediaries
• Organisational structure: names and roles
• Transaction data, commercially sensitive data
• Demographic data
How is data targeted by e-criminals?
• Complex mix of techniques
• Social engineering
• Straight hacking (rarer)
• Interfering in secure transactions (rare)
• Malware: spam, zombie bot net, root kits
• Phishing and other hybrids
• Insiders / expellees
• Suppliers
How can organisations reduce the risk of data breaches?
• ID what you hold, who it might tempt, how they’d get it
• Review your governance model for commercial and personal information security
• Risk assessment
• Digital document retention and destruction policies
• Audits and process improvement
• Reward the whistleblower, don’t suppress bad news
• Value data for the worst loss it could cause a stakeholder
• Review IT security infrastructure, malware protection
• Assume security will fail
• Damage management policies: for you and the data subject
Improving your business processes for data loss protection
• Identify data ‘owners’, localise responsibility
• Value errors, mistakes, problems, niggling doubts; reward open reports and good response
• Stop suppression of bad news, hiding, denial
• Model the lifecycle of data, ID the weak links
• Review policies to ensure they value data
• Audits, run-throughs, external attack simulation
• Avoid ‘stupid security’, insist on good security
• Subjects get reasonable access to own records?
• Logging and transaction analysis, anomaly detection, investigation
Assessing risk of data breach
• Whose risk? Yours, staff, suppliers, customers, their associates ...
• Very wide multi-pass audit for risk vectors
• External reality checks, industry scan
• Do your internal systems and processes support protection and detection?
• Can you cope with a breach? Policy, procedures, customer-centric response?
Interaction with retention & destruction policy?
• Digital Document Retention & Destruction policy: critical for bringing 3 tribes together
• Know why and how long you retain, when you destroy
• Review evidentiary value of your metadata and logs
• Breach risk should drive some of the policy:
  • shorter retention periods?
  • de-identified storage?
• Review every 3 years, react to risk changes
Damage control
• It’s D-Day, the horse has bolted.
• You must have a plan sorted out first!
• Assume the worst happens: who gets hurt, who needs help, what can you keep quiet?
• Get help quick: law enforcement, external security, smart PR
• Offer help quick: victims, staff, intermediaries
• Reassure victims
• Be open with media and inquirers, hiding makes it worse.
What happens after disclosure?
• Identify what is lost, who is affected, scope of risk, how far it has gone -- Assume the worst!
• Work out how to protect your own interests, and stakeholders who may be affected.
• Notification: not open-ended, consider how far is needed
• Offer practical assistance to those affected
• Don’t lay blame easily.
• Consider accepting some liability for minor remedies and losses: great for retaining trust and confidence
• Move quickly for first responses, but buy time to carefully review the actual outcome
Potential mandatory disclosure breach notification rules
• Review global developments, see where it is headed in Australia – some years to go
• Not an option to stay in denial
• See Australian Privacy Commissioner voluntary guidelines, US approach, EU model
• Consider opting for world’s best practice, which may be higher than the current mandatory requirement
• Disclose in a way that is of most help to the recipient: in some cases it will just be online, may be by direct contact, or advertisement
David Vaile, Executive Director
Cyberspace Law and Policy Centre
UNSW Law Faculty
(02) 9385 3589
http://cyberlawcentre.org/