1 ISO 27001 compliance as prima facie evidence of good faith action Spring 2010 - IPOL Mark Thompson-Kolar MSI 2011 Tailored/HCI


ISO 27001 compliance as prima facie evidence of good faith action Spring 2010 - IPOL Mark Thompson-Kolar MSI 2011 Tailored/HCI. The Breach Problem. Records with sensitive personal information (PII) in security breaches in U.S. since 2005 > 346 million (not all reported!) - PowerPoint PPT Presentation


Page 1: ISO 27001 compliance as prima facie evidence of good faith action Spring 2010 - IPOL


ISO 27001 compliance as prima facie evidence of good faith action

Spring 2010 - IPOL

Mark Thompson-Kolar
MSI 2011 Tailored/HCI

Page 2

The Breach Problem

Records with sensitive personal information (PII) in security breaches in U.S. since 2005: > 346 million (not all reported!)

U.S. population: 307 million. More than 1 breach per resident.

PII - identifiable data, usually includes social security number, credit card nos., with names, addresses ... biometric.

Sources: Privacy Rights Clearinghouse, March 13, 2010 & U.S. Census Bureau estimate, July 2009

Page 3

Breaches Not Going Away

Breaches will keep happening. “You cannot anticipate every internal and external threat, nor can you predict when an employee will prove dishonest or capable of a major mistake. No security system is bulletproof. ... The question is not 'if' your data will be compromised, it is 'when.'”

Source: Tedder, K. January 2010. A First Data White Paper: Don't Wait for a Data Compromise.

Image from Datarati: Actionable Insights

Page 4

U.S. Info Security Regulatory Framework

• Regulations - Information covered
  • HIPAA / HITECH - Health records
  • Sarbanes-Oxley - Corporate financial
  • FCRA/FACTA - Consumers' credit
  • Gramm-Leach-Bliley - Personal financial
  • FTC Act 5 - Deceptive practices

Page 5

Breach Examples: ChoicePoint

ChoicePoint, a large data broker based in Atlanta, Ga.

800-plus cases of identity theft resulting from theft of data.

Violations alleged - Fair Credit Reporting Act and FTC Act 5.

2006: settles FTC breach charges - $10 million in civil penalties, $5 million for consumer redress.

Source: FTC news release

Page 6

Breach Examples: TJX

Source: FTC news release

The TJX Cos. Inc., major discount retailer. 455,000 consumers' PII taken in 2005-06.

FTC alleged TJX failed to use reasonable and appropriate security measures to prevent unauthorized access to PII.

Banks claimed tens of millions of dollars in fraudulent charges made on the cards.

Company had passed a checklist-style audit under Payment Card Industry Data Security Standards.

Page 7

Breach Examples: Dave & Buster's

Source: FTC news release

March 25, 2010: Dave & Buster’s, Inc. restaurants.

FTC charges company left consumers’ credit and debit card information vulnerable to hackers - 130,000 cards.

Failed to take reasonable steps to secure this sensitive PII on its network.

Several hundred thousand dollars in fraudulent charges.

Page 8

Security in Settlements

ChoicePoint required by FTC to: Establish and maintain a comprehensive information security program.

Company must obtain audits by an independent, third-party security professional every other year for 20 years.

Source: FTC news release

Page 9

Security in Settlements

TJX required by FTC to: “... Establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers.”

Security program must “contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities, and the sensitivity of the personal information it collects.”

Source: FTC news release

Page 10

Security in Settlements

Dave & Buster's required by FTC to: Put in place a comprehensive information security program. Establish and maintain a program designed to protect the security, confidentiality, and integrity of customers' PII.

Requires company to obtain independent, professional audits, every other year for 10 years.

Source: FTC news release

Page 11

Seeing a Trend

Recent Dave & Buster's settlement is FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.

Settlements fairly consistent in what breached companies must do.

Primary point: improve processes by establishing a comprehensive information security program.

Page 12

Consideration for Good Actors

Data breaches of PII will continue. Settlements require improvement processes, not checklists.

How to get companies to do well-regarded improvement processes sooner, not later? Reward for “doing right thing”:

– Consistent, up-front “prima facie” consideration of such steps as evidence of good faith action if breach occurred.

Page 13

ISO 27001 Suggestion

Need a very highly regarded data security standard. ISO 27001 would be superb choice.

There are others, outside scope of this presentation (two others that might make sense):

– CObiT - Control Objectives for Information and related Technology, a set of best practices for IT management.

– COSO - The Committee of Sponsoring Organizations of the Treadway Commission Control Objectives.

Source: Solutionary

Page 14

About ISO 27001 (& Family)

Collection of interrelated data security standards.

Developed by Switzerland-based NGO (International Organization for Standardization).

ISO is global network that identifies what International Standards are required by business, government and society, develops them in partnership with the sectors that will put them to use ...

Source: International Organization for Standardization

Page 15

ISO 27001 Overview

27001 respected as a comprehensive framework. Aka (ISMS): “Information Security Management Systems”. Establishes risk management processes:

Some data more vital to protect. Must examine what information you have.

Encourages continual improvement to business practices - very important as security vulnerability environment never stops changing.

Source: International Organization for Standardization

Page 16

ISO 27001 Certifications

March 2010: The total number of companies worldwide that had achieved ISO 27001 certification was 6,385. Just 95 of them were located in the U.S.

Sources: International Register of ISMS Certificates, National Geophysical Data Center

Page 17

ISO 27001 Strengths

Utilizes Plan-Do-Check-Act methodology:

PLAN. Clause 4 expects firm to plan the establishment of organization’s ISMS.

DO. Clause 5 expects firm to implement, operate, and maintain its ISMS.

CHECK. Clauses 6 and 7 expect firm to monitor, measure, audit, & review ISMS.

ACT. Clause 8 expects company to take corrective and preventive actions, and continually improve the ISMS.

Source: JBW Group International

Page 18

Additional ISO 27001 Strengths

More on Plan-Do-Check-Act methodology: Works with variety of regulations and kinds of information. Company must know all relevant legal, regulatory, industry standards and contractual requirements that affect the business's use of information assets.

Outlines 11 control areas, 39 control objectives and 133 specific controls.

NOT a “checklist” standard. Process driven. IS risk-assessment driven standard.

Source: JBW Group International

Page 19

ISO 27001 & Risk Assessment

“When organizations implement ISO 27001, not only do they safeguard assets through best practice controls, they empower their organization with a risk-assessment methodology that assures the proper treatment of all risks ... (this) allows an organization to be ever responsive to new risks and to address each risk in a manner most suitable to their organization at the time.”

Source: Barry L. Kouns, security consultant and principal with SQM-Advisors consultants

Page 20

ISO 27001 & Due Diligence

Due diligence - corporate officers operate in line with accepted business practices and follow all relevant laws and other regulatory requirements

ISO 27001's guidelines, evaluation criteria, reference standards help companies practice DD

“Developers should be prepared to show they have used security processes at least as thorough and demanding as those of equivalent ISO 27001 rated systems. This will establish due diligence ...”

Source: Edward H. Freeman, data security consultant

Page 21

ISO 27001 & Regulatory Enforcement

Looking back at the regulatory settlements ... “Trends in enforcement actions, and what they impose in the way of security program requirements look a lot like clauses 4-8 of ISO 27001”

Source: Patrick Sullivan, JBW Group International

Page 22

TJX Settlement | ISO 27001

Settlement: Establish and maintain a comprehensive security program ... contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities, and the sensitivity of PII it collects.

ISO 27001 - Clause 4: “Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that ... takes business and legal or regulatory requirements as well as contractual security obligations into account ... aligns with the organization’s strategic risk management context.”

Sources: FTC, CQR Payments

Page 23

TJX Settlement | ISO 27001

Settlement: Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.

27001 - Clause 4: Identify, analyze and evaluate the risks; select control objectives and control for the treatment of risks.

Sources: FTC, CQR Payments

Page 24

TJX Settlement | ISO 27001

Settlement: Evaluate and adjust information security programs to reflect results of monitoring.

27001 - Clause 4: Conduct internal ISMS audits at planned intervals and update security plans to take into account the findings of monitoring and reviewing activities.

Sources: FTC, CQR Payments

Page 25

TJX Settlement | ISO 27001

Settlement: Designate an employee or employees to coordinate information security program.

27001 - Clause 5: Explicitly states the management responsibility for the ISMS and details the necessary requirements pertaining to management commitment and resource management, including provision of resources as well as training, awareness and competence.

Sources: FTC, CQR Payments

Page 26

ISO 27001 Isn't Perfect

Some criticisms:

It focuses on certifying the “process” by which you determine which controls should be in place – not that the controls actually are in place.

Without significant testing to validate that the technical controls are operating as planned – it can lead to a false sense of security.

It doesn't include controls guidance for software applications – a major source of risk.

Success is in implementation. Adherence to Plan-Do-Check-Act lets businesses avoid these issues.

Source: John Verry, Pivot Point Security

Page 27

Reasons to Favor ISO 27001

• Respected globally as a solid framework.
• Employs risk management process.
• Supports company's due diligence efforts.
• Improves corporate processes.
• Has clear points of connection with U.S. law and effective in multi-agency regulatory framework.
• Handles variety of information types.
• Use growing worldwide; makes sense to use as businesses go global.

Page 28

ISO-lated?

Is ISO 27001 only viable option for prima facie consideration? No. But it's one that makes good sense.

Page 29

Thank you!