PRIVACY, SECURITY, RISK AND THE DIGITAL REVOLUTION

Transcription

PRIVACY, SECURITY, RISK AND THE DIGITAL REVOLUTION
Dan Carayiannis
RSA Archer WW Public Sector Director

DELL LEADERSHIP
[Slide graphic; the pairing of figures with sectors is not recoverable from the transcription.]
Figures: 30,000 / 50 million / 1 billion (identities, consumers, customers); 20 of the TOP 20; 18 of the TOP 20; 16 of the TOP 20; 19 of the TOP 20; 10 of the TOP 10; 13 of the 15 Executive Departments of U.S. Government; 97%; 94%
Sectors: Telecom, Manufacturing, Energy, Consumer product, Technology, Financial institutions, Healthcare institutions, International Government Organizations, Transportation

ARCHER AT A GLANCE
RSA Archer customers: 1,500 GRC deployments; 48 of the Fortune 50; 92 of the Fortune 100
Customers in every marketplace:
- Public Sector: 100 US Government Agencies, 18 States, 16 Cities/Municipalities, Foreign Government Deployments
- 10 biggest U.S. [word garbled in transcription]
- Retail
EMC/RSA, A Dell Technologies Subsidiary: Global operations; 1B revenue; 2,700 employees; 1,000 technology partners; 30 years of cybersecurity expertise; 15 years of risk expertise
RSA Archer Analyst Recognition. A Leader in:
- Gartner Magic Quadrant for Operational Risk Management Solutions (2017)
- Gartner Magic Quadrant for IT Risk Management Solutions (2017)
- Gartner Magic Quadrant for Business Continuity Management Planning Software, Worldwide (2017)
- Gartner Magic Quadrant for IT Vendor Risk Management (2017)
- The Forrester Wave: Governance, Risk, And Compliance Platforms (2017)
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
* bankrate.com

TODAY’S PUBLIC SECTOR
- Security, Privacy and Risk Management are top priorities
- Government organizations are moving from a reactive, restrictive approach that inhibits modernization and enhanced capabilities to one that’s resilient, adaptable and agile
- Increasing demand for consistent and accurate information accessible by employees and the public they serve

TODAY’S PUBLIC SECTOR
- Accelerated government adoption and expanded use of mobile, cloud, IoT, AI, Blockchain and other technologies to support operations and public access
- IT consolidation, centralization and digital modernization initiatives can be challenging, complex and introduce risks
- Government organizations are leveraging 3rd party organizations with greater frequency

THE ATTACK SURFACE IS EXPANDING AND WITH IT PRIVACY RISKS!
- Individual computers (government, personal)
- Mobile devices
- Virtualization
- Cloud computing
- Internet of Things (IoT)

ADVERSARIES COME IN MANY FLAVORS
Categories: Nation-state actors, Criminals, Non-state actors
- Nation-states
- Petty criminals
- Organized crime
- Insiders
- Cyber-terrorists / Hacktivists

COMMERCIAL – NATION-STATE?
“It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.” (2014)
- Fortune, July 2015

GOVERNMENT – NATION-STATE?

WANNACRY – GLOBAL IMPACT
Friday, 12 May 2017 – 230,000 Computers In Over 150 Countries Were Infected

NATIONAL GOVERNMENT SERVICES

STATES AND MUNICIPALITIES

ELECTION SYSTEMS

CANADIAN COMMERCIAL

CANADIAN GOVERNMENT

RECENT BREACH

VERIZON DATA BREACH SURVEY
- In 2017 public sector organizations became the #1 target for cyberattacks
- Public Sector organizations were the 3rd most frequent data breach victims
- 21,000 breaches were reported among 92 public sector organizations surveyed – 239 were confirmed
- 41% contained stolen PII data

DIGITAL RISK TRANSFORMATION
Digital Risk is the risk associated with transforming traditional analogue and antiquated products, processes and services to new digital platforms using digital technology.
Enablement Risks
- Data privacy, e.g. Big Data, data warehouses, etc.
- Implementation issues with new technologies
- Third party providers (tech partners, consultants, operations support)
Optimization Risks
- Adoption rates and organizational change management
Transformation Risks
- Interruption or downtime due to transition
- High profile, reputational risks
- Third party providers (partners, consultants)
- Poor public adoption
- Opportunity costs if the wrong decision is made

DIGITAL RISK TRANSFORMATION
Digital Risk Management (DRM) facilitates the management of risks associated with digital business components such as cloud, mobile, social, big data, third party technology and Internet of Things (IoT).
Questions for the organization:
- How are traditional risk disciplines addressing digital business initiatives?
- How are traditional risk disciplines addressing OT?
- How does IoT impact the risk profile of the organization?
- Is the organization making the right strategic decisions in digitizing the business?
- What is the cloud strategy for the business and associated risks?
Enterprise Risk disciplines: Operational, Regulatory, Legal, Compliance, IT Risk Mgmt., Audit, Third Party Management, Security Risk Management, Business Continuity/DR, IT Services/Operations, Strategic, Performance, Corp Social Responsibility, Incident (business operations, regulatory & legal), Environmental, Physical Operations, Financial, Market, Credit, Liquidity Risk, Financial Controls, Fraud
Technical Landscape: IT systems, Operational Technology, IoT, Cloud (e.g. SaaS, Mobile, Social), Consumer Applications, Business Applications

RISKS APPEAR ACROSS THE GOVERNMENT ENTERPRISE
- Poor Public Service
- Negative Public Reputation
- Litigation
- Poor internal controls & governance
- Supply Chain Interruption
- Human errors
- Regulatory violations, fines and sanctions
- Employee Health & Welfare
- Privacy Breach
- Environmental damage
- Inefficient processes & technologies
- Unknown, unidentified risks
- Operations interruption
- Internal and external fraud
- 3rd party nonperformance, error or fraud
- Information Security breaches

MANAGING PRIVACY RISK IS BOTH A MISSION AND A TECHNOLOGY CHALLENGE
- Magnitude of risk increasing
- Velocity of risk increasing
- Risk complexity increasing

KEY PRIVACY PROGRAM MANAGEMENT ELEMENTS
Breach Response. Primary objective: Detect and respond to the threat before a breach occurs, but if a breach does occur, you need to know the details and exact impact.
Data Governance. Primary objective: Know where data is in the enterprise and who has access, and implement controls in data processing activities.
Risk Assessment. Primary objective: Establish a risk assessment process to ensure controls are appropriately designed.
Compliance Management. Primary objective: Establish a compliance program to ensure controls are effective and operational.

KEY PRIVACY PROGRAM INGREDIENTS
Risk Assessment
- Maintain assessment scopes for sensitive data environments
- Perform privacy impact assessments (PIA) and data protection impact assessments (DPIA) when required
- Identify operating conditions that may necessitate a DPIA
- Implement consistent processes for both existing environments and new initiatives
Data Governance
- Maintain an accurate and complete inventory of processing activities and information assets and related 3rd Parties
- Implement risk based access and authorization
- Ensure governance processes validate access levels
- Manage notice and consent activities and retention schedules linked to the information inventory
- Assess processing activities in accordance with prevailing requirements
Breach Response
- Streamline incident response and breach management processes
- Implement infrastructure that provides visibility across the enterprise
- Ensure forensic capabilities are in place to investigate properly
- Ensure logging capabilities are aligned with response needs
- Address data obfuscation and encryption controls
- Test and refine IR processes and procedures on a regular basis
Compliance Management
- Ensure issues are managed and tracked
- Establish policies, standards and controls
- Implement a training and awareness program specific to PII handling
- Streamline control testing scoping, execution, and reporting
- Look for control overlaps with other regulatory requirements to streamline and simplify your control framework
DON’T FORGET ABOUT THIRD PARTIES

PRIVACY AND SECURITY GO HAND IN HAND
EMBRACE A SECURITY FRAMEWORK
NIST CSF addresses standards, guidelines, and best practices. It promotes the protection of information and information systems, particularly within the critical infrastructure community.

FINAL THOUGHTS
- Public demand for enhanced, secure and continual info access is constant and growing – so are cyber threats
- Privacy-Security-Risk-Audit Teams need to collaborate and work together
- Ongoing updates to policies, procedures and controls to protect data, information access and systems

FINAL THOUGHTS
- Understand your “crown jewels” (data and systems) and how they’re managed, accessed and protected
- Encryption in transit and at rest / continual verification of privileges and access
- Build in resiliency and be prepared for the inevitable: create and update contingency plans, train employees and have system and data backups in place to minimize impact

FINAL THOUGHTS
- Implement continuous data monitoring and frequent risk management reviews and conduct “what if” scenarios
- Pay close attention to your extended ecosystem and key vendors with access to and handling data
- Privacy is everyone’s business - build a culture of awareness with employee awareness training (including leadership) to mitigate and minimize data and privacy risks – people, process and technology

QUESTIONS? THANK YOU!
Dan Carayiannis
dan.Carayiannis@rsa.com
CONFIDENTIAL
