December 2, 2014

Presentation Transcript

  1. Basic Digital Privacy for Auditors: A Refresher and Evolving Challenges
  December 2, 2014
  Tom Tollerton, CISA, CISSP, CTGA, QSA
  Manager, IT Advisory Services - Cybersecurity
  Dixon Hughes Goodman LLP

  2. Agenda
  • Definition of Privacy
  • Current Trends
  • Current Privacy Regulations
  • Auditing Privacy Programs
  • Evolving Challenges

  3. Definition of Privacy
  What is privacy really?
  Privacy vs. Security

  4. “If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them.”
  - Henry David Thoreau, Walden

  5. Definition(s) of Privacy
  • “Privacy is the protection of personal data and is considered a fundamental human right.”
    • OECD Guidelines, 1980
  • “The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal data.”
    • AICPA/CICA, 2005
  • “The right to be let alone.”
    • Warren/Brandeis, 1890
  Source: IIA Global Technology Audit Guide, June 2006

  6. Privacy vs. Security
  • Information Security:
    • Confidentiality
    • Integrity
    • Availability
  • When addressing privacy, security is part of a means to an end

  7. Current Privacy Trends
  What are we seeing in the real world?

  8. Increased Collection of PII
  • Supports normal business operation, but…
  • Also a result of far more sophisticated marketing strategies.
  • Businesses are even asking for PII in the name of SECURITY!
  • And yet, consumers continue to give up their sensitive information.

  9. Proliferation of Services

  10. Increased Collection of PII
  • Good marketing is designed to encourage consumers to acquiesce
    • “Must have” product or service
    • Urgency – it’s now or you lose the deal
    • Scare tactics
    • Make the reward seem worth the risk
  • Creates tension and frustration between consumers and the providers they rely upon.

  11. Evolving Roles
  • Chief Privacy Officer is being assigned to existing personnel out of necessity
    • May be assigned to security or IT director
    • Individual may not have requisite knowledge
  • Auditors are being looked to as advisors
    • Leaders know they must comply, but don’t know where to begin

  12. Current Privacy Regulations
  Legal and industry requirements
  Non-regulatory expectations

  13. New/Evolving Privacy Regulations
  • State Privacy and Breach Notification Laws
  • HIPAA Omnibus Rule

  14. New/Evolving Privacy Regulations
  • HIPAA Omnibus Rule
    • Far more attention paid to Business Associates
    • More detailed language around what constitutes marketing

  15. New/Evolving Privacy Regulations
  • State Privacy and Breach Notification Laws
    • Massachusetts Data Protection Law (201 CMR 17.00)
      • Went into effect 2010
      • Very specific technical requirements for data protection
      • Requires documented policies

  16. New/Evolving Privacy Regulations
  • State Privacy and Breach Notification Laws
    • Florida Information Protection Act (FIPA)
      • Went into effect 2014
      • Requires reporting of breaches to the State Attorney General’s Office
      • Stipulates strict monetary penalties

  17. New/Evolving Privacy Regulations
  • Growing number of regulations are increasing burdens on:
    • Businesses to achieve and maintain compliance
    • Internal auditors to keep up with auditing and reporting for each requirement

  18. Auditing Privacy Programs
  Top questions for audit leaders
  Effective audit methodologies and frameworks.
  Gaining organizational support.

  19. Top Questions
  • Does the organization understand its legal obligations for protecting PII?
  • Does the scope of the privacy program include all business services that may involve PII?
  • Assignment of Roles and Responsibilities
  • Outside of compliance requirements, how much risk of a privacy breach is the organization willing to accept?

  20. Top Questions (cont’d)
  • Awareness of responsibilities and acceptable behavior
  • Does the organization know where and how all PII is stored? How it is transmitted?
  • Vendor relationships. Who is the organization sharing consumer data with and why?
  • Does the organization have a policy defining the limits on how PII is to be used?

  21. Top Questions (cont’d)
  • Data breach response plan
    • Investigation
    • Reporting
    • Customer Notification
    • Testing
  • Internal and external transparency
  • How is policy enforced?

  22. ISACA/OECD Privacy Principles
  • ISACA Guideline G31
    • Defines privacy
    • Links to Standards and CobiT
    • Describes performance of audit work
  • G31 relies upon 12 Privacy Principles outlined by the Organisation for Economic Co-operation and Development (OECD)

  23. AICPA Generally Accepted Privacy Principles (GAPP)
  • AICPA GAPP
    • Defines 10 Privacy Principles similar to ISACA G31
    • Provides end-to-end guidance on privacy program implementation, as well as auditing the program

  24. GAPP Privacy Program

  25. ISACA/OECD and AICPA GAPP Privacy Principles
  Source: IIA Global Technology Audit Guide, June 2006

  26. Fully Understanding Privacy Principles

  27. Fully Understanding Privacy Principles (cont’d)

  28. Basic Privacy Audit Program

  29. More Advanced Audit Workflows
  • Integrating with compliance workflows
    • Centralized enterprise GRC tool
    • Flag potential issues that could violate privacy policies or compliance requirements
    • Map redundant privacy controls
    • Track controls and business relationships
  • Continuous auditing
    • Technology helps ongoing auditing of key technical controls (e.g. Tripwire, database activity monitoring)

  30. Checking in with ourselves
  • Are we performing audits regularly?
  • How do we hold the organization accountable between audits?
  • Do audits address the full scope of PII in the organization? (Collection, use, storage, transmission, destruction, etc.)
  • Do we really have the training, understanding, and capacity to perform a thorough, effective audit?
    • Do we need to fill in knowledge gaps?
    • Do we need additional personnel resources?

  31. Checking in with ourselves (cont’d)
  • Are we auditing based upon regulatory requirements and industry accepted frameworks?
  • Are we pushing the organization based upon minimum regulatory/industry requirements alone, or…
  • Do we effectively communicate the business value of data privacy?
  • Do we constantly encourage and seek improvement?
  • Are we able to provide clear recommendations and a path for remediation?

  32. Gaining Organizational Support: Value Proposition
  • What are the benefits of a strong Privacy Program?
    • Compliance validation
    • Confidence from business partners
    • Consumer trust and loyalty
    • Brand protection
    • Shareholder value

  33. Gaining Organizational Support: Value Proposition
  • What are the CONSEQUENCES of a weak Privacy Program?
    • Regulatory penalties or industry fines
    • Significant investigation and remediation costs
    • Legal liability
    • Damaged reputation and brand
    • Damaged business relationships
    • Customer or employee distrust
    • Impaired organizational function

  34. Evolving Privacy Challenges
  New digital products, services, and technologies.
  Evolving regulations.
  Resources and capacity.

  35. New Products/Services/Technologies
  • Mobile Devices
  • App Revolution
  • Health/Fitness Tracking
  • “The Cloud”
  • Social Media

  36. Evolving Compliance Requirements
  • States introducing individual legislation for data privacy and breach reporting
  • HIPAA Omnibus
    • Increased third party provider scrutiny (“Business Associates”)

  37. Additional Privacy Challenges
  • Increased reliance upon third party providers
  • Resource constraints
  • New Frameworks – Where do they fit in?
    • NIST Cybersecurity Framework
    • SSAE 16 / SOC 1, 2

  38. Starting to Address These Challenges
  • Incorporate continual evaluation of third parties and how they access, use, and destroy information.
  • Maintain close relationship with internal or external legal counsel to understand ongoing compliance requirements.
  • Continue to make Security and Privacy Awareness a critical part of operations.
  • Simplify and consolidate our privacy policies.

  39. Reminder: Data Privacy Day
  Wednesday, January 28, 2015
  Declared by US House of Representatives (402-0), House Resolution HR 31, January 28, 2009

  40. Questions

  41. For More Information/Assistance
  Tom Tollerton, CISA, CISSP, CTGA, QSA
  Manager, IT Advisory Services – Cybersecurity
  Dixon Hughes Goodman LLP
  704.367.7061 (d)
  941.685.0004 (c)
  @dhg_cyber
  • PCI Compliance Assessments
  • TG3/TR39 PIN Security Audits
  • HIPAA Security Risk Analyses
  • SSAE 16 / SOC Audits
  • Network Vulnerability Assessments
  • Penetration Testing