Basic Digital Privacy for Auditors: A Refresher and Evolving Challenges December 2, 2014 Tom Tollerton, CISA, CISSP, CTGA, QSA Manager, IT Advisory Services - Cybersecurity Dixon Hughes Goodman LLP
Agenda • Definition of Privacy • Current Trends • Current Privacy Regulations • Auditing Privacy Programs • Evolving Challenges
Definition of Privacy What is privacy really? Privacy vs. Security
“If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them.” - Henry David Thoreau Walden
Definition(s) of Privacy • “Privacy is the protection of personal data and is considered a fundamental human right.” (OECD Guidelines, 1980) • “The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal data.” (AICPA/CICA, 2005) • “The right to be let alone.” (Warren/Brandeis, 1890) Source: IIA Global Technology Audit Guide, June 2006
Privacy vs. Security • Information Security: confidentiality, integrity, availability • When addressing privacy, security is a means to an end: it protects the data once collected, but privacy also governs whether and how the data should be collected, used, disclosed, and retained at all
Current Privacy Trends What are we seeing in the real world?
Increased Collection of PII • Supports normal business operation, but… • Also a result of far more sophisticated marketing strategies. • Businesses are even asking for PII in the name of SECURITY! • And yet, consumers continue to give up their sensitive information.
Increased Collection of PII • Good marketing is designed to encourage consumers to acquiesce • “Must have” product or service • Urgency – it’s now or you lose the deal • Scare tactics • Make the reward seem worth the risk • Creates tension and frustration between consumers and the providers they rely upon.
Evolving Roles • The Chief Privacy Officer role is often assigned to existing personnel out of necessity • It may be assigned to the security or IT director • That individual may not have the requisite privacy knowledge • Auditors are being looked to as advisors • Leaders know they must comply, but don’t know where to begin
Current Privacy Regulations Legal and industry requirements Non-regulatory expectations
New/Evolving Privacy Regulations • State Privacy and Breach Notification Laws • HIPAA Omnibus Rule
New/Evolving Privacy Regulations • HIPAA Omnibus Rule • Far more attention paid to Business Associates • More detailed language around what constitutes marketing
New/Evolving Privacy Regulations • State Privacy and Breach Notification Laws • Massachusetts Data Protection Law (201 CMR 17.00) • Went into effect in 2010 • Very specific technical requirements for data protection (e.g., encryption of personal information transmitted over public networks and stored on laptops or other portable devices) • Requires a documented written information security program (WISP)
New/Evolving Privacy Regulations • State Privacy and Breach Notification Laws • Florida Information Protection Act (FIPA) • Went into effect in 2014 • Requires reporting of breaches to the State Attorney General’s Office (Department of Legal Affairs) and notice to affected individuals within 30 days • Stipulates strict monetary penalties
New/Evolving Privacy Regulations • Growing number of regulations are increasing burdens on: • Businesses to achieve and maintain compliance • Internal auditors to keep up with auditing and reporting for each requirement
Auditing Privacy Programs Top questions for audit leaders Effective audit methodologies and frameworks. Gaining organizational support.
Top Questions • Does the organization understand its legal obligations for protecting PII? • Does the scope of the privacy program include all business services that may involve PII? • Are roles and responsibilities for privacy clearly assigned? • Outside of compliance requirements, how much risk of a privacy breach is the organization willing to accept?
Top Questions (cont’d) • Are personnel aware of their responsibilities and of acceptable behavior? • Does the organization know where and how all PII is stored, and how it is transmitted? • Vendor relationships: with whom is the organization sharing consumer data, and why? • Does the organization have a policy defining the limits on how PII is to be used?
Top Questions (cont’d) • Is there a data breach response plan covering investigation, reporting, customer notification, and testing? • Is there internal and external transparency? • How is policy enforced?
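The question “does the organization know where and how all PII is stored?” is usually answered by scanning file shares, exports and logs for PII patterns and reconciling the hits against the data inventory. The script below is an added example (not from the original deck or from Dixon Hughes Goodman) of such a discovery scan: it flags SSN-formatted numbers that pass basic plausibility rules, card numbers that pass the Luhn check, and e-mail addresses, and masks what it reports so the findings file does not itself become a PII store. The sample files are constructed inline; `scan_directory` is the same logic applied to a real path.

```python
"""PII discovery scan for a privacy audit: locate likely SSNs, payment card
numbers and e-mail addresses in text files, report them masked.
Added example; the sample "files" below are constructed, not real data."""
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; cuts most false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that the SSA never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # masked value, last four characters only


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(path, lineno, "ssn", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(path, lineno, "card", mask(digits)))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(path, lineno, "email", m.group(0)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (used for the constructed sample)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_directory(root: str) -> list[Finding]:
    """Scan every regular file under root as text, skipping undecodable bytes."""
    out: list[Finding] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            out.extend(scan_text(str(p), p.read_text(errors="ignore")))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample corpus: one valid SSN, one invalid (area 000), one card
# number that passes Luhn, one digit run that does not, two e-mail addresses.
SAMPLE_FILES = {
    "exports/customers.csv": (
        "name,ssn,email\n"
        "Ada Lovelace,219-09-9999,ada@example.com\n"
        "Bob Example,000-12-3456,bob@example.com\n"
    ),
    "logs/orders.log": (
        "order 1001 paid with 4111 1111 1111 1111\n"
        "ticket 1234-5678-9012-3456 opened\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.sample}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

The point of the plausibility and Luhn checks is audit credibility: a scan that flags every nine- or sixteen-digit number gets ignored, while one that reports only hits the organization cannot dismiss forces a real reconciliation with the inventory.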
ISACA/OECD Privacy Principles • ISACA Guideline G31 • Defines privacy • Links to Standards and CobiT • Describes performance of audit work • G31 relies upon 12 Privacy Principles outlined by the Organisation for Economic Co-operation and Development (OECD)
AICPA Generally Accepted Privacy Principles (GAPP) • AICPA GAPP • Defines 10 Privacy Principles similar to ISACA G31 • Provides end-to-end guidance on privacy program implementation, as well as auditing the program
ISACA/OECD and AICPA GAPP Privacy Principles (side-by-side comparison table, not reproduced here) Source: IIA Global Technology Audit Guide, June 2006
More Advanced Audit Workflows • Integrating with compliance workflows • Centralized enterprise GRC tool • Flag potential issues that could violate privacy policies or compliance requirements • Map redundant privacy controls • Track controls and business relationships • Continuous auditing • Technology helps ongoing auditing of key technical controls between audit cycles (e.g., file integrity monitoring such as Tripwire, database activity monitoring)
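Continuous auditing of a technical control, in the Tripwire style the slide refers to, comes down to a signed baseline of file digests and a periodic compare that reports what was added, removed or changed. The block below is an added example, not Tripwire's code and not from the original deck: it snapshots a directory tree, seals the baseline with an HMAC so that someone who alters the monitored files cannot quietly re-baseline as well, and diffs a later snapshot against it. The directory contents and the signing key are constructed for the demo; in practice the key and the sealed baseline live with the audit function, not on the monitored host.

```python
"""File-integrity baseline and compare for continuous auditing of a technical
control. Added example; the tree built in demo() is constructed in a temp dir."""
from __future__ import annotations
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal(snap: dict[str, str], key: bytes) -> dict[str, str]:
    """Serialize the baseline and attach an HMAC-SHA256 tag."""
    body = json.dumps(snap, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(sealed: dict[str, str], key: bytes) -> dict[str, str]:
    """Verify the tag before trusting the baseline; reject on mismatch."""
    expect = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, sealed["tag"]):
        raise ValueError("baseline tampered with or wrong key")
    return json.loads(sealed["body"])


def diff_snapshots(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict[str, list[str]]:
    # Assumption for the demo: in production this key is held by the audit
    # function, never stored on the host whose files are being monitored.
    key = b"baseline-signing-key-held-by-audit"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("log_pii=false\n")
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (root / "bin").mkdir()
        (root / "bin" / "export").write_bytes(b"\x7fELF constructed stub")
        sealed = seal(snapshot(root), key)

        # Simulated drift between two audit cycles: a config flipped to log
        # PII, an access-control file removed, an unapproved script added.
        (root / "etc" / "app.conf").write_text("log_pii=true\n")
        (root / "etc" / "hosts.allow").unlink()
        (root / "bin" / "dump_customers").write_text("#!/bin/sh\n")

        return diff_snapshots(unseal(sealed, key), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The compare output is what feeds the "how do we hold the organization accountable between audits" question on the next slide: each entry is a change to a control-relevant file that either has an approved change record or becomes an audit finding.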
Checking in with ourselves • Are we performing audits regularly? • How do we hold the organization accountable between audits? • Do audits address the full scope of PII in the organization? (Collection, use, storage, transmission, destruction, etc.) • Do we really have the training, understanding, and capacity to perform a thorough, effective audit? • Do we need to fill in knowledge gaps? • Do we need additional personnel resources?
Checking in with ourselves (cont’d) • Are we auditing based upon regulatory requirements and industry-accepted frameworks? • Are we pushing the organization based upon minimum regulatory/industry requirements alone, or do we go further? • Do we effectively communicate the business value of data privacy? • Do we constantly encourage and seek improvement? • Are we able to provide clear recommendations and a path for remediation?
Gaining Organizational Support: Value Proposition • What are the benefits of a strong Privacy Program? • Compliance validation • Confidence from business partners • Consumer trust and loyalty • Brand protection • Shareholder value
Gaining Organizational Support: Value Proposition • What are the CONSEQUENCES of a weak Privacy Program? • Regulatory penalties or industry fines • Significant investigation and remediation costs • Legal liability • Damaged reputation and brand • Damaged business relationships • Customer or employee distrust • Impaired organizational function
Evolving Privacy Challenges New digital products, services, and technologies. Evolving regulations. Resources and capacity.
New Products/Services/Technologies • Mobile Devices • App Revolution • Health/Fitness Tracking • “The Cloud” • Social Media
Evolving Compliance Requirements • States introducing individual legislation for data privacy and breach reporting • HIPAA Omnibus • Increased third party provider scrutiny (“Business Associates”)
Additional Privacy Challenges • Increased reliance upon third party providers • Resource constraints • New Frameworks – Where do they fit in? • NIST Cybersecurity Framework • SSAE 16 / SOC 1, 2
Starting to Address These Challenges • Incorporate continual evaluation of third parties and how they access, use, and destroy information. • Maintain close relationship with internal or external legal counsel to understand ongoing compliance requirements. • Continue to make Security and Privacy Awareness a critical part of operations. • Simplify and consolidate our privacy policies.
Reminder: Data Privacy Day, Wednesday, January 28, 2015. Declared by the US House of Representatives (402-0), House Resolution HR 31, January 28, 2009
For More Information/Assistance Tom Tollerton, CISA, CISSP, CTGA, QSA Manager, IT Advisory Services – Cybersecurity Dixon Hughes Goodman LLP 704.367.7061 (d) 941.685.0004 (c) email@example.com @dhg_cyber • PCI Compliance Assessments • TG3/TR39 PIN Security Audits • HIPAA Security Risk Analyses • SSAE 16 / SOC Audits • Network Vulnerability Assessments • Penetration Testing