PwC Insights
Agenda
a) Information Security Management
1. Standards and frameworks
2. What are the drivers we see for information security?
b) Data Privacy
c) Technical Security
1. IoT Security - Example Connected Car
2. Supply Chain Security - Example TISX Certification
3. Production Security - Example SCADA Security
May 2017, Information Security
Information security management has developed significantly throughout the last decades
As a result, companies need to consider a multitude of standards, frameworks and regulations:
ISO 2700x
NIST
HIPAA
ITIL
BS 15000…
Cobit
BSI GS
PCI-DSS
PwC's value-chain-based approach provides a sustainable advantage in meeting relevant requirements
Figure: information security management mapped onto the industrial value chain
Industrial value chain: R&D Product Innovation & Development; Sales & Marketing; Production; Product Logistics; Operation / Aftersales / Service Management
Supporting processes: Business Development & Planning; Finance & Investment Management; Technology & Resource Management; Procurement; Corporate Governance / Legal
Information security management dimensions: Technology; Process; People; Policies & Regulations; Organization
Information Security Management Function (pillars): Risk Mgmt.; Governance; Monitoring & Reporting; Consulting & Awareness; Assessment; Incident Mgmt.
PwC's framework "simplifies" information security into 6 pillars across 5 dimensions
Five dimensions: Technology; Process; People; Policies & Regulations; Organization
PwC framework for Information Security: six pillars
Risk Mgmt.: Risk evaluation and risk management with a focus on digital business processes
Governance: Establish effective governance in order to support timely adaptation to ever-changing requirements and threat landscapes
Monitoring & Reporting: Build transparency regarding the current status of information security and report the effectiveness and efficiency of the management system
Consulting & Awareness: Creation of an information security culture and support of business units with less knowledge, within line functions as well as in projects
Assessment: Systemic assessment of the status of the information security management system in order to identify improvement opportunities and define corresponding measures to close identified gaps
Incident Mgmt.: Establish, run and test a security incident management process
Pillar 1 - Risk Management: The basis for decision making
Focus area
• Determine risk appetite and risk evaluation methodology based on company strategy
• Definition of the risk assessment and risk management process and definition of exception processes
• Creation and update of risk registers and integration into the overall risk management of the company
• Creation and update of exception registers
• Regular review of accepted risks and exceptions
Extract of the 5 dimensions
Organization: Information security risk management organization
Policies & Regulations: Risk management policy; Exception handling policy; Ensure appropriate risk level in other policies
People: Risk management training
Process: Risk management process; Exception handling process; Ensure appropriate risk level in other processes
Technology: Workflow-supported risk management tool; Technology selection and operation support
Extract of references to standards
ISO 27001: 6.1.2 Information security risk assessment; …
ISO 27002: 12.6.1 Management of technical vulnerabilities; …
BSI-Grundschutz: 100-2 Schutzbedarfsanalyse (protection needs analysis); 100-3 Risikoanalyse (risk analysis)
NIST: RA-1 Risk assessment policy and procedures; …
Pillar 2 - Governance: Policies and security organization
Focus area
• Establish organizational and process structures that enable the company to identify and react to the ever-changing environment (threat landscape and regulations)
• Definition of the overarching document lifecycle management process
• Establish the necessary boards or committees to ensure full insight into and control of information security in all business areas (cross-functional/cross-silo governance)
Extract of the 5 dimensions
Organization: Overall information security organization
Policies & Regulations: Document management policy; Information security policy and all lower-level policies
People: Chief Information Security Officer (CISO); Security Information Officer; Contact points
Process: Document management process; Compliance management process
Technology: Workflow-supported document management; Specific hardening policies
Extract of references to standards
ISO 27001: 5.2 Policy; 5.3 Organizational roles, responsibilities and authorities; …
NIST: PL-1 Security planning policy and procedures
BSI-Grundschutz: 100-2 Bereitstellung der Ressourcen für die Informationssicherheit (provision of resources for information security); …
Pillar 3 - Monitoring and Reporting: Creating transparency
Focus area
• Monitoring of technology components such as network devices, firewalls and servers as well as overarching systems like SIEM
• Definition and measurement of KPIs and KRIs
• Aggregation of available information (collected on the technology level as well as through assessments) into meaningful reports to enable proactive management, as well as for senior management
Extract of the 5 dimensions
Organization: Collection and aggregation across multiple silos and functions
Policies & Regulations: Reporting procedure and reporting content; Monitoring policy on the technology level
People: Transparency on the current status for all employees
Process: Security monitoring process and escalation rules; Reporting process and acceptance levels of reports
Technology: Security monitoring technology (e.g. SIEM); KPI aggregation system
Extract of references to standards
ISO 27001: 5.3 Organizational roles, responsibilities and authorities; …
ISO 27002: 13.1.1 Network controls; …
BSI-Grundschutz: 100-2 Managementreport (management report); …
NIST: PE-3(3) Continuous guards/alarms/monitoring; AU-6 Audit review, analysis, and reporting; …
Pillar 4 - Consulting & Awareness: Creating security culture
Focus area
• In-house consulting support within strategic and cross-functional projects as well as in business units with fewer contact points to information security / lower information security maturity
• Creation of an information security culture in the mindset of the employees and, moreover, of management and senior management
• Enforce security and inform staff of updates and changes to information policies in stakeholder-adequate communication formats
Extract of the 5 dimensions
Organization: Cross-functional integration of awareness campaigns
Policies & Regulations: Regulations on mandatory trainings related to security; Communication of policies; On- and off-boarding policy
People: Create security awareness and culture; Support on- and off-boarding of employees
Process: Awareness process; Enforcement of training; Enforcement of on-boarding and off-boarding
Technology: Tool support for follow-up of incidents and missed training
Extract of references to standards
ISO 27001: 7.3 Awareness; …
ISO 27002: 7.1.2 Information security awareness, education and training; …
BSI-Grundschutz: 100-2 Einbindung aller Mitarbeiter in den Sicherheitsprozess (involvement of all employees in the security process)
NIST: AT-1 Security awareness and training policy and procedures
Pillar 5 - Assessment: Independent oversight
Focus area
• Systemic approach covering all areas of the information security management system in accordance with the risk appetite and the risk assessments performed
• Define the assessment methodology and conduct assessment planning
• Review self-assessments, perform independent assessments and register findings and recommendations
• Follow up on identified findings and validate whether the issues have been either solved or accepted
Extract of the 5 dimensions
Organization: Independent function for oversight, including the authority to assess and communicate results to management
Policies & Regulations: Cross-functional assessment regulations and policies; Assessment of policies against best practices
People: Assess the behavior of employees at entrances and gateways as well as with found USB sticks
Process: Assessment process; Follow-up process; Assessment of compliance with processes
Technology: Workflow-supported assessment tool; Assessment of compliance with technology policies
Extract of references to standards
ISO 27001: 9.2 Internal audit; 9.3 Management review; …
ISO 27002: 12.7 Information systems audit considerations; …
BSI-Grundschutz: 100-2 Methoden zur Überprüfung des Informationssicherheitsprozesses (methods for reviewing the information security process)
NIST: AU-6 Audit review, analysis, and reporting; …
Pillar 6 - Incident Management: Becoming cyber resilient
Focus area
• Define and establish a process that handles information security incidents, including prioritization and escalation
• Create a knowledge base on how to address repetitive incidents
• Establish breach response capabilities to identify, contain and resolve the security breach, including preparing press statements and external stakeholder information
Extract of the 5 dimensions
Organization: Escalation, responsibility and organizational format in crisis situations
Policies & Regulations: Security incident policy; Crisis policy and handbook
People: Sufficient incident training and crisis simulations for relevant employees
Process: Incident management process and connection into all operational processes, especially monitoring
Technology: Workflow-supported risk management tool; Input from the technology stack through monitoring
Extract of references to standards
ISO 27002: 16 Information security incident management; …
BSI-Grundschutz: 100-2 Kommunikation, Einbindung und Meldewege (communication, involvement and reporting channels)
NIST: IR-1 Incident response policy and procedures; …
Implementation of standards in companies: definition, implementation, improvement
Step | Examples | Actors
Definition of generic "best practices" for managing information security | BSI 100-1, 100-2, ISO 27001 | International Organization for Standardization
Customization of the generic "best practices" to the individual context of the company | Gap analysis, management buy-in | Industry and professional consulting
Implementation of the customized processes within the company | Policies, business processes, infrastructure | Management
Monitoring and checking of the information security processes | KPIs, benchmarking, ICS | Internal audit, IT monitoring, CISO
Audit of the processes and the technology (infrastructure) against the standards | ISMS audit, penetration testing | Independent external auditors
ISO domains
Levels: Management level; Operative level
Aspects: Management aspects; Technical aspects; Physical aspects
Domains: Security policy; Organization of the information security management; Identity & access management; Incident management; Asset management; Compliance; Personnel security; IT service continuity; Acquisition, planning and operation of IT systems; Communication & operative management; Physical / perimeter security
The digital enterprise comprises digitized and integrated processes, products & business models
Core application fields
• Digitization of product and service offerings
• Digitization and integration of vertical and horizontal value chains
• Digital business models and customer access
• Industry 4.0
Digital enablers: Compliance, security, legal & tax; Organisation, employees and digital culture; IT architecture and data management
Core technologies to provide innovative Industry 4.0 solutions: Location detection technologies; Cloud computing; Smart sensors; Augmented reality / wearables; Internet of Things; 3D printing; Big data analytics; Advanced human-machine interfaces; Mobile devices; Customer profiling; Authentication & fraud detection
Examples
Over-the-top players: new players entered the rising digital market
• Technology as the core of the business (data-centric business models)
• Scalable business
Target companies: adaption of the insights of the OTT players
• Linear business models
• Slow growth
Trends: Social computing; Internet of Things; Cloud computing
Examples: Deutsche Post (Handyporto); BMW (BMW Connected); Deutsche Bahn (Touch & Travel)
Digital transition drives the metamorphosis of the value chain
Mobile devices
FintechOpenSource
Industrie 4.0
Cloud
Big data
Connected car
Internet of things
Mobile online services
The transformation drives the need for trust across the whole corporate IT
• Investment: The volume of investment in the different sectors of a company varies widely and requires differing prioritization of the topic of "security".
• Evolution: Development in the three areas is based on deviating parameters. While products are oriented towards the customer market, production is based on efficiency and business IT on functionality.
• Organization: All three areas are usually subdivided into different departments, which can follow divergent strategies.
"The executive board has to take appropriate measures, [...], to detect early on developments jeopardizing the continued existence of the company." 1
Management of cyber security is a compliance issue for our digital clients
Fundamentals: A management system for information security is, in our opinion, an important subsystem. Detailed requirements come from laws 2 / jurisprudence and from norms/standards.
Design: Information security needs to be implemented company-wide and across sectors, with a needs-oriented, individual design according to the current state of the art with regard to organization, structures and technologies.
Correct implementation: The ISMS supports the executive board in meeting its organizational duties in the subject of information security. Appropriate measures are designed, implemented, sufficiently monitored, audited and adequately documented.
Outlook: Foreseeable, more concrete regulatory requirements in the course of digitalization: Car Spy Act; IT security act; EU NIS directive. Tendency towards increasingly exposed responsibility of the executive board in case of compliance and security violations. An ISMS supports, amongst others, effectiveness review, documentation and further development of requirements.
Inputs to the integrated management system: National provisions; International provisions; Business-specific provisions; Information security compliance; …
1 § 91 II AktG
2 Examples: protection of business secrets and know-how; protection of industrial property rights (e.g. patents, brands in the design and registration phase or UrhG); surveillance of third parties, e.g. suppliers, for the purpose of third-party compliance (e.g. BGB, ProdHG, PatG, UWG)
Data in companies: the knowledge pyramid
May 2017, Data Privacy
Pyramid levels, from bottom to top: Collect; Order; Analyse; Synthesise; Summarise; Decide; Action
Characters: individual symbols, e.g. "01707864279"
Syntax: individual characters are arranged into a statement by means of syntax, e.g. "0170-7864 279"
Semantics: statements/data are assigned a meaning, e.g. "Mobile no.: 0170-7864279"
Pragmatics/linking: information is linked with experience and context information, e.g. "Hans-Hermann Gröger, PwC GmbH, Dipl Kfm, CISA, information security expert, mobile no.: 0170-7864 279"
Data in companies
Which data sources will grow most strongly in your company? Figures in percent, n=254, multiple answers possible. Source: IDC, October 2012
Chart (percentages not recoverable): business areas Marketing/Sales; Procurement/Logistics; Innovation; HR; IT; Value creation; Finance/Controlling; Production, with classification levels public, internal, confidential (1), secret (2), and process
Information Lifecycle Management
1 Create
• How can specific data help you to gain a competitive advantage?
• Which data are required to support the business goals?
• Which type of information do you want to store and which regulations require compliance?
• Will you acquire data from external resources or create them within the company?
• How often are the data updated?
• How are new data sources and information objects incorporated and managed?
2 Store
• Are there requirements to store information in a specific form (standard data type)?
• Which storage type is the best fit for business and legal requirements?
• Is there a single source of truth for specific information?
• Is information stored in its original data form or managed in a central vault (MDM)?
• Is it required to keep different versions of data (files)?
• Are there disaster recovery processes in place?
• What is the expected volume (in GB or TB) of data and how high is the traffic/change rate?
• How long does each data type need to be kept?
• How often and on which time frame will you evaluate data?
• Who is responsible for the various data collections?
3 Use
• Who needs to access the data and who explicitly not?
• Is there a specific level of detail to which access needs to be granted (raw information, aggregated information, insights/trends)?
• Which processes depend on a specific data collection?
• Do you have the required data aggregation and integration skillsets and infrastructure?
• In which frequency are data accessed, modified, aggregated and analyzed?
4 Share
• What kind of information will be published and in which form?
• What processes / distribution channels are used to share information?
• Which distribution spaces exist (group-specific, company-wide, third parties, public)?
• Are there any established copyrights on data?
• In which level of detail are data to be shared?
• Will data sharing be restricted due to e.g. publishing or patenting?
• Do you intend to make all your data available for sharing?
• In which repository do you plan to deposit and share your data?
• Will a data sharing agreement be required?
• What other documentation and contextual information will be available in order to help others understand the data?
5 Archive
• Which medium (physical, digital), form (pdf, odf), and location (local, regional, global) is required to archive data?
• What are the legal requirements and which information objects are affected?
• Which internal/company-specific policies exist?
• How will data security be guaranteed (e.g. encryption)?
• Is the available storage sufficient or will you need to invest in additional services?
6 Re-Use
• How fast can data be "activated" and staged?
• In which interval will data be used?
• Is access to raw data or insights required?
• Does metadata have to be restored as well?
7 Destroy
• After which time period can data be destroyed?
• Which processes and technologies assure that no information can be restored?
• Which policies exist for the different information objects?
Information Lifecycle Management: continuous alignment between strategy, governance, architecture & technology, and analytics
Figure labels: Conditions/guidelines; Value creation; Specifications; Use cases; Requirements
• Minimise risk through transparency of roles & processes and clear specifications for handling data
• Justify costs through efficient implementation of the specifications and realisation of the value-creation potential of the data
• Generate value through revenue growth, cost optimisation and sustainability
Guiding questions: What is regulated, who controls it, and which data do we need? What new knowledge have we gained and which insights follow from it? How do we position ourselves and what is our focus?
Business risks arising from data (examples)
Event | Impaired protection goals | Business risk
Unauthorised manipulation of accounting data | Integrity | Cash-out through processing of the manipulated data
Data theft, theft of hardware | Confidentiality | Loss of innovation
Publication of personal data | Confidentiality | Penalties for data protection violations, reputational damage
Failure of archive systems for accounting data | Availability | Tax estimate, penalties for improper bookkeeping
Faulty processing of orders or delivery call-offs | Availability | Supply chain failures, lost revenue
Asset sabotage | Integrity, availability | Interruption of production or services
Data security and data protection
| Data security | Data protection
Description | Protection of companies and their governing bodies against risks arising from data | Protection of the fundamental and personal rights of natural persons
Goals | Ensuring confidentiality, integrity and availability | Ensuring informational self-determination
Sources / basis | Handelsgesetzbuch (HGB), Abgabenordnung (AO), IT-Sicherheitsgesetz (ITSiG), Bürgerliches Gesetzbuch (BGB) | Bundesdatenschutzgesetz (BDSG), Datenschutzgrundverordnung (EU-DSGVO)
Example risks | Cash-out, production downtime | Fines for compliance violations, reputational damage
Data security in the information lifecycle
1 Create
• Classification of data according to protection need (confidentiality, integrity, availability)
• Input and capture controls (integrity)
2 Store
• Encryption of storage media and databases (confidentiality)
• Backups and redundant mass storage (availability)
3 Use
• Access and admission regulations (confidentiality, integrity)
• Continuous monitoring of system availability (availability)
4 Share
• Monitoring of interfaces (availability)
• Securing communication by means of PKI (integrity)
5 Archive
• Technical measures to ensure read-only access (integrity)
• Protection against physical damage to storage media (availability)
6 Re-Use
• Regular tests of the procedures for retrieving information from the archive (availability)
7 Destroy
• Specified procedures for the destruction of storage media (confidentiality)
• Multi-stage approval procedures before destruction (availability)
Data protection in the information lifecycle
1 Create
• Obtain/verify consent for the processing of personal data
• Inform data subjects about data collection and processing
2 Store
• Ensure an appropriate storage location (especially for cloud storage)
• Obtain/verify consent for storage in third countries
3 Use
• Anonymisation/pseudonymisation
• Check whether the purpose of the data processing/use is permissible and corresponds to the consent
4 Share
• Verify consent for data transfer
• Reporting procedure for unintended transfer/disclosure
5 Archive
• Define a maximum retention period for archiving
• Ensure an appropriate storage location (especially for cloud storage)
6 Re-Use
• Check whether the data may still be used
• Check whether the purpose of the data processing/use is permissible and corresponds to the consent
7 Destroy
• Ensure deletion of personal data also at third parties (e.g. commissioned data processing)
• Technical measures for irreversible deletion
The General Data Protection Regulation in a nutshell (EU-DSGVO)
Scope
• Processing of personal data in the context of the activities of an establishment in the Union
• Regardless of where the processing takes place
• Limited to the protection of natural persons
• Regardless of the degree of automation of the processing
• Not limited to processing in IT systems
Basic principles
• Prohibition subject to permission: apart from exceptional cases, the consent of the data subject is required
• Data minimisation: processing is limited to what is appropriate for the purpose
• Purpose limitation: personal data may only be collected for specified, explicit and legitimate purposes
• Data security: appropriate technical and organisational security measures to protect personal data are required; assessing their appropriateness requires a risk assessment
• Transfer to third countries: the transfer of personal data to third countries is permitted if an adequate level of protection is guaranteed; this can be demonstrated, among other ways, by a decision of the European Commission, and in special cases by the consent of the data subject
• Accountability: the controller/processor must demonstrate data protection compliance
The General Data Protection Regulation in a nutshell (EU-DSGVO)
Rights of data subjects
• Duty to inform
Data subjects must be informed when their data is collected. The type and scope of the information depend on whether the data is collected directly from the data subject. Among other things, the purpose of the data collection and processing must be stated.
• Right of access
On request, natural persons must be told whether personal data concerning them is being processed. In addition, the personal data and extensive information about the processing must be provided (including purpose, duration and the recipients to whom the data has been disclosed). The rights and freedoms of other persons must be respected when answering such requests.
• Rectification and erasure
Data subjects must be granted the right to rectification of their personal data.
Data subjects have the right to demand the immediate erasure of their personal data if, for example, the data is no longer necessary for the purpose of collection, the consent for processing is withdrawn, or the data was collected unlawfully.
Data that has been disclosed to third parties must also be erased by those third parties.
The General Data Protection Regulation in a nutshell (EU-DSGVO)
Technical and organisational data protection
• Privacy by design and privacy by default
Default settings for the processing of personal data must be designed so that only the data necessary for the specific purpose is processed. The rule has indirect effects on IT products and procedures.
• Notification of personal data breaches
Breaches of the protection of personal data must be reported to the competent supervisory authorities within 72 hours.
• Data protection impact assessment
Where the data processing is likely to result in a high risk to personal rights and freedoms, an impact assessment for the protection of personal data must be carried out (e.g. for video surveillance). The company or authority data protection officer must be involved.
• Obligation to appoint a data protection officer
All public bodies and companies whose core activity consists of data processing must appoint a data protection officer. Member states may prescribe further cases in national law.
• Codes of conduct and certifications
Codes of conduct and certifications are intended to simplify procedures under the EU-DSGVO (e.g. the provision of evidence) and to constitute a competitive advantage. Certifications can be issued by the supervisory authorities or by accredited bodies.
Challenges of data protection projects (examples)
Challenge: Governance. Background and exemplary measures
Instead of a one-off project, measures and procedures must be put in place that ensure lasting, adaptive fulfilment of the requirements.
• Central body for steering and monitoring compliance with the requirements
• Mandatory assessment as a matter of principle within new developments and projects
• Specifications for recording and documenting the collection of data and the use of data
Challenge: Data inventory. Background and exemplary measures
Both the company's data itself and the context in which it is collected and used must be completely identified and evaluated.
• Analysis of the data to determine any personal reference, either original or through linkage with other personal data
• Complete identification and documentation of the business processes and of the data collected or used in those business processes
Challenge: Consent management. Background and exemplary measures
With regard to the personal data held, it must be managed for which uses of this data consent exists.
• Identification and classification of the types/variants of use for the individual data
• Set-up of a system for managing the consents for the use of the individual data and for changing consent to use
• Establishment of reliable organisational measures to ensure that data is only processed with consent
Challenge: Data subject rights. Background and exemplary measures
A platform must be provided that enables access to, correction, deletion and provision of the data stored about a person.
• Set-up of a repository for automatically determining the data stored in the individual systems
• Development of a central platform for managing data subject requests
• Establishment of suitable authentication and authorisation procedures
• Extension of the existing systems with (interface) functions for access, correction, deletion and provision
Lack of security arises from an insufficient project environment
Connected car: influencing factors & project environment
Influencing factors: Time; Competition; Budget; Compliance
Current project environment: Limited capabilities & capacity; Competitive/market pressure; Budget pressure; Lack of responsibility; Time pressure; Conflicts of interest
Automotive IT
Connected car and autonomous driving is a new topic for car manufacturers, within a new environment for people in IT, R&D, sales and security. Given tough competition and market pressure, it is important to deliver working solutions by the date of SOP. The path to getting these solutions working, and the solutions themselves, show some significant challenges.
May 2017, IoT Security
Missing synchronization of the classic car development and the related IT projects leads to insufficient security
Timeline up to SOP (figure):
Marketing & Sales: Development; Pre-sales
Car development: Development; Prototyping & Test
Backend development: Development; Prototyping & Test
A minimum requirement specification leads to an unsecure solution
IoT Security - Automotive security from the technological perspective
Internet and backend 1)
• Backend services
• Navigation services
• Wireless update / OTA / cloud services
• SMS, intelligent emergency call (eCall) 2)
Interfaces to the vehicle
• Mobile communications
• WLAN
• Bluetooth
• Kessy
• TPMS
• Diagnosis (OBD2)
• OCU1
IT security in the vehicle
• CAN bus network
• FlexRay
• Ethernet
• MOST
• LIN bus
• Control devices
1) Group backend as well as provider backend 2) possibly belongs to the provider backend
IoT Security – Information security has to be part of the vehicle development process
Methods
• Systematic, risk based and criticality driven approach
• Framework for the evaluation of risks
• Iterative approach
Phase 1: Modelling of the threat detection map
1. Systematic registration and decomposition of the vehicle
2. Conception of the data flowchart
3. Valuation of assets and protection objectives
4. Representation and weighting of direct and indirect attack paths
Phase 2: Documentation review
1. Review of the documentation
2. Validation and itemisation of the identified threat scenarios
3. Identification and assessment of available protection measures
4. Assessment of the feasibility of threat scenarios
Phase 3: Determining the examination catalog
1. Conception of the priorities for security tests (test depth will be determined based on the criticality of components)
2. Derivation of audit objectives
3. Conception of the examination catalog
Phase 4: Perform analyses
1. Performing the analysis according to the examination catalog: functional tests (e.g. based on ISO 29119) and explorative penetration tests
Phase 5: Risk assessment and derive measures
1. Valuation of risks
2. Measures to address the risks and formulate the assessment of the residual risk
3. Updating the threat detection map
Phase 6: Set up documentation
1. Overview of the results
2. Correlation and processing of the results
3. Recommendation of measures for removal of deficiencies
4. Overall evaluation and risk classification
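As an added illustration of phase 1 (modelling the threat map with weighting of direct and indirect attack paths) and phase 3 (test depth derived from component criticality), and not code from the original slides: the Python below builds a constructed data-flow graph from component names on the technology overview, ranks the cheapest path from each external interface to each valued asset, and sums those path weights into a per-component criticality score. The flows, effort weights, asset values and the node names Infotainment and Gateway are assumptions.

```python
import heapq
from collections import defaultdict
# Constructed threat map (hypothetical data flows, not an actual vehicle
# architecture): nodes are components from the technology overview, each edge
# a data flow with an assumed effort weight (higher = more protection between).
FLOWS = [
    ("Mobile communications", "OCU", 2), ("WLAN", "OCU", 1), ("OCU", "Ethernet", 2),
    ("Bluetooth", "Infotainment", 1), ("Infotainment", "MOST", 1), ("MOST", "Gateway", 2),
    ("Ethernet", "Gateway", 3), ("Gateway", "CAN bus", 4), ("Diagnosis (OBD2)", "CAN bus", 1),
    ("CAN bus", "Engine control device", 1), ("CAN bus", "Brake control device", 1),
]
# Assumed valuation of assets (protection objectives): higher = more critical.
ASSET_VALUE = {"Engine control device": 5, "Brake control device": 5,
               "CAN bus": 4, "Gateway": 3, "OCU": 2}
ENTRY_POINTS = ["Mobile communications", "WLAN", "Bluetooth", "Diagnosis (OBD2)"]

def cheapest_paths(flows, start):
    """Dijkstra: lowest total effort from `start` to each reachable component, plus its path."""
    adj = defaultdict(list)
    for src, dst, effort in flows:
        adj[src].append((dst, effort))
    best, queue = {start: (0, [start])}, [(0, start, [start])]
    while queue:
        cost, node, path = heapq.heappop(queue)
        if cost > best[node][0]:
            continue  # stale entry: a cheaper path to this node was already found
        for nxt, effort in adj[node]:
            if nxt not in best or cost + effort < best[nxt][0]:
                best[nxt] = (cost + effort, path + [nxt])
                heapq.heappush(queue, (cost + effort, nxt, path + [nxt]))
    return best

def attack_paths(flows, entry_points, asset_value):
    """Cheapest direct (one hop) or indirect path from each entry point to each valued asset."""
    rows = []
    for entry in entry_points:
        for asset, (cost, path) in cheapest_paths(flows, entry).items():
            if asset in asset_value and cost > 0:
                # Weight: value of the asset reached divided by the effort to reach it.
                rows.append((asset_value[asset] / cost, entry, asset, path))
    return sorted(rows, reverse=True)

def criticality(flows, entry_points, asset_value):
    """Sum the weights of all attack paths crossing a component; this ranking sets its test depth."""
    score = defaultdict(float)
    for weight, _entry, _asset, path in attack_paths(flows, entry_points, asset_value):
        for component in path[1:]:  # the entry point itself is not scored
            score[component] += weight
    return dict(sorted(score.items(), key=lambda kv: -kv[1]))
```

Components at the top of the `criticality` ranking are the candidates for the deepest tests in the examination catalog; a path of length two in `attack_paths` is a direct attack path, longer ones are indirect.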
A combination of different technical test methods has to be implemented
Only a combination of functional test methods based on a risk approach and explorative tests based on the view of an attacker can give a realistic picture of the built-in security.
Inputs to the test catalogue for EE systems and functions: security functions, defined strategic security level, results of the risk analyses, test & hacking experiences.
Functional tests: comprehensive analysis of the effectiveness of built-in protection measures with regard to the information security risk.
Explorative tests: analysis of the actual information security risk caused by a cyber attack.
Set-up of test catalogues follows a structured approach
Methods and tools
• Systematic risk-based and criticality-driven approach
• Documentation review
• Functional testing (including ISO 29119) as well as exploratory penetration testing
• Framework for the assessment of risks
• Iterative procedure
Advantages
• A comprehensive overview of the threats and security risks
• Comprehensible, structured and repeatable test methodology
• Overview of existing vulnerabilities
• Recommendation for the removal of weaknesses (before start of production)
Challenges
• High complexity of the whole system
• Completeness of analyses concerning the vehicle architecture
• Consistent and efficient execution of analyses
• Consistent assessment of risks
IoT test phases
I. Modeling the threat map
II. Documentation review
III. Test catalogue set-up
IV. Performing of analysis
V. Risk evaluation and definition of measures
VI. Reporting of the test results
Information Security within the supply chain: Security integration within the cyber chain
Figure: several industrial value chains (Industrielle Wertschöpfungskette), one per tier of the supply chain, each with the stages R&D (product innovation & development), Sales (product sales), Production and product logistics, Product operation / spare parts and service management.
The highly integrated automotive industry requires an exchange of confidential information along the value chain.
Information Security within the supply chain
The TISAX audit standard provides trusted audit reports from the supplier to the OEM in the automotive industry by accreditation of auditors.
Figure (roles): Auditor; Participant (e.g. OEM); Auditee (participant of the supply chain); Trusted anchor: ENX network. Flows: Accreditation, Audit application, Audit & Report, Report provision, Release of the report, Report request, Link to the report.
TISAX as a trusted anchor within the supply chain
Figure: OEM and supplier are registered participants; the supplier contracts a registered audit provider (e.g. PwC Certification Services GmbH) for the assessment. Assessment modules: 1 ISMS; 2 Prototype protection (optional); 3 Connection to third party (optional); 4 Data protection (optional); 5 (Cloud) provider security (not yet defined).
ISMS: Module to assess the maturity of the information security management processes. This basic module is always required.
Prototype protection: This module is required if the supplier has to handle highly confidential information about prototypes. The focus is the maturity of the physical security measures.
Connection to third party: This module is required if the supplier is connected to the IT network or another technical connection to exchange confidential information is established.
Data protection: This module is required if the supplier handles personal information of customers. The result of this module is only an indication and does not replace an extensive data privacy compliance assessment.
(Cloud) provider security: This module is not yet released. It should be required if the supplier uses cloud services to process confidential information of the client.
The Parents of TISAX
“Trusted Information Security Assessment Exchange (TISAX) is a part of the ENX platform and works as a verifying and exchange mechanism that serves cross-company as a recognition of information security assessments.”
“ENX is a non-profit organization that was built in the year 2000 by automobile companies and serves as umbrella for the network standard ENX. ENX is used for the exchange of information and for the initiation of pre-competitive cooperation projects in the field of IT.”
Source: www.enx.com
Based on the results of the Working Group “Information Security,” the VDA has recommended that its members bring their information protection into line with the international standard ISO 2700x […].
The VDA published the questionnaire for checking Information Security Assessment and Information Security Management, Version 3.0.2 (12.01.2017).
Source: www.vda.de
Currently registered to perform assessments:
• PwC Certification Services GmbH
• Operational Services GmbH
• TÜV
• EY
• (KPMG)
To check information security systems, TISAX-accredited auditors have to adhere to precisely defined procedures.
Assessment approach: phase overview
Phase I: Initial Assessment
• Opening meeting
• Definition of objectives, project scope and characteristics
• Provisioning of documents
• Interview or on-site inspection
• Initial assessment report
Phase II (optional): Corrective Action Plan Assessment
• Is only conducted if there were non-conformities
• Verification of the auditee's corrective action plan and time plan
• The result is a suitable corrective action plan
Phase III (optional): Follow-Up Assessment
• Has to be conducted within 9 months after the initial assessment
• Is conducted to verify that the previously identified non-conformities are resolved
• The result is a Follow-up Assessment Report
Phase IV: Assessment proceeding concluded
• In the closing meeting the assessment findings and results are presented to the auditee
• The final assessment report is issued after acceptance by the auditee
Assessment Levels: specification of the necessary assessment
Assessment Level | Short Description | Protection Level
AL 2 | Plausibility check of self-assessment restricted to evaluation of evidences and an expert interview | High protection level
AL 3 | Full assessment including evaluation of evidences, on-site inspection and expert interviews | Very high protection level
Overview
TISAX uses Assessment Levels to introduce different intensities and methodologies for different needs of the auditee. A higher Assessment Level increases the accuracy of the assessment as well as the effort that needs to be invested to complete the assessment. An assessment made with a higher Assessment Level always satisfies the requirements for lower Assessment Levels. Assessment Level 1 is a special case only used in group assessments or for self-assessments by the auditee.
Maturity Levels: overview
For each control the current maturity level is determined. The overall target maturity level has been set at 3.00. Deviations of up to 10% from the target maturity level (2.70) may be acceptable. Deviations between 10% and 30% may be considered a minor non-conformity. Deviations of more than 30% must be considered a major non-conformity regardless of the actual risk for information security.
Level
0 – Incomplete
1 – Performed
2 – Managed
3 – Established (Implemented)
4 – Predictable
5 – Optimizing
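An added example, not from the original slides, that applies the maturity rule above to a constructed set of control results in Python. It assumes the overall maturity is the plain average of the per-control levels (the slide does not state how it is aggregated), and the corrective-action-plan flag follows the Phase II rule that such an assessment is only conducted if there were non-conformities; the control names and levels are hypothetical.

```python
from statistics import mean

# Maturity scale from the slide: 0 Incomplete ... 5 Optimizing.
MATURITY_LEVELS = {0: "Incomplete", 1: "Performed", 2: "Managed",
                   3: "Established (Implemented)", 4: "Predictable", 5: "Optimizing"}
TARGET = 3.00        # overall target maturity level
ACCEPTABLE = 0.10    # deviation of up to 10% (i.e. down to 2.70) may be acceptable
MINOR_LIMIT = 0.30   # 10% to 30% minor, more than 30% major non-conformity

def deviation(level, target=TARGET):
    """Relative shortfall of a maturity level below the target (0 if at or above it)."""
    return max(0.0, (target - level) / target)

def classify(level, target=TARGET):
    """'conforming', 'minor non-conformity' or 'major non-conformity'; the major
    verdict applies regardless of the actual risk for information security."""
    dev = deviation(level, target)
    if dev <= ACCEPTABLE:
        return "conforming"
    if dev <= MINOR_LIMIT:
        return "minor non-conformity"
    return "major non-conformity"

def assess(control_levels, target=TARGET):
    """Classify every control and the overall result. Assumption: the overall
    maturity is the plain average of the per-control levels (the slide does not
    say how it is aggregated)."""
    for name, level in control_levels.items():
        if level not in MATURITY_LEVELS:
            raise ValueError(f"{name}: maturity level must be 0..5, got {level}")
    overall = round(mean(control_levels.values()), 2)
    per_control = {name: classify(level, target) for name, level in control_levels.items()}
    verdict = classify(overall, target)
    return {
        "overall_maturity": overall,
        "overall_verdict": verdict,
        "per_control": per_control,
        # Phase II (corrective action plan assessment) is only conducted if
        # there were non-conformities.
        "corrective_action_plan_needed": verdict != "conforming"
        or any(v != "conforming" for v in per_control.values()),
    }

# Constructed sample (hypothetical control names and assessed levels).
SAMPLE = {"Information security policy": 3, "Asset inventory": 2,
          "Access control": 3, "Supplier security": 4, "Incident management": 1}

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that with integer per-control levels a single control at level 2 already deviates by more than 30% from 3.00, so the 10% to 30% band is only reachable by the aggregated overall value.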
ICS/SCADA Security
Figure labels: Risks Industrial-IT; Risks Industry 4.0; Risks Business-IT; ?
Industrial Security vs. Office IT-Security
Aspect | Industrial IT (ICS/SCADA) | Office IT
Location / climate | Production (from clean till tough) | Office and data center
Installation | Engineer from manufacturer | Specialized IT engineers
Topology | Depends on ICS/SCADA system | Meshed in most cases, mainly IP-based
Availability | Latency < 300 ms | Seconds or minutes of outage are acceptable
Amount | Low, switches just have a few ports | Quite high, with switches of high port density
Monitoring | Part of the system (functional) | IT expert, network monitoring, SIEM, vulnerability management etc.
Product lifecycle | Up to 20 years or more | One to three years
ICS/SCADA Security
Industrial Control Systems (ICS) have been developed with a focus on safety, but not on security; on functionality, but not on fault reaction; on persistence, but not on transformation.
ICS/SCADA Security in an Industry 4.0 World
ICSs enable Industry 4.0
Industrial Control Systems (ICS) build the backbone of Industry 4.0.
Success of new business models for the production depends on gaining control over the Industry 4.0 security.
Effective Industry 4.0 security is based on a strong ICS risk and vulnerability management.
Industry 4.0 pushes the ICS development
ICS/SCADA Security in an Industry 4.0 World
ICS threats to be identified
The necessary ICS threat, risk and vulnerability management is based on a transparent IT and production security.
Common IT security tools are not suitable for ICSs.
ICS Security Scanning tools are not available on the market.
Managing the ICS security is key
ICS/SCADA Testing: SCADA Exploitation Frameworks
SCADA Exploitation Frameworks and Tools:
• Metasploit – Popular Exploitation Framework (free)
• Core Impact – Elite and expensive Exploitation Framework ($)
• Immunity Canvas – Elite and expensive Exploitation Framework ($)
• Gleg SCADA+ Exploit Pack – Collection of unique Exploits ($)
• Gleg SCADA+ Pack Latest Updates – Updates ($)
• Modscan – A MODBUS/TCP scanner (free)
• Scadascan – Audit SCADA network for vulnerabilities (free)
• Nessus – basics (free)
Special technical features.
• Includes a protocol implementation of PROFINET to perform detailed ICS/SCADA service analysis
• Includes protocol implementation of Siemens custom S7 protocol to receive detailed information from S7-based ICS/SCADA Systems
• Implementation of custom scanning modes to mitigate the risk of scanning sensitive ICS/SCADA environments
• Offers detailed scanning timing, white- and black-listing settings
Figure (architecture): zones Control Center, Intermediate SCADA and Field Sites; components: PwC Monitoring System, Update Server, external firewall, SCADA Server (MTU), SCADA Server (Sub MTU), RTU/PLC units connected via modems, two ICS Scan Nodes, and the ICS Security Service Center.
Thanks for your attention.
© 2017 PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each of the member firms of PwCIL is a legally independent company.