EZShield.com ©2014 EZShield All Rights Reserved. Confidential and Proprietary.

March 2015

Cybersecurity and Data Privacy Trends: A Third-Party Service Provider’s Perspective

Upload: ginger-regina-preston

Post on 27-Dec-2015

TRANSCRIPT

Page 1:

March 2015

Cybersecurity and Data Privacy Trends: A Third-Party Service Provider’s Perspective


Page 2:

Introduction

• John Burcham, CCEP, Corporate Counsel, Chief Privacy Officer
• BIO: 10 years’ experience in-house with privately held and publicly traded companies, focused in the areas of data privacy, IT security, information lifecycle, business process and controls, third-party reporting and UDAAP. Corporate Counsel and Chief Privacy Officer at EZShield, Inc. Primary focus is in financial institutions, insurance providers and bank service companies.
• SUMMARY: Through this session, attendees will learn about developing and anticipated trends from the perspective of a third-party service provider. Discussion will include the value of third-party risk assurance and independent validation, and holistic privacy program review. There will be additional discussion on developing standards in new areas of concern, such as cryptocurrency, big data, and the Internet of Things, and how they are impacting the overall security and privacy landscape.
• Direct Dial: (410) 809-2517 [email protected]


Page 3:

Our Framework

• Regulatory Guidance – we span multiple regulated industries, serving banks, credit unions, bank service companies, telecommunications providers and insurers
• Industry standards like PCI-DSS
• Third-party groups like Shared Assessments


Page 4:

Monitoring Developing Standards

• Monitor more cybersecurity standards than just those of your particular regulators.
• Try to see what is coming next, and be prepared.
• Standards are baselines; go above and beyond.
• Today’s standard won’t work tomorrow.


Page 5:

High-Level Concepts

• Industry-specific standards are only part of the picture.
• Consumer expectation drives privacy, not law.
• Most regulatory privacy regulation is at least in part based in consumer protection concepts.
• Highly trained staff are essential.
• If you experience an event, utilize all of your skilled people to explain what happened.
• Target example.


Page 6:

Train, Train and Train Some More

• Cyberattacks invariably occur when there is a process breakdown.
• Technical compliance is often easiest. In many cases, companies cannot reasonably identify weaknesses on their own anyway (Heartbleed, FREAK, etc.).
• The only thing that can be certain is that you have a plan.
• Try to think ahead, and make sure your staff is ready.


Page 7:

An Example - Convenience vs. Privacy

• BYOD policies
  – In many places, convenience has trumped ideal security
• Wearable devices
  – It will happen sooner than you think.
  – FitBit walking challenges through HR
  – Smart watches, etc.
• Internet of Things and device connectivity
  – Bluetooth phones connected to WiFi-enabled cars
  – Devices in your office: printers, scanners, photographic document capture, etc.


Page 8:

The Questions I don’t Get Asked Enough


Page 9:

The Questions I Don’t Get Asked Enough

• What data is needed?
What data will be used, what additional data may be collected, what is our privacy and security posture? These are questions to ask in advance of executing the relationship.

• Do you perform background checks?
The workforce continues to be one of the largest security vulnerabilities. Are you comfortable that the third party you are contracting with has performed sufficient background checks on all members of its workforce who will have access to your sensitive data, and is requiring its subcontractors to do the same?


Page 10:

The Questions I Don’t Get Asked Enough

• What will happen if my company (the TPSP) has a breach?
Most organizations are not even prepared to manage their own incidents and cyber attacks. Many times, we are not asked for our incident response plan and the results of our testing.

• Have you implemented a holistic approach to vendor risk management? What experience do you have working within a third-party risk management environment?
Managing vendor risk is an ongoing process at each phase of the lifecycle of the third-party relationship. Negotiation, program management and end-of-relationship planning are all essential.


Page 11:

The Questions I Don’t Get Asked Enough

• Who are your service providers?
Understanding our relationships with other parties and the potential impact to your sensitive data is critical. Be diligent in evaluating and determining what additional parties are involved in the service provided; the level of risk involved; and how the TPSP can ensure the protection of private data wherever it may end up—including locations such as fourth-party backup contingencies.


Page 12:

• How do we evaluate risk?
You need to manage risks holistically throughout the relationship lifecycle. Perform a vendor risk assessment to identify, mitigate, and monitor security risks based on your organization’s control objectives. Industry standards are a great jumping-off point; they enable the organization to achieve efficiency and scalability in an implementation.

• What are your comprehensive security safeguards for your data?
You cannot outsource your security responsibilities with regard to protecting corporate data that is critical to your mission and business success. Transparency increases trust.


Page 13:

• Questions specific to our industry.
Third-party risk is not all the same. We often find ourselves telling partners what they should ask us. Define criteria to classify your service providers by risk or criticality, and focus oversight efforts.

• Do you participate in industry events and share information about cyber threats?
Lead, don’t follow. Influence your vendor community to actively participate in industry groups. The more information organizations share, the more resilient all of our IT security programs will be.


Page 14:

Staying Ahead - A New York Example


Page 15:

NY Department of Financial Services – Letter dated December 10, 2014

Security examinations will now include:

• Corporate governance, including organization and reporting structure for cyber security related issues;
• Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
• Resources devoted to information security and overall risk management;
• The risks posed by shared infrastructure;
• Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;


Page 16:

NY Department of Financial Services – Letter dated December 10, 2014

• Information security testing and monitoring, including penetration testing;
• Incident detection and response processes, including monitoring;
• Training of information security professionals as well as all other personnel;
• Management of third-party service providers;
• Integration of information security into business continuity and disaster recovery policies and procedures; and
• Cyber security insurance coverage and other third-party protections.


Page 17:

Follow-up IT/Cyber Risk Assessment Questions

1. Provide the CV and job description of the current Chief Information Security Officer or the individual otherwise responsible for information security, describe that individual's information security training and experience, and identify all reporting lines for that individual, including all committees and managers. In addition, provide an organization chart for your institution's IT and information security functions.

2. Describe the extent to which your institution maintains information security policies and procedures designed to address the information security goals of confidentiality, integrity, and availability. Provide copies of all such information security policies.

3. Describe how data classification is integrated into information risk management policies and procedures.

4. Describe your institution's vulnerability management program as applicable to servers, endpoints, mobile devices, network devices, systems, and applications.

5. Describe the organization's patch management program including how updates, patches, and fixes are obtained and disseminated, whether processes are manual or automated, and how often they occur.


Page 18:

Follow-up IT/Cyber Risk Assessment Questions

6. Describe identity and access management systems employed by the organization for both internal and external users, including all administrative, logical, and physical controls and whether such controls are preventive, detective, or corrective in nature.

7. Identify and describe the current use of multi-factor authentication for any systems or applications.

8. Describe your institution's due diligence process regarding information security practices that is used in vetting, selecting, and monitoring third-party service providers.

9. Describe all application development standards utilized by the organization, including the use of a secure software development life cycle, and the extent to which security and privacy requirements are assessed and incorporated into the initial phases of the application development process.

10. Provide a copy of, to the extent it exists in writing, or otherwise describe, the organization's incident response program, including how incidents are reported, escalated, and remediated.

11. Describe the extent to which information security is incorporated into the organization's BCP/DR plan, how and how often the BCP/DR is tested, and the results of the most recent test.

12. Describe any significant changes to the institution's IT portfolio over the last 24 months resulting from mergers, acquisitions, or the addition of new business lines.


Page 19:

NY Department of Financial Services – Proposed Cryptocurrency Rules

• Section 200.16 Cyber security program

• (a) Generally. Each Licensee shall establish and maintain an effective cyber security program to ensure the availability and functionality of the Licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The cyber security program shall be designed to perform the following five core cyber security functions:

– (1) identify internal and external cyber risks by, at a minimum, identifying the information stored on the Licensee’s systems, the sensitivity of such information, and how and by whom such information may be accessed;

– (2) protect the Licensee’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures;

– (3) detect systems intrusions, data breaches, unauthorized access to systems or information, malware, and other Cyber Security Events;

– (4) respond to detected Cyber Security Events to mitigate any negative effects; and
– (5) recover from Cyber Security Events and restore normal operations and services.


Page 20:

NY Department of Financial Services – Proposed Cryptocurrency Rules

• (b) Policy. Each Licensee shall implement a written cyber security policy setting forth the Licensee’s policies and procedures for the protection of its electronic systems and customer and counterparty data stored on those systems, which shall be reviewed and approved by the Licensee’s board of directors or equivalent governing body at least annually. The cyber security policy must address the following areas:

– (1) information security;
– (2) data governance and classification;
– (3) access controls;
– (4) business continuity and disaster recovery planning and resources;
– (5) capacity and performance planning;
– (6) systems operations and availability concerns;
– (7) systems and network security;
– (8) systems and application development and quality assurance;
– (9) physical security and environmental controls;
– (10) customer data privacy;
– (11) vendor and third-party service provider management;
– (12) monitoring and implementing changes to core protocols not directly controlled by the Licensee, as applicable; and
– (13) incident response.


Page 21:

NY Department of Financial Services – Proposed Cryptocurrency Rules

• (c) Chief Information Security Officer. Each Licensee shall designate a qualified employee to serve as the Licensee’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the Licensee’s cyber security program and enforcing its cyber security policy.

• (d) Reporting. Each Licensee shall submit to the Department a report, prepared by the CISO and presented to the Licensee’s board of directors or equivalent governing body, at least annually, assessing the availability, functionality, and integrity of the Licensee’s electronic systems, identifying relevant cyber risks to the Licensee, assessing the Licensee’s cyber security program, and proposing steps for the redress of any inadequacies identified therein.


Page 22:

NY Department of Financial Services – Proposed Cryptocurrency Rules

• (e) Audit. Each Licensee’s cyber security program shall, at a minimum, include audit functions as set forth below.

– (1) Penetration testing. Each Licensee shall conduct penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly.

– (2) Audit trail. Each Licensee shall maintain audit trail systems that:
(i) track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting;
(ii) protect the integrity of data stored and maintained as part of the audit trail from alteration or tampering;
(iii) protect the integrity of hardware from alteration or tampering, including by limiting access permissions to hardware, enclosing hardware in locked cages, and maintaining logs of physical access to hardware that allows for event reconstruction;
(iv) log system events including, at minimum, access and alterations made to the audit trail systems by the systems or by an authorized user, and all system administrator functions performed on the systems; and
(v) maintain records produced as part of the audit trail for a period of ten years in accordance with the recordkeeping requirements set forth in this Part.
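One way a licensee could make the audit trail tamper-evident as (e)(2)(ii) requires, and log access to the trail itself as (e)(2)(iv) requires, is a hash-chained append-only log. This is an added illustration, not a design the proposed rule prescribes and not EZShield's code; the event names, actors and transaction ids are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    """Append-only audit trail in which every entry carries the SHA-256 of the
    previous entry, so any alteration or deletion breaks the chain on re-verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so an identical record always hashes identically.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

    def append(self, event, actor, details):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,   # constructed names, e.g. "txn.posted", "admin.role_granted"
            "actor": actor,
            "details": details,
        }
        entry = {"record": record, "prev_hash": prev_hash, "hash": self._digest(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def read(self, requester):
        # Reading the trail is itself a logged event, per (e)(2)(iv).
        self.append("audit_trail.read", requester, {"entries_returned": len(self.entries)})
        return [e["record"] for e in self.entries[:-1]]

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            record = entry["record"]
            if (record["seq"] != i or entry["prev_hash"] != prev_hash
                    or self._digest(prev_hash, record) != entry["hash"]):
                return False, i
            prev_hash = entry["hash"]
        return True, None


def demo():
    """Constructed sample events; returns (intact_before, intact_after_tamper, first_bad_seq)."""
    trail = AuditTrail()
    trail.append("txn.posted", "svc-ledger", {"txn_id": "T-1001", "amount": "250.00", "ccy": "USD"})
    trail.append("txn.posted", "svc-ledger", {"txn_id": "T-1002", "amount": "75.00", "ccy": "USD"})
    trail.append("admin.role_granted", "alice", {"user": "bob", "role": "ops-admin"})
    trail.read("auditor")
    intact_before, _ = trail.verify()
    # Simulate an after-the-fact edit of a posted amount: the stored hash no longer matches.
    trail.entries[1]["record"]["details"]["amount"] = "7500.00"
    intact_after, first_bad = trail.verify()
    return intact_before, intact_after, first_bad


if __name__ == "__main__":
    print(demo())
```

Deleting an entry is caught the same way, because the next entry's `seq` and `prev_hash` no longer line up with its new position.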


Page 23:

NY Department of Financial Services – Proposed Cryptocurrency Rules

– (3) Source code reviews. Each Licensee shall have an independent, qualified third party conduct a source code review of any internally developed proprietary software used in the Licensee’s business operations, at least annually.

• (f) Personnel and Intelligence. Each Licensee shall:
– (1) employ cyber security personnel adequate to manage the Licensee’s cyber security risks and to perform the core cyber security functions specified in Subsection 200.16(a)(1)-(5);
– (2) provide and require cyber security personnel to attend regular cyber security update and training sessions; and
– (3) require key cyber security personnel to take steps to stay abreast of changing cyber security threats and countermeasures.


Page 24:

Thank You


Page 25:

Questions?
