Security & Privacy: The changing world of Privacy and the core drivers.

Uploaded by: wei

Posted on 16-Mar-2016

DESCRIPTION

Security & Privacy. The changing world of Privacy and the core drivers. Privacy Issues. Authentication of a customer prior to disclosure of information. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Security & Privacy

Security & Privacy

The changing world of Privacy and the core drivers.

Page 2: Security & Privacy

Privacy Issues

Authentication of a customer prior to disclosure of information.

There is a need to beef up practices, policies and governance while remaining sensitive to customer circumstances in order to anticipate possible privacy issues.

Page 3: Security & Privacy

Privacy Issues

Negotiation of confidentiality and privacy provisions in service provider contracts

Service providers must be clear in identifying their obligations; we are not responsible for their compliance obligations.

Page 4: Security & Privacy

Privacy Issues

Identity Theft

Limit the data that is shared with third party service providers.

Minimize the data to that required for them to perform their service.

Limit data included on customer communications.

Needs to know policy and governance.
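The data-minimization points on this slide (share only what a provider needs, mask what must be shared, keep customer communications lean) can be enforced in code rather than left to policy. The example below is added here and is not part of the slide deck; the customer record, the provider names and the per-provider field policies are constructed for illustration.

```python
"""Added example (not from the slide deck): "needs to know" data minimisation
for third-party service providers and customer communications.

Every provider gets only the fields its service requires, identifiers that
must be shared are masked to the minimum, and a request for an unknown
provider fails closed. The provider names, field names and customer record
below are constructed for illustration.
"""

# Constructed: the full customer record as held internally.
CUSTOMER = {
    "customer_id": "C-10042",
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "phone": "416-555-0100",
    "address": "100 Example St, Toronto ON",
    "date_of_birth": "1980-01-01",
    "sin": "123-456-789",
    "account_number": "4000123412345678",
    "balance": 1250.75,
}

# Constructed: the fields each provider needs to perform its service, and which
# shared identifiers are masked down to their last N characters.
PROVIDER_POLICIES = {
    "print_mailer": {"fields": {"customer_id", "name", "address"}, "mask": {}},
    "sms_gateway": {"fields": {"customer_id", "phone"}, "mask": {}},
    "collections_agency": {
        "fields": {"customer_id", "name", "phone", "account_number", "balance"},
        "mask": {"account_number": 4},
    },
}


def mask_tail(value, keep):
    """Replace all but the last `keep` characters of a value with '*'."""
    text = str(value)
    if len(text) <= keep:
        return text
    return "*" * (len(text) - keep) + text[-keep:]


def minimise_for_provider(record, provider):
    """Project `record` down to the provider's allowed fields, masking as required.

    Raises KeyError for a provider without a documented policy, so a new
    integration cannot receive data before its needs have been agreed.
    """
    policy = PROVIDER_POLICIES[provider]
    shared = {}
    for name in sorted(policy["fields"]):
        if name not in record:
            continue
        value = record[name]
        if name in policy["mask"]:
            value = mask_tail(value, policy["mask"][name])
        shared[name] = value
    return shared


def fields_withheld(record, provider):
    """Fields held internally that are deliberately not sent to the provider."""
    return sorted(set(record) - PROVIDER_POLICIES[provider]["fields"])


def customer_notification(record):
    """Customer communication carrying only the data the message needs:
    no full account number, no SIN, no date of birth."""
    return (f"Hello {record['name']}, a statement is ready for your account "
            f"ending in {record['account_number'][-4:]}.")


if __name__ == "__main__":
    for provider in PROVIDER_POLICIES:
        print(provider, "->", minimise_for_provider(CUSTOMER, provider))
        print("   withheld:", fields_withheld(CUSTOMER, provider))
    print(customer_notification(CUSTOMER))
```

The policy table is the governance artefact the slide asks for: adding a provider means writing down, and reviewing, exactly which fields it needs, and the code refuses to send anything to a provider that has no entry.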

Page 5: Security & Privacy

Privacy Impacts

Privacy impacts to Infrastructure Protection operations.

LEA Requests … electronic wiretap

Background checks … (potential) employees

Security Clearances … personal employee data

Fraud … customer information protection

Page 6: Security & Privacy

Privacy Driver

SOX

Page 7: Security & Privacy

Tactical Response

Data Mining and Correlation

Does the need for protection of privacy override the business operational needs?

Page 8: Security & Privacy

Compliance Matrix

| Functional Requirements | PCI | SOX | Privacy |
|---|---|---|---|
| Comprehensive, granular view to know precisely who did what to which information | Be able to reconstruct a wide range of events tied to cardholder information | COBIT and ISO 17799 requirements | Disclosure of personal information must be audited |
| Scales across the enterprise | Audit all accesses to cardholder data | Corporations must demonstrate that they have insight into and control over systems that can impact their ability to faithfully report financial status | Disclosure of personal information is audited |
| Cross-application, cross-data source | Be able to reconstruct a wide range of events tied to cardholder information, independent of information source | Comprehensive, corporate information sources | Disclosure of personal information must be audited, independent of data source |
| Real-time architecture | Review logs for all system components at least daily. | Limit risk exposure | Detect suspicious or anomalous user behavior |
| | Alert suspicious behavior | Alert suspicious behavior | Alert suspicious behavior |
| Policy-based flexibility to respond to changing auditing requirements | | SOX doesn’t explicitly define operational control methodologies. | Federal governments, as well as many local governments, are currently enacting legislation. |
| Simplified reporting | Review logs for all system components at least daily. | Corporations must demonstrate that they have insight into and control over systems that can impact their ability to faithfully report financial status | Demonstrate that disclosure of personal information is monitored, logged and audited |

Page 9: Security & Privacy

Requirement 10

10.1 Establish a process for linking all data access activities (especially those with root or administrative privileges) to an individual user or system.

10.2 Implement automated audit trails to reconstruct the following events:

10.2.1 All accesses to customer data

10.2.2 All actions taken by any individual with root or administrative privileges

10.2.3 Access to all audit trails

10.2.4 Invalid logical access attempts

10.2.5 Use of identification and authentication mechanisms

10.2.6 Initialization of the audit logs

10.2.7 Creation and deletion of system level objects

10.3 Record at least the following audit trail entries for each event:

10.3.1 User identification

10.3.2 Type of event

10.3.3 Date and time

10.3.4 Success or failure indication

10.3.5 Origination of event

10.3.6 Identity or name of affected data, system component, or resource

10.5 Secure audit trails so they cannot be altered in any way.

10.6 Review logs for all system components at least daily.

10.7 Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations. An audit history usually covers a period of 2 years or more.

Audit Checklist
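Items 10.3 and 10.5 of the checklist fit together: every event record carries the six listed fields, and the trail as a whole must be protected so that it "cannot be altered in any way". The example below, added here and not part of the slide deck, shows one way to make alteration detectable: each entry is hashed together with the hash of the entry before it, so rewriting or deleting an earlier entry breaks the chain. The record layout, the chaining scheme and the sample events are constructed for illustration; the checklist itself does not prescribe a mechanism.

```python
"""Added example (not from the slide deck): an audit-trail entry carrying the
six items the checklist lists under 10.3, kept in a SHA-256 hash chain so that
altering or deleting an earlier entry is detectable (the goal stated in 10.5).

The record layout, the chaining scheme and the sample events are constructed
for illustration. A real deployment would also copy the chain head to a
separate log host or write-once storage, for the reason detect_truncation()
shows.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEntry:
    user_id: str        # 10.3.1 user identification
    event_type: str     # 10.3.2 type of event
    timestamp: str      # 10.3.3 date and time (UTC, ISO 8601)
    success: bool       # 10.3.4 success or failure indication
    origin: str         # 10.3.5 origination of event (client host or address)
    resource: str       # 10.3.6 affected data, component or resource
    prev_hash: str      # link to the previous entry
    entry_hash: str     # SHA-256 over every field above


def _digest(fields):
    """Hash the canonical JSON form so field order cannot change the result."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    def append(self, user_id, event_type, timestamp, success, origin, resource):
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        fields = {
            "user_id": user_id, "event_type": event_type, "timestamp": timestamp,
            "success": success, "origin": origin, "resource": resource,
            "prev_hash": prev,
        }
        entry = AuditEntry(**fields, entry_hash=_digest(fields))
        self.entries.append(entry)
        return entry

    def verify(self, expected_head=None):
        """Return -1 if the chain is intact, else the index of the first entry
        whose content or link no longer matches. If `expected_head` (the last
        hash, anchored outside the log) is given, a truncated tail is reported
        as index len(entries)."""
        prev = self.GENESIS
        for index, entry in enumerate(self.entries):
            fields = dataclasses.asdict(entry)
            fields.pop("entry_hash")
            if entry.prev_hash != prev or _digest(fields) != entry.entry_hash:
                return index
            prev = entry.entry_hash
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1


def sample_trail():
    """Constructed events covering several of the 10.2 categories."""
    trail = AuditTrail()
    trail.append("dba_jsmith", "SELECT", "2006-03-01T09:15:00Z", True,
                 "10.0.5.12", "cardholder.accounts")        # 10.2.1
    trail.append("svc_batch", "LOGIN", "2006-03-01T09:16:00Z", False,
                 "10.0.7.44", "db-prod-01")                  # 10.2.4 / 10.2.5
    trail.append("root", "DROP TABLE", "2006-03-01T09:20:00Z", True,
                 "10.0.5.12", "audit.trail_2005")            # 10.2.2 / 10.2.7
    return trail


def detect_rewrite():
    """An after-the-fact edit that turns the failed login into a success
    no longer matches entry 1's stored hash."""
    trail = sample_trail()
    trail.entries[1] = dataclasses.replace(trail.entries[1], success=True)
    return trail.verify()


def detect_deletion():
    """Removing the failed login leaves the DROP TABLE entry pointing at a
    hash that is no longer its predecessor."""
    trail = sample_trail()
    del trail.entries[1]
    return trail.verify()


def detect_truncation():
    """Dropping the newest entry leaves a self-consistent chain; only a head
    hash anchored outside the log reveals it."""
    trail = sample_trail()
    head = trail.entries[-1].entry_hash      # kept on a separate log host
    trail.entries.pop()
    return trail.verify(), trail.verify(expected_head=head)


if __name__ == "__main__":
    print("intact:", sample_trail().verify())
    print("rewrite detected at:", detect_rewrite())
    print("deletion detected at:", detect_deletion())
    print("truncation without / with anchored head:", detect_truncation())
```

The truncation case is the caveat worth remembering when reading 10.5: a hash chain proves that what remains has not been edited, not that nothing was removed from the end, which is why the current head hash (or the whole trail) has to be shipped to a system the audited administrators cannot write to.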

Page 10: Security & Privacy

The SOX Compliance Challenge

Section 404 of the Sarbanes-Oxley Act requires enterprises to have insight into and control over systems that can impact their ability to faithfully report financial status.

Non-compliance and/or incorrect information can result in punitive penalties.

Page 11: Security & Privacy

COBIT 13.6 and ISO 17799

SOX doesn’t explicitly define operational control methodologies. COBIT and ISO 17799 are the two most commonly used frameworks for SOX compliance.

Both of these standards demand that a company have insight into the following areas key to maintaining control over critical data activities:

Logins and logouts

Application and data trigger modifications

Changes to user definitions and privileges

Data structure changes

Access to and usage of sensitive data

Errors and exceptions

Sources of client access

Time of access

Page 12: Security & Privacy

The Information Protection and Privacy Challenge

Across the country and around the world, organizations are discovering how serious the threat of information and identity theft can be.

Some are discovering the hard way, as the recent large identity theft incidents at major corporate databases illustrate. The cost of failure has proven to include the loss of brand equity and public trust.

Because information and identity theft incidents are typically perpetrated by authorized users, stronger perimeter security and encryption have limited benefit in detecting and stopping them.

Page 13: Security & Privacy

Use Cases for Information and Identity Theft

MASQUERADER: Phishing, key logging, spyware

SECONDARY ATTACKS: Worms/viruses, Trojans

INACTIVE ACCOUNTS: Incomplete account decommissioning

ACCIDENTAL MISUSE: “Innovative” employee

INSIDER: Good guy gone bad

WEAK AUTHENTICATION: Lost passwords

OUTSOURCING: Trusted partner gone bad

Page 14: Security & Privacy

Tactical Response

Data Management: “Needs to know”

Privacy can be protected and business can continue with a good strategy and a practical tactical response.

Page 15: Security & Privacy

The Compliance Reality

Database Logging

Traffic Anomaly Systems

Intrusion Detection Systems

Content Filtering

Traditional security products are not designed to monitor user activities at the data server

Page 16: Security & Privacy

Detection of Information Theft

Catching Information Theft requires determining in real time that the BEHAVIOR of an individual’s information access is ANOMALOUS compared to his/her normal access behavior.

Behavior of information access: “WHO is doing WHAT to WHICH and HOW MUCH critical information, WHEN and from WHERE”
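The WHO / WHAT / WHICH / HOW MUCH / WHEN / WHERE framing maps directly onto a per-user baseline: record what each account normally touches, how, in what volume, at what hours and from where, then score each new access against it. The example below is added here and is not part of the slide deck; the event layout, the access history, the user names and the volume threshold are constructed for illustration, and a production baseline would be learned from a much longer audit history.

```python
"""Added example (not from the slide deck): scoring a data-access event
against a per-user baseline along the dimensions the slide names, WHO is
doing WHAT to WHICH critical information, HOW MUCH, WHEN and from WHERE.

The event layout, the history, the threshold and the user names below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    user: str        # WHO
    operation: str   # WHAT
    resource: str    # WHICH critical information
    rows: int        # HOW MUCH
    timestamp: str   # WHEN, UTC ISO 8601 with trailing Z
    source: str      # WHERE the client connected from


def _hour(timestamp):
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").hour


# Constructed history representing each user's normal access pattern.
HISTORY = [
    AccessEvent("jsmith", "SELECT", "crm.customers", 12, "2006-03-01T09:05:00Z", "ws-jsmith"),
    AccessEvent("jsmith", "SELECT", "crm.customers", 40, "2006-03-01T14:20:00Z", "ws-jsmith"),
    AccessEvent("jsmith", "UPDATE", "crm.customers", 1, "2006-03-02T11:45:00Z", "ws-jsmith"),
    AccessEvent("jsmith", "SELECT", "crm.orders", 25, "2006-03-02T16:30:00Z", "ws-jsmith"),
    AccessEvent("batch_svc", "SELECT", "billing.cardholders", 80000, "2006-03-02T01:00:00Z", "batch-01"),
    AccessEvent("batch_svc", "SELECT", "billing.cardholders", 82000, "2006-03-03T01:00:00Z", "batch-01"),
]


def build_baselines(events):
    """Summarise, per user, what was touched, how, how much, when and from where."""
    baselines = {}
    for e in events:
        b = baselines.setdefault(e.user, {
            "operations": set(), "resources": set(), "sources": set(),
            "hours": set(), "max_rows": 0,
        })
        b["operations"].add(e.operation)
        b["resources"].add(e.resource)
        b["sources"].add(e.source)
        b["hours"].add(_hour(e.timestamp))
        b["max_rows"] = max(b["max_rows"], e.rows)
    return baselines


def score_event(event, baselines, volume_factor=3):
    """Return the dimensions on which `event` departs from the user's baseline.
    An empty list means the access looks like this user's normal behaviour."""
    b = baselines.get(event.user)
    if b is None:
        return ["WHO: no baseline for user " + event.user]
    reasons = []
    if event.operation not in b["operations"]:
        reasons.append(f"WHAT: {event.operation} never seen for this user")
    if event.resource not in b["resources"]:
        reasons.append(f"WHICH: {event.resource} outside user's usual data")
    if event.rows > volume_factor * b["max_rows"]:
        reasons.append(f"HOW MUCH: {event.rows} rows vs usual max {b['max_rows']}")
    hour = _hour(event.timestamp)
    lo, hi = min(b["hours"]), max(b["hours"])
    if not lo <= hour <= hi:
        reasons.append(f"WHEN: hour {hour:02d} outside usual {lo:02d}-{hi:02d}")
    if event.source not in b["sources"]:
        reasons.append(f"WHERE: {event.source} not a usual source")
    return reasons


def triage(events, baselines):
    """Pair each anomalous event with its reasons, for real-time alerting."""
    flagged = []
    for e in events:
        reasons = score_event(e, baselines)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    new_events = [
        AccessEvent("jsmith", "SELECT", "crm.orders", 30, "2006-03-04T10:00:00Z", "ws-jsmith"),
        AccessEvent("jsmith", "SELECT", "billing.cardholders", 50000, "2006-03-04T02:30:00Z", "vpn-pool-7"),
    ]
    for event, reasons in triage(new_events, baselines):
        print(event.user, event.timestamp)
        for r in reasons:
            print("  ", r)
```

Because the baseline is per user, a nightly 80,000-row pull by the batch account is normal for it and raises nothing, while the same volume under an analyst's account at 02:30 from an unfamiliar source is flagged on four dimensions at once; it is the combination, not any one field, that makes the alert worth a human's time.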

Page 17: Security & Privacy

Traditional Audit Solutions

Traditional audit solutions are not user behavior aware. They have been point application-driven, custom-coded, after-the-fact report-driven and lacking correlation and analytics.

Page 18: Security & Privacy

Solution: Activity Auditing

Provides a comprehensive, granular view into key compliance activities

Transparent solution that scales across the enterprise

Policy-based flexibility to respond to changing auditing requirements

Inherently real-time architecture that supplies compliance-driven audit reports and real-time security alerts and forensic information

Intelligent solution that provides automated correlation and analytics to specify and detect composite or anomalous behavior

Page 19: Security & Privacy

PCI Compliance

Solves the difficult challenge to monitor all access to cardholder information including:

Identify sensitive data to reduce audit “information glut”

Monitor and log access to sensitive data across multiple applications

Audit all actions taken by individuals with root or administrative privileges

Capture full context for each event record, including exact commands given to data server to facilitate forensic reconstruction of activity and the precise exposure of a PCI violation

Generate audit reports

Detect unauthorized access to sensitive information while it’s happening, in real-time

Page 20: Security & Privacy

SOX Compliance

Provides a single, flexible, enterprise level solution that can handle both current and future requirements including:

Identify SOX-appropriate assets and activities

Monitor privileged user activity to ensure accuracy of financial information

Audit specific data access activity to demonstrate compliance with documented policies and procedures

Capture full context for each event record, including exact commands given to data server to facilitate forensic reconstruction of activity

Generate audit reports

Page 21: Security & Privacy

Information and Identity Theft Protection

Identify sensitive data to reduce audit “information glut”

Monitor and log access to sensitive data across multiple applications

Audit all actions taken by individuals with root or administrative privileges

Monitor user activity to mission-critical information and applications

Detect unauthorized access to high-risk information while it’s happening, in real-time

Real-time alerting to minimize the impact of breach

Page 22: Security & Privacy

Contact

William (Bill) G. O’Brien

Systems Security Architect

Bell Canada

[email protected]

905-212-0236