Lecture 2017-05-23, UniHH, "IS in der Wirtschaft" (IS in business): handout

Posted 22-Aug-2019

Information Security
Insights from PwC: current situation and future developments
www.pwc.de

PwC Insights

Agenda

a) Information Security Management

1. Standards and frameworks

2. What are the drivers we see for information security?

b) Data Privacy

c) Technical Security

1. IoT Security - Example Connected Car

2. Supply Chain Security - Example TISAX Certification

3. Production Security - Example SCADA Security

May 2017 Information Security

Information Security Management


Standards and frameworks


Information security management has developed significantly throughout the last decades


As a result, companies need to consider a multitude of standards, frameworks and regulations: ISO 2700x, NIST, HIPAA, ITIL, BS 15000, Cobit, BSI GS (IT-Grundschutz), PCI-DSS, …

PwC's value chain based approach provides a sustainable advance on relevant requirements

(Figure: the Information Security Management function spanning the industrial value chain and its supporting processes)
Industrial value chain: R&D Product Innovation & Development; Sales & Marketing; Production; Product Logistics; Operation / Aftersales / Service Management
Supporting processes: Business Development & Planning; Finance & Investment Management; Technology & Resource Management; Procurement; Corporate Governance / Legal
Dimensions: Technology; Process; People; Policies & Regulations; Organization
Information Security Management Function: Risk Mgmt.; Governance; Monitoring & Reporting; Consulting & Awareness; Assessment; Incident Mgmt.

PwC's framework "simplifies" information security into 6 pillars across 5 dimensions

(Figure: PwC framework for Information Security; dimensions: Technology, Process, People, Policies & Regulations, Organization)

• Risk Mgmt.: Risk evaluation and risk management with focus on digital business processes
• Governance: Establish effective governance in order to support a timely adaption to ever changing requirements and threat landscapes
• Monitoring & Reporting: Build transparency regarding the current status of information security and report the effectiveness and efficiency of the management system
• Consulting & Awareness: Creation of an information security culture and support of business units with less knowledge, within the line function as well as in projects
• Assessment: Systematic assessment of the status of the information security management system in order to identify improvement opportunities and define measures to close identified gaps
• Incident Mgmt.: Establish, run and test a security incident management process

Pillar 1 - Risk Management: The basis for decision making

Focus area
• Determine risk appetite and risk evaluation methodology based on company strategy
• Definition of the risk assessment and risk management process and definition of exception processes
• Creation and update of risk registers and integration into the overall risk management of the company
• Creation and update of exception registers
• Regular review of accepted risks and exceptions

Extract of the 5 dimensions (Risk Mgmt.)
• Organization: Information security risk management organization
• Policies & Regulations: Risk management policy; Exception handling policy; Ensure appropriate risk level in other policies
• People: Risk management training
• Process: Risk management process; Exception handling process; Ensure appropriate risk level in other processes
• Technology: Workflow supported risk management tool; Technology selection and operation support

Extract of references to standards
• ISO 27001: 6.1.2 Information security risk assessment; …
• ISO 27002: 12.6.1 Management of technical vulnerabilities; …
• BSI-Grundschutz: 100-2 Schutzbedarfsanalyse (protection requirements analysis); 100-3 Risikoanalyse (risk analysis)
• NIST: RA-1 Risk assessment policy and procedures; …

Pillar 2 - Governance: Policies and security organization

Focus area
• Establish organizational and process structures that enable the company to identify and react to the ever changing environment (threat landscape and regulations)
• Definition of the overarching document lifecycle management process
• Establish necessary boards or committees to ensure full insight and control of information security in all business areas (cross-functional/cross-silo governance)

Extract of the 5 dimensions (Governance)
• Organization: Overall information security organization
• Policies & Regulations: Document management policy; Information security policy and all lower level policies
• People: Chief Information Security Officer (CISO); Security Information Officer; Contact points
• Process: Document management process; Compliance management process
• Technology: Workflow supported document management; Specific hardening policies

Extract of references to standards
• ISO 27001: 5.2 Policy; 5.3 Organizational roles, responsibilities and authorities; …
• NIST: PL-1 Security planning policy and procedures
• BSI-Grundschutz: 100-2 Bereitstellung der Ressourcen für die Informationssicherheit (provision of resources for information security); …

Pillar 3 - Monitoring and Reporting: Creating transparency

Focus area
• Monitoring of technology components such as network devices, firewalls and servers as well as overarching systems like SIEM
• Definition and measurement of KPIs and KRIs
• Aggregation of available information (collected on technology level as well as through assessments) into meaningful reports to enable proactive management, as well as for senior management

Extract of the 5 dimensions (Monitoring & Reporting)
• Organization: Collection and aggregation across multiple silos and functions
• Policies & Regulations: Reporting procedure and reporting content; Monitoring policy on technology level
• People: Transparency on current status for all employees
• Process: Security monitoring process and escalation rules; Reporting process and acceptance levels of reports
• Technology: Security monitoring technology (e.g. SIEM); KPI aggregation system

Extract of references to standards
• ISO 27001: 5.3 Organizational roles, responsibilities and authorities; …
• ISO 27002: 13.1.1 Network controls; …
• BSI-Grundschutz: 100-2 Managementreport (management report); …
• NIST: PE-3(3) Continuous guards/alarms/monitoring; AU-6 Audit review, analysis, and reporting; …

Pillar 4 - Consulting & Awareness: Creating security culture

Focus area
• In-house consulting support within strategic projects and cross-functional projects as well as in business units with fewer contact points to information security / lower information security maturity
• Creation of an information security culture in the mindset of the employees and moreover the management and senior management
• Enforce security and inform the staff of updates and changes to information policies in stakeholder-adequate communication formats

Extract of the 5 dimensions (Consulting & Awareness)
• Organization: Cross-function integration of awareness campaigns
• Policies & Regulations: Regulations on mandatory trainings related to security; Communication of policies; On- and off-boarding policy
• People: Create security awareness and culture; Support on- and off-boarding of employees
• Process: Awareness process; Enforcement of training; Enforcement of on-boarding and off-boarding
• Technology: Tool support for follow-up of incidents and missed training

Extract of references to standards
• ISO 27001: 7.3 Awareness; …
• ISO 27002: 7.1.2 Information security awareness, education and training; …
• BSI-Grundschutz: 100-2 Einbindung aller Mitarbeiter in den Sicherheitsprozess (involvement of all employees in the security process)
• NIST: AT-1 Security awareness and training policy and procedures

Pillar 5 - Assessment: Independent oversight

Focus area
• Systematic approach covering all areas of the information security management system in accordance with the risk appetite and the risk assessments performed
• Define the assessment methodology and conduct assessment planning
• Review self-assessments, perform independent assessments and register findings and recommendations
• Follow up on identified findings and validate whether the issues have been either solved or accepted

Extract of the 5 dimensions (Assessment)
• Organization: Independent function for oversight including authority to assess and communicate results to management
• Policies & Regulations: Cross-functional assessment regulations and policies; Assessment of policies against best practices
• People: Assess behavior of employees at entrances and gateways as well as with found USB sticks
• Process: Assessment process; Follow-up process; Assessment of compliance to processes
• Technology: Workflow supported assessment tool; Assessment of compliance to technology policies

Extract of references to standards
• ISO 27001: 9.2 Internal audit; 9.3 Management review; …
• ISO 27002: 12.7 Information systems audit considerations; …
• BSI-Grundschutz: 100-2 Methoden zur Überprüfung des Informationssicherheitsprozesses (methods for reviewing the information security process)
• NIST: AU-6 Audit review, analysis, and reporting; …

Pillar 6 - Incident Management: Becoming cyber resilient

Focus area
• Define and establish a process that handles information security incidents incl. prioritization and escalation
• Create a knowledge database on how to address repetitive incidents
• Establish breach response capabilities to identify, contain and resolve the security breach, incl. preparing press statements and external stakeholder information

Extract of the 5 dimensions (Incident Mgmt.)
• Organization: Escalation, responsibility and organizational format in crisis situations
• Policies & Regulations: Security incident policy; Crisis policy and handbook
• People: Sufficient incident training and crisis simulations for relevant employees
• Process: Incident management process and connection into all operational processes, especially monitoring
• Technology: Workflow supported risk management tool; Input from technology stack through monitoring

Extract of references to standards
• ISO 27002: 16 Information security incident management; …
• BSI-Grundschutz: 100-2 Kommunikation, Einbindung und Meldewege (communication, involvement and reporting channels)
• NIST: IR-1 Incident response policy and procedures; …

Implementation of standards in companies: definition, implementation, improvement

Step / examples / actors:
• Definition of generic "best practices" for managing information security / BSI 100-1, 100-2, ISO 27001 / International Organization for Standardization
• Customization of generic "best practices" to the individual context of the company / Gap analysis, management buy-in / Industry and professional consulting
• Implementation of the customized processes within the company / Policies, business processes, infrastructure / Management
• Monitor and check the information security processes / KPIs, benchmarking, ICS / Internal audit, IT monitoring, CISO
• Audit of the processes and the technology (infrastructure) against the standards / ISMS audit, penetration testing / Independent external auditors

ISO domains

(Figure: ISO domains arranged by management level and operative level, grouped into physical aspects, technical aspects and management aspects)
Domains shown: Physical / perimeter security; Communication & operative management; Acquisition, planning and operating of IT systems; Personnel security; IT service continuity; Compliance; Asset management; Incident management; Identity & access management; Organization of the information security management; Security policy

What are the drivers we see for information security?

The digital enterprise comprises digitized and integrated processes, products & business models

Core application fields (labelled I to IV in the figure)
• Digitization of product and service offerings
• Digitization and integration of vertical and horizontal value chains
• Digital business models and customer access
• Industry 4.0

Digital enablers
• Compliance, security, legal & tax
• Organisation, employees and digital culture
• IT architecture and data management

Core technologies to provide innovative Industry 4.0 solutions
• Location detection technologies
• Cloud computing
• Smart sensors
• Augmented reality / wearables
• Internet of Things
• 3D printing
• Big data analytics
• Advanced human-machine interfaces
• Mobile devices
• Customer profiling
• Authentication & fraud detection

Examples

Over-the-top (OTT) players
• New players entered the rising digital market
• Technology as core of business (data centric business models)
• Scalable business

Target companies
• Adaption of the insights of the OTT players
• Linear business models
• Slow growth

Examples in the figure: Social computing; Internet of Things; Cloud computing; Deutsche Post Handyporto; BMW Connected; Deutsche Bahn Touch & Travel

Digital transition drives the metamorphosis of the value chain

(Figure: drivers around the value chain) Mobile devices; Fintech; Open Source; Industrie 4.0; Cloud; Big data; Connected car; Internet of Things; Mobile online services

The transformation drives the need for trust within the whole corporate IT

• Investment: The volume of investment in the different sectors of a company varies widely and requires differing prioritization of the topic of "security".
• Evolution: The development in the areas is based on deviating parameters. While the products are oriented towards the customer market, the production is based on efficiency and the business IT is based on functionality.
• Organization: All three areas are usually subdivided into different departments, which can follow divergent strategies.

Management of Cyber Security is a compliance issue for our digital clients

Fundamentals
"The executive board has to take appropriate measures, [...], to detect early on developments jeopardizing the continued existence of companies."¹
A management system for information security is, in our opinion, an important subsystem. Detailed requirements come from
• laws²/jurisprudence and
• norms/standards.

Design
Information security needs to be implemented company-wide and across sectors. Needs-oriented, individual design according to the current state of the art with regard to
• organization,
• structures and
• technologies.

Correct implementation
The ISMS supports the executive board in meeting its organizational duties in the subject of information security. Appropriate measures are
• designed,
• implemented,
• sufficiently monitored,
• audited and
• adequately documented.

Outlook
Foreseeable, more concrete regulatory requirements in the course of digitalization:
• Car Spy Act
• IT Security Act
• EU NIS Directive
Tendency towards increasingly exposed responsibility of the executive board in case of compliance and security violations. The ISMS supports, amongst others,
• effectiveness review,
• documentation and
• further development of requirements.

(Figure labels: § National provisions; International provisions; Business specific provisions; Information security compliance; Integrated management system)

¹ § 91 II AktG
² Examples: protection of business secrets and know-how; protection of industrial property rights (e.g. patents, brands in the design and registration phase, or UrhG); surveillance of third parties such as suppliers for the purpose of third-party compliance (e.g. BGB, ProdHG, PatG, UWG)

Data Privacy


Data in companies: the knowledge pyramid

(Figure: knowledge pyramid; process steps from bottom to top: collect, arrange, analyse, synthesise, summarise, decide; outcome: action. A mobile number serves as the running example.)
• Syntax: individual characters are arranged into a statement by means of syntax. Example: "01707864279" becomes "0170-7864 279"
• Semantics: statements/data are assigned a meaning. Example: "Mobil-Nr.: 0170-7864279"
• Pragmatics/networking: information is linked with experience and context information. Example: "Hans-Hermann Gröger, PwC GmbH, Dipl Kfm, CISA, Experte Informationssicherheit, Mobil-Nr.: 0170-7864 279"

Data in companies

(Figure: bar chart "Which data sources will grow the most in your company?"; figures in percent, n=254, multiple answers possible; source: IDC, October 2012. Categories: Marketing/Sales; Procurement/Logistics; Innovation; HR; IT; Value creation; Finance/Controlling; Production. Classification legend: public, internal, confidential¹, secret²)

Information Lifecycle Management

1 Create
• How can specific data help you to gain a competitive advantage?
• Which data are required to support the business goals?
• Which type of information do you want to store and which regulations require compliance?
• Will you acquire data from external resources or create them within the company?
• How often are the data updated?
• How are new data sources and information objects incorporated and managed?

2 Store
• Are there requirements to store information in a specific form (standard data type)?
• Which storage type is the best fit for business and legal requirements?
• Is there a single source of truth for specific information?
• Are information objects stored in their original data form or managed in a central vault (MDM)?
• Is it required to keep different versions of data (files)?
• Are there disaster recovery processes in place?
• What is the expected volume (in GB or TB) of data and how high is the traffic/change rate?
• How long does each data type need to be kept?
• How often and in which time frame will you evaluate data?
• Who is responsible for the various data collections?

3 Use
• Who needs to access the data and who explicitly not?
• Is there a specific level of detail to which access needs to be granted (raw information, aggregated information, insights/trends)?
• Which processes depend on a specific data collection?
• Do you have the required data aggregation and integration skillsets and infrastructure?
• In which frequency are data accessed, modified, aggregated and analyzed?

4 Share
• What kind of information will be published and in which form?
• What processes / distribution channels are used to share information?
• Which distribution spaces exist (group-specific, company-wide, third parties, public)?
• Are there any established copyrights on data?
• In which level of detail are data to be shared?
• Will data sharing be restricted due to e.g. publishing or patenting?
• Do you intend to make all your data available for sharing?
• In which repository do you plan to deposit and share your data?
• Will a data sharing agreement be required?
• What other documentation and contextual information will be available in order to help others to understand the data?

5 Archive
• Which medium (physical, digital), form (pdf, odf), and location (local, regional, global) is required to archive data?
• What are the legal requirements and which information objects are affected?
• Which internal/company-specific policies exist?
• How will data security be guaranteed (e.g. encryption)?
• Is the available storage sufficient or will you need to invest in additional services?

6 Re-Use
• How fast can data be "activated" and staged?
• In which interval will data be used?
• Is access to raw data or insights required?
• Does meta data have to be restored as well?

7 Destroy
• After which time period can data be destroyed?
• Which processes and technologies assure that no information can be restored?
• Which policies exist for the different information objects?

Information Lifecycle Management: continuous alignment between strategy, governance, architecture & technology, and analytics

(Figure: conditions/guidelines versus value creation; requirements and use cases)
• Minimize risk through transparency of roles & processes and clear rules for handling data
• Justify costs through efficient implementation of the requirements and realization of the value-creation potential of the data
• Generate value through revenue growth, cost optimization and sustainability
• What is regulated, who controls, and which data do we need?
• What new knowledge have we gained and which insights result from it?
• How do we position ourselves and what is our focus?

Company risks arising from data (examples)

Event / impaired protection goals / company risk:
• Unauthorized manipulation of accounting data / Integrity / Cash-out through processing of the manipulated data
• Data theft, theft of hardware / Confidentiality / Loss of innovation
• Publication of personal data / Confidentiality / Penalties for data protection violations, reputational damage
• Failure of archive systems for accounting data / Availability / Tax estimate, penalties for improper bookkeeping
• Faulty processing of orders or delivery call-offs / Availability / Failures in the supply chain, lost revenue
• Asset sabotage / Integrity, Availability / Interruption of production or service

Internet risks from the perspective of decision-maker groups

(Figure only; not reproduced)

Data security and data protection

Data security
• Description: Protection of companies and their governing bodies against risks arising from data
• Goals: Ensuring confidentiality, integrity and availability
• Sources / foundations: Handelsgesetzbuch (HGB), Abgabenordnung (AO), IT-Sicherheitsgesetz (ITSiG), Bürgerliches Gesetzbuch (BGB)
• Example risks: Cash-out, production downtime

Data protection
• Description: Protection of the fundamental and personal rights of natural persons
• Goals: Ensuring informational self-determination
• Sources / foundations: Bundesdatenschutzgesetz (BDSG), Datenschutzgrundverordnung (EU-DSGVO, GDPR)
• Example risks: Fines for compliance violations, reputational damage

Data security in the information lifecycle

Controls along the lifecycle phases 1 Create, 2 Store, 3 Use, 4 Share, 5 Archive, 6 Re-Use, 7 Destroy (protection goal in parentheses):
• Classification of data by protection need (confidentiality, integrity, availability)
• Input and capture controls (integrity)
• Encryption of storage media and databases (confidentiality)
• Backups and redundant mass storage (availability)
• Access and admission rules (confidentiality, integrity)
• Continuous monitoring of system availability (availability)
• Regular tests of procedures for retrieving information from the archive (availability)
• Monitoring of interfaces (availability)
• Securing communication by means of PKI (integrity)
• Technical measures to ensure read-only access (integrity)
• Protection of storage media against physical damage (availability)
• Prescribed procedures for the destruction of storage media (confidentiality)
• Multi-stage approval procedures before destruction (availability)

Data protection in the information lifecycle

Measures along the lifecycle phases 1 Create, 2 Store, 3 Use, 4 Share, 5 Archive, 6 Re-Use, 7 Destroy:
• Obtaining/checking consent to the processing of personal data
• Informing data subjects about data collection and processing
• Ensuring the storage location (especially cloud storage)
• Obtaining/checking consent for storage in third countries
• Anonymization/pseudonymization
• Checking whether the purpose of data processing/use is permissible and matches the consent
• Checking whether data may still be used
• Checking whether the purpose of data processing/use is permissible and matches the consent
• Verification of consent to data transfer
• Reporting procedure for unintended transfer/disclosure
• Definition of a maximum retention period for archiving
• Ensuring the storage location (especially cloud storage)
• Ensuring deletion of personal data also at third parties (e.g. commissioned data processing)
• Technical measures for irreversible deletion

General Data Protection Regulation (EU-DSGVO / GDPR) in a nutshell

Scope of application
• Processing of personal data in the context of the activities of an establishment in the Union
• Regardless of the place of processing
• Limited to the protection of natural persons
• Regardless of the degree of automation of the processing
• Not limited to processing in IT systems

Basic principles
• Prohibition subject to permission: except in exceptional cases, the consent of the data subject is required
• Data minimization: processing is limited to what is appropriate for the purpose
• Purpose limitation: personal data may only be collected for specified, explicit and legitimate purposes
• Data security: appropriate technical and organizational security measures to protect personal data are required; assessing what is appropriate requires a risk assessment
• Transfer to third countries: the transfer of personal data to third countries is permissible if an adequate level of protection is guaranteed. Proof is possible, among other ways, through a decision of the European Commission, and in special cases through the consent of the data subject
• Accountability: proof of data protection compliance by the controller/processor

General Data Protection Regulation (EU-DSGVO / GDPR) in a nutshell

Rights of data subjects
• Duty to inform: data subjects must be informed when data are collected. The nature and extent of the information depend on whether the data are collected directly from the data subject. Among other things, the purpose of data collection and processing must be stated.
• Right of access: on request, natural persons must be told whether personal data are being processed. In addition, the personal data and extensive information on the data processing must be provided (among other things purpose, duration and the recipients to whom the data have been disclosed). The rights and freedoms of other persons must be respected when answering the requests.
• Rectification and erasure: data subjects must be granted the right to rectification of their personal data. Data subjects have the right to demand the immediate erasure of their personal data if, for example, the data are no longer necessary for the purpose of collection, consent for the processing is withdrawn, or the data were collected unlawfully. After disclosure to third parties, the data must also be erased there.

General Data Protection Regulation (EU-DSGVO / GDPR) in a nutshell

Technical and organizational data protection
• Privacy by Design and Privacy by Default: default settings for the processing of personal data are to be designed so that only the data necessary for the specific purpose are processed. The rule has indirect effects on IT products and procedures.
• Notification of personal data breaches: breaches of the protection of personal data must be reported to the competent supervisory authorities within 72 hours.
• Data protection impact assessment: where processing is likely to result in a high risk to personal rights and freedoms, an impact assessment for the protection of personal data must be carried out (e.g. video surveillance). Involvement of the company or public-authority data protection officer is required.
• Obligation to appoint a data protection officer: all public bodies and companies whose core activity consists of data processing must designate a data protection officer. Member states may prescribe further cases in national law.
• Codes of conduct and certifications: codes of conduct and certifications are intended to simplify procedures under the GDPR (e.g. in providing evidence) and to constitute a competitive advantage. Certifications can be issued by the supervisory authorities or accredited bodies.

Challenges of data protection projects (examples)

Challenge: Governance. Background and exemplary measures

Instead of a one-off project, measures and procedures must be adopted that ensure lasting, adaptive fulfilment of the requirements.
• Central body for steering and monitoring compliance with the requirements
• Mandatory assessment as a matter of principle within new developments and projects
• Requirements for the recording and documentation of the collection of data and the use of data

Challenge: Data inventory. Background and exemplary measures

Both the company's data itself and the context in which they are collected and used must be completely identified and assessed.
• Analysis of the data to determine personal reference: original, or through linkage with other personal data
• Complete identification and documentation of the business processes and of the data collected or used in them

Challenge: Consent management. Background and exemplary measures

With regard to the personal data held, it must be managed for which uses of these data consent has been given.
• Identification and classification of the types/variants of use for the individual data
• Establishment of a system for managing the consents for the use of the individual data and for changing consent to a use
• Establishment of reliable organizational measures to ensure that data are processed only with consent
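The consent management described above, as an added illustration (constructed example code, not PwC's or any product's): a registry that records consent per data subject and purpose, enforces purpose binding and the "prohibited unless permitted" rule at every processing step, handles withdrawal and re-consent, and logs each decision for accountability. The class and function names, the subject id, the purposes and the legal-basis set are assumptions.

```python
"""Consent management for personal data (constructed example).

Rules modelled: processing is forbidden unless permitted (Verbot mit
Erlaubnisvorbehalt), each processing step is bound to one declared purpose
(Zweckbindung), withdrawal takes effect immediately, re-consent is possible,
and every decision is logged so compliance can be demonstrated
(Rechenschaftspflicht). Purposes in legal_basis rest on a basis other than
consent, e.g. contract performance; the set is a constructed placeholder.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

UTC = timezone.utc


@dataclass
class Consent:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """A consent covers 'when' from the moment it was given until withdrawal."""
        if when < self.given_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


@dataclass
class ConsentRegistry:
    legal_basis: Set[str] = field(default_factory=set)
    # subject id -> full consent history; withdrawn entries are kept, not deleted
    consents: Dict[str, List[Consent]] = field(default_factory=dict)
    # decision log: (when, subject, purpose, allowed, reason)
    log: List[Tuple[datetime, str, str, bool, str]] = field(default_factory=list)

    def give(self, subject: str, purpose: str, when: datetime) -> None:
        self.consents.setdefault(subject, []).append(Consent(purpose, when))

    def withdraw(self, subject: str, purpose: str, when: datetime) -> bool:
        """Close the active consent for this purpose; False if none was active."""
        for c in self.consents.get(subject, []):
            if c.purpose == purpose and c.active_at(when):
                c.withdrawn_at = when
                return True
        return False

    def is_allowed(self, subject: str, purpose: str, when: datetime) -> bool:
        """Decide and log whether 'purpose' may be processed for 'subject' at 'when'."""
        if purpose in self.legal_basis:
            allowed, reason = True, "legal basis other than consent"
        else:
            allowed = any(c.purpose == purpose and c.active_at(when)
                          for c in self.consents.get(subject, []))
            reason = "active consent" if allowed else "no active consent"
        self.log.append((when, subject, purpose, allowed, reason))
        return allowed

    def process(self, subject: str, purpose: str, when: datetime, record: dict):
        """Gate a processing step: the record is returned only when permitted."""
        return record if self.is_allowed(subject, purpose, when) else None

    def history(self, subject: str) -> List[Tuple[str, datetime, Optional[datetime]]]:
        """What a data subject would be shown on an access request (Auskunft)."""
        return [(c.purpose, c.given_at, c.withdrawn_at)
                for c in self.consents.get(subject, [])]


def demo() -> Dict[str, object]:
    """Walk one subject through consent, withdrawal and re-consent (constructed)."""
    reg = ConsentRegistry(legal_basis={"contract_fulfilment"})
    t = [datetime(2017, 5, d, tzinfo=UTC) for d in (1, 10, 20, 25)]
    subject = "subject-42"                       # constructed pseudonymous id
    record = {"email": "placeholder@example.invalid"}
    reg.give(subject, "newsletter", t[0])
    r1 = reg.process(subject, "newsletter", t[1], record)           # allowed
    reg.withdraw(subject, "newsletter", t[1])
    r2 = reg.process(subject, "newsletter", t[2], record)           # blocked: withdrawn
    r3 = reg.process(subject, "profiling", t[2], record)            # blocked: never given
    r4 = reg.process(subject, "contract_fulfilment", t[2], record)  # legal basis
    reg.give(subject, "newsletter", t[2])                           # change of consent
    r5 = reg.process(subject, "newsletter", t[3], record)           # allowed again
    return {"before": r1 is not None, "after_withdrawal": r2 is not None,
            "never_given": r3 is not None, "legal_basis": r4 is not None,
            "after_reconsent": r5 is not None, "decisions": len(reg.log),
            "history_entries": len(reg.history(subject))}


if __name__ == "__main__":
    print(demo())
```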


Challenge: Data subject rights. Background and exemplary measures

A platform must be provided that enables access to, correction, erasure and provision of the data stored about a person.
• Set up a repository for the automatic determination of the data stored in the individual systems
• Development of a central platform for managing data subject requests
• Establishment of suitable authentication and authorization procedures
• Extension of the existing systems with (interface) functions for access, correction, erasure and provision

Technical Security


IoT Security: Example Connected Car

Lack of security arise from the insufficient project environment

Limited capabilities & capacity

Competitive/ market pressure

Budget pressure

Lag of responsibility

Timepressure

Conflicts of

interest

Current project environmentConnected car: Influencing factors & project environment

Automotive IT

Tim

e

Competition

Bu

dge

t

Compliance

Connected Car and Autonomous Driving is a new topic for Car Manufactures within a new environment for people in IT, R&D, Sales and Security. Based on tough competition and market pressure it is important to deliver working solutions on the date of SOP. The path to get this working solutions and the solution itself shows some significant challenges.

43May 2017IoT Security

Missing synchronization of the classic car development and the related IT projects leads to insufficient security

[Figure: timeline towards SOP with two parallel tracks. Car development: Development, Prototyping & Test, Marketing & Sales. Backend development: Development, Prototyping & Test, Development, Pre-sales. Further labels in the figure: "Minimum requirement specification", "Unsecure solution".]

IoT Security - Automotive Security from the technological perspective

Internet and Backend 1)

• Backend services

• Navigation services

• Wireless update / OTA / cloud services

• SMS, intelligent emergency call (eCall) 2)

Interfaces to the Vehicle

• Mobile communications

• WLAN

• Bluetooth

• Kessy

• TPMS

• Diagnosis (OBD2)

• OCU1

IT-Security in the Vehicle

• CAN bus network

• FlexRay

• Ethernet

• MOST

• LIN bus

• Control devices

1) Group backend as well as provider backend 2) possibly belongs to provider backend

IoT Security – Information security has to be part of the vehicle development process

Methods:

• Systematic, risk-based and criticality-driven approach

• Framework for the evaluation of risks

• Iterative approach

Process steps:

Step 1: Modelling of the threat detection map
1. Systematic registration and decomposition of the vehicle
2. Conception of the data flowchart
3. Valuation of assets and protection objectives
4. Representation and weighting of direct and indirect attack paths

Step 2: Documentation review
1. Review of the documentation
2. Validation and itemisation of the identified threat scenarios
3. Identification and assessment of available protection measures
4. Assessment of the feasibility of threat scenarios

Step 3: Determining the examination catalog
1. Conception of the priorities for security tests (test depth will be determined based on the criticality of components)
2. Derivation of audit objectives
3. Conception of the examination catalog

Step 4: Perform analyses
1. Performing the analysis according to the examination catalog: functional tests (e.g. based on ISO 29119) and explorative penetration tests

Step 5: Risk assessment and derivation of measures
1. Valuation of risks
2. Measures to address the risks and formulation of an assessment of the residual risk
3. Updating the threat detection map

Step 6: Set up documentation
1. Overview of the results
2. Correlation and processing of the results
3. Recommendation of measures for removal of deficiencies
4. Overall evaluation and risk classification

A combination of different technical test methods has to be implemented

Only a combination of functional test methods based on a risk approach and explorative tests based on the view of an attacker can give a realistic picture of the built-in security.

Inputs to the test catalogue for EE systems and functions:

• Security functions

• Defined strategic security level

• Results of the risk analyses

• Test and hacking experiences

Functional tests: comprehensive analysis of the effectiveness of built-in protection measures with regard to the information security risk.

Explorative tests: analysis of the actual information security risk caused by a cyber attack.

Set-up of test catalogues follows a structured approach

Methods and tools:

• Systematic risk-based and criticality-driven approach

• Documentation review

• Functional testing (including ISO 29119) as well as exploratory penetration testing

• Framework for the assessment of risks

• Iterative procedure

Advantages:

• A comprehensive overview of the threats and security risks

• Comprehensible, structured and repeatable test methodology

• Overview of existing vulnerabilities

• Recommendation for the removal of weaknesses (before start of production)

IoT test phases:

I Modeling the threat map
II Documentation review
III Test catalogue set-up
IV Performing of analysis
V Risk evaluation and definition of measures
VI Reporting of the test results

Challenges:

• High complexity of the whole system

• Completeness of analyses concerning the vehicle architecture

• Consistent and efficient execution of analyses

• Consistent assessment of risks

Supply Chain Security

Example TISAX Certification

Information Security within the supply chain: security integration within the cyber chain

[Figure: the industrial value chain (R&D product innovation and development; sales / product sales; production; product logistics; product operation / spare parts and service management), repeated for each tier of the supply chain]

The highly integrated automotive industry requires an exchange of confidential information along the value chain.

Information Security within the supply chain

The TISAX audit standard provides trusted audit reports from the supplier to the OEM in the automotive industry through the accreditation of auditors.

[Figure: roles: Auditor; Participant (e.g. OEM); Auditee (participant of the supply chain); Trusted Anchor (ENX network). Exchanges shown: Accreditation; Audit application; Audit & Report; Report provision; Release of the report; Link to the report; Report request.]

TISAX as a trusted anchor within the supply chain

[Figure: OEM and supplier as registered participants; registered audit provider (Certification Services GmbH) with assessment and contract; the five assessment modules listed below]

Assessment modules:

1 ISMS (always required)
2 Prototype protection (optional)
3 Connection to third party (optional)
4 Data protection (optional)
5 (Cloud) provider security (not yet defined)

ISMS: Module to assess the maturity of the information security management processes. This basic module is always required.

Prototype protection: This module is required if the supplier has to handle highly confidential information about prototypes. The focus is the maturity of the physical security measures.

Connection to third party: This module is required if the supplier is connected to the IT network or another technical connection for the exchange of confidential information is established.

Data protection: This module is required if the supplier handles personal information of customers. The result of this module only indicates extensive data privacy compliance assessments.

(Cloud) provider security: This module is not yet released. It should be required if the supplier uses cloud services to process confidential information of the client.

The Parents of TISAX

“Trusted Information Security Assessment Exchange (TISAX) is a part of the ENX platform and works as a verifying and exchange mechanism that serves cross-company as a recognition of information security assessments.”

“ENX is a non-profit organization that was built in the year 2000 by automobile companies and serves as umbrella for the network standard ENX. ENX is used for the exchange of information and for the initiation of pre-competitive cooperation projects in the field of IT.”

www.enx.com

Based on the results of the Working Group “Information Security,” the VDA has recommended its members to bring their information protection into line with the international standard ISO 2700x […].

The VDA published the questionnaire for checking Information Security Assessment and Information Security Management, Version 3.0.2 (12.01.2017).

www.vda.de

Currently registered to perform assessments:

• PwC Certification Services GmbH

• Operational Services GmbH

• TÜV

• EY

• (KPMG)

To check information security systems, TISAX-accredited auditors have to adhere to precisely defined procedures.

Assessment approach: phase overview

Phase I: Initial Assessment

• Opening meeting

• Definition of objectives, project scope and characteristics

• Provisioning of documents

• Interview or on-site inspection

• Initial assessment report

Phase II (optional): Corrective Action Plan Assessment

• Is only conducted if there were non-conformities

• Verification of the auditee's corrective action plan and time plan

• The result is a suitable corrective action plan

Phase III (optional): Follow-Up Assessment

• Has to be conducted within 9 months after the initial assessment

• Is conducted to verify that the previously identified non-conformities are resolved

• The result is a Follow-up Assessment Report

Phase IV: Assessment proceeding concluded

• In the closing meeting the assessment findings and results will be presented to the auditee

• The final assessment report will be issued after the acceptance of the auditee

Assessment Levels: specification of the necessary assessment

Assessment Level | Short Description | Protection Level
AL 2 | Plausibility check of self-assessment restricted to evaluation of evidences and an expert interview | High protection level
AL 3 | Full assessment including evaluation of evidences, on-site inspection and expert interviews | Very high protection level

Overview

TISAX uses Assessment Levels to introduce different intensities and methodologies for different needs of the auditee. A higher Assessment Level increases the accuracy of the assessment as well as the effort needed to complete the assessment. An assessment made with a higher Assessment Level always satisfies the requirements for lower Assessment Levels. Assessment Level 1 is a special case only used in group assessments or for self-assessments by the auditee.

Maturity Levels: overview

For each control the current maturity level is determined. The overall target maturity level has been set at 3.00. Deviations of up to 10% from the target maturity level (i.e. down to 2.70) may be acceptable. Deviations between 10% and 30% may be considered a minor non-conformity. Deviations of more than 30% must be considered a major non-conformity regardless of the actual risk for information security.

Level

0 – Incomplete

1 – Performed

2 – Managed

3 – Established (Implemented)

4 – Predictable

5 – Optimizing
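The deviation rule stated above (target 3.00; shortfall of up to 10% acceptable, between 10% and 30% a minor non-conformity, more than 30% a major non-conformity) is easy to get wrong at the boundaries, so here it is as an added example rather than anything from the slides or from TISAX itself. The control identifiers and measured levels are constructed; the thresholds are the ones on the page, and the rule that the worst class among the controls decides the overall verdict is an assumption made for the example.

```python
"""Maturity-level conformity check.

Added example, not part of the PwC slides: it applies the rule stated above
(target maturity 3.00; shortfall of up to 10 % acceptable, between 10 % and
30 % a minor non-conformity, more than 30 % a major non-conformity) to a set
of control results. The control identifiers and measured levels are constructed,
and "the worst class decides the overall verdict" is an assumption of the example.
"""

TARGET_LEVEL = 3.00
MINOR_THRESHOLD = 0.10   # shortfall up to 10 % of the target may be acceptable
MAJOR_THRESHOLD = 0.30   # shortfall of more than 30 % is a major non-conformity


def shortfall(level, target=TARGET_LEVEL):
    """Relative deviation below the target, 0.0 when the target is met or
    exceeded; rounded so that boundary values such as 2.70 compare cleanly."""
    return round(max(0.0, (target - level) / target), 4)


def classify(level, target=TARGET_LEVEL):
    """Map one control's measured maturity level to its conformity class."""
    dev = shortfall(level, target)
    if dev <= MINOR_THRESHOLD:
        return "conform"
    if dev <= MAJOR_THRESHOLD:
        return "minor non-conformity"
    return "major non-conformity"


def floor_levels(target=TARGET_LEVEL):
    """Lowest maturity level that is still acceptable, and the lowest level
    that is still only a minor non-conformity."""
    return {"acceptable": round(target * (1 - MINOR_THRESHOLD), 2),
            "minor": round(target * (1 - MAJOR_THRESHOLD), 2)}


def assess(results, target=TARGET_LEVEL):
    """results: {control_id: measured maturity level 0..5}.
    Returns the per-control classes, a count per class, the average measured
    level and the overall verdict (the worst class found decides)."""
    per_control = {cid: classify(level, target) for cid, level in results.items()}
    counts = {"conform": 0, "minor non-conformity": 0, "major non-conformity": 0}
    for cls in per_control.values():
        counts[cls] += 1
    if counts["major non-conformity"]:
        verdict = "major non-conformity"
    elif counts["minor non-conformity"]:
        verdict = "minor non-conformity"
    else:
        verdict = "conform"
    average = round(sum(results.values()) / len(results), 2) if results else 0.0
    return {"per_control": per_control, "counts": counts,
            "average_level": average, "verdict": verdict}


# Constructed sample: six controls with measured maturity levels.
SAMPLE_RESULTS = {
    "1.1": 3.0,   # exactly on target
    "1.2": 2.7,   # exactly 10 % below target: still acceptable
    "1.3": 2.5,   # about 16.7 % below target: minor
    "1.4": 2.1,   # exactly 30 % below target: still minor
    "1.5": 1.0,   # about 66.7 % below target: major, regardless of actual risk
    "1.6": 4.0,   # above target: conform
}

if __name__ == "__main__":
    report = assess(SAMPLE_RESULTS)
    for cid, cls in report["per_control"].items():
        print(f"control {cid}: level {SAMPLE_RESULTS[cid]:.2f} -> {cls}")
    print("overall:", report["verdict"], report["counts"],
          "average level:", report["average_level"])
```

The rounding in shortfall() matters: computed in plain floating point, (3.00 - 2.70) / 3.00 lands a hair below 0.10 and (3.00 - 2.10) / 3.00 a hair below 0.30, so without it a control sitting exactly on a boundary can flip class depending on how the levels were entered.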

Production Security

Example SCADA Security

ICS/SCADA Security

[Figure: risks of industrial IT and risks of business IT meeting in the risks of Industry 4.0, marked with a question mark]

Industrial Security vs. Office IT-Security

Criterion | Industrial (ICS/SCADA) | Office IT
Location | Production (from clean to tough environments) | Office and data center climate
Installation | Engineer from the manufacturer | Specialized IT engineers
Topology | Depends on the ICS/SCADA system | Meshed in most cases, mainly IP-based
Availability | Latency < 300 ms | Seconds or minutes of outage are acceptable
Amount | Low, switches have just a few ports | Quite high, switches with high port density
Monitoring | Part of the system (functional) | IT expert, network monitoring, SIEM, vulnerability management etc.
Product lifecycle | Up to 20 years or more | One to three years

ICS/SCADA Security

Industrial Control Systems (ICS) have been developed with a focus on:

• safety, but not on security,

• functionality, but not on fault reaction,

• persistence, but not on transformation.

ICS/SCADA Security in an Industry 4.0 World

ICSs enable Industry 4.0

Industrial Control Systems (ICS) build the backbone of Industry 4.0.

Success of new business models for the production depends on gaining control over the Industry 4.0 security.

Effective Industry 4.0 security is based on a strong ICS risk and vulnerability management.

Industry 4.0 pushes the ICS development


ICS/SCADA Security in an Industry 4.0 World

ICS threats to be identified

The necessary ICS threat, risk and vulnerability management is based on a transparent IT and production security.

Common IT security tools are not suitable for ICSs.

ICS Security Scanning tools are not available on the market.

Managing the ICS security is key


ICS/SCADA Security: Vulnerabilities

ICS/SCADA Testing: SCADA Exploitation Frameworks

SCADA Exploitation Frameworks and Tools:

• Metasploit – Popular Exploitation Framework (free)

• Core Impact – Elite and expensive Exploitation Framework ($)

• Immunity Canvas – Elite and expensive Exploitation Framework ($)

• Gleg SCADA+ Exploit Pack – Collection of unique Exploits ($)

• Gleg SCADA+ Pack Latest Updates – Updates ($)

• Modscan – A MODBUS/TCP scanner (free)

• Scadascan – Audit SCADA network for vulnerabilities (free)

• Nessus – basics (free)


Special technical features

• Includes a protocol implementation of PROFINET to perform detailed ICS/SCADA service analysis

• Includes a protocol implementation of the Siemens custom S7 protocol to receive detailed information from S7-based ICS/SCADA systems

• Implementation of custom scanning modes to mitigate the risk of scanning sensitive ICS/SCADA environments

• Offers detailed scan timing, white- and black-listing settings
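The last three features above (custom scanning modes, scan timing, white- and black-listing) exist because an active probe can disturb a controller that was, as the earlier slide puts it, built for safety and persistence rather than for fault reaction. The following added example is not PwC's scanner and sends no packets; it only shows what the policy decision in front of such a scanner can look like: which inventoried hosts may be probed at all, in which order, and at what pace. All addresses (TEST-NET ranges), roles, the role ordering and the policy values are constructed for the example.

```python
"""Scan-policy gate for sensitive ICS/SCADA environments.

Added example, not PwC's scanner: it shows what white- and black-listing,
scan timing and "custom scanning modes" can look like in code. Nothing is
probed here; the function only decides which inventoried hosts may be
touched, in what order and at what pace. Addresses, roles, the role ordering
and the policy values are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Host:
    address: str
    role: str                      # constructed roles: historian, hmi, rtu, plc
    safety_relevant: bool = False  # e.g. a PLC in a safety instrumented function


@dataclass(frozen=True)
class ScanPolicy:
    allowed_networks: tuple        # white-list: only hosts in these subnets
    blocked_addresses: frozenset   # black-list: never probed, whatever the subnet
    skip_safety_relevant: bool     # custom mode: safety-relevant hosts stay passive
    probe_interval_s: float        # minimum pause between two active probes
    maintenance_window: tuple      # (start_hour, end_hour), may wrap past midnight


# Least sensitive devices are probed first so a problem shows up before any
# controller is touched (the ordering is a constructed convention).
ROLE_ORDER = {"historian": 0, "hmi": 1, "rtu": 2, "plc": 3}


def in_window(hour, window):
    """True if `hour` (0-23) lies inside the maintenance window."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end   # window wraps past midnight


def plan_scan(hosts, policy, hour):
    """Return (schedule, skipped): schedule is a list of (offset_seconds, address)
    in probing order, skipped maps each excluded address to the reason."""
    if not in_window(hour, policy.maintenance_window):
        return [], {h.address: "outside maintenance window" for h in hosts}
    networks = [ipaddress.ip_network(n) for n in policy.allowed_networks]
    eligible, skipped = [], {}
    for host in hosts:
        ip = ipaddress.ip_address(host.address)
        if host.address in policy.blocked_addresses:
            skipped[host.address] = "black-listed"
        elif not any(ip in net for net in networks):
            skipped[host.address] = "not in a white-listed network"
        elif policy.skip_safety_relevant and host.safety_relevant:
            skipped[host.address] = "safety-relevant: passive monitoring only"
        else:
            eligible.append(host)
    eligible.sort(key=lambda h: ROLE_ORDER.get(h.role, len(ROLE_ORDER)))
    schedule = [(i * policy.probe_interval_s, h.address) for i, h in enumerate(eligible)]
    return schedule, skipped


# Constructed inventory and policy (TEST-NET addresses).
SAMPLE_HOSTS = [
    Host("192.0.2.21", "plc"),
    Host("192.0.2.10", "hmi"),
    Host("192.0.2.20", "plc", safety_relevant=True),
    Host("192.0.2.30", "historian"),
    Host("198.51.100.5", "plc"),
]
SAMPLE_POLICY = ScanPolicy(
    allowed_networks=("192.0.2.0/24",),
    blocked_addresses=frozenset({"192.0.2.30"}),
    skip_safety_relevant=True,
    probe_interval_s=5.0,
    maintenance_window=(22, 4),
)

if __name__ == "__main__":
    schedule, skipped = plan_scan(SAMPLE_HOSTS, SAMPLE_POLICY, hour=23)
    for offset, addr in schedule:
        print(f"t+{offset:5.1f}s probe {addr}")
    for addr, reason in skipped.items():
        print(f"skip {addr}: {reason}")
```

The black-list is checked before the white-list on purpose: an address that someone explicitly excluded must stay excluded even when a later, broader subnet entry would cover it. The maintenance window refuses the whole run rather than individual hosts, because a half-executed scan against a plant is harder to reason about than none at all.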

[Figure: deployment architecture across the zones Control Center, Intermediate SCADA and Field Sites. Elements shown: ICS Security Service Center with the PwC monitoring system and an update server, external firewall, SCADA server (MTU), SCADA server (sub MTU), RTUs/PLCs connected via modems, and two ICS scan nodes.]

Thanks for your attention.

© 2017 PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each member firm of PwCIL is a separate legal entity.