Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Transcription

1 Cybersecurity Risk Oversight: the NIST Framework and EU approaches Antonis Patrikios, Director Privacy & Information Law Group ACC webcast, 10 July 2014

2 Overview Why cybersecurity matters US NIST Framework EU approaches What it all means in practice 2"

3 Don t believe the hype? 3"

4 The evolving threat landscape 4"

5 So what? 5"

6 Everyone is vulnerable (not just Burger King) 6"

7 So, it s not if but when and it s not just cyber Hacked, lost equipment, fat fingers, misdirected comms, cloud failure, eavesdropped, supply chain breakdown 7"

8 People care (or so think Microsoft) 8"

9 Possible impact of a serious cyber attack Loss of IP. confidential information, PII Detecting, containing, remedying and recovering from incident Dealing with complaints and press enquiries Business as usual is disrupted. Costs Adverse publicity, brand damage, loss of trust. Share price drops Satisfying legal requirements and meeting regulatory expectations Breach of law and/or contract Action in court (including class actions) Impact on insurance Regulatory investigation Incident response and dealing with regulators puts strain on human and financial resources. More disruption and costs Enforcement action, fines, stigma of being fined More adverse publicity, brand damage, loss of trust 9"

10 So what should we be doing about it? Socialize the problem and keep it on the agenda Understand systems-based regulation and assess the risk Cyber and data security system Protect against cyber threats Have a plan for failure (remembering that the press, regulators and the public are not fools Respond to cyber incidents 10"

11 The NIST Framework for Improving Critical Infrastructure Cybersecurity 11"

12 NIST Framework: background Initiated by Executive Order 13636, Improving Critical Infrastructure Cybersecurity Led by NIST and DHS, with contributions from private sector, industry and companies Designed primarily for US critical infrastructure owners and operators, but suitable for use by other actors in other countries How about companies that provide services to owners and operators? Applicability to companies of all sizes Voluntary guideline. Not a fool proof formula for cybersecurity Draws heavily from existing standards (e.g. NIST , ISO 27001, COBIT) Provides an approach for managing cybersecurity risk 12"

13 NIST Framework: what does it do? Does not create new standards Leverages existing cybersecurity practices such as those developed by NIST or ISO Provides a risk-based compilation of guidelines to identify, implement and improve cybersecurity Creates a common language Requires proactive cyber risk management Provides an assessment mechanism to determine current cybersecurity capabilities, identify target state and establish a plan for cybersecurity programs 3 primary components: Profile, Implementation Tiers and Core 13"

14 NIST Framework: Profile component Create a Current Profile by measuring the current state of your cybersecurity program and identify a Target Profile Compare the two to identify gaps and create a prioritized roadmap to close them! Implementation Tiers : Tier 1 Partial Tier 2 Risk informed Tier 3 Repeatable Tier 4 Adaptive 14"

15 NIST Framework: core functions 15"

16 NIST Framework: addressing privacy and civil liberties Regarding personal information used, collected, processed, maintained or disclosed in connection with cybersecurity Possible problems: over-collection, over- retention, unrelated disclosure; privacy intrusiveness of cyber defences Activities should be compliant with applicable privacy laws, regulations and Constitutional requirements Incorporate privacy principles such as data minimization at collection, disclosure and retention of personal information; use limitations; transparency; individual consent; redress for adverse impacts; data quality, integrity and security; accountability and auditing Specific provisions concerning the processes for governance; steps to be taken to identify and address privacy concerns; awareness and training; privacy reviews of anomalous activity detection and monitoring; response activities and information sharing 16"

17 NIST Framework: why should you adopt it? For most organizations, it is likely to help you improve riskbased cybersecurity It is likely to improve collaboration, communication, information sharing and threat intelligence It requires engagement at executive, business/process and operational levels, so will help create a security culture at your organization The Executive Order (s 8 (d)) talks about incentives If you are a supplier to critical infrastructure owners or operators, they are likely to expect you to comply In the US, it may become the de facto standard for cybersecurity and may impact legislation, judgements and regulatory thinking It prepares you for compliance with future laws and regulations on cyber and privacy It will help you comply with legal requirements and regulatory expectations on data security (e.g. in Europe!) 17"

18 The EU approach to cybersecurity 18"

19 What shapes EU legislative and regulatory thinking 19"

20 EU data security law and law making Law: Who: Effect: Law: Who: Effect: Personal Data E- communications DP Directive 1995 Data Controllers Cyber Now Now Now Appropriate T&O security measures for personal data Draft DP Regulation 2012 Controllers and Processors PEC Directive 2002/09 Telcos & ISPs Appropriate T&O for service security; breach notification; regulatory audits Better Regulation Directive 2009 Telcos & ISPs Appropriate T&O for network and service security; breach notification Next Next Next Appropriate T&O for personal data; breach notification; regulatory audits; bigger fines No change No change No change Draft Cybersecurity Directive 2013 Utilities, transport, finance, public bodies, food supply Appropriate T&O for NIS; breach disclosure; regulatory audits 20"

21 Duty to protect against personal data loss Data Protection Directive (95/46/EC) Article 17, Security of Processing [ ] the controller must implement appropriate technical and organizational measures to protect personal data [ ] Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. [ ] the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller [ ] 21"

22 Industry standards flesh out the requirements Examples: ISO 27002, e.g.: Installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis Checks should include checking files on media and files received over networks for malicious code before use Checking attachments and downloads for malicious code before use; check should be carried out at different places, e.g. at servers, desk tops, and when entering the network of the organisation PCI DSS, e.g.: Install and maintain a firewall configuration to protect cardholder data Use and regularly update anti-virus software or products; must be used to protect systems from current and evolving malicious software threats Track and monitor all access to network resources and cardholder data 22"

23 HM Government Cyber Essentials Scheme (UK) Government backed, industry supported scheme to help organisations protect against common cyber attacks Clear statement of basic controls and security measures Also has the goal to function as an Assurance Framework to enable organisations to demonstrate they take cyber security seriously through certification HM Government have pledged to require suppliers bidding for certain personal and sensitive information handling contracts to be certified from 1 October 2014 UK Data Protection regulator has endorsed it 23"

24 The law is actively enforced 24"

25 The technology (and privacy) paradox As threats increase, new more powerful technologies emerge, e.g: Standard Firewalls Anti-virus Anti-spam Emerging DLP SIEM Forensics EnCase As they evolve, obligations and expectations to adopt them increase But increasing technological sophistication increases privacy risks 25"

26 So, what does it all mean in practice? 26"

27 Practical recommendations Good intentions and careful thinking can take us a long way Data security system; due diligence; contracts Understand the IT and network perimeter; who is responsible for legal compliance; consider roles and allocation of responsibilities Before implementing cyber security technologies, do a PIA! Environmental scan and benchmarking against industry standards Consider national particularities legislation, case law, approach of regulators (practice, action and guidance) Risk mitigation How you respond to incidents is paramount! Prepare for the new legal regime 27"

28 Key step 1: get your cybersecurity system right Get senior management buy in and sponsorship Assess current posture, define targets and execute NIST Framework Review, improve, and keep under review: Policies Processes Training Risk assessments Contracts Operational security Engage external support if required 28"

29 Key step 2: privacy impact assessments for cyberdefences Focus/configuration: the person; the data; the network Data type: content; traffic; personal; info stored on terminal equipment Monitoring type: Interception content in course of transmission Traffic data in course of transmission non intercept Retained/stored/archived data Review and use: Anonymous or identifiable Initial review team. Escalation Retention of results Further use (including disclosures and sharing) Essential principles: lawfulness, necessity, proportionality, transparency and purpose limitation 29"

30 Key step 3: get on top of things before the breach happens Have a plan for failure, remembering that the press, regulators and the public aren t fools Understand the information flows and the processing operations Carry out and document a risk assessment Scenario planning Create clear incident management plan, with management roles and reporting lines Establish your positions on breach disclosure Address the regulatory hotspots 30"

31 Key step 4: get incident response right! Detect the breach! Understand what has happened Contain the problem Recover from it Mitigate harm Satisfy legal obligations Protect brand and reputation Learn the lessons 31"

32 Issues we see during our practice Not seeing the nuances and differences between kinds of incidents Misapprehending the gravity of the situation Weak incident management processes Silo d teams handling the matter Back-covering, including told you so Worry about personal consequences Not having a clear position on regulatory issues, including breach disclosure 32"

33 You ve been hacked! The lens of litigation Legal component to your breach response is absolutely essential Obtaining the cloak of privilege for your work Enable you to say that you were taking your legal obligations seriously and were acting on advice Enable you to address your legal obligations correctly and in a timely fashion, e.g. regarding breach notification 33"

34 Beating regulatory fines Fines are beatable, but it takes skill to present the right case and marshal your evidence by reference to the conditions precedent to fining At least in the UK, no or little likelihood of harm has proven to be a strong defence for controllers (Scottish Borders and Tetrus Telecoms) hacking cases, relying upon expert forensic evidence about degree of exposure of data and how they data can be used medical case, relying upon absence of complaints following patient notification expert medical case, obtaining witness statement from patients 34"

35 Thank you! Discussion and Q&A "