Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Similar documents
13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

The Deloitte-NASCIO Cybersecurity Study Insights from

Emerging Technologies The risks they pose to your organisations

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Common approaches to management. Presented at the annual conference of the Archives Association of British Columbia, Victoria, B.C.

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

The Future of IT Internal Controls Automation: A Game Changer. January Risk Advisory

GDPR: A QUICK OVERVIEW

Achieving effective risk management and continuous compliance with Deloitte and SAP

Information Technology Branch Organization of Cyber Security Technical Standard

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Vulnerability Management. June Risk Advisory

Cyber Risk and Networked Medical Devices

How to avoid storms in the cloud. The Australian experience and global trends

Real estate predictions 2017 What changes lie ahead?

INTELLIGENCE DRIVEN GRC FOR SECURITY

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Cyber security and awareness for non-financial services. 24/25 May 2017

Privacy By Design: Privacy smart from the start. Agenda. 1. About Deloitte. 2. Privacy Incidents Around the World. 3. Privacy Smart from the Start

Cybersecurity Protecting your crown jewels

Deloitte Shared Services Conference 2018 Lab: Scaling RPA David Wright, Kim Burton, Dupe Witherick and Marina Gordeeva, Deloitte

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Internet of Things (IoT) Securing the Connected Ecosystem

THE ISACA CURACAO CHAPTER IS ORGANIZING FOLLOWING INFORMATION SECURITY AND TECHNOLOGY SESSIONS ON MAY 15-MAY :

Building and Testing an Effective Incident Response Plan

Cloud Computing Overview. The Business and Technology Impact. October 2013

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Anticipating the wider business impact of a cyber breach in the health care industry

PA TechCon. Cyber Wargaming: You ve been breached: Now what? April 26, 2016

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Cyber Security is it a boardroom issue?

Cyber Security Law --- Are you ready?

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

GDPR: An Opportunity to Transform Your Security Operations

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

The New Healthcare Economy is rising up

Big data privacy in Australia

01.0 Policy Responsibilities and Oversight

State of South Carolina Interim Security Assessment

Webcast title in Verdana Regular

MassMEDIC s 21st Annual Conference

Vulnerability Assessments and Penetration Testing

Application Security Kung-Fu Competitive Advantage from Threat Modeling

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Business Continuity Management Standards A Side-by-Side Comparison

locuz.com SOC Services

Cybersecurity and the Board of Directors

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

Optimisation drives digital transformation

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Enterprise GRC Implementation

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Cyber Security Incident Response Fighting Fire with Fire

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

The NIS Directive and Cybersecurity in

Ottawa Central Library Development Project. P3 Screening Assessment Report

What It Takes to be a CISO in 2017

Why you should adopt the NIST Cybersecurity Framework

Risk Advisory Academy Training Brochure

Cybersecurity and the role of internal audit An urgent call to action

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

From Dabbling to Doing The Age of the Intuitive Enterprise

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Implementing ITIL v3 Service Lifecycle

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Cyber Security. It s not just about technology. May 2017

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Improving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Are we breached? Deloitte's Cyber Threat Hunting

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

ISE Canada Executive Forum and Awards

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Disaster recovery strategic planning: How achievable will it be?

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

The value of visibility. Cybersecurity risk management examination

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

Government of Ontario IT Standard (GO-ITS) Number 30.2 OPS Middleware Software for Java Platform

EY s data privacy service offering

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

REPORT 2015/149 INTERNAL AUDIT DIVISION

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Transcription:

Data Protection Practical Strategies for Getting it Right Jamie Ross Data Security Day June 8, 2016

Agenda 1) Data protection key drivers and the need for an integrated approach 2) Common challenges data protection in the public sector 3) Data protection programs strategies for getting it right Data Security Day June 8, 2016 2

Data protection Key drivers and the need for an integrated approach Data Security Day June 8, 2016 3

Data protection in BC Increased focus on security, information management, privacy and access Drivers Increased awareness growing focus on information incidents, information management and information protection Increased priority - data security highlighted by the OCIO as a key priority across Government for 2016/2017 Updated regulatory requirements- significant updates recently completed or under consideration for relevant legislation (e.g., Information Management Act) Focus on performance - Increased focus on improving performance related to security, records management, privacy and information access. Priorities include: Training ensuring the necessary training materials are available and that the right individuals receive regular training and awareness regarding records management, privacy and access Compliance monitoring and reporting - goal of establishing a performance baseline across government and enabling improvement over time Data Security Day June 8, 2016 4

Common challenges Data protection in the public sector Data Security Day June 8, 2016 5

Data protection in the public sector The current state Trends Requirements/Guidance Observations Complexity Increasing volume and complexity of data flows, uses and systems Threats Increasing sophistication and capabilities of threat actors Data Increasing use of data and analytics to drive program delivery and improvement Expectations Increasing expectations regarding data protection and compliance Policies & Regulation Extensive requirements in place Standards & guidance Standards, guidance and tools have been developed Implementation is a challenge Accountability Data flows & inventories Data classification Consistency in approach Working in the grey zone Technology Rapid increase in the pace of technological change Data Security Day June 8, 2016 6

Lack of clarity regarding accountability Roles and responsibilities with respect to data protection are not always clearly understood Recognition that data protection is a shared responsibility but lack of clarity regarding specific accountabilities CISO Responsibilities* Data governance programs are increasingly common and define accountability across all types of data users within an organization (users, custodians, stewards, etc.) Responsibilities are becoming more formal, and are being incorporated into job descriptions The Rise of the Privacy Officer* 2012 2014 CISOs 92% 96% CPOs 18% 29% *Deloitte-NASCIO Cybersecurity Study (2014) Data Security Day June 8, 2016 7

Inconsistent awareness of data flows and assets Inventories support focus and prioritization Most organizations do not have an enterprise-wide inventory of key data flows and inventories DIVISION A Data flow diagram (example) Collection Use Disclosure Risk-based data protection requires an understanding of data throughout its lifecycle (collection, use, storage, access/disclosure and disposition) High-level data-flow diagrams and inventories, combined with classification, can be a critical tool in prioritization and resource allocation BRANCH 1 Process 1 Process 1 Electronic Repositories of Information Source Recipient Source Process 2 Source Source Source System 1 System 2 System 5 System 3 Contracted Service Outsourced System 1 System 4 LAN Drive Paper Records Locked Filling Cabinet Locked File Room BC Mail Recipient Recipient Process 2 Recipient Recipient Recipient Process 3 Recipient Recipient Data Security Day June 8, 2016 8

Lack of priority for data classification & protection Data protection is poorly understood and not widely adopted Organizations are resourceconstrained, making a coordinated, risk-based approach to data protection seem difficult to implement Focus is often on program management and/or major IT and business transformation program delivery Visibility across the organization is variable (strategy, monitoring, reporting, remediation, etc.) US States with Approved Strategies* *Deloitte-NASCIO Cybersecurity Study (2014) Data Security Day June 8, 2016 9

Inconsistent data protection practices Examples of good practice exist, but are often not consistent across the organization Within most organizations there are excellent examples of leading practice with respect to data security and privacy These practices are often not consistently deployed leading to significant variability in the level of risk across the organization Monitoring and reporting on data security metrics provides greater visibility to areas of good practice and can also support improved consistency Effective measurement & reporting are works in progress* *Deloitte-NASCIO Cybersecurity Study (2014) Data Security Day June 8, 2016 10

Working in the grey zone Effective data protection is a result of numerous decisions made on a daily basis Clear policies and procedures are often in place with respect to open data and data that is understood to be highly sensitive With increased potential for data linkage, data integration, analytics and visualization, the challenge is often in understanding how new data products should be classified and managed Sensitivity of aggregated information can often be context-specific De-identification doesn t eliminate the risk (however, the risk can be quantified) Training and awareness are critical in supporting risk-based decision-making *Deloitte-NASCIO Cybersecurity Study (2014) Focus on training at all levels is increasing significantly* Data Security Day June 8, 2016 11

Data protection programs Strategies for getting it right Data Security Day June 8, 2016 12

A risk-based approach Key considerations for data protection 1. Focus on Ministry-wide risk mitigation Develop a Ministry-wide assessment of risk and avoid siloed solutions to data security and data protection. Central coordination can facilitate an enterprise view of risks and potential threats. 2. Build and maintain a comprehensive inventory of crown jewels Allocate resources to the identification, classification and protection of key data assets. 3. Focus on defining threat scenarios and implementing solutions to secure information Understand internal and external threat scenarios to support the identification and implementation of solutions to secure data in transit, at rest, in use. 4. Establish an information protection program Develop an information protection program that includes governance, people, policy/process, technology, risk assessment, communication, training/awareness and measurement and reporting to secure critical information 5. Consistently execute security fundamentals Organizations need to consistently execute security capabilities (e.g., patching, access management, security monitoring, incident response). A lack of a focus on the fundamentals reduces the ability to protect critical data. Data Security Day June 8, 2016 13

Managing data risk across the lifecycle Identify risks and mitigation strategies at each stage Data Security Day June 8, 2016 14

Data protection programs Formalize your approach and focus on the fundamentals Data Security Day June 8, 2016 15

Accountability and governance Ensure clarity with respect to roles & responsibilities (illustrative) Co-owned and managed by IT / Business Owned and managed by IT Owned and managed by Records Mgmt. Owned and managed by Enterprise Security DM Governance People Co-owned and managed by Corporate / Business Owned and managed by Human Resources Owned and managed by Legal & Compliance Owned and managed by Corporate Policy & Process Technology Measurement & Reporting Information Protection Capabilities Identify Protect Detect Respond Recover Governance Risk & Compliance Policy & Standards Data Protection (in motion, at rest, in use) Identity & Access Management Vendor Management Log Monitoring & Reporting Incident Management & Response Disaster Recovery Asset / Info. Ownership & Inventory Info. Classification / Data Mapping Application Protection Records Management Human Resource Management Records Discovery Training & Awareness Infrastructure Protection Physical Security Threat Intelligence Data Security Day June 8, 2016 16

The journey from here Concluding comments With increased focus on information management and protection, a right-sized data protection program is critical Utilize existing guidance and tools to establish clear objectives, governance, accountabilities and processes for data protection Start by understanding current maturity and take a risk-based approach to enhancements Build on existing capabilities, tools and successes where possible to maximize investments to date Communication, monitoring and reporting ensure appropriate visibility and priority are maintained Data Security Day June 8, 2016 17

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. The information contained herein is not intended to substitute for competent professional advice. Deloitte LLP and affiliated entities. Data Security Day June 8, 2016 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback