Security & Privacy
The changing world of privacy and the core drivers.
Privacy Issues
Authentication of a customer prior to disclosure of information. There is a need to beef up practices, policies and governance, while remaining sensitive to customer circumstances, in order to anticipate possible privacy issues.
Privacy Issues
Negotiation of confidentiality and privacy provisions in service provider contracts. Service providers must be clear in identifying their obligations; we are not responsible for their compliance obligations.
Privacy Issues
Identity Theft
- Limit the data that is shared with third-party service providers. Minimize the data to that required for them to perform their service.
- Limit the data included in customer communications.
- Need-to-know policy and governance.
Privacy Impacts
Privacy impacts on Infrastructure Protection operations:
- LEA requests ... electronic wiretap
- Background checks ... (potential) employees
- Security clearances ... personal employee data
- Fraud ... customer information protection
Privacy Driver
SOX
Tactical Response
Data Mining and Correlation
Does the need for protection of privacy override the business operational needs?
Compliance Matrix
Functional requirements mapped to PCI, SOX and Privacy:

Comprehensive, granular view to know precisely who did what to which information
  PCI: Be able to reconstruct a wide range of events tied to cardholder information
  SOX: COBIT and ISO requirements
  Privacy: Disclosure of personal information must be audited

Scales across the enterprise
  PCI: Audit all accesses to cardholder data
  SOX: Corporations must demonstrate that they have insight into and control over systems that can impact their ability to faithfully report financial status
  Privacy: Disclosure of personal information is audited

Cross-application, cross-data source
  PCI: Be able to reconstruct a wide range of events tied to cardholder information, independent of information source
  SOX: Comprehensive, corporate information sources
  Privacy: Disclosure of personal information must be audited, independent of data source

Real-time architecture
  PCI: Review logs for all system components at least daily
  SOX: Limit risk exposure
  Privacy: Detect suspicious or anomalous user behavior; alert on suspicious behavior

Policy-based flexibility to respond to changing auditing requirements
  SOX: SOX doesn't explicitly define operational control methodologies
  Privacy: Federal governments, as well as many local governments, are currently enacting legislation

Simplified reporting
  PCI: Review logs for all system components at least daily
  SOX: Corporations must demonstrate that they have insight into and control over systems that can impact their ability to faithfully report financial status
  Privacy: Demonstrate that disclosure of personal information is monitored, logged and audited
Audit Checklist
Requirements:
- Establish a process for linking all data access activities (especially those with root or administrative privileges) to an individual user or system.
- Implement automated audit trails to reconstruct the following events:
  - All accesses to customer data
  - All actions taken by any individual with root or administrative privileges
  - Access to all audit trails
  - Invalid logical access attempts
  - Use of identification and authentication mechanisms
  - Initialization of the audit logs
  - Creation and deletion of system-level objects
- 10.3 Record at least the following audit trail entries for each event:
  - User identification
  - Type of event
  - Date and time
  - Success or failure indication
  - Origination of event
  - Identity or name of affected data, system component, or resource
- 10.5 Secure audit trails so they cannot be altered in any way.
- Review logs for all system components at least daily.
- Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations. An audit history usually covers a period of 2 years or more.
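The 10.3 entry fields and the 10.5 "cannot be altered" requirement above, as an added example that is not part of the original deck: each record carries the six required fields and is chained to its predecessor with a SHA-256 digest, so any later edit to a stored entry (or removal of one) breaks verification. Field names, the in-memory list used as storage and the sample events are constructed for illustration.

```python
import hashlib
import json

# The six per-event entries the Audit Checklist lists under 10.3.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "success",
                   "origin", "resource")

def make_entry(prev_hash, **fields):
    """Build one audit entry; refuse records missing a required 10.3 field."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit entry missing fields: {missing}")
    entry = {k: fields[k] for k in REQUIRED_FIELDS}
    entry["prev_hash"] = prev_hash
    # Canonical JSON so the digest does not depend on key order or spacing.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    entry["hash"] = hashlib.sha256(body.encode()).hexdigest()
    return entry

def append(trail, **fields):
    """Append an event to the trail, linking it to the previous entry's hash."""
    prev = trail[-1]["hash"] if trail else "0" * 64
    trail.append(make_entry(prev, **fields))
    return trail

def verify(trail):
    """Return the index of the first broken link, or -1 if the chain is intact."""
    prev = "0" * 64
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True,
                    separators=(",", ":")).encode()).hexdigest()
        if entry["prev_hash"] != prev or entry["hash"] != digest:
            return i
        prev = entry["hash"]
    return -1

def demo():
    """Constructed events: a DBA reads cardholder data, then a record is edited."""
    trail = []
    append(trail, user_id="dba_alice", event_type="SELECT", timestamp="2024-01-05T09:12:00Z",
           success=True, origin="10.0.0.7", resource="cardholder.pan")
    append(trail, user_id="root", event_type="GRANT", timestamp="2024-01-05T09:13:30Z",
           success=False, origin="10.0.0.9", resource="cardholder")
    assert verify(trail) == -1
    trail[0]["user_id"] = "someone_else"   # simulated after-the-fact alteration
    return verify(trail)                    # 0: the altered entry is detected
```

In a real deployment the chain head would be anchored outside the database (e.g. signed and shipped to a separate log host) so an administrator cannot simply rebuild the whole chain.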
The SOX Compliance Challenge
Section 404 of the Sarbanes-Oxley Act requires enterprises to have insight into and control over systems that can impact their ability to faithfully report financial status. Non-compliance and/or incorrect information can result in punitive penalties.
COBIT 13.6 and ISO
SOX doesn't explicitly define operational control methodologies. COBIT and ISO are the two most commonly used frameworks for SOX compliance. Both of these standards demand that a company have insight into the following areas key to maintaining control over critical data activities:
- Logins and logouts
- Application and data trigger modifications
- Changes to user definitions and privileges
- Data structure changes
- Access to and usage of sensitive data
- Errors and exceptions
- Sources of client access
- Time of access
The Information Protection and Privacy Challenge
Across the country and around the world, organizations are discovering how serious the threat of information and identity theft can be. Some are discovering the hard way, as the recent large identity theft incidents at major corporate databases illustrate. The cost of failure has proven to include the loss of brand equity and public trust. Because information and identity theft incidents are typically perpetrated by authorized users, stronger perimeter security and encryption have limited benefit in detecting and stopping them.
Use Cases for Information and Identity Theft
- Masquerader: phishing, key logging, spyware
- Secondary attacks: worms/viruses, Trojans
- Inactive accounts: incomplete account decommissioning
- Accidental misuse: the "innovative" employee
- Insider: good guy gone bad
- Weak authentication: lost passwords
- Outsourcing: trusted partner gone bad
Tactical Response
Data Management: "need to know"
Privacy can be protected and business can continue with a good strategy and a practical tactical response.
The Compliance Reality
- Database logging
- Traffic anomaly systems
- Intrusion detection systems
- Content filtering
Traditional security products are not designed to monitor user activities at the data server.
Detection of Information Theft
Catching information theft requires determining in real time that the BEHAVIOR of an individual's information access is ANOMALOUS compared to his/her normal access behavior.
Behavior of information access: "WHO is doing WHAT to WHICH and HOW MUCH critical information, WHEN and from WHERE"
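The WHO/WHAT/WHICH/HOW MUCH/WHEN/WHERE behaviour model above, as an added example that is not part of the original deck: a per-user baseline is built from past data-server access records, and a new event is scored on each dimension it departs from. The access records, field layout and the three-standard-deviation volume threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (who, what, which, how_much_rows, when_hour, where)
HISTORY = [
    ("clerk_bob", "SELECT", "customers", 12, 9, "10.1.4.20"),
    ("clerk_bob", "SELECT", "customers", 8, 10, "10.1.4.20"),
    ("clerk_bob", "UPDATE", "customers", 1, 14, "10.1.4.20"),
    ("clerk_bob", "SELECT", "orders", 30, 11, "10.1.4.20"),
    ("clerk_bob", "SELECT", "customers", 15, 16, "10.1.4.21"),
]

def build_baseline(history):
    """Summarise each user's normal behaviour from past access records."""
    by_user = defaultdict(list)
    for rec in history:
        by_user[rec[0]].append(rec)
    baseline = {}
    for user, recs in by_user.items():
        rows = [r[3] for r in recs]
        baseline[user] = {
            "what": {r[1] for r in recs},                 # operations used
            "which": {r[2] for r in recs},                # objects touched
            "where": {r[5] for r in recs},                # source addresses
            "hours": (min(r[4] for r in recs), max(r[4] for r in recs)),
            "rows_mean": mean(rows), "rows_sd": pstdev(rows),
        }
    return baseline

def anomalies(event, baseline, z=3.0):
    """Return the dimensions on which `event` departs from the user's baseline."""
    who, what, which, how_much, hour, where = event
    if who not in baseline:
        return ["WHO: no baseline for user"]
    b = baseline[who]
    reasons = []
    if what not in b["what"]:
        reasons.append(f"WHAT: unusual operation {what}")
    if which not in b["which"]:
        reasons.append(f"WHICH: first access to {which}")
    # Volume spike: more than z standard deviations above this user's mean.
    if how_much > b["rows_mean"] + z * max(b["rows_sd"], 1.0):
        reasons.append(f"HOW MUCH: {how_much} rows vs mean {b['rows_mean']:.1f}")
    lo, hi = b["hours"]
    if not lo <= hour <= hi:
        reasons.append(f"WHEN: hour {hour} outside {lo}-{hi}")
    if where not in b["where"]:
        reasons.append(f"WHERE: new source {where}")
    return reasons
```

A bulk read of 5,000 customer rows at 02:00 from an address never seen for that user scores on HOW MUCH, WHEN and WHERE at once, which is the composite behaviour a real-time alert should key on rather than any single field.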
Traditional Audit Solutions
Traditional audit solutions are not user-behavior aware. They have been point-application-driven, custom-coded, after-the-fact report-driven, and lacking correlation and analytics.
Solution: Activity Auditing
- Provides a comprehensive, granular view into key compliance activities
- Transparent solution that scales across the enterprise
- Policy-based flexibility to respond to changing auditing requirements
- Inherently real-time architecture that supplies compliance-driven audit reports, real-time security alerts and forensic information
- Intelligent solution that provides automated correlation and analytics to specify and detect composite or anomalous behavior
PCI Compliance
Solves the difficult challenge of monitoring all access to cardholder information, including:
- Identify sensitive data to reduce audit "information glut"
- Monitor and log access to sensitive data across multiple applications
- Audit all actions taken by individuals with root or administrative privileges
- Capture full context for each event record, including the exact commands given to the data server, to facilitate forensic reconstruction of activity and the precise exposure of a PCI violation
- Generate audit reports
- Detect unauthorized access to sensitive information while it's happening, in real time
SOX Compliance
Provides a single, flexible, enterprise-level solution that can handle both current and future requirements, including:
- Identify SOX-appropriate assets and activities
- Monitor privileged user activity to ensure accuracy of financial information
- Audit specific data access activity to demonstrate compliance with documented policies and procedures
- Capture full context for each event record, including the exact commands given to the data server, to facilitate forensic reconstruction of activity
- Generate audit reports
Information and Identity Theft Protection
- Identify sensitive data to reduce audit "information glut"
- Monitor and log access to sensitive data across multiple applications
- Audit all actions taken by individuals with root or administrative privileges
- Monitor user activity against mission-critical information and applications
- Detect unauthorized access to high-risk information while it's happening, in real time
- Real-time alerting to minimize the impact of a breach
Contact
William (Bill) G. O'Brien
Systems Security Architect
Bell Canada