Privacy and Security Audits / PIAs / TRAs
Information Privacy and Data Protection Lexpert Seminar
Bruce McWilliam, December 9, 2013


Privacy and Security Audits

Importance of privacy and security audits
–Reported incidents of large-scale loss, theft, or exposure of personally identifiable information increased from 21 in 2003 to 1,622 in 2012
–The hacking of Sony’s PlayStation Network cost the company an estimated $171M in cleanup costs
–Reputational harm is severe: one company’s stock price fell 70% in the 3-month period following a single hacking incident
–Average loss in brand value ranged from $184M to $330M (minimum brand loss was 12%)

Goals of a Privacy and Security Audit
Determines the level of compliance with:
–Applicable privacy laws and regulations
–Internally adopted privacy practices

Benefits of a Privacy and Security Audit
–Measures privacy effectiveness
–Demonstrates compliance
–Identifies gaps between required and actual privacy controls
–Forms the basis for a privacy remediation and improvement plan

Scope of audit – internal parties
–Departments or groups dealing directly with customers
  Public affairs
  Call centers
  Reception
–IT department
–HR
–Finance

Scope of audit – external parties
–Business partners
–Technology partners
–Business customers/vendors
–Final consumer

Who conducts audits
–Internal (not recommended – outsiders spot problems you will miss)
–Accounting firms
–Large IT organizations
–Small firms specializing in security

Hiring an auditor
–Look at the audit team’s real credentials
–Review résumés
–Find the right fit
–Insist on details
–Ask for a statement of work
–Prepare to be audited
–Set the ground rules in advance
–Prepare all documentation/information to be provided to auditors

A typical audit
–The auditor will evaluate and test the information technology processes and systems to obtain sufficient, reliable, and relevant evidence to achieve the objectives of the audit.
–The findings and conclusions of the audit should be supported by appropriate analysis and interpretation of the evidence.

The audit process
–Establish a baseline through annual audits
–Define the scope and objectives of the audit
–Outline the approach to be taken in carrying out the audit
–Identify stakeholders and their roles/responsibilities
–Create an audit plan
–Identify the audit criteria
–Conduct the audit
–Prepare the audit report
–Take remedial steps, if any

Comprehensive risk assessment
–Sensitivity of the data
–Collection processes
–Storage techniques
–Complexity of processing and interfaces
–Third parties
–Disclosure policies and procedures
  Employee training
  Management accountability
–General security policies and procedures

Auditing Standards

Standards

Standard | Organization
Generally Accepted Privacy Principles (GAPP) | Canadian Institute of Chartered Accountants (CICA) and American Institute of Certified Public Accountants (AICPA)
Payment Card Industry Data Security Standard (PCI DSS) | Payment Card Industry Security Standards Council
Canadian Standard on Assurance Engagements (CSAE) 3416, “Reporting on Controls at a Service Organization” | CICA
Information Technology Control Guidelines (ITCG) | CICA
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AT Section 101) | AICPA
International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization | International Auditing and Assurance Standards Board (IAASB)
SysTrust/WebTrust | CICA/AICPA
ISO/IEC 27001:2005 Information technology -- Security techniques -- Information security management systems -- Requirements | International Organization for Standardization (ISO)
ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management | ISO
ISO 22307:2008 Financial services -- Privacy impact assessment | ISO
Harmonized Threat and Risk Assessment Methodology | Communications Security Establishment Canada and Royal Canadian Mounted Police
Enterprise Risk Management - Integrated Framework | Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Control Objectives for Information and Related Technology (COBIT) | Information Systems Audit and Control Association (ISACA)
IT Audit and Assurance Standards and Guidelines (includes code of professional conduct) | Information Systems Audit and Control Association (ISACA)
Information Technology Infrastructure Library (ITIL) | UK Office of Government Commerce
NIST SP Generally Accepted Principles and Practices for Securing Information Technology Systems | U.S. National Institute of Standards and Technology (NIST)
Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) | Common Criteria Recognition Arrangement (CCRA)
and others.

Privacy Impact Assessments (PIA)

What are privacy impact assessments?
–A systematic process for evaluating the potential effects on privacy of a project, initiative or proposed system or scheme, and for finding ways to mitigate or avoid any adverse effects
–PIAs are a tool used to ensure privacy protection is a core consideration when a project is planned and implemented
–In Canada, virtually all government institutions must conduct PIAs for new or redesigned programs and services that raise privacy issues
–Also used by some private organizations

Typical content of a PIA
–Describes how personal information flows in a project
–Analyses the possible impacts on individuals’ privacy
–Identifies and recommends options for managing, minimizing, or eliminating these impacts
–Contains recommendations to address issues identified

Risks of forgoing a PIA
–Non-compliance with relevant privacy law leading to a breach and/or negative publicity
–Loss of credibility and damage to reputation
–Potential system redesign, which can be very costly and time consuming when done mid-stream

PIAs as a compliance tool
A PIA should:
–Include information on relevant privacy laws and regulations
–Identify necessary adjustments for compliance
–Discuss how a project’s practices, systems and rules comply with specific legal obligations

Threat Risk Assessments (TRA)

What is a threat risk assessment?
–Formalized process used to assess potential impacts to information assets and supporting resources, and to recommend safeguards and controls

Threat and risk assessment
Differing methodologies aimed at answering questions such as:
–What needs to be protected?
–Who/what are the threats and vulnerabilities?
–What are the implications if they are damaged or lost?
–What is the value to the organization?
–What can be done?

TRA typical components
–Scope
–Data collection
–Analysis of policies and procedures
–Threat/vulnerability analysis
–Assessment of risk acceptability

TRA components – scope
–Must identify what is covered and what is not covered in the assessment
–Identifies what needs to be protected, the sensitivity of what is being protected, and to what level and detail
–A scope that is too broad will be cumbersome, while one that is too narrow may miss important threats/risks

TRA components – data collection
–Collect all policies and procedures currently in place and identify those that are missing or undocumented
–Interviews with key personnel
–Information on vulnerabilities and threats against specific systems and services is documented

TRA components – analysis of policies and procedures
–Existing policies and procedures are analyzed
–Sources for policy compliance that can be used as a baseline are:
–ISO 17799, BSI 7799, Common Criteria
–ISO 15504

TRA components – threat/vulnerability analysis
–Threats are anything that could contribute to the tampering, destruction, or interruption of any service or item of value
–Identify and assess both human and non-human threats
–Current exposure is identified and quantified
–Should use a grading system that incorporates both the probability of occurrence and the impact of occurrence

TRA components – assessment of risk acceptability
–Review of existing and planned safeguards to determine if discovered risks and threats have been mitigated
–Identification of what level of risk is acceptable to the organization
–Selection of appropriate security measures
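The grading system and the acceptability review described in the threat/vulnerability analysis and risk acceptability slides above, as an added example that is not part of the seminar: a small Python risk register that grades each threat as probability of occurrence times impact, credits existing or planned safeguards to get the residual exposure, and lists the threats that still exceed the level the organization accepts. The 1-5 scales, the band edges, the sample threats, the safeguard factors and the acceptance threshold are all constructed assumptions, not values from any TRA methodology.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales (constructed; a real TRA defines its own).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Threat:
    asset: str
    description: str
    probability: str          # key into PROBABILITY
    impact: str               # key into IMPACT
    source: str               # "human" or "non-human", as the slides ask for both
    # Fraction of the exposure removed by existing or planned safeguards (constructed).
    safeguard_effectiveness: float = 0.0

    def inherent_risk(self) -> int:
        """Current exposure: probability of occurrence x impact of occurrence."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def residual_risk(self) -> float:
        """Exposure left after crediting safeguards (input to the acceptability review)."""
        return self.inherent_risk() * (1.0 - self.safeguard_effectiveness)

def grade(score: float) -> str:
    """Band a numeric score for reporting; band edges are constructed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def assess_acceptability(threats, acceptable_max: float):
    """Threats whose residual risk still exceeds the level the organization
    accepts, worst first; these are the ones needing additional security measures."""
    return sorted((t for t in threats if t.residual_risk() > acceptable_max),
                  key=lambda t: t.residual_risk(), reverse=True)

# Constructed sample register for illustration.
SAMPLE_THREATS = [
    Threat("customer database", "theft of PII by an outsider", "possible", "severe", "human", 0.5),
    Threat("call centre workstations", "staff mishandling of PII", "likely", "moderate", "human", 0.25),
    Threat("data centre", "power failure interrupting service", "unlikely", "major", "non-human", 0.75),
    Threat("reception visitor log", "casual disclosure of names", "likely", "negligible", "human", 0.0),
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.asset}: inherent {t.inherent_risk()} ({grade(t.inherent_risk())}), residual {t.residual_risk():.1f}")
    print("Needs further measures:", [t.asset for t in assess_acceptability(SAMPLE_THREATS, 6.0)])
```

With the constructed data, the database theft grades high before safeguards but the call-centre handling risk ends up with the larger residual exposure, which is the kind of result the acceptability review exists to surface.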

Integration of PIA/TRA
–Threat risk assessments are a broad tool that captures all kinds of risks, including those related to private information
–Integration with a PIA is possible and can save both time and money
–Some consulting firms conduct integrated assessments

For further information regarding this presentation and its content please contact:
Bruce McWilliam
Direct: (416)
McMillan LLP
Brookfield Place, 181 Bay Street, Suite 4400
Toronto, Ontario M5J 2T3