Published by Norman Ramsey. Modified over 9 years ago.
1
Implications of Privacy Risks in IT and Operations
Virginie Hupé
Strategist, Trustworthy Computing
Microsoft Corporation
2
AGENDA
Presentation objectives
The privacy landscape
Trends and associated privacy risks
Practical solutions and controls to remediate
What about the cloud
Conclusion
3
Presentation objectives
Get an understanding of current and upcoming privacy trends and associated risks
Discuss some practical solutions and controls to remediate the risks
4
THE PRIVACY LANDSCAPE
5
Critical to Business Success: External
6
What is Privacy
Privacy allows individuals to determine how (and to what extent) their personal information will be collected, used and shared with others.
7
Privacy in Internal Audit
Internal auditors are uniquely positioned to evaluate an organization’s privacy framework and identify the significant risks with the appropriate recommendations for their mitigation.
8
Differing Business Views
What are the key business drivers to data protection within your organization?
[Chart not reproduced]
Data Source: October 2007 Ponemon Institute Study
9
Why do we care?
Privacy compliance is critical to business success
  – Evolving business models require greater use of data
  – Consumers demanding accountability
  – Lower risk, greater trust, and protection for brand and business reputation
Impact of a privacy incident
  – Company image suffers
  – Lost revenue
  – Cost per privacy incident
  – 16 million Americans were victims of ID theft in 2006
10
Impact of a privacy incident
Companies spent nearly $6.65 million on average to recover from lost / stolen corporate data.
Average cost of a data breach: $202 per lost customer record
Breaches involving malicious acts are more expensive than breaches from negligence
Data Source: Annual data breach Ponemon Institute Study
11
IT Governance and Data Governance
IT focuses on the technology infrastructure, the network, the computers, the software, etc.
DG focuses on the data that lives within that technology infrastructure
ITG focuses on the “pipes,” DG focuses on the “water” in the pipes*
*Thomas, G. “Alpha Males and Data Disasters. The case for Data Governance”
12
TRENDS AND ASSOCIATED PRIVACY RISKS
13
Trends and associated privacy risks
Data breach
  – Impact of breach notification
  – Data exposure
Outsourcing of sensitive information to third parties
  – Limited control over protection of the information
  – Outsourcing of outsourced processes
Mobile and remote workforce
  – Authentication challenges
  – Challenges to protect data
14
Trends and associated privacy risks
Cybercrime
  – Loss of sensitive information
Mobile devices
  – Lost laptop, primary cause of data breaches
  – Challenges to control or identify data stored
P2P File Sharing
  – Increased risk of malware
  – Loss of sensitive information
Cloud Computing
  – Discussed later
15
Data Governance is not for IT …. only
DG involves detailed knowledge about the data life cycle:
  – Collecting
  – Updating
  – Processing
  – Storing
  – Transferring
  – Deleting
16
Data Governance Lifecycle
Collection
  – In Person
  – Online
  – From 3rd Party
Storage
  – Structured Databases
  – Unstructured Data
  – Electronic Databases
  – Backup
Usage
  – In Applications
  – By Employees, Marketers
  – Shared with 3rd Parties
Retention/Destruction
  – Archive
  – Destruction
Framework for Data Governance
  – People
  – Policy
  – Process
  – Technology
17
PRACTICAL SOLUTIONS AND CONTROLS TO REMEDIATE
18
A robust governance framework
Policy Management
Compliance Management
Internal Communications
People & Business Enablement
Risk Management
19
Challenges to Effective Data Governance
Aligning different viewpoints and priorities:
  – How and when to use data
  – Just compliance vs. a more comprehensive approach to privacy and information security
Translating governance policies and compliance requirements into actual controls
  – Lack of common language or framework of reference between IT and privacy, legal, HR and finance
Continuously changing meaning of “reasonable security”
20
The Four Principles
Honor policies throughout the information lifecycle
Minimize risk of data misuse
Minimize impact of data loss
Demonstrate effectiveness of data protection policies and measures
21
First Data Protection Principle
Honor policies throughout the information lifecycle
  – Private data is tagged with policy associated classification and attributes
  – Where appropriate, mechanisms enable individuals to access, understand and manage their private data as well as the policies pertaining to it
22
Second Data Protection Principle
Minimize risk of data misuse or unauthorized modification
  – Permanently tag sensitive data with governing attributes such as policies, access and usage history, and contractual terms of use
  – Enforce role-based access to and use of sensitive data
  – Restrict data access and usage rights by people and processes to the minimum
  – Set and enforce clear data retention policies
23
Third Data Protection Principle
Minimize impact of data loss
  – Routinely search to uncover hidden caches of private data (leakage)
  – Encrypt sensitive data while in storage and in transit, on all devices and across all connections
24
Fourth Data Protection Principle
Demonstrate the effectiveness of data protection policies and measures
  – Produce an audit trail detailing access and use of private data in addition to the governing policies and controls.
  – Monitor and analyze patterns of usage and access of private data to identify and respond to emerging control threats
25
How can technology help
Technology groups:
  – Information Protection
  – Auditing and reporting
  – Identity and Access control
  – Secure Infrastructure
What they provide:
  – Safeguards against malware and intrusions
  – Safeguards against unauthorized access to personal info
  – Protect data while on the net
  – Protect systems from evolving threats
  – Protect personal information from unauthorized access or use
  – Provide management controls for identity, access and provisioning
  – Protect sensitive personal information in structured databases
  – Protect sensitive personal information in unstructured documents, messages and records, through encryption
  – Monitor to verify integrity of systems and data
  – Monitor to verify compliance with business processes
26
Gap Analysis tool
[Matrix not reproduced]
Technology groups: Information Protection, Auditing and reporting, Identity and Access control, Secure Infrastructure
Lifecycle phases: Collect, Update, Process, Delete, Transfer, Storage
Principles: 1st Principle, 2nd Principle, 3rd Principle, 4th Principle
27
About the Gap Analysis
Requires significant amount of work
  – Reserve for most sensitive information
Requires proper classification and tagging of information:
  – Impact/sensitivity level (HBI, MBI, LBI)
  – Associated with compliance source (SoX, GLBA, EDPD, HIPAA, PCI, Internal policy, etc.)
Requires you take action to bridge the gap:
  – It is the beginning of a process
28
Steps to Gap Analysis Process
Define purpose of flow and data elements involved
Model flow:
  – Construct a diagram of the systems involved
  – Match flow to information lifecycle phases
Determine the Gap and mitigation
  – How do current technology elements in each of the technology groups meet the principles of data protection?
  – Determine gaps and mitigation
Implement mitigation
Validate
Process diagram: Define flow purpose, Model Flow, Determine Gap and Mitigation, Act, Validate
29
WHAT ABOUT THE CLOUD?
30
NIST Delivery Models
SaaS, Software as a Service
  “…applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser.”
  Examples: Hotmail, Microsoft Online Services
PaaS, Platform as a Service
  “…to deploy onto the cloud infrastructure consumer-created applications using programming languages and tools supported by the provider.”
  Example: Windows Azure
IaaS, Infrastructure as a Service
  “…provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.”
  Example: Amazon EC2
31
Look at the Forest ….
Does the cloud provider have a comprehensive SIMS?
  – Are they certified, or do they plan to be certified?
      ISO 27001
      SAS 70 Type I and Type 2
      Ask to see independent third party attestations or plans for these
  – Check what is certified: certification of the platform does not imply certification of the whole stack
32
Look at the Forest …. (cont)
Understand how provider complies with applicable laws
  – Laws applicable to you and to them
  – Will this be enough for overall compliance with your organization’s policies as well?
  – How will your organization demonstrate compliance?
Keep in mind that in the eyes of your employee, customer, partner or shareholder, you are responsible for sensitive data
33
Look at the Forest …. (cont)
Your cloud provider is another type of outsourcing partner
  – What can you learn from your organization’s previous outsourcing practices that applies to the cloud?
Last but not least, what if the worst should happen? The B word (breach) ….
  – What is the notification process?
  – What actions do you need to take? Before and after
34
Then look at the Trees ….
Technology group: Secure Infrastructure
Will your provider be housing multiple tenants on the same box?
  – How will your provider prevent other customers from accessing your data?
Does your provider check for viruses and other malware? What happens if they find it?
35
Then look at the Trees …. (cont)
Technology group: Identity and Access control
How does provisioning work?
  – How do you add, change and revoke access rights and accounts?
Chances are someone in your cloud provider’s staff would be able to see your data
  – How is the provider mitigating this risk?
  – If there is unauthorized access, how does your provider find out? What happens then?
36
Then look at the Trees …. (cont)
Technology group: Information Protection
Can you or your provider encrypt sensitive data that is moved to the cloud?
  – In transit?
  – While in storage?
How can you prevent data loss (creeping out of the cloud)?
  – Rights management, encryption?
37
Then look at the Trees …. (cont)
Technology group: Auditing and reporting
What kind of reporting can your provider deliver?
  – Is it useful to you?
38
QUESTIONS?