
Overview



Presentation Transcript


  1. Overview • Why is the topic important? • Identity Theft • Headlines • Figures • ID Theft and Data Privacy • Threats and Vulnerabilities • How to Address Privacy Concerns • Compliance assessments • PCI • Privacy and Data Leakage • E-banking • Q&A

  2. Information Loss Takes Center Stage
  Former White House staffer investigated (CNN, Thursday, October 6, 2005): WASHINGTON (CNN) -- A former Marine who worked at the White House is under investigation for allegedly misusing his top-secret clearance to steal classified information from computers, multiple U.S. government sources told CNN late Wednesday.
  FDIC employees' data stolen (FCW.com, by David Perera, published Jun. 17, 2005): Thieves have stolen the personal data of thousands of current and former Federal Deposit Insurance Corp. employees.

  3. Identity Theft: A Growing Concern
  Consumers Want A Safer Cyberworld: Survey Finds Americans Want Congress To Beef Up Web Security (May 24, 2006, by Martin H. Bosworth, ConsumerAffairs.Com) • Not too long ago, Americans were up in arms about street crime. Now they are irate that Congress isn't doing more to keep them safe online, according to a survey conducted by the Cyber Security Industry Alliance (CSIA). • 50% are concerned about the safety of their financial information online • 24% performed fewer transactions online as a result • 95% said identity theft was a prime concern • 19% consider existing privacy and data security legislation sufficient • Consumer reticence costs businesses $3.8 billion a year in lost transactions
  Identity Theft Hit 3% of U.S. Households in 2004 (April 3, 2006) • An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victims of at least one type of identity theft during a six-month period in 2004, according to the U.S. Justice Department.

  4. Headlines

  5. Headlines (Continued) Privacy is a Rising Consumer Concern • Recent Headlines: • Since January 1, 2005, at least 140 data incidents were reported in the U.S. through public announcements and media reports, affecting more than 56.2 million individuals. (Source: Government Technology Magazine) • Reported incidents of fraud and identity theft in the U.S. increased by at least 52% from 2003 to 2005 (Source: Federal Trade Commission)

  6. Records Compromised http://www.privacyrights.org/ar/ChronDataBreaches.htm

  7. Funding the Insider Threat • Security Breach Notification Requirements: Guidelines and securities law consideration. www.Mondaq.com • U.S. Secret Service and CERT Coordination Center Insider Threat Study • IDC

  8. How Corporate Data Loss Occurs

  9. Records Compromised (Continued) Top five losses in recent history:

  10. No Company wants to be writing this letter:

  11. Phishing

  12. Phishing Example – Hook, Line and Sinker. Case Facts: Over 3 million American taxpayers received an e-mail that claimed to be from the IRS. The e-mails promised a $571.94 income-tax refund and claimed that recipients could track their refund online. There were over 10,000 complaints made to the IRS in 2 days. No one knows exactly how many victims there were.
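The lure above combines a forged sender, a dollar amount and a "track your refund" link. As an added example (not code from the original presentation), the Python below runs three checks that would have flagged it: the sender domain is not the brand's own domain, a link's visible text names the real site while its href goes elsewhere, and the real brand appears as a leading subdomain of an unrelated host. The two messages, their domains and the TRUSTED_DOMAINS set are constructed assumptions for the demo.

```python
"""Phishing-mail triage for lures like the IRS refund e-mail described above.

Added example, not code from the original presentation. The sample
messages, their domains and TRUSTED_DOMAINS are constructed assumptions.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed lure in the style of the 2006 IRS refund scam (not a real message).
PHISH_EMAIL = """From: "Internal Revenue Service" <refunds@irs-gov-refund.example>
To: taxpayer@example.org
Subject: Your income-tax refund of $571.94
Content-Type: text/html

<html><body>
<p>You are eligible to receive a tax refund of $571.94.</p>
<p>Track your refund here:
<a href="http://irs.gov.refund-status.example/track">https://www.irs.gov/refunds</a></p>
</body></html>
"""

# Constructed benign message for comparison.
LEGIT_EMAIL = """From: "IRS" <noreply@irs.gov>
To: taxpayer@example.org
Subject: Where's My Refund
Content-Type: text/html

<html><body><p>Check status at
<a href="https://www.irs.gov/refunds">Where's My Refund?</a></p></body></html>
"""

TRUSTED_DOMAINS = {"irs.gov"}  # assumption: the brand the mail claims to come from

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url):
    """Hostname of a URL; bare 'www.x.y/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels. A production check would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_phish(raw, trusted=TRUSTED_DOMAINS):
    """Return the list of findings for one raw RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []

    m = ADDR_RE.search(msg.get("From", ""))
    sender_host = m.group(1).lower() if m else ""
    if registrable_domain(sender_host) not in trusted:
        findings.append("sender_domain_untrusted")
        # brand name squeezed into an unrelated domain, e.g. irs-gov-refund.example
        if any(t.split(".")[0] in sender_host for t in trusted):
            findings.append("sender_lookalike")

    for href, text in LINK_RE.findall(msg.get_payload()):
        link_host = host_of(href)
        if registrable_domain(link_host) in trusted:
            continue
        findings.append("link_untrusted:" + registrable_domain(link_host))
        visible = TAG_RE.sub("", text).strip()
        # visible text is a URL on the real site while the href points elsewhere
        if re.match(r"(https?://|www\.)", visible) and registrable_domain(host_of(visible)) in trusted:
            findings.append("link_text_mismatch")
        # real brand used as a leading subdomain of the attacker's host
        if any(link_host.startswith(t + ".") for t in trusted):
            findings.append("brand_in_subdomain")
    return findings


def is_phish(raw):
    """Any lookalike or mismatch finding is enough to quarantine the message."""
    strong = {"sender_lookalike", "link_text_mismatch", "brand_in_subdomain"}
    return bool(strong & set(analyze_phish(raw)))


if __name__ == "__main__":
    for name, mail in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, is_phish(mail), analyze_phish(mail))
```

The registrable-domain helper deliberately uses a two-label heuristic; for country-code domains such as `co.uk` a real filter needs the public suffix list, otherwise `irs.gov.co.uk` would collapse to `co.uk` and the subdomain check would still fire but the domain comparison would be wrong.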

  13. How Bad? http://www.fraud.org/internet/intstat.htm

  14. Threats to Corporate Data Privacy (Attack Vectors) • Threat agents: Hacktivists, Information Warriors, Third-Parties, Insiders, Governments, Terrorists, Cyber-Criminals, Partners, Experimenters & Vandals, Competitors, Hackers • Threats: Active Interception (wiretap, sniffer), Unauthorized access, Malicious Code (Virus, Worm, etc.), Theft of Proprietary Information, Financial (Fraud, theft), Telecomm Eavesdropping, Insider Abuse (Net Access), Telecomm Fraud, Company Computer Theft (Laptop, PDA), System Penetration, Denial of Service, Natural disaster, Sabotage, Abuse of privileges, Espionage, Unauthorized alteration or deletion, Vandalism, Defacement, Unintentional alteration or deletion, Forgery

  15. Vulnerabilities Reported By CERT (chart covering 1996 through 2005; yearly counts not recoverable from the transcript)

  16. Security Trends and Projections
  2005 • Disclosure changed everything • Hacking for profit, not pride • Compliance continues to loom • The perimeter continues to melt away • 2005, the year of bad events • Root-kits, Black Hats and ineffective response
  2006 • Spyware and spam • Phishing on the run • Decline in server vulnerabilities as applications become exposed • IdM still in play • IPS-NAP-NAC-SIM • Zero-day threats as Vista solves all woes • VoIP surge

  17. Privacy Legislation • State and Federal Breach Laws (all 50 states, NY City and Washington DC) • California Senate Bill 1386 (CA SB1386) • Gramm-Leach-Bliley Act (GLBA) • Health Insurance Portability & Accountability Act (HIPAA): failure to comply - $100 per instance up to $25,000; "knowingly" obtaining or disclosing PIFI - $50,000 fine and up to one year; obtaining it under "false pretenses" - $100,000 fine and up to five years; with "intent" to sell, transfer, or use PIFI - $250,000 fine and up to ten years • Driving Records • Student and Minor Information • Others of Note: Sarbanes-Oxley Act (SOA); VISA & MasterCard Payment Card Industry (PCI) Standards • International Regulations: EU Privacy Directives; Hong Kong – Personal Data Ordinance; Canada – Personal Information Protection and Electronic Documents Act (C6) and its associated Model Code for the Protection of Personal Information; Mexico – Federal Data Protection Law; Singapore – Model Data Protection Code

  18. Common Elements • The recent increase in regulation has put the need for security in the limelight. • Many of these regulations require companies to comply with a similar set of standards. • Most of the regulations follow industry-leading practices. • Some of the common elements targeted in these regulations are: • Risk Assessment • Security Monitoring • Incident Response • Vendor Management • Security Awareness • Incident Response and Reporting

  19. The Increasing Business Risk

  20. Companies penalized under the Gramm-Leach-Bliley Act (GLBA) • Sunbelt Lending: must submit to the FTC independent biennial (every two years) audits of its information security practices for the next 10 years • Nationwide Mortgage Group: must submit to the FTC independent biennial audits of its information security practices for the next 10 years • Superior Mortgage Corp.: must submit to the FTC independent biennial audits of its information security practices for the next 10 years • Petco: must submit to the FTC independent biennial audits of its information security practices for the next 20 years

  21. Introduction: PCI Data Security Standard Securing Visa cardholder data The Payment Card Industry (PCI) Data Security Standard is a result of a collaboration between Visa and MasterCard to create common industry security requirements. Mandated since June 2001, intended to protect Visa cardholder data —wherever it resides. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. Deadline for compliance: April 2005 – June 2005

  22. PCI Data Security Standard (Digital Dozen)  Source: Visa - http://www.visa.com/cisp

  23. Privacy Process Responsible privacy processes • Protect: • Brand • Customer Trust & Confidence • Customer Loyalty • Shareholder Value • Customer Relationship Management • Business Partner Confidence • Differentiation from Competitors • Prevent: • Litigation • Reputation Damage • Interrupted data flows such as revenue • Privacy Breach Disclosure • Regulatory penalties and fines • Unwanted Attention • Negative Headlines

  24. Would you know if… • A trusted employee pasted confidential acquisition information into a webmail message and sent it to your competitor? • An employee downloaded hacker tools to their work computer with the intention of stealing your customer’s private data? • An employee posted your confidential executive communications or financial data on www.internalmemos.com or some other internet posting site like Yahoo Finance? • An employee is using a P2P client and is inadvertently exposing your proprietary information to millions of other P2P users?
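The four questions above are detection scenarios: bulk paste into webmail, a hacker-tool download, a post to a public finance board, and a P2P client. As an added example (not part of the original presentation), the Python below runs one simple rule for each of them over constructed web-proxy log lines and groups the hits by user. The log format, the host names, the upload-size threshold and the tool-name watch list are all assumptions chosen for the demo; a real deployment would feed these rules from the proxy's actual export and a maintained watch list.

```python
"""Outbound-activity checks for the "Would you know if..." scenarios above.

Added example, not part of the original presentation. Everything below the
docstring (log format, hosts, threshold, watch list) is an assumption.
Constructed log format: timestamp user src_ip method host/path status bytes_out user_agent
"""
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2006-03-14T09:12:03 jdoe 10.1.4.22 POST mail.webmail.example/compose 200 48213 Mozilla/4.0
2006-03-14T09:15:41 jdoe 10.1.4.22 GET www.example.org/news 200 0 Mozilla/4.0
2006-03-14T10:02:17 asmith 10.1.4.37 GET dl.tools.example/pwdump_install.exe 200 0 Mozilla/4.0
2006-03-14T10:40:55 bwong 10.1.4.51 GET tracker.example:6881/announce 200 0 BitTorrent/4.20
2006-03-14T11:03:08 asmith 10.1.4.37 POST finance.yahoo.com/mb/post 200 2210 Mozilla/4.0
2006-03-14T11:30:19 jdoe 10.1.4.22 POST mail.webmail.example/compose 200 1800 Mozilla/4.0
"""

# Assumed policy inputs for the demo.
WEBMAIL_HOSTS = {"mail.webmail.example"}
POSTING_HOSTS = {"finance.yahoo.com", "www.internalmemos.com"}  # the two sites named on the slide
WEBMAIL_UPLOAD_BYTES = 10_000            # a pasted document, not a short note
TOOL_NAME_RE = re.compile(r"(pwdump|l0phtcrack|cain)", re.I)  # assumed watch list of tool names
P2P_UA_RE = re.compile(r"bittorrent|limewire|kazaa|edonkey", re.I)
P2P_PORTS = range(6881, 6890)            # classic BitTorrent tracker/peer range


def parse_line(line):
    """Split one constructed log line into a record; user-agent keeps its spaces."""
    ts, user, src, method, url, status, out_bytes, ua = line.split(None, 7)
    hostport = url.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    return {"ts": ts, "user": user, "src": src, "method": method, "url": url,
            "host": host, "port": int(port) if port else None,
            "status": int(status), "out": int(out_bytes), "ua": ua}


def classify(rec):
    """Return the names of every rule the record trips (possibly several)."""
    hits = []
    # Scenario 1: a large body posted to webmail (confidential text pasted in).
    if rec["method"] == "POST" and rec["host"] in WEBMAIL_HOSTS and rec["out"] >= WEBMAIL_UPLOAD_BYTES:
        hits.append("webmail_bulk_upload")
    # Scenario 2: download of a file whose name matches the tool watch list.
    if TOOL_NAME_RE.search(rec["url"]):
        hits.append("hacker_tool_download")
    # Scenario 4: P2P client, identified by user-agent or by destination port.
    if P2P_UA_RE.search(rec["ua"]) or rec["port"] in P2P_PORTS:
        hits.append("p2p_client")
    # Scenario 3: a post to a public board where internal material gets leaked.
    if rec["method"] == "POST" and rec["host"] in POSTING_HOSTS:
        hits.append("external_posting")
    return hits


def detect(log_text):
    """Run every rule over every line; returns (user, rule, url) tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in classify(rec):
            alerts.append((rec["user"], rule, rec["url"]))
    return alerts


def summarize(alerts):
    """Distinct rules tripped per user, preserving first-seen order."""
    by_user = defaultdict(list)
    for user, rule, _ in alerts:
        if rule not in by_user[user]:
            by_user[user].append(rule)
    return dict(by_user)


if __name__ == "__main__":
    for user, rule, url in detect(SAMPLE_LOG):
        print(f"{user:8} {rule:22} {url}")
```

The second webmail POST (1,800 bytes) is below the threshold and correctly produces no alert; tuning that threshold against normal mail-compose sizes is what separates a usable rule from a noisy one.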

  25. Audit and Assessment Approach: American Institute of Certified Public Accountants (AICPA) Privacy Framework Approach Overview • Perform an assessment of a company's privacy processes, which may include data inventory and flow, based on sound business risk management and leading privacy practices. • Incorporate the AICPA Privacy Framework, as this Framework addresses concepts from significant domestic and international privacy laws and regulations. • Evaluate the Company's privacy processes within each of the ten components, based on criteria that are key to an effective privacy governance program. • Evaluate compliance with federal and state privacy laws and regulations.

  26. Addressing Privacy Issues from an Audit Perspective: Know What You Do, Say What You Do, Do What You Say • Understand where and how nonpublic personal information (NPI) is collected, stored, and shared. • Has a comprehensive survey of information sharing practices been conducted for all lines of business and affiliates? • How often is the survey updated? • Are controls in place to ensure that changes in NPI collection and sharing practices are consistent with the company's Privacy Policy and Information Security Program?

  27. Addressing Privacy Issues from an Audit Perspective (cont'd) • Next, evaluate the Information Security Program (ISP): • Is the ISP built around a comprehensive risk assessment? • How up to date is the risk assessment? • Do the risk assessment and ISP incorporate all appropriate safeguarding controls set forth in regulatory guidance? • Has the ISP been updated to incorporate recent regulatory changes (e.g., FACT Act requirements related to disposal of consumer report information or Interagency Guidance on Security Breach Response Programs)? If not, are these requirements addressed elsewhere in policies or procedures? In that case, is there potential for overlap or inconsistencies between these and similar sections of the ISP? • Evaluate Responses to Security Breaches • Determine whether any security breaches have occurred. • If so, was the action taken in response to the breach consistent with the policies and procedures set forth in the company's ISP and applicable regulatory guidance? • Was appropriate corrective action designed and implemented with the goal of preventing similar types of breaches in the future?

  28. Conclusions and Takeaways • High profile security breaches are and will likely continue to be a hot topic for the media, politicians, and regulatory agencies. • For the most part, new regulatory requirements allow companies some flexibility in how to respond to breaches. • However, this leeway is likely to be eliminated if companies continue to be unable to protect NPI. • Therefore, it is important not only to build these specific new regulatory requirements into your company’s ISP, but also to ensure that the ISP in general is appropriately designed and is operating effectively in practice.

  29. Resources for Research • Federal Trade Commission (FTC) www.ftc.gov • California Office of Privacy Protection www.privacy.ca.gov • Privacy Knowledge Base by Privacy Council www.privacyknowledgebase.com • International Association of Privacy Professionals www.privacyassociation.org • Organisation for Economic Co-operation and Development (www.oecd.org) • Office of the Information and Privacy Commissioner / Ontario (www.icp.on.ca) • Managing an Information Security and Privacy Training and Awareness Program (Auerbach Publications, 2005).

  30. Questions?

  31. Booklet Definition e-banking is……..

  32. Account Information Access to funds Business transactions Services and Products

  33. E-Banking Devices • ATMs • Kiosks • PCs • PDAs • Telephones

  34. Informational Websites – Inside……: Careers, Company Information, Investor Relations, Merger Information, News Room, Help Center, ATM/Branch Locator, Contact Us, Frequently Asked Questions, Glossaries, Search, Self Services, Site Maps

  35. Transactional Websites and Services • Services: Retail, Wholesale • Access Accounts: Personal Finance Login, Commercial Account Login

  36. Retail Services • Account aggregation • Account initiation • Account management • Bill presentment and payment • Consumer loans • Investments/Brokerage Services • Wire transfers

  37. Wholesale Services • Account management • Business-to-business payments • Cash management • Employee benefits administration • Small business loans • Wire transfers

  38. E-Banking Risks • Compliance • Credit • Liquidity, interest rate, and price/market • Strategic • Transaction/operations

  39. Risk Management • Administrative controls • Board and management oversight • Information security programs • Legal and compliance issues • Managing outsourcing relationships

  40. FFIEC Examination Procedures • Asset management • Audit • Compliance • Continuity planning • GLBA security • Control tests • Annual Board Report • Information Security • Outsourcing

  41. Privacy Policies • BSA /AML - 31 CFR 103.18 • SAR • Online Apps - 31 CFR 500 • ID – 31 CFR 103 • Patriot Act – 12 CFR 21

  42. Wireless • Encryption/SSL • WAP exposure • Password Limits/device • Dead Zones/Reliability • Disclosure/Limits • Physical loss of device

  43. Places To Go • FFIEC • ISACA • IIA

  44. Contact Information
  Nick Benvenuto – Office: 212.603.8399, Cell: 201.446.3267, Email: Nick.Benvenuto@protiviti.com
  Rocco Grillo – Office: 212.603.8381, Cell: 917.693.9700, Email: rocco.grillo@protiviti.com
  1290 Avenue of the Americas, New York NY 10104
