Internal measures for risk management
Keeping data safe, and dealing with a failure
David Vaile, Executive Director
Cyberspace Law and Policy Centre
UNSW Law Faculty
June 2009
http://cyberlawcentre.org/
Outline
• What data is targeted?
• How to reduce the risk of data breaches?
• Improving processes for data loss protection
• Assessing risk
• Interaction with Digital Document Retention and Destruction policy issues
• Damage control
• What happens after disclosure?
• Examining the potential mandatory disclosure breach notification rules being proposed
What data is targeted by e-criminals?
• Wide range: some direct, some peripheral
• Customer authentication, staff authentication
• Passwords!
• System controls and security architecture, crypto systems etc.
• Contact lists: customers, suppliers, intermediaries
• Organisational structure: names and roles
• Transaction data, commercially sensitive data
• Demographic data
How is data targeted by e-criminals?
• Complex mix of techniques
• Social engineering
• Straight hacking (rarer)
• Interfering in secure transactions (rare)
• Malware: spam, zombie botnets, rootkits
• Phishing and other hybrids
• Insiders / expellees
• Suppliers
How can organisations reduce the risk of data breaches?
• Identify what you hold, who it might tempt, and how they’d get it
• Review your governance model for commercial and personal information security
• Risk assessment
• Digital document retention and destruction policies
• Audits and process improvement
• Reward the whistleblower, don’t suppress bad news
• Value data for the worst loss it could cause a stakeholder
• Review IT security infrastructure, malware protection
• Assume security will fail
• Damage management policies: for you and for the data subject
Improving your business processes for data loss protection
• Identify data ‘owners’, localise responsibility
• Value errors, mistakes, problems, niggling doubts; reward open reports and good response
• Stop suppression of bad news, hiding, denial
• Model the lifecycle of data, identify the weak links
• Review policies to ensure they value data
• Audits, run-throughs, external attack simulation
• Avoid ‘stupid security’, insist on good security
• Do subjects get reasonable access to their own records?
• Logging and transaction analysis, anomaly detection, investigation
Assessing risk of data breach
• Whose risk? Yours, staff, suppliers, customers, their associates ...
• Very wide multi-pass audit for risk vectors
• External reality checks, industry scan
• Do your internal systems and processes support protection and detection?
• Can you cope with a breach? Policy, procedures, customer-centric response?
Interaction with retention & destruction policy?
• Digital Document Retention & Destruction policy: critical for bringing 3 tribes together
• Know why and how long you retain, when you destroy
• Review evidentiary value of your metadata and logs
• Breach risk should drive some of the policy:
  • shorter retention periods?
  • de-identified storage?
• Review every 3 years, react to risk changes
Damage control
• It’s D-Day, the horse has bolted.
• You must have a plan sorted out first!
• Assume the worst happens: who gets hurt, who needs help, what can you keep quiet?
• Get help quick: law enforcement, external security, smart PR
• Offer help quick: victims, staff, intermediaries
• Reassure victims
• Be open with media and inquirers; hiding makes it worse.
What happens after disclosure?
• Identify what is lost, who is affected, the scope of risk, how far it has gone -- assume the worst!
• Work out how to protect your own interests, and stakeholders who may be affected.
• Notification: not open-ended, consider how far is needed
• Offer practical assistance to those affected
• Don’t lay blame easily.
• Consider accepting some liability for minor remedies and losses: great for retaining trust and confidence
• Move quickly for first responses, but buy time to carefully review the actual outcome
Potential mandatory disclosure breach notification rules
• Review global developments, see where it is headed in Australia – some years to go
• Not an option to stay in denial
• See Australian Privacy Commissioner voluntary guidelines, US approach, EU model
• Consider opting for world’s best practice, which may be higher than the current mandatory requirement
• Disclose in a way that is of most help to the recipient: in some cases this will just be online, it may be by direct contact, or by advertisement
David Vaile, Executive Director
Cyberspace Law and Policy Centre
UNSW Law Faculty
d.vaile@unsw.edu.au
(02) 9385 3589
http://cyberlawcentre.org/