Privacy and Security Audits/PIAs/TRAs
Information Privacy and Data Protection Lexpert Seminar
Bruce McWilliam
December 9, 2013
Importance of privacy and security audits
• Reported incidents of large-scale loss, theft, or exposure of personally identifiable information increased from 21 in 2003 to 1,622 in 2012
• The hacking of Sony’s PlayStation Network cost the company an estimated $171M in cleanup costs
• Reputational harm is severe: one company’s stock price fell 70% in the 3-month period following a single hacking incident
• Average loss in brand value ranged from $184M to $330M (minimum brand loss was 12%)
Goals of a Privacy and Security Audit
Determines the level of compliance with:
• Applicable privacy laws and regulations
• Internally adopted privacy practices
Benefits of a Privacy and Security Audit
• Measures privacy effectiveness
• Demonstrates compliance
• Identifies gaps between required and actual privacy controls
• Forms the basis for a privacy remediation and improvement plan
Scope of audit – internal parties
• Departments or groups dealing directly with customers
• Public affairs
• Call centers
• Reception
• IT department
• HR
• Finance
Scope of audit – external parties
• Business partners
• Technology partners
• Business customers/vendors
• Final consumer
Who conducts audits
• Internal (not recommended – outsiders spot problems you will miss)
• Accounting firms
• Large IT organizations
• Small firms specializing in security
Hiring an auditor
• Look at the audit team’s real credentials
• Review résumés
• Find the right fit
• Insist on details
• Ask for a statement of work
• Prepare to be audited
• Set the ground rules in advance
• Prepare all documentation/information to be provided to auditors
A typical audit
• The auditor will evaluate and test the information technology processes and systems to obtain sufficient, reliable, and relevant evidence to achieve the objectives of the audit.
• The findings and conclusions of the audit should be supported by appropriate analysis and interpretation of the evidence.
The audit process
• Establish a baseline through annual audits
• Define the scope and objectives of the audit
• Outline the approach to be taken in carrying out the audit
• Identify stakeholders and their roles/responsibilities
• Create an audit plan
• Identify the audit criteria
• Conduct the audit
• Prepare the audit report
• Take remedial steps, if any
Comprehensive risk assessment
• Sensitivity of the data
• Collection processes
• Storage techniques
• Complexity of processing and interfaces
• Third parties
• Disclosure policies and procedures
• Employee training
• Management accountability
• General security policies and procedures
Standards [the slides listing the specific standards are not captured in the text]
What are privacy impact assessments?
• A systematic process for evaluating the potential effects on privacy of a project, initiative, or proposed system or scheme, and for finding ways to mitigate or avoid any adverse effects
• PIAs are a tool used to ensure privacy protection is a core consideration when a project is planned and implemented
• In Canada, virtually all government institutions must conduct PIAs for new or redesigned programs and services that raise privacy issues
• Also used by some private organizations
Typical content of a PIA
• Describes how personal information flows in a project
• Analyses the possible impacts on individuals’ privacy
• Identifies and recommends options for managing, minimizing, or eliminating these impacts
• Contains recommendations to address the issues identified
Risks of forgoing a PIA
• Non-compliance with relevant privacy law, leading to a breach and/or negative publicity
• Loss of credibility and damage to reputation
• Potential system redesign, which can be very costly and time consuming when done mid-stream
PIAs as a compliance tool
A PIA should:
• Include information on relevant privacy laws and regulations
• Identify necessary adjustments for compliance
• Discuss how a project’s practices, systems and rules comply with specific legal obligations
What is a threat risk assessment?
A formalized process used to assess potential impacts to information assets and supporting resources, and to recommend safeguards and controls
Threat and risk assessment
Differing methodologies aimed at answering questions such as:
• What needs to be protected?
• Who/what are the threats and vulnerabilities?
• What are the implications if they are damaged or lost?
• What is the value to the organization?
• What can be done?
TRA typical components
• Scope
• Data collection
• Analysis of policies and procedures
• Threat/vulnerability analysis
• Assessment of risk acceptability
TRA components – scope
• Must identify what is covered and what is not covered in the assessment
• Identifies what needs to be protected, the sensitivity of what is being protected, and to what level and detail
• A scope that is too broad will be cumbersome, while one that is too narrow may miss important threats/risks
TRA components – data collection
• Collect all policies and procedures currently in place and identify those that are missing or undocumented
• Interviews with key personnel
• Information on vulnerabilities and threats against specific systems and services is documented
TRA components – analysis of policies and procedures
• Existing policies and procedures are analyzed
• Sources for policy compliance that can be used as a baseline are:
• ISO 17799, BSI 7799, Common Criteria – ISO 15504
TRA components – threat/vulnerability analysis
• Threats are anything that could contribute to the tampering, destruction, or interruption of any service or item of value
• Identify and assess both human and non-human threats
• Current exposure is identified and quantified
• Should use a grading system that incorporates both the probability of occurrence and the impact of occurrence
TRA components – assessment of risk acceptability
• Review of existing and planned safeguards to determine if discovered risks and threats have been mitigated
• Identification of what level of risk is acceptable to the organization
• Selection of appropriate security measures
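The grading system the threat/vulnerability and risk-acceptability slides describe (probability × impact, credited against existing and planned safeguards, then compared with the organization's tolerance) worked through as an added Python example; this is not material from the seminar, and the rank scales, threat register, safeguard reductions and tolerance threshold are all constructed for illustration.

```python
# Added illustration of the TRA grading: probability x impact, reduced by existing/planned
# safeguards to a residual score, then compared with the organisation's tolerance. All scales,
# threats, safeguards and the threshold are constructed examples, not from the seminar.
from dataclasses import dataclass, field

PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Threat:
    name: str
    source: str            # "human" or "non-human", the distinction the slides draw
    probability: str
    impact: str
    # each safeguard: (name, reduction in probability rank, reduction in impact rank)
    safeguards: list = field(default_factory=list)

def inherent_risk(t: Threat) -> int:
    """Current exposure before any safeguard is credited (1..25)."""
    return PROBABILITY[t.probability] * IMPACT[t.impact]

def residual_risk(t: Threat) -> int:
    """Exposure after existing and planned safeguards; a rank never drops below 1."""
    p, i = PROBABILITY[t.probability], IMPACT[t.impact]
    for _, dp, di in t.safeguards:
        p, i = max(1, p - dp), max(1, i - di)
    return p * i

def grade(score: int) -> str:
    return "high" if score >= 15 else "medium" if score >= 8 else "low"  # constructed bands

def assess(threats, acceptable_max: int) -> dict:
    """Risk register rows: name -> (inherent, residual, grade, accepted)."""
    rows = {}
    for t in threats:
        r = residual_risk(t)
        rows[t.name] = (inherent_risk(t), r, grade(r), r <= acceptable_max)
    return rows

def needs_further_measures(threats, acceptable_max: int) -> list:
    """Threats whose residual risk still exceeds what the organisation accepts."""
    return [n for n, row in assess(threats, acceptable_max).items() if not row[3]]

ACCEPTABLE_MAX = 8  # constructed tolerance: a residual score of 8 or less is accepted
REGISTER = [  # constructed sample register
    Threat("Unauthorised database access", "human", "likely", "severe",
           [("MFA for admin access", 1, 0), ("Encryption at rest", 0, 2)]),
    Threat("Server room flooding", "non-human", "rare", "major"),
    Threat("Agent discloses account details by phone", "human", "possible", "moderate",
           [("Caller identity verification script", 1, 0)]),
]
```

Only the first threat remains above tolerance after its safeguards are credited, so it is the one for which additional security measures would be selected.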
Integration of PIA/TRA
• Threat risk assessments are a broad tool that capture all kinds of risks, including those related to private information
• Integration with a PIA is possible and can save both time and money
• Some consulting firms conduct integrated assessments
For further information regarding this presentation and its content please contact:
Bruce McWilliam
Direct: (416) 865-7214
bruce.mcwilliam@mcmillan.ca
McMillan LLP
Brookfield Place, 181 Bay Street, Suite 4400
Toronto, Ontario M5J 2T3