SLVA - Privacy Framework and Approach


Page 1: SLVA - Privacy Framework and Approach

Protecting Personal Information

Building your Security for Privacy program

Kris Budnik

2014

Page 2: SLVA - Privacy Framework and Approach

Information is a valuable asset…

• Incidence and costs of fraud rose markedly in the past 12 months

• Information-related fraud is common and evolving

• Employee abuse is still the major cause (39%), but instances of external hacking almost doubled (35% vs 18%)

• Worse still, instances of hacking via a 3rd party supplier or service provider have trebled (17% vs 5%)

• Complexity of IT infrastructures seen as a contributing factor

Source: 2013/2014 Kroll Global Fraud Report

The fraud case involving a single location is now a rarity: the client is in one country, the fraud in a second, the perpetrator in a third and the money... well, that’s often the challenge.

Page 3: SLVA - Privacy Framework and Approach

Volume and frequency of personal data theft on the increase…

Page 4: SLVA - Privacy Framework and Approach

Personal data a commodity on a vast underground market…

• Online Bank Accounts

– Name your Bank and Country preference

• Fullz available here!

– US, EU, Australia, UK, Canada, Asia

• Malware Infected Computers

– 1k, 5k, 10k or 20k?

• Malware and Exploit Kits to lease

– 3 mths, 6 mths and 1 yr terms

• Hacker Services for Hire

– DDoS Attacks

– Hacking of Websites

– Doxing

Services                                      Price

VISA & Master Card (US)                       $4

VISA & Master Card (EU)                       $7 - $8

Credit Card with track 1 & 2 data (UK)        $19 - $20

Credit Card with track 1 & 2 data (EU)        $28

Fullz (UK, EU)                                $30 - $40

Bank Accounts with $70k - $115k               $300

Doxing                                        $25 - $100

Health Data                                   $150 - $200

Infected Computers (5k bots)                  $90

Denial of Service                             $3 - $5 per hour; $400 - $600 per week

Source: Dell SecureWorks, 2013

Page 5: SLVA - Privacy Framework and Approach

Corporate response often inadequate or misplaced...

Page 6: SLVA - Privacy Framework and Approach

Consequences avoidable…

Page 7: SLVA - Privacy Framework and Approach

Learning from others…

Analysis of over 50 incidents reported in 2009 – 2013

(source: wiki.openrightsgroup.org/wiki/UK_Privacy_Debacles)

[Chart: No. of records lost (y-axis, 0 – 600,000) by incident cause: Design error, Email error, Insecure disposal, Insecure handling, Lost/Stolen Laptop, Lost/Stolen Media]

Page 8: SLVA - Privacy Framework and Approach

Our Framework

For the Enterprise…

ASSIGN RESPONSIBILITY

In IT…

DOCUMENT POLICIES & NOTICE STATEMENTS

DEFINE INCIDENT RESPONSE PROCESS

RAISE AWARENESS

Privacy Officer and Deputy TORs

PPI Operating Model

PPI Roles & Responsibilities

Core T&Cs (employment contracts, contracts, terms of engagement etc.)

Privacy Policy (for the handling of personal information in the enterprise)

Fair processing notice (directed at the Data Subject)

Alignment with other applicable laws, regulations & practices (Retention, Protection, Privacy)

PERFORM ISMS GAP ASSESSMENT

Security safeguards for Information Protection

Strategy for privacy incident response

Privacy training and Awareness content

Use & Retention criteria

Destruction methods

Information Security Tools & Techniques

Outsource arrangements

Data Subject Access provisions

Compliance Management and Reporting

Direct Marketing implications

Quality & Integrity

Disclosure provisions

Notice provisions

In the Line of Business…

Rights of the individual

Information Lifecycle Management

Control over Information

Collection rules

Cross border flow considerations

Page 9: SLVA - Privacy Framework and Approach

Our QuickStart Approach

1. Governance model

• ToRs for Privacy Officer

• Information Protection Committee

• Reporting requirements

2. Standard Contract Clauses

• Employment contracts

• Procurement contracts

• Service level agreements

3. Retention Schedules

• Key information groups

• Key applicable legislative requirements

4. Technical Security Baselines

• Encryption

• Data transport

• Leak management

5. Training & Awareness Strategy

• Induction

• Call center agent awareness

• Incident reporting procedure

6. Incident Management Process

• Incident handling procedures

• Reporting practices (to regulator)

• Incident resolution practices

Gap Analysis/ Implementation roadmap/ enabling technology solutions

Page 10: SLVA - Privacy Framework and Approach

Preparing a suitable IT response…

Your IT team can help… consider the following as minimum response strategies:

• eLearning to raise awareness

• Access Governance to ensure authorised access to:

– networks

– systems

– applications

– data

• Data Leak Management to ensure accountability and enforce policy

• Security Event and Information Management for early problem detection and efficient resolution

[Chart: Unauthorized Webmail Attachments Rule Prompt - 2008; # Prompts (y-axis, 0 – 2000) by Month (January – June); series: # Prompts, Associates, Workstations]

Page 11: SLVA - Privacy Framework and Approach

Thank you

For a further conversation:

Kris Budnik

[email protected]

082 600 7311