Changing the Game: The Role of the Private and Public Sectors in Protecting Data U.S. National Issues Dialogue 2
Description
According to the study, recent events in the financial services industry remind us that it is absolutely vital to stay prepared. The question is not what to do if the next crisis occurs, but what to do when it occurs. One area that calls for greater preparation is data protection.
Informations
| Publié par | deloitte |
| Nombre de lectures | 197 |
| Langue | English |
| Poids de l'ouvrage | 2 Mo |
Extrait
National Issues Dialogues Changing the game: The role of the private and public sectors in protecting data
Deloitte Research Discussion Summary Washington, DC
Contents
1 Foreword
2 Introduction
3 Imperative for change
5 Guiding principles
7 The Roadmap
17 Conclusion
18 Appendix: Graphic illustrations of discussions
29 Recent Deloitte Research public sector thought leadership
30 Contacts
About the Deloitte Public Leadership Institute The Deloitte Public Leadership Institute, a part of Deloitte Touche Tohmatsu’s (DTT) public sector industry group, identifi es, analyzes and explains the major issues facing governments today. The focus of the Institute is to help public leaders tackle their most complex policy and management challenges. Through the Institute, Deloitte member firms deliver cutting edge thought leadership, innovative solutions to issues facing governments and strategic policy development. With offi ces in Washington, DC, London, Ottawa and Sydney, the Institute delivers practical insights governments can use to improve their operations and deliver better value to their citizens. The Institute realizes these objectives through four major programs: Thought leadership.conjunction with Deloitte Research, a part of DeloitteIn Services LP in the United States, Institute staff and Fellows produce provocative books, studies and commentaries on the most pressing issues facing public leaders. Public leaders dialogues.The Institute regularly brings together distinguished current and former senior public offi cials, management experts and academics to discuss topical issues and share best practices. Benchmarking.The Institute regularly surveys government executives to better understand the magnitude of 21stcentury challenges across government agencies. Survey data is then used to develop a clearer picture of the areas of greatest weakness and to help discern best practices that can be more widely disseminated. Academic partnerships.Institute works closely with the world’s leadingThe graduate schools of public policy and administration to co-sponsor forums and co-produce books and studies. About Deloitte Research Deloitte Research, a part of Deloitte Services LP, identifi es, analyzes and explains the major issues driving today’s business dynamics and shaping tomorrow’s global marketplace. From provocative points of view about strategy and organizational change to straight talk about economics, regulation and technology, Deloitte Research delivers innovative, practical insights companies can use to improve their bottom-line performance. Operating through a network of dedicated research professionals, senior consulting practitioners of the various member fi rms of Deloitte Touche Tohmatsu, academics and technology specialists, Deloitte Research exhibits deep industry knowledge, functional understanding and commitment to thought leadership. In boardrooms and business journals, Deloitte Research is known for bringing new perspective to real-world concerns. For more information, please contact William Eggers, Deloitte Services LP, at +1 202 246 9684 or weggers@deloitte.com. Disclaimer This publication contains general information only and Deloitte Services LP is not, by means of this publication, rendering accounting, business, fi nancial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualifi ed professional advisor. Deloitte Services LP, its affi liates and related entities shall not be responsible for any loss sustained by any person who relies on this publication.
Foreword
Recent events in the financial services industry remind us that it is absolutely vital to stay prepared. The question is not what to doifthe next crisis occurs, but what to dowhenit occurs. One area that calls for greater preparation is data protection. In today’s world, data is everywhere and its value is growing. While this environment brings many benefits, it also creates a grave responsibility: to safeguard our data against an increasing multitude of skilled and resourceful thieves.
Data protection is a global issue that plagues both the private and the public sectors. It is also a daunting issue— an evolving problem with a diverse set of culprits and no clear-cut solution. Data drives our enterprises; we need to understand and mitigate the risks that cyber criminals pose to our business operations. Until we do, data thieves will continue to thrive in a disorganized, ill-equipped and often naïve world.
The Obama administration has signaled that it understands this imperative. In February 2009, President Obama appointed Melissa Hathaway, a leading expert on cybersecurity, to investigate all the ways in which the federal government manages and safeguards data. The Obama administration ordered the 60-day review to improve coordinating efforts by the government and the private sector to protect the nation’s data infrastructure.
But even while our nation launches these efforts, criminals are continuously refi ning their game, finding new ways to exploit our systems and steal our information. It is time to raise our game, to better prepare ourselves, and to work together to protect data from individuals waiting to exploit it. Motivated by this common goal, we gathered executives from the private and public sectors in Washington, DC on October 8, 2008. They came to collaborate on raising their data protection game. Bringing together private and public organizations afforded several benefi ts. It enabled participants to directly examine the impact of government regulations on private industry. It also gave participants a chance to share valuable insights regarding leading industry and government practices for addressing universal challenges in data protection.
The meeting used electronic polling and real-time graphic recording to stimulate discussion and capture key insights. Among topics that participants explored were3rdParty Data Exchange, Creating a Culture for Data Protection, Insider ThreatandOperational Fraud.
While data protection is undeniably a complex issue, one thing is clear: We must take collective action to assert a new, formidable presence in a previously one-sided game. We are pleased to present you with the fi ndings from this unique forum. We hope you fi nd them useful in your efforts to safeguard data.
Principal Federal Financial Services Industry Deloitte Consulting LLP
Rich Baich Principal Security & Privacy Deloitte & Touche LLP
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
1
2
Introduction
Today, data pervades every aspect of society. Citizens On October 8, 2008, 140 leaders from the public and pay bills, swap photos and attend school online. private sectors convened in Washington, DC to examine Companies use IT systems to manage the movement of the challenge and start rewriting the rules of the data everything from freight to electrical power to vast sums protection game. Attendees included professionals of money. Governments build networks to run systems from banks, credit card companies, insurance fi rms, as mundane as traffic signals and as critical as armies. business intelligence firms and other corporations, Whether we’re trading stocks, prosecuting criminals, plus federal agencies. Together, they discussed how to performing emergency surgery, designing offi ce towers protect data outside an organization’s four walls, how or just talking on the phone, we depend on digitally to build a culture for data protection, how to manage encoded information. internal threats and how to collaborate to combat operational fraud.1 Not only is data everywhere, it’s growing increasingly valuable to a broad range of people, including those During the program, four sessions focused on four who intend harm. Just as business and government aspects of data protection:2 leaders understand the value of the information Third party data exchange: Protecting data beyond stored in their computer systems, so do criminals your walls and spies. Our national security, our economy and our personal well-being all depend on our ability to Building a culture for data protection protect information systems against identity theft, embezzlement, sabotage, espionage and more. As Insider threat: The threat within your walls nations grow more internationally interdependent and data systems more interlinked, data protection has Operational fraud: A new collaborative approach to become a top global priority. detecting fraud and minimizing the impact
Data thieves are highly sophisticated and grow more so every day. Their game changes constantly, with new technologies and new strategies. To keep up with them, government and business leaders will have to change their own game.
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
Imperative for change
The data security landscape today is very different from what it was 10 or 20 years ago. Today, more people have access to sensitive data and use it in their daily work than any time in the past. Monitoring the access and activities of thousands of employees, contractors and customers, including individuals who gain temporary access for specifi c projects, is no easy job. The trend toward outsourcing makes it especially challenging to secure data, as information is handled by people throughout the supply chain and stored on media that the owner of the data doesn’t directly control.
Organizations working to safeguard their data need to worry about more than the typical hackers and other outside threats. Basic internal carelessness is also a significant vulnerability. Just as a person may leave a car door unlocked or forget a wallet on a checkout counter, people are not always careful with data. It’s easy to forget a laptop in a taxi, drop a thumb drive or jot down a password and leave the paper exposed on a desk. But it’s difficult to monitor a staff of thousands to prevent those kinds of mistakes. And it’s becoming even more challenging as a younger generation enters the workforce. Millennials, while often impressively tech savvy, seem to be comfortable sharing every aspect of their lives on Facebook and Twitter as a matter of course. When translated to the workplace and protecting data, this trusting and casual nature can have serious consequences today as well as in the future.
The influx of foreign-born employees into the workplace poses another challenge. Talented employees from abroad bring crucial skills; U.S. companies want and need them. But how do you
conduct a thorough background check on someone who spent his first 25 years in another country? If one of your employees were actually an agent of a foreign government, how would you know? In some countries, the process of conducting a background investigation simply means calling someone on the phone to ask them if they know an individual.
The current global financial crisis increases the data security threat as well. When many people suffer major financial losses, as they have in the current crisis, more individuals face temptation—whether to use their legitimate access to a data system to commit fraud, or to pass information to outsiders who offer to pay them. Economic turmoil, including the collapse of banks and other corporations, has destroyed many traditional safeguards. Loyalties have worn thin, and employees who learn they have lost their jobs may feel bitter enough to “get even” as they walk out the door. Together, those conditions make this an era of particular vulnerability and the daily examples highlighted in the press demonstrate the reality of the threat.
The challenges will only become more acute as smart criminals step up their game. “We haven’t seen the bad stuff yet,” warned a banking offi cial at the October 8 forum. “The bad guys are still taking the easy pickings.” Organized criminals continually study the security strategies that corporations and governments put in place and re-engineer these strategies in order to defeat them, added Rich Baich, former chief information security officer at ChoicePoint, and now a principal with the Security and Privacy practice at Deloitte and Touche LLP.
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
3
4
The threat of data loss, through both carelessness and theft, is not hypothetical. In the United Kingdom in 2007, a contractor working for the UK Home Offi ce lost a USB drive that contained unencrypted data on all of the prisoners incarcerated in England and Wales— approximately 84,000 individuals. In November of that year, a junior official at Her Majesty’s Revenue and Customs (HMRC) downloaded the entire child benefi t database onto two unencrypted discs and sent them via courier to the National Audit Offi ce in London. The discs disappeared along the way, jeopardizing national insurance numbers, bank account details and other personal information belonging to an estimated 25 million people. In December 2005, HMRC discovered an attempt to make fraudulent claims on two tax credit programs. Officials suspect the perpetrators were insiders using the identities of Department of Work and Pensions staff to access personal information on people in the database.
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
Organizations that don’t stay ahead of evolving data security threats open the door to huge fi nancial losses for themselves and their customers or constituents. These institutions may lose intellectual property to corporate espionage, jeopardize criminal prosecutions or put national security at risk. And any organization that suffers a data breach stands to lose customers, market share, the value of its brand and the trust of its customers and partners—in short, its reputation.
With so much at stake, the public and private sectors must unite and take collective action. By acting instead of reacting, we can take an offensive role in the data protection game. Only then will we begin to realize a shift in power.
Guiding Principles
In the face of sophisticated, ever-changing threats, efforts to protect data must span every level of an organization—from top executives to front-line employees; from organizational structure to individual behavior; from internal policies to agreements with suppliers, subsidiaries, customers and partners. During each of the sessions at the October 8thforum, panelists and audience members shared information on how to stay ahead in the data security game. Participants from the public and private sectors pooled their insights regarding where things stand today, what the future might bring and which leading practices could shift the balance of power between those who violate data and those who protect it. From these discussions, five guiding principles emerged. We consider each in turn.
Safeguard Third Party Data Exchange Data that passes into the hands of a third party provider must remain as safe as it would be behind the firewall of the primary owner of the data. To achieve this, the primary owner must conduct risk assessments, carefully structure its contract with the third party, continually audit the third party’s compliance and develop a detailed action plan for dealing with third party breaches. Know the risks of doing business with third parties.
Build a Culture for Data Protection A corporation or government agency must develop a culture in which each individual appreciates the importance of data security and takes personal responsibility for maintaining it. Top executives must lead this effort and reinforce it through the compensation structure. Data is the most valuable asset; it is everyone’s personal responsibility.
Be Alert to Insider Threats Security professionals must be able to identify people within the organization who are likely to misuse data, either on purpose or through carelessness. By giving these people training, or helping them with personal crises that might tempt them to err, the organization can work to further avert potential data breaches. It is important to expend time and effort on both internal and external threats. Reduce Organizational Fraud by Taking an Integrated Approach Facing inward, an organization needs an enterprise risk management strategy, bringing together all the domains that deal with security (fraud prevention, loss prevention, network security, etc.) to attack the problem in an integrated fashion. Facing outward, different public and private sector organizations must establish rules of engagement for exchanging actionable information, so they can collaborate against common threats. Success demands the right combination of tactics, tools and collaboration. Fusing data and performing analysis from multiple information sources can provide relevant insight and allow an organization to discover inappropriate activities.
Strike a Balance Finally, organizations must strike a balance between data security and information sharing. While protecting sensitive data is absolutely essential, success in the 21st century also requires creative collaboration. Figuring out how to do both won’t be easy, but solving this dilemma is an essential element of taking the data security game to the next level.
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
5
6
LexisNexis’s Nine-Point Approach for Data Security In her keynote address at the October 8 meeting, Carol DiBattiste, senior vice president of Privacy, Security, Compliance and Government Affairs for LexisNexis Group, laid out the nine-point plan that guides her company’s data security activities:
1. Conduct an inventory of your data and limit access to it. 2. Set up a credentialing program for employees, customers and vendors. 3. Establish corporate accountability, starting at the highest levels of the organization. 4. Execute standards, procedures and guidelines. 5. Use a third party to audit whether everyone is complying correctly with data security policies. 6. Keep investigating new technology solutions to help enforce your policies. 7. Provide mandatory training programs for employees and customers. 8. Conduct education and outreach, targeted internally to your organization and externally to stakeholders. 9. Maintain transparency in everything you do.
DiBattiste also recommended that organizations: Conduct an annual data security risk assessment. Annually evaluate vendors to identify the ones that pose a high risk. Establish a strong audit program to make sure customers and employees are using data properly, and let them know they are being monitored.
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
According to DiBattiste of LexisNexis, two of the biggest challenges are gaining buy-in for the data security program from the entire organization and instilling a sense of urgency within the organization’s culture. If an organization has never had a breach, it’s hard to convince people to take the problem seriously. One of the most effective solutions, she said, is to explain in great detail how breaches have occurred in other companies and describe who suffered as a result. Talking with upper management and with individual business units, it’s possible to convince people not only that they don’t ever want to risk a data breach, but that a solid security policy can give their organization a competitive advantage.
Developing the right team to work on data security is another challenge, DiBattiste said. So is learning to deal with government regulators, whose attitude can seem punitive, but whose presence can help ensure that your security initiatives work. “Embrace them,” she said of regulators.
Another difficult challenge, DiBattiste said, is developing a sense of credibility and transparency. If a breach does occur, it’s important to make every effort to rebuild customer trust. Work one-on-one “ with people,” she said. “Show them, ‘Here’s the plan. Here’s how we’re implementing the plan.’”
The Roadmap
To address these challenges, organizations need to prepare for a broad variety of data breaches—those perpetrated internally and those committed by third parties; those caused by malicious activities and those committed through carelessness.
Safeguarding Third Party Data Exchange The Challenge: When an organization works with a third party, differences of opinion can pose serious obstacles. What if the primary organization believes that a data breach has occurred, but the partner doesn’t agree that this is the case? One is tempted, in this situation, to end the relationship with the third party. But a hasty break could cause problems for customers, constituents or other stakeholders. If you don’t have another partner ready to step in immediately, ending the relationship could stop the flow of information on which stakeholders depend.
For a company that provides third party services to many clients, big problems arise when each client requires you to follow a different set of data security standards. The cost of complying separately with so many standards quickly gets out of control. Data security professionals need to develop a uniform approach to working with third parties, so these partners can use one set of processes to protect the data of all their clients.
Recommendations: Spell out the requirements for data security and privacy, and for breach notifi cation, in a contract with your third party provider.A majority of forum participants found including such language in the contract to be the most effective means of managing third party providers (see fi gure 1). You need to stress the importance of your data security policies and insist that all third party providers learn the procedures Enumerating these items, however, does not absolve the primary organization from responsibility for keeping the data secure. The original owner of the data remains responsible and must help its partners comply with its security policies and procedures. Figure 1. Which proactive measure is most effective when managing third party providers handling your organization’s sensitive information? 2% 24% 18%
25%
18% 31%
25%
24%
2%
31%
Send security and privacy self-assessments prior to doing business, review for high-risk vulnerabilities, require remediation Include language in every contract detailing security and privacy policy requirements as well as breach notification requirements Perform on-site assessments of all third party service providers that would handle your organization’s sensitive data Implement a risk-based approach to deter-mine which risks pose the greatest threat to help concentrate on-site assessments and resources Other
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
7
8
Thoroughly vet your partners, and then follow up.Before reaching an agreement with a third party, it’s important to conduct an on-site assessment to ensure that the right data protection processes are in place. Then, perform periodic on-site re-evaluations to make sure the partner is complying with the provisions in your contract. If the partner falls short in any area, provide help with the items that need improvement. Consider the “how” as well as the “what.”In both establishing policies and monitoring compliance, widen the scope to consider more than simply which information your partners access. How you expect partners to use that data is equally important. Consider limiting a partner’s access to a particular kind of data—for example, allowing read-only access without the ability to download.
Take a risk-based approach.Since a large organization often handles a great deal of data and relies on many partners, it’s impossible to monitor everything and everyone for 100 percent compliance with data security procedures. Under a risk-based approach, you identify the relationships, the data and the procedures that need to be monitored most closely, and focus your energies there. To monitor partners more effectively, an organization might build process metrics, creating benchmarks and providing a way to identify irregularities before large problems develop.
Conduct a risk assessment to determine how to focus the response to a breach.Factors to consider in that risk assessment include the severity of the breach, how badly it might harm the organization’s reputation and whether there are other third parties available to take over the work of the partner that caused the breach. An evaluation of these various risks will help determine the course of action. The response also will vary depending on whether you face an isolated breach or have detected a systemic problem.
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
Along with investigating to determine a course of action, it’s also important to go on-site to fi nd out what actually happened, to prevent future incidents. What caused the breach? Did someone ignore a provision of the data security policies, or did the policies themselves contain a flaw? An overwhelming majority of forum participants, 79 percent, agreed that an on-site security and privacy assessment was most appropriate following a third party security breach, in addition to the remediation of all high-risk vulnerabilities within a short period of time (see fi gure 2). Finally, to regain the confidence of stakeholders after any data breach, the organization must work to take full accountability. Figure 2. After a third party security breach, what is the most appropriate action to take in order to address risk and protect your organization?
9%
79% 8% 4%
9%
4%
8%
79%
Immediately discontinue dealings, even if this negatively affects business, until a new service provider can be procured Perform an on-site security and privacy assessment and require all high-risk vulner-abilities be remediated within a short time period Reevaluate your organization’s third party policies and procedures to identify gaps Other
Create a response plan and test it often.Before any breach occurs, the organization should establish an incident response team. Everyone on that team should keep the plan easily at hand and be prepared to swing into action as soon as a problem occurs. Proceed carefully with the response. Before notifying anyone about the breach, fi nd out whether you need to coordinate your activities with law enforcement. The key to a successful response is getting the right people involved, including the legal department. After ensuring that the right people have been involved and a response plan has been put in place, affected stakeholders should be notifi ed, regardless of whether the third party has notifi ed the public of the breach (see fi gure 3).
Establish a call center.After notifying stakeholders about a breach, an organization is bound to get a barrage of calls from people who want to know if the notification is legitimate. You will need a call center to handle those and a host of other inquiries. Figure 3. After a third party security breach, what is the most effective way to communicate this breach to your affected stakeholders? 0% 18%
38%
0%
44% 38% 18%
44%
Wait for the third party to publish an offi cial breach notice on their website Send letters to your stakeholders, even though the third party has not revealed this breach to the general public Notify your legal department so that they can research legal requirements for reporting the breach Other
Building a Culture for Data Protection The Challenge: While it’s essential to protect data, it’s also essential to share information. The intelligence community knows all too well what happens when agencies are so afraid to incur any risk that they refuse to share information even with their natural allies. The fact that it’s important though, doesn’t mean it’s easy to strike the right balance between protecting data and collaborating to support the mission. Within one organization, for example, one group might be working on a plan to block all access to USB ports, making exceptions only for selected individuals on an approved list. At the same time, another group might be working on a plan to develop all training materials as podcasts, so employees can download them through their USB ports onto MP3 players. The idea being that by making trainings more accessible, employees are more likely to complete the trainings in a timely manner.
Another obstacle that organizations face when trying to develop a culture of data protection is over-communication. Some managers rely so heavily on e-mails that employees ignore all messages that don’t look immediately relevant to their jobs. Particularly if the memo comes from the upper levels of the organization, people may assume it’s a routine message and delete it. These tendencies challenge organizations to find better ways to get out the word about data security.
The new generation also poses another obstacle. Younger workers often fi nd the restrictions that security policies impose to be aggravating. If a security-intensive culture becomes too unpleasant for them, they may leave that employer to fi nd a more relaxed, collaborative atmosphere. Even when employees accept the idea that they should make special efforts to protect data, it’s hard to fi gure out how to evaluate people on their performance.
Deloitte Research – Changing the game: The role of the private and public sectors in protecting data
9
© 2010-2024 YouScribe