The document discusses privacy, data protection, and risk management definitions and how they relate. It provides an example of a ransomware attack on a Dutch railway operator to illustrate risk management concepts. It describes how ISO 27701 establishes requirements for a privacy information management system that maps to other ISO standards and the EU GDPR for protecting personally identifiable information.
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1.0.pptx
2. Agenda
Introductions
Privacy, Data Protection, and Risk Management Definitions
Risk Management – Real world example
Data Protection – How would it apply to the example?
Privacy (27701) and how it applies
Privacy, Data Protection, and Risk Management Inter-relationship
4. ISO/IEC 27701
Definitions
An ISO standard that is an extension to ISO/IEC 27001 (the Information Security Management System standard) and ISO/IEC 27002.
A set of requirements and guidelines dedicated to privacy information management.
Maps to ISO/IEC 29100, ISO/IEC 27018, ISO/IEC 29151 and the EU GDPR.
Focused on the protection of Personally Identifiable Information (PII).
https://store.pecb.com/standards
5. Data Protection
Definitions
The protection of important data from corruption, loss, or compromise.
“Important data” could be trade secrets, confidential corporate information, etc.; this is sometimes referred to as information privacy.
6. Risk Management
Definitions
The identification of threats, vulnerabilities and impacts in order to calculate risk and then apply appropriate mitigations or determine the risk action plan.
The goal of risk management is to reduce risk where possible (risk can never be completely eliminated).
8. Risk Management
Context of a real life ransomware attack
At an undisclosed Dutch railway operator, an external supplier’s hardware was breached while connected to the train.
Eking ransomware was installed automatically via a remote desktop configuration (easily guessed passwords = doors wide open).
It happened shortly after the CISO Office and the Risk Department were combined – joint investigation and follow up!
9. Risk Management
Ransomware attack timeline
Tuesday March 16: Joint assignment to connect the device to the internet for updates for the test night. Project team + supplier execute the order.
Thursday March 18: Device is now connected to the internet. During the connection for updates, ransomware is installed automatically.
Saturday 20 March 21:30: Hardware device signals the ransom notification (no screen).
After 21:30: Operational Coordinator connects a Surface laptop, sees the ransom notification and calls the PM team. PM team (on stand-by during tests) receives the message and orders to disconnect the hardware completely and put the train into shutdown mode. Operational Coordinator executes the order: hardware and peripherals disconnected and train in shutdown (late hours). Program manager makes futile attempts to reach senior management and CERT.
10. Risk Management
Aftermath of ransomware attack timeline (organisation response)
Sunday March 21
Project team: Tries to alert CERT, CISO and senior management. Distressed message to lower technology department; much unclear about the nature of the infection and which hardware has been contaminated (peripheral laptop or installed hardware).
Security officer (SO): By sheer luck, the ISO notices the distress message and goes to work, informs CERT, and gives the PM team the order to only tow the train and complete the shutdown. Senior management still not reached.
Manager train digitization reads the messages; directors of Tech and IT involved – action and comms established.
CERT: Registers the incident – complains about the untimely notification, but process and availability of CERT are not guaranteed for OT.
Monday March 22
Multiple meetings; tests and evaluates hardware and peripherals. Diagnosed Eking ransomware and contaminated hardware from the supplier instead of the Surface laptop. Forensic investigation initiated.
Later
Forensic investigation slow and limited in depth of analysis.
Involved management: Research and evaluation process drawn closer to the train digitization team. Focus shifts from the incident towards external suppliers’ laptops and ransomware. Decision to release the train for service as the systems proved to uphold integrity after contact with the supplier. Incident reported to CISO and Director of Risk for evaluation. Takes additional measures with SO and CERT for a different system design and to prevent repetition of the scenario.
SO: Advises PM and says the prompt focus by management on service laptops does not help to learn from the incident.
Independent evaluation by CISO and Risk: Major focus on external service laptops, which had already been established not to be the root cause, although widely communicated as a mitigating measure after the incident.
11. Risk Management
Bowtie Analysis
Main event: Ransomware attack
Causes: Hardware system accessible by internet; cybercriminals scan automatically for vulnerabilities; simple passwords; remote access applied; legacy unsafe software; COVID-19; time pressure on project; demand with regard to security not clear.
Controls: Minimal cyber security measures + auditing suppliers; train drivers; separate train network; cyber requirements in contracts; firewall (failed).
Events: Spread of ransomware; accident.
Impact: Time/costs of investigations; delay of programme and tests; responsibilities for security/safety unclear; train systems and tests shut down; reputational damage (not yet); obligation to report.
Issues/learnings: Old contract with supplier (specification limited); cyber within OT not enough focus; scarce cyber security expertise; no or insufficient change management process; no CERT cyber incident process for OT.
12. Risk Management
Conclusions of working together with CISO Office and Risk
First business control incident since working together so closely.
The local information security officer wanted this investigation to be as independent as possible. Having infosec expertise in the second line of defense with the Risk department was immediately helpful.
CISO Office happy with the broad view of systemic risk by the Risk Manager.
Cost a lot of time to get the investigation up to speed and understand the true cause of the breach – the second line of defense needs to reserve more time for investigations like these.
It was a necessary investment of time; otherwise senior management would not have addressed the actual systemic cause of the vulnerability (lack of Management of Change).
19. What Should I Consider?
Know Your Risk Areas
Everyone Should Know Their Responsibilities
Transparency & Visibility
https://cloudian.com/guides/data-protection/data-protection-regulations/
20. What Businesses Should Be Doing Right Now
https://cloudian.com/guides/data-protection/data-protection-regulations/
Security Program
Privacy Program
Governed cyber risk
GRC
22. Privacy Information Management
ISO 27701
27701 is an extension to ISO/IEC 27001.
27701 adds privacy requirements to the 27001 Annex A controls.
ISO/IEC 27001 is dedicated to providing guidance on building an Information Security Management System (ISMS).
27701 outlines how to establish a Privacy Information Management System (PIMS).
23. ISO 27701
Based on ISO/IEC 27001, so it has the underlying security that is included in 27001.
24. Applicability to scenario
ISO 27701
Because 27701 is built upon 27001, the PIMS for privacy would be directly linked to the ISMS for security.
In the scenario, the CISO office and the Risk Management team were recently combined, so ensuring the various management systems were updated for this change would have been important in order to avoid chaos during an incident response or when planning for incident response.
26. ISO 27701, Data Protection, and Risk Management
Mapping
Data Protection and Risk Management are core components of any ISMS.
Although data protection could cover any sort of confidential or critical data, ISO 27701 focuses on the protection of PII.
ISO 27701 describes a PIMS based on an ISMS, so the relationship between overall information security (including data protection and risk management) and privacy is clearly established in this standard.
Swift pickup by the ISO was more luck than good procedure. Management focused quickly on the external laptop (supplier) policy rather than looking at its own failure to arrange management of change.
This was a real Risk + CISO result: filling in the bow tie together.
Lessons learned:
Focus more on the thin line between IT and OT.
The kill chain for ransomware across multi-system networks needs to be reassessed.
Organisational responsibilities and procedures during a cyber incident on assets or OT need to be clearer.
Ransomware is a real threat; luckily this happened in a test setting. Work on awareness, management of change and common sense.
The approach taken with ISO/IEC 27701 is similar to that of the ISO/IEC 22301 standard for business continuity: build a management system specific to the critical topic area (a PIMS for privacy, a BCMS for business continuity and an ISMS for information security).
Identify risk areas—you should assess the risks involved with any activity that uses personal data. This can help you identify gaps in your existing security policies, so you can update your compliance measures.
Enterprise-wide understanding of obligations—everyone in your organization should know what their responsibilities include. You may also need to comply with additional, local regulations in your country of operation, or affecting your industry. Ensure that every employee knows how to respond to data security events, and is at least familiar with the seven key principles of the GDPR.
Maintain visibility and transparency—use measures such as data mapping to keep track of all personal data that your organization processes. This should include documenting what types of data you collect, where you store it, and why you need to process it.