This document discusses risks to data protection and privacy. It notes that the majority of data breaches are caused by insiders like former employees exploiting old accounts. The impacts of data breaches include reputational risk, business continuity risk, financial risk, and regulatory risk. The document also discusses emerging risks from trends like social media, mobile computing, and cloud computing and emphasizes that basic security measures are no longer enough due to new threats emerging daily. A holistic approach involving technology, processes, and educating users is needed to manage these evolving risks.
6. Data Protection & Privacy
Protection
‐ All confidential data – company, IP, clients, partners, employee
‐ Information Security Policy
‐ CISO
‐ Information Security Assessment
‐ Standards – ISO 27001, laws & regulations
Privacy
‐ Personally identifiable information, customer/employee confidential information – credit card, social security numbers, health records, employment records
‐ Data Privacy Policy
‐ Data Privacy Officer
‐ Laws & regulations
27 Jun 2013 – PARAG DEODHAR ‐ OP RISK ASIA
7. Who owns data?
Is data protection only about IT risk?
If all IT security controls are implemented, will there be no security breach?
Who uses data?
What about people and processes? Whose responsibility is that?
People are the weakest link.
Processes may not change in line with business and technology.
Who controls data?
8. Where is the data?
Creation / Acquisition
• Employees
• Partners
• Customers
Data Processing
• Employees
• Partners
• Outsourcing
• Printing
Data Storage
• Employees
• Partners
• Outsourcing
• Datacenters
Data Transfer
• Physical form
• Email
• Internet
• Media
Data Retention
• Data Centers
• DR Sites
• Backup media
• Physical copies ‐ offsite
• Regulations
Data Destruction
• Backup media
• Devices / Servers
• Media
• Physical copies
How can you protect DATA if you don’t know where it is?
13. Cloud Computing
Source: ISACA
IT Department is no longer the provider… SAAS, IAAS…
Risks!!!
‐ Regulatory compliance ‐ storage, outsourcing, privacy regulations
‐ Shared environment
‐ Identity & Access management
‐ Unencrypted data transfer
‐ Data Destruction
14. Proactive & Preemptive measures
New threats are emerging every day! We can’t run away from it…
Technology
• Basic measures like – Anti‐Virus, Firewalls, Encryption are no longer enough
• Tools like SIEM, IPS, DLP, DRM… are now a standard requirement
• MDM / MAM is a MUST!
Process
• Use frameworks and standards as a foundation
• Risk Assessment ‐ Data Flow / Privacy Assessments
• Continuous monitoring & incident response
• Regular audits and tests
People
• Background verification
• Awareness! Awareness!! Awareness!!!
15. It’s not a Goal – But a journey…
THANK YOU