Trust - Chapters Site

Trust Economics: The Critical Linkages Between
Information Assurance, Privacy & Security
Matt Stamper, MPIA, MS, CISA, ITIL, CIPP-US
VP of Services: redIT
President: ISACA San Diego Chapter
Co-Chair: InfraGard San Diego
Board of Advisors: Multiple
Agenda
Trust Economics
Why Information Assurance (IA) matters
ILM, Security, Privacy, and IA Defined
Regulatory Requirements
Frameworks & Approaches
Impact of New Technologies:
Internet of Things (IoT)
Cloud
Questions & Comments
The important work of the IIA & ISACA
Our organizations play a critical role in assuring trust within our economy.
IIA – The role of Internal Audit:
Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management,
control, and governance processes
ISACA – Recognizing the dependencies on IT in our organizations
Trust in, and value from, information systems
Viewing Organizational Trust and Internal Auditing
“Trust can also be considered a public good, necessary for the success of economic transactions and Adam Smith’s invisible hand may best characterize trust…Trust is a complex concept. It is multi-dimensional, multi-layered, and exists in almost every economic event…The current business environment is heavily influenced by globalization, the Internet and information technology. The Information Age has increased asymmetry of organizations and actors correspondingly with political, social and business volatility.”
Cynthia Claybrook, CPA
The IIA Research Foundation
Trust and Societies: Quantifiable Impact
“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. That suggests that trust is worth $12.4 trillion dollars a year to the U.S., which, in case you are wondering, is 99.5% of this country’s income (2006 figures). If you make $40,000 a year, then $200 is down to hard work and $39,800 is down to trust” (http://www.forbes.com/2006/09/22/trust-economy-marketstech_cx_th_06trust_0925harford.html)
“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world” (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February, 2012: White House)
“Trust is at the heart of today’s complex global economy. But, paradoxically, trust is also in increasingly short supply in many of our societies, especially in our attitudes towards big business, parliaments and governments. This decline threatens our capacity to tackle some of today’s key challenges” (http://www.oecd.org/forum/the-cost-of-mistrust.htm)
Trust = Economic Value
Trust is Critical for an Information Economy (figure: the four pillars of trust)
• IA
• Security
• Privacy
• Cultural Norms
International Data Flows: The Global Currency
“The Growth of the Internet and the ability to move data rapidly and globally has been a key building block of the
global economic order” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The
Brookings Institute, February, 2013)
“Exports (emphasis mine) of cloud computing services were estimated to be worth approximately $1.5b in 2010 (and this is likely a conservative figure) and the market for cloud computing services is anticipated to grow by up to 600 percent by 2015” (“Policy Challenges of Cross-Border Computing” – Journal of International Commerce and Economics, November 2012).
• Over 2 billion individuals have access to the Internet
• More devices will be connected than people – billions of devices
• Nearly free transaction costs
• The days of information arbitrage are over
• Barriers to innovation & exploitation are equally low
Critical Shared Data Sets:
• Weather & Climate data
• Census data
• Healthcare and Disease Control data
• Financial & Currency data
• Trade data
A McKinsey Global Institute study estimated that the Internet contributed over 10 percent to GDP growth in the last five years to the world’s top ten economies, and for every job lost as a result of the Internet, 2.6 jobs have been created.
Open Government Initiatives: Public Sector Data
Governments across the globe recognize that information is both:
• A national resource that requires protection
• A public good that should be readily disseminated
Key areas of focus within the Open Government community include:
• Transparency with budgets & procurement
• Private/Public Sector data sharing
• Innovation
“The original and essentially libertarian nature of the Internet is increasingly being challenged by assertions by government of jurisdiction over the Internet or the development of rules that restrict the ability of individuals and companies to access the Internet and move data across borders” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)
How Trust Impacts Our Daily Lives
When Trust is Lost…
http://www.youtube.com/watch?v=uw_Tgu0txS0
The SEC is Concerned about Trust w/Public Firms
The Securities and Exchange Commission (SEC) is, not surprisingly, concerned about the impact of trust on public markets given security issues. Of note:
• Risk Alert: CyberSecurity Initiative 4/15/2014 – The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) is “examining” 50 broker dealers with prescriptive guidance on expected practices and documentation
• Division of Corporate Finance (CF) Disclosure Guidance 10/13/2011 – guidance on impairment of goodwill, materiality thresholds for preventing or detecting events, cyber-risk focused ERM, recommended disclosures
Why Information Assurance Matters…
• We rarely question the quality of the information we use to make decisions…putting our organizations, economies, and personal lives at risk
• Information is the most valuable asset in our economy and fuels innovation & growth (data is the raw material of the global economy)
  o Commerce
  o Science
  o Government
• Our dependencies on accurate and timely information are increasing exponentially
• Massive asymmetries in IA practices
• Gap between laws & regulations and practice
Why Information Assurance is Critical Now!
Here’s just a quick sampling of what’s occurring on a daily basis. This is just the US public sector.
https://www.privacyrights.org/data-breach/new (Must see site)
• Anthem – 80 million records (2/5/2015)
  http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/
• Organized Criminals in Russia Steal 1b Passwords (8/5/2014)
  http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
• JP Morgan Potentially Compromised (8/18/2014)
  http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480
• Hospital Hacked – 4.5 Million Records Compromised (8/18/2014)
  http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
• Home Depot
  http://www.forbes.com/sites/quickerbettertech/2014/09/22/why-the-home-depot-breach-is-worse-than-you-think/
• Target
  http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538
• The Car (2014 Moving Forward)
  http://money.cnn.com/2014/06/01/technology/security/car-hack/
The Assault on Healthcare & ePHI
• According to a Ponemon Institute study, criminal attacks on healthcare systems have risen 100% since 2010, with an average breach cost of $2m (US)
• Over 90% of healthcare organizations have had a breach in the last two years, with 38% having had more than five incidents (down from 45% the previous year)
• Risks with mandated health information exchanges (third-party considerations) / weakest link despite security standards from HIPAA-HITECH
• Bring Your Own Device (BYOD) – nearly 50% of breaches attributed to a lost or stolen device, and over 88% of organizations allow the use of BYOD
• Fortunately, the number of records compromised has decreased based on earlier detection and incident response – we’re getting better at handling security breaches…practice makes perfect?
Information is an easy target…
Our information is at risk. Knowing how information can be impacted is important to
developing the right strategy. Key vectors include:
• Integrity:
  o Modification
  o Fabrication
  o Repudiation
• Availability:
  o Interruption
  o Denial of Service (DoS) / Distributed Denial of Service (DDoS)
• Confidentiality:
  o Interception
  o Breach
  o Loss
Information Lifecycle & IA
Cloud Security Alliance
Tech Target: http://searchdatamanagement.techtarget.com/feature/Information-assurance-Dependability-and-security-of-networked-information-systems
Security Today: From Prevention to Detection
We are witnessing a sea change in security practices within larger
organizations…there is a recognition that prevention activities appear
inadequate and that now the metric that counts is: From Infection to
Detection.
Working Definitions
• Security
• Privacy
• Information Assurance
Security - Defined
The easiest way to think about security is to think about the outcome of what good
security provides: confidentiality, integrity, and availability of information (CIA).
Confidentiality is the end-state of ensuring that information is only viewed and
acted upon by those individuals, organizations, or systems that are authorized to
see such information. “A loss of confidentiality is the unauthorized disclosure of
information” – FIPS 199.
Integrity is the end-state of information and its processing such that the information is believed to be complete, accurate, valid and subject to restricted access (CAVR)…essentially untampered with or otherwise unmodified by unauthorized activity. “A loss of integrity is the unauthorized modification or destruction of information” – FIPS 199.
Availability is simply that…that the information is available for its required use
without delay or loss. “A loss of availability is the disruption of access to or use of
information or an information system” – FIPS 199.
Collectively, IT security is the set of processes that are involved with ensuring that
data and information meet the confidentiality, integrity, and availability objectives of
business.
Privacy - Defined
Definitions of privacy are growing more nuanced over time.
Privacy is “the right to be left alone” (Samuel Warren & Louis Brandeis: The Right to Privacy, Harvard Law Review, 1890).
Privacy is “the right of the individual to be protected against the intrusion into his (her) personal life or affairs, or those of his (her) family, by direct physical means or by publication of information” (UK, Calcutt Committee: 1997)
Privacy has contextual considerations:
• Information Privacy
• Bodily Privacy
• Territorial / Physical Privacy
• Communications Privacy
(Foundations of Information Privacy and Data Protection, Swire, et al., IAPP, 2012)
Information Assurance: Three Perspectives
National Defense: Information Assurance as a concept is strongly
influenced by the defense and national security communities and the
concept of network centric warfare techniques:
“Measures that protect and defend information systems by ensuring their
availability, integrity, authentication, confidentiality, and non-repudiation.
This includes providing for restoration of information systems by
incorporating protection, detection, and reaction capabilities” (Department
of Defense Directive Number 8500.1: October 24, 2002)
Corporate View: Intellectual Property, Financial, Client & Partner Data are subject to appropriate governance & control – CAVR.
Consumer View: Personal Health, Financial and other PII Data is controlled by the individual, and disclosure is also controlled by the individual.
Bringing It All Together: IA, Security, and Privacy
If we agree that information is the new global currency and that innovation and growth
are predicated on the quality of the information and data we use, it’s important that
we couple IA, Security, and Privacy and make information governance a top priority for
our organizations.
Let’s think about how these disciplines impact our
profession!
Privacy & Security – Inextricably Linked
Security can exist without privacy but privacy
cannot exist without security. Consequently,
privacy frameworks offer insights into good
governance and security practices though many
standards and frameworks have been challenged
by recent events – notably the Payment Card
Industry – Data Security Standard (PCI-DSS).
Privacy Laws & Standards
By Country / Region
• Mexico
• Canada
• US
• EU
• APEC
By Industry
• HIPAA-HITECH
• Financial Services
Laws & Regulations: Mexico, Canada and US
Mexico – National Privacy Law
http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf
Canada – National Privacy Law
https://www.priv.gc.ca/index_e.asp
https://www.priv.gc.ca/leg_c/leg_c_p_e.asp
US – Sectoral Approach (Federal Trade Commission)
http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
States
Massachusetts - http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
California - http://oag.ca.gov/ecrime/databreach/reporting
Nevada - http://www.leg.state.nv.us/NRS/NRS-603A.html
Laws & Regulations: Australia, APEC & Europe (EU)
Australia
http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act
http://www.oaic.gov.au/privacy/privacy-resources/privacy-factsheets/other/privacy-fact-sheet-17-australian-privacy-principles
APEC
http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx
European Union
http://europa.eu/about-eu/countries/member-countries/index_en.htm
http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm
https://safeharbor.export.gov/list.aspx (Safe Harbor Registrants)
International Privacy Regimes: APEC & OECD
APEC (2004) principles:
• Preventing Harm
• Notice
• Collection Limitation
• Uses of Personal Information
• Choice
• Integrity of Personal Information
• Security Safeguards
• Access and Correction
• Accountability
OECD (1980) principles:
• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability
International Privacy (Cont.): FIPS & Madrid
FIPS (1973) principles:
• No Secret Repositories
• Individual Control Over Use
• Individual Consent
• Correction
• Precautions Against Misuse
Madrid Resolution (2009) principles:
• Principle of Lawfulness & Fairness
• Purpose Specification Principle
• Proportionality Principle
• Data Quality
• Openness Principle
• Accountability
HIPAA-HITECH: Administrative, Physical & Technical Safeguards
• Security Management Process – 164.308(a)(1): Risk Analysis, Risk Management, System Review
• Assigned Security Responsibility – 164.308(a)(2): Accountability
• Workforce Security – 164.308(a)(3): Authorization and/or Supervision, Clearance & Termination Procedures
• Information Access Management – 164.308(a)(4): RBAC Procedures
• Security Awareness and Training – 164.308(a)(5): Anti-malware, log-in procedures, password management
• Security Incident Procedures – 164.308(a)(6): Incident Response Procedures
HIPAA-HITECH: Administrative, Physical & Technical Safeguards (cont.)
• Contingency Plan – 164.308(a)(7): Backup & Recovery, BC/DR Procedures & Testing, Applications and Data Criticality Analysis
• Evaluation – 164.308(a)(8): Review of Systems
• Business Associate Contracts and Other Arrangements – 164.308(b)(1): Contractual Obligations with Service Providers (Business Associates), Cascading Liability
• Facility Access Controls – 164.310(a)(1): Access Controls, Maintenance of Records, Contingency Operations
• Access Control – 164.312(a)(1): Encryption, Decryption, Log-off, Emergency Access*
• Audit Controls – 164.312(b): Evidence of Review
• Transmission Security – 164.312(e)(1): Integrity Controls (A), Security and Integrity
Gramm-Leach-Bliley (GLB) – FTC Enforcement
Financial Services Firms have an obligation to safeguard non-public information (NPI)
such as full account numbers, social security numbers (SSNs), etc.
Obligations:
• Privacy Notices
• Non-Affiliated Third Parties & Opt Out
• Ensure the Security & Confidentiality of Customer Records
• Protect Against Anticipated Threats or Hazards
• Protect Against Unauthorized Access
The FTC has established a clear expectation of security as a corporate obligation. The SEC, as we saw earlier, is also focused on the cyber posture of broker dealers.
Technology and IA
Internet of Things (IoT)
Cloud Computing
How will our professions change?
Internet of Things (IoT)
http://www.theregister.co.uk/2014/05/07/freescale_internet_of_things/
Internet of Things (IoT) – The Numbers Count
Auditing the IoT
How prepared is our industry to address these new
technologies?
• How do you audit an algorithm?
• How do you audit transaction volumes numbering in the billions or tens of billions?
• Can our existing audit tools capture data and interface with IoT systems?
We are heading into a new world of IT and system audit.
Cloud & Service Providers
Traditional IT (and IT audit) are changing…
Cloud Services & Service Demarcation
Service models (columns of the figure): On Site | Infrastructure (as a Service) | Platform (as a Service) | Software (as a Service)
Layers present under every model (rows of the figure, top to bottom):
• Applications
• Database
• O/S
• Hypervisors
• Servers
• Storage
• Networks
• Backups
Security, Monitoring & Governance: Critical Foundation
Roles & Responsibilities are Crucial Regardless of the Service Model
Layers (figure): Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups, Data Center
Cross-cutting functions: MONITORING, SECURITY, ITIL/SERVICE MANAGEMENT
Application-layer considerations:
• Audit Trail
• Client
• SaaS
• Segregation of Duties
• What is logged?
• Who’s responsible for the application is based on the service model
• How is the application impacted by other layers?
• What information is shared among layers?
• Shared administrative accounts?
Auditing the Cloud – We Face Serious Challenges
Our ability to audit cloud – third-party services – is
fundamentally challenged:
• How do you audit APIs and orchestration layer software?
• How do you control for multi-tenancy?
• How do you audit SaaS sans SSAE?
• How do you assess SOD in an IAM / Control Panel world?
As more than 50% of IT workloads move to the cloud, our industry has important work ahead in preparing to offer assurance in a cloud context.
Quick Wins
Information Assurance begins with:
• Know Legal Obligations
• Data Classification
• Data Inventory
• Data Retention
• Privacy Impact Assessment
• Security / Vulnerability Assessment
• Keep The Board Informed – No Surprises
• Assume a Breach!
Common Themes
• Inventory of Information
• Inventory of Critical Assets
• Supply-Chain / Vendor assessments
• Risk Assessments
• Security Assessments
• Board of Directors
• Executive Responsibility
• Investment in Training & Competencies
References
Privacy
https://privacyassociation.org/
https://www.privacyrights.org/data-breach/new
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
https://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn
Security
https://www.isaca.org
http://www.sans.org/
http://www.nist.gov/cybersecurity-portal.cfm
https://cloudsecurityalliance.org/
Matt Stamper, MPIA, MS, CISA, ITIL, CIPP-US
T 858.836.02224
M 760.809.2164
E matt.stamper@redIT.com
us.redit.com