
Privacy and Security Audits/PIAs/TRAs – Information Privacy and Data Protection, Lexpert Seminar, Bruce McWilliam, December 9, 2013.


1 Privacy and Security Audits/PIAs/TRAs – Information Privacy and Data Protection, Lexpert Seminar, Bruce McWilliam, December 9, 2013

2 Privacy and Security Audits

3 Importance of privacy and security audits
– Reported incidents of large-scale loss, theft, or exposure of personally identifiable information have increased from 21 to 1,622 from 2003 to 2012
– The hacking of Sony’s PlayStation Network cost the company an estimated $171M in cleanup costs
– Reputational harm is severe – one company’s stock price fell 70% in the 3-month period following a single hacking incident
– Average loss in brand value ranged from $184M to $330M (minimum brand loss was 12%)

4 Goals of a Privacy and Security Audit
Determines the level of compliance with:
– Applicable privacy laws and regulations
– Internally adopted privacy practices

5 Benefits of a Privacy and Security Audit
– Measures privacy effectiveness
– Demonstrates compliance
– Identifies gaps between required and actual privacy controls
– Forms the basis for a privacy remediation and improvement plan

6 Scope of audit – internal parties
– Departments or groups dealing directly with customers
  – Public affairs
  – Call centers
  – Reception
– IT department
– HR
– Finance

7 Scope of audit – external parties
– Business partners
– Technology partners
– Business customers/vendors
– Final consumer

8 Who conducts audits
– Internal (not recommended – outsiders spot problems you will miss)
– Accounting firms
– Large IT organizations
– Small firms specializing in security

9 Hiring an auditor
– Look at the audit team’s real credentials
– Review résumés
– Find the right fit
– Insist on details
– Ask for a statement of work
– Prepare to be audited
– Set the ground rules in advance
– Prepare all documentation/information to be provided to auditors

10 A typical audit
– The auditor will evaluate and test the information technology processes and systems to obtain sufficient, reliable, and relevant evidence to achieve the objectives of the audit.
– The findings and conclusions of the audit should be supported by appropriate analysis and interpretation of the evidence.

11 The audit process
– Establish a baseline through annual audits
– Define the scope and objectives of the audit
– Outline the approach to be taken in carrying out the audit
– Identify stakeholders and their roles/responsibilities
– Create an audit plan
– Identify the audit criteria
– Conduct the audit
– Prepare the audit report
– Take remedial steps, if any

12 Comprehensive risk assessment
– Sensitivity of the data
– Collection processes
– Storage techniques
– Complexity of processing and interfaces
– Third parties
– Disclosure policies and procedures
– Employee training
– Management accountability
– General security policies and procedures

13 Auditing Standards

14 Standards
Standard | Organization
Generally Accepted Privacy Principles (GAPP) | Canadian Institute of Chartered Accountants (CICA) and American Institute of Certified Public Accountants (AICPA)
Payment Card Industry Data Security Standard (PCI DSS) | Payment Card Industry Security Standards Council
Canadian Standard on Assurance Engagements (CSAE) 3416, “Reporting on Controls at a Service Organization” | CICA
Information Technology Control Guidelines (ITCG) | CICA

15 Standards cont’d
Standard | Organization
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AT Section 101) | AICPA
International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization | International Auditing and Assurance Standards Board (IAASB)
SysTrust/WebTrust | CICA/AICPA
ISO/IEC 27001:2005 Information technology -- Security techniques -- Information security management systems -- Requirements | International Organization for Standardization (ISO)

16 Standards cont’d
Standard | Organization
ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management | ISO
ISO 22307:2008 Financial services -- Privacy impact assessment | ISO
Harmonized Threat and Risk Assessment Methodology | Communications Security Establishment Canada and Royal Canadian Mounted Police
Enterprise Risk Management - Integrated Framework | Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Control Objectives for Information and Related Technology (COBIT) | Information Systems Audit and Control Association (ISACA)

17 Standards cont’d
Standard | Organization
IT Audit and Assurance Standards and Guidelines (includes code of professional conduct) | Information Systems Audit and Control Association (ISACA)
Information Technology Infrastructure Library (ITIL) | UK Office of Government Commerce
NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems | U.S. National Institute of Standards and Technology (NIST)
Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) | Common Criteria Recognition Arrangement (CCRA)
and others.

18 Privacy Impact Assessments (PIA)

19 What are privacy impact assessments?
– A systematic process for evaluating the potential effects on privacy of a project, initiative or proposed system or scheme, and finding ways to mitigate or avoid any adverse effects
– PIAs are a tool used to ensure privacy protection is a core consideration when a project is planned and implemented
– In Canada, virtually all government institutions must conduct PIAs for new or redesigned programs and services that raise privacy issues
– Also used by some private organizations

20 Typical content of a PIA
– Describes how personal information flows in a project
– Analyses the possible impacts on individuals’ privacy
– Identifies and recommends options for managing, minimizing, or eliminating these impacts
– Contains recommendations to address issues identified

21 Risks of forgoing a PIA
– Non-compliance with relevant privacy law, leading to a breach and/or negative publicity
– Loss of credibility and damage to reputation
– Potential system redesign, which can be very costly and time consuming when done mid-stream

22 PIAs as a compliance tool
A PIA should:
– Include information on relevant privacy laws and regulations
– Identify necessary adjustments for compliance
– Discuss how a project’s practices, systems and rules comply with specific legal obligations

23 Threat Risk Assessments (TRA)

24 What is a threat risk assessment?
– A formalized process used to assess potential impacts to information assets and supporting resources, and to recommend safeguards and controls

25 Threat and risk assessment
Differing methodologies aimed at answering questions such as:
– What needs to be protected?
– Who/what are the threats and vulnerabilities?
– What are the implications if they are damaged or lost?
– What is the value to the organization?
– What can be done?

26 TRA typical components
– Scope
– Data collection
– Analysis of policies and procedures
– Threat/vulnerability analysis
– Assessment of risk acceptability

27 TRA components – scope
– Must identify what is covered and what is not covered in the assessment
– Identifies what needs to be protected, the sensitivity of what is being protected, and to what level and detail
– A scope that is too broad will be cumbersome, while one that is too narrow may miss important threats/risks

28 TRA components – data collection
– Collect all policies and procedures currently in place and identify those that are missing or undocumented
– Interviews with key personnel
– Information on vulnerabilities and threats against specific systems and services is documented

29 TRA components – analysis of policies and procedures
– Existing policies and procedures are analyzed
– Sources for policy compliance that can be used as a baseline are:
  – ISO 17799, BSI 7799, Common Criteria – ISO 15504

30 TRA components – threat/vulnerability analysis
– Threats are anything that could contribute to the tampering, destruction, or interruption of any service or item of value
– Identify and assess both human and non-human threats
– Current exposure is identified and quantified
– Should use a grading system that incorporates both the probability of occurrence and the impact of occurrence

31

32 TRA components – assessment of risk acceptability
– Review of existing and planned safeguards to determine if discovered risks and threats have been mitigated
– Identification of what level of risk is acceptable to the organization
– Selection of appropriate security measures
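A worked example, added here and not part of the seminar material, of the probability-times-impact grading slide 30 calls for and the residual-risk acceptability review slide 32 describes. The five-level scales, the model in which a safeguard lowers probability or impact by a fixed number of levels, the acceptability threshold, and the register entries are all constructed assumptions; the presentation prescribes none of them.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed 1..5 scales (assumption: the seminar only says the grading must
# combine probability of occurrence and impact, not which scale to use).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Safeguard:
    name: str
    reduces_probability: int = 0  # levels removed from probability (assumed model)
    reduces_impact: int = 0       # levels removed from impact (assumed model)


@dataclass
class Threat:
    name: str
    probability: str
    impact: str
    human: bool                   # slide 30: assess both human and non-human threats
    safeguards: List[Safeguard] = field(default_factory=list)  # existing and planned


def inherent_score(t: Threat) -> int:
    """Exposure before any safeguard: probability level times impact level."""
    return PROBABILITY[t.probability] * IMPACT[t.impact]


def residual_score(t: Threat) -> int:
    """Exposure after existing and planned safeguards; levels never drop below 1."""
    p = max(1, PROBABILITY[t.probability] - sum(s.reduces_probability for s in t.safeguards))
    i = max(1, IMPACT[t.impact] - sum(s.reduces_impact for s in t.safeguards))
    return p * i


def assess(threats: List[Threat], acceptable_max: int) -> List[Dict]:
    """Slide 32: flag each threat as accepted or needing further measures,
    ranked by residual risk, highest first."""
    rows = [{"name": t.name, "human": t.human, "inherent": inherent_score(t),
             "residual": residual_score(t), "accepted": residual_score(t) <= acceptable_max}
            for t in threats]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register: one human threat with a safeguard, one non-human, one unmitigated.
REGISTER = [
    Threat("Lost laptop holding customer PII", "likely", "major", True,
           [Safeguard("Full-disk encryption", reduces_impact=2)]),
    Threat("Data-centre flood", "rare", "severe", False, [Safeguard("Off-site backups", reduces_impact=1)]),
    Threat("Call-centre staff emailing records", "possible", "moderate", True),
]
```

With an organizational ceiling of 6, `assess(REGISTER, 6)` accepts only the flood scenario and ranks the unmitigated email-handling threat above the encrypted laptop, which is the ordering a selection of further security measures would start from.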

33 Integration of PIA/TRA
– Threat risk assessments are a broad tool that capture all kinds of risks, including those related to private information
– Integration with a PIA is possible and can save both time and money
– Some consulting firms conduct integrated assessments

34 For further information regarding this presentation and its content please contact:
Bruce McWilliam
Direct: (416) 865-7214
bruce.mcwilliam@mcmillan.ca
McMillan LLP, Brookfield Place, 181 Bay Street, Suite 4400, Toronto, Ontario M5J 2T3

