
Protecting Data Privacy:

A Practical Guide to Managing Risk

Nathan Johns
Senior Audit Manager,
Crowe Chizek
Introductions

- Nathan Johns
  - Executive
  - Over 15 years of experience in conducting IT audits and examinations
  - Former FDIC regulator – oversaw the IT Examination program for the FDIC
  - Certifications include CISA and commissioned bank examiner
Agenda

- The Goal
- Current Data Privacy Landscape
- Data Privacy Roadmap
  - Develop a Program Charter
  - Conduct a Risk Assessment
  - Develop a Data Safeguarding Program
  - Develop and execute ongoing processes
- Questions
The Goal: Prevent Disclosure

- Understand legislation, regulations, pending legislation and best practices related to data privacy
- Assemble a data protection/safeguarding program that is practical, yet effective
- Conduct an assessment to understand risks
  - Identification and inventory of data
    - Systems
    - Files/Forms
    - Magnetic media
  - Classification of data
    - What is and is not Personally Identifiable Information?
- Educate staff on privacy and information security
- Implement controls that are reasonable
- Mitigate reputation, regulatory, litigation, and financial risks
Current Landscape: Numerous Breaches

- TJMaxx – wireless network hacked
  - Lost 45.7 million consumer credit and debit card numbers to an intrusion believed to be linked to weaknesses in its wireless network.
  - Expenses estimated at $500 million to $1 billion. Settlement with VISA USA: $40.9 million to fund an alternative recovery payments program.
  - At least 19 lawsuits have been filed; investigations are underway by the FTC and 37 state Attorneys General.
- Bank of America – backup tape lost
  - A shipping vendor lost computer data tapes containing personal information on up to 1.2 million federal employees, including some members of the U.S. Senate.
- Veterans Administration – laptop stolen
  - A laptop containing sensitive data was stolen from a VA employee's home.
- For more stories like this go to: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Current Landscape: Laws for Customer Notification

- Highest-profile regulations/laws in the privacy environment
  - Significant reputational risk impact, potential financial and legal impacts
- Over 40 state laws – all differ as to liability, the instances in which notification is required, the types of data considered nonpublic, etc.
- FACT Act – requires notification in the event of a breach for regulated financial institutions, FTC-regulated companies and SEC-regulated companies
- Four pending federal bills
- ID Theft Red Flags
Current Landscape – Causes of a Breach

[Chart of breach causes; the chart itself is not reproduced in this text version. Source: Ponemon Institute, 2007 Annual Study: U.S. Cost of a Data Breach – Understanding Financial Impact, Customer Turnover, and Preventative Solutions]
Data Privacy Roadmap: The long term plan

1. Establish a Program Charter
   - Identify objectives
   - Obtain senior management buy-in
2. Conduct a Privacy Risk Assessment
   - Top-down approach
   - Identify gaps
   - Plan remediation
3. Establish or Update the Information Security Program
   - Set standards for data protection based on the risk assessment
   - Establish or update the Incident Response Plan
     - Plan to act timely and appropriately in the event of an incident
Data Privacy Roadmap: The long term plan (continued)

4. Build a Sustainable Process for Data Privacy
   - Ongoing awareness and training
   - Ongoing monitoring and testing
   - Periodic environment scan
   - Program modifications as necessary
   - Ongoing control improvement as identified
5. Test Information Security Program effectiveness (and Risk Assessment accuracy!)
Establish a Program Charter

- Identify and document management's goals for data protection
  - The level of risk management is willing to accept
  - Types of data to be included in the program (customer, internal)
- Discuss and document implications in the charter
  - Business processes may need to be adjusted
  - Investments may need to be made in data protection
  - Security is not a one-time project; it is an ongoing program
- Gain written approval of the program charter
- Communicate the new program to all employees
- Define the data to include:
  - Customer information – information about customers of the institution
  - Consumer information – information about an individual the institution has contact with (not necessarily a customer)
  - Business-sensitive information – information that is critical to the operation of the institution
The role of the Information Security/Privacy Program

- Establish Information Security Program standards
- Work with each department to understand business processes that affect consumer data
- Help increase awareness about the risks of poor data safeguarding
- Help everyone understand their role in protecting consumer data
- Review objective data from the risk assessment and make educated subjective determinations of risk
The role of the individual departments

- Provide a comprehensive inventory of applicable information assets on behalf of their department
  - This may involve investigation within their department
- Report accurately on the type of data stored as well as the volume of data
- Report accurately on the controls in place to protect this data
- Ultimately, represent their department in identifying areas where the organization can improve in the protection of consumer data
Conducting a Data Privacy Risk Assessment

- The goal – to determine:
  - What data do you have, and where, how and why do you store and transmit it?
  - How do you protect the data? Are the safeguards appropriate given the volume and type of data?
  - What control gaps exist? What is the appropriate strategy for gap remediation?
  - What is your residual risk level?
- Getting started
  - Put together a project plan for the initial risk assessment
  - Build a core team to execute the project
    - Project coordinators/champions
    - Departmental representatives
Overall Approach: Phased Data Gathering

- Step One: Identification of departments and discussion of processes and their applicability
  - The information security expert determines how each department uses consumer data in its role in the organization
- Step Two: Inventory of "information assets" associated with each process
  - Applications
  - Paper documents
  - Media
  - Can be classified as is most appropriate
- Step Three: Sensitivity analysis
  - Determination of the volume and type of consumer data
  - This should be based on a formal data classification scheme
Overall Approach: Phased Data Gathering (continued)

- Step Four: Control analysis
  - Each information asset should be measured against the control objectives defined for that asset type
  - Controls can be physical, operational or technical
  - Example: Mobile media
    - Operational controls
      - Data is appropriately safeguarded and risks mitigated while media is in transit
      - Secure electronic transmission is utilized to minimize the media that need to be transported
      - Media is not stored temporarily or transported in inappropriate ways (e.g. stored in car trunks, checked in luggage, sent via a carrier without tracking capability, etc.)
      - Media disposal is appropriate
      - Media is shredded or otherwise destroyed when purged
    - Technical controls
      - Encryption controls have been appropriately implemented
      - Mobile media has been encrypted prior to transit
Closing the loop – Threat Assessment

- When you're done with your detailed data privacy risk assessment, you will have a large volume of information on the risks your company takes as they relate to data
- In order to close the loop, consider the "so what" factor
  - We can do this by assembling our results in the form of a threat assessment
  - This step is also required under the Gramm-Leach-Bliley Act
- The basic goal
  - Identify the types of incidents that could happen
  - Determine the likelihood of occurrence
  - Determine the potential damage
  - Determine the sufficiency of controls to prevent this type of incident
- Leverage what you've just done to add validity to your threat assessment
  - You know exactly where, what, why and how data is stored
- Complete with a group
  - Effective as a workshop for your key data protection team
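The following is an added illustration, not part of the original presentation, of how the sensitivity analysis (Step Three), the control analysis (Step Four) and the closing threat assessment fit together when the departmental inventory is recorded as data. The classification scheme, the control objectives per asset type, the sample inventory and the residual-risk weighting are all constructed assumptions for the example; a real program would take them from its own charter and classification policy.

```python
"""Control-gap analysis over an information-asset inventory.

Added example, not code from the presentation. Every table and record
below is constructed to illustrate the phased data gathering approach.
"""
from dataclasses import dataclass, field

# Assumed formal data classification scheme: higher rank = more sensitive.
CLASSIFICATION = {"public": 0, "internal": 1, "consumer-npi": 2}

# Assumed control objectives per asset type, split into physical /
# operational / technical. Each objective applies to assets whose
# classification rank is at or above the listed minimum rank.
CONTROL_OBJECTIVES = {
    "mobile-media": [
        ("technical", "encrypted-before-transit", 2),
        ("operational", "tracked-carrier", 1),
        ("operational", "destroyed-on-purge", 1),
        ("physical", "locked-storage", 1),
    ],
    "application": [
        ("technical", "access-control", 1),
        ("technical", "encrypted-at-rest", 2),
        ("operational", "access-review", 2),
    ],
    "paper": [
        ("physical", "locked-storage", 1),
        ("operational", "shredded-on-purge", 1),
    ],
}


@dataclass
class Asset:
    """One information asset as reported by a department (Step Two/Three)."""
    name: str
    department: str
    asset_type: str
    classification: str
    record_count: int
    controls: set = field(default_factory=set)  # controls reported in place


@dataclass
class Gap:
    asset: str
    kind: str      # physical / operational / technical
    control: str


def required_controls(asset):
    """Control objectives that apply to this asset given its sensitivity."""
    rank = CLASSIFICATION[asset.classification]
    return [(kind, ctl) for kind, ctl, min_rank
            in CONTROL_OBJECTIVES[asset.asset_type] if rank >= min_rank]


def find_gaps(assets):
    """Step Four: measure each asset against its control objectives."""
    gaps = []
    for asset in assets:
        for kind, ctl in required_controls(asset):
            if ctl not in asset.controls:
                gaps.append(Gap(asset.name, kind, ctl))
    return gaps


def residual_risk(asset, gaps):
    """Threat-assessment style score (assumed weighting): potential damage
    (sensitivity rank x record volume) times a likelihood proxy, the
    fraction of required controls that are missing."""
    required = required_controls(asset)
    if not required:
        return 0.0
    missing = sum(1 for g in gaps if g.asset == asset.name)
    damage = CLASSIFICATION[asset.classification] * asset.record_count
    return damage * missing / len(required)


def rank_assets(assets):
    """Highest residual risk first, to drive remediation priority."""
    gaps = find_gaps(assets)
    return sorted(((residual_risk(a, gaps), a.name) for a in assets), reverse=True)


# Constructed sample inventory, as departments would report it.
INVENTORY = [
    Asset("backup tapes", "IT Ops", "mobile-media", "consumer-npi", 1_200_000,
          {"tracked-carrier", "locked-storage"}),
    Asset("loan origination system", "Lending", "application", "consumer-npi", 50_000,
          {"access-control", "encrypted-at-rest", "access-review"}),
    Asset("branch brochures", "Marketing", "paper", "public", 0, set()),
    Asset("signature cards", "Branch Ops", "paper", "consumer-npi", 8_000,
          {"locked-storage"}),
]

if __name__ == "__main__":
    for g in find_gaps(INVENTORY):
        print(f"GAP {g.asset}: missing {g.kind} control '{g.control}'")
    for score, name in rank_assets(INVENTORY):
        print(f"{name}: residual risk {score:,.0f}")
```

Run as a script, the gap list shows the unencrypted backup tapes (the same failure pattern as the lost-tape incident in the landscape section) missing both the technical and the operational objective, and the ranking puts them well ahead of the signature cards, which carry the same data class but far fewer records. The point of keeping the objectives as data rather than prose is that when the classification scheme or a control objective changes, every asset is re-measured consistently instead of relying on each department's own reading of the policy.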
A successful data safeguarding program…

- Is aligned with the organization's strategic objectives;
- Has the full and visible support of senior leadership;
- Starts at the top of the organization and permeates all business units, divisions, and departments;
- Is championed and managed by individuals with sufficient expertise in information and IT security;
- Is effectively communicated to all employees;
- Is actively monitored and tested for effectiveness.
Fitting this into the policy puzzle…

- Companies already have many policies, many of which touch on information security
  - IT policies and procedures
  - Employee handbooks and codes of ethics
  - Privacy notice policies and data sharing policies
- Key points in making the fit
  - Link them – use references to show policy ties
  - Do not duplicate – try to avoid putting the same policy verbiage in multiple places
    - Exception: audience-specific policies, such as an end-user Information Security Policy
  - Create an outline – as a management team, develop a structure or system in which the policies will be organized
  - Remember your goal – safeguarding data in all forms
Questions?