Ulf Mattsson, www.TokenEx.com
A Practical Data Privacy and Security Approach to FFIEC, GDPR and CCPA
threatpost.com
Ulf Mattsson
• Head of Innovation at TokenEx
• Chief Technology Officer at Protegrity
• Chief Technology Officer at Atlantic BT Security Solutions
• Chief Technology Officer at Compliance Engineering
• Developer at IBM Research and Development
• Inventor of 70+ issued US patents
• Provided products and services for:
  • Benchmarking/Gap-analysis
  • Data Discovery
  • Data Encryption and Tokenization
  • Robotics, ERP, CRM in Manufacturing
  • Cloud Application Security Broker (CASB)
  • Web Application Firewall (WAF)
  • Managed Security Services
  • Security Operation Center (SOC)
Agenda
1. The Breach Epidemic – Financial Industry
• Verizon Data Breach Investigations Report (DBIR) and Ponemon Institute
2. EU General Data Protection Regulation (GDPR)
• GDPR Security Framework
3. California Consumer Privacy Act (CCPA)
• CCPA Redefines Personal Data
4. International Organization for Standardization (ISO)
• ISO Risk Management Principles and Guidelines
• ISO Data Privacy and Security Standard
5. US National Institute of Standards and Technology (NIST)
• NIST Cybersecurity Framework (CSF)
• NIST Security Controls Requirements
6. Information Systems Audit and Control Association (ISACA)
• Control Objectives for Information and Related Technology (COBIT)
• COBIT, ValIT and Risk IT
7. Federal Financial Institutions Examination Council (FFIEC)
• FFIEC Information Technology Examination Handbook (IT Handbook)
8. Payment Card Industry Data Security Standard (PCI DSS)
• PCI DSS version 4.0
9. Deployments on-premises and cloud
The Breach Epidemic
The privacy breach trend is alarming
The US Federal Trade Commission (FTC) reported that credit card fraud tops the list of identity theft reports in 2018. The FTC received nearly three million complaints from consumers in 2018.
The FTC received more than 167,000 reports from people who said their information was misused on an existing account or to open a new credit card account.
Source: Redhat / IBM
Source: Bitglass, Ponemon, 2019
The cost per breached record within financial services exceeds that of all other industries except healthcare (which was $429). Technology came in third place at $183, while the public sector came in last at $78.
Source: Bitglass, 2019
With global cloud adoption reaching 86% and bring your own device (BYOD) policies finding their way into 85% of organizations, it can be challenging to maintain proper visibility and control over data, particularly when the appropriate cloud and mobile security solutions are not put in place.
Global Map Of Privacy Rights And Regulations
Privacy Fines
• British Airways was fined £183 million by the UK ICO for a series of data breaches in 2018, followed by a £99 million fine against the Marriott International hotel chain.
• French data protection regulator CNIL fined Google €50 million in 2019.
• Some companies narrowly avoided a GDPR-scale fine, as their data incident occurred prior to GDPR's implementation date.
• Both Equifax and Facebook received the maximum fine possible (£500,000) under the previous Data Protection Act 1998.
• In 2019, Facebook settled with the Federal Trade Commission in the United States over privacy violations, a settlement that required the social network to pay $5 billion.
GDPR & CCPA
GDPR Security Requirements – Encryption and Tokenization
Source: IBM
Framework elements shown: Discover Data Assets; Encryption and Tokenization; Security by Design.
Source: BigID
Example of Cross Border Data-centric Security
Diagram: data sources feeding a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities.
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
CCPA Redefines Personal Data
• According to “PI Vs PII: How CCPA Redefines What Is Personal Data”, the CCPA definition “creates the potential for extremely broad legal interpretation around what constitutes personal information, holding that personal information is any data that could be linked with a California individual or household.”
• CCPA states that “‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
• This goes well beyond data that is obviously associated with an identity, such as name, birth date, or social security number, which is traditionally regarded as PII.
• It is ultimately this “indirect” information, such as product preference or geolocation data, that is material, since it is much more difficult to identify it and connect it with a person than well-structured personally identifiable information.
ISO & COBIT
GDPR Related to ISO International Standards
• ISO/IEC 27018 – PII in Cloud (Basic Requirements)
• ISO/IEC 27002 – Security Controls
• ISO/IEC 27001 – PII OnPrem
• ISO/IEC 27005 – Risk Management
• ISO/IEC 29134 – Privacy Impact
• ISO/IEC 17789 – Cloud Architecture
• ISO/IEC 29101 – Privacy by Design
• ISO/IEC 29100 – Privacy for Cloud
• ISO/IEC 17788 – Definitions
Diagram: ISO/IEC 27000 series (ITSEC Management) + PII Processor (Enforcement) + PII Controller (Privacy Rules) + GDPR (Adding Requirements).
ISO/IEC 27002: Information technology — Security techniques — Code of practice for information security controls
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
ISO/IEC 27001 - PII OnPrem
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
ISO 27001 vs COBIT
Source: Securityboulevard
Positioning COBIT, ValIT and Risk IT (ISACA)
ISO/IEC 27002 Security Controls
Diagram: ISO/IEC 27002 Security Controls within the ISO/IEC 27000 series (ITSEC Management), alongside ISO/IEC 27018 (PII in Cloud), ISO/IEC 27001 (PII OnPrem), ISO/IEC 27005 (Risk Management), ISO/IEC 29134 (Privacy Impact), ISO/IEC 17789 (Cloud Architecture), ISO/IEC 29101 (Privacy by Design), ISO/IEC 29100 (Privacy for Cloud), ISO/IEC 17788 (Definitions), and GDPR.
ISO/IEC 27002 control clauses:
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Risk Management
ISO 31000 Framework
Source: Doug Newdick
ISO 31000 in Summary
Source: Doug Newdick
Example – Risk and Compliance Tool
Source: Modulo / SAI Global
Example – Risk Management Tool
Questions the tool answers: Are your security controls covering all sensitive data? Are your deployed security controls failing?
Source: innosec.com
NIST SP 800-39 Risk Management
Source: https://csrc.nist.gov/csrc/media/publications/nistir/8170/draft/documents/nistir8170-draft.pdf
NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce. NIST promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.
NIST 800-137 Cybersecurity Framework (CSF)
• The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.
• It is unrecognized outside the USA. It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes."
• It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management.
• A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.
• It includes guidance on relevant protections for privacy and civil liberties.
NIST Cybersecurity Framework (CSF)
Source: https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc
NIST 800-171 Family of Requirements
Source: Corserva
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
FFIEC
Federal Financial Institutions Examination Council (FFIEC)
FFIEC is a formal U.S. government interagency body that includes five banking regulators: the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".
Source: Wikipedia
Mapping FFIEC to NIST Cybersecurity Framework – Some Examples
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
FFIEC Cybersecurity Assessment
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
Diagram elements: Risk, Resources, Controls.
PCI DSS
PCI Vs. GDPR: What’s The Difference?
Source: securitymetrics.com
PCI DSS 12 Requirements
39
Best Practices for Maintaining PCI DSS Compliance
Source: Verizon 2019 Payment Security Report
Compliance Program Performance Evaluation Framework
Source: Verizon 2019 Payment Security Report
• There are no significant concerns about capacity, capability, competence, commitment or communication
• The competence control risk does not exist
• There is uncertainty whether the needed competence exists internally
Encryption and Privacy Models
Defining your data via data discovery and classification
Source: Forrester
Data Security And Control Framework: 1) defining the data; 2) dissecting and analyzing the data; 3) defending the data.
Anonymization is: “A method of de-identification that removes all personally identifiable information from a data set to the extent that makes the possibility of re-identification of the data negligible”
De-identification of data
Source: Forrester
Examples of de-identification techniques
• Interest in technical capabilities for anonymizing data expanded as the GDPR came into force
• With truly anonymized data, data protection authorities no longer consider it personally identifiable information and it falls outside of scope for the regulation
ISO Standard for Encryption and Privacy Models
• Privacy enhancing data de-identification terminology and classification of techniques
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Classification shown on the slide:
• Formal privacy measurement models (PMM)
  • Differential Privacy (DP): server model and local model. Responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator”**
  • K-anonymity model: ensures that for each identifier there is a corresponding equivalence class containing at least K records
• De-identification techniques (DT)
• Cryptographic tools (CT)
  • Format Preserving Encryption (FPE): encrypted data has the same format
  • Homomorphic Encryption (HE): two values encrypted can be combined*
The entity receiving the data is looking to reduce risk.
*: Multi Party Computation (MPC)
**: Example Apple and Google
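The k-anonymity model above requires every equivalence class of quasi-identifier values to hold at least K records. The following is an added example (not from the deck or from ISO/IEC 20889) that measures the k a data set achieves, then applies generalization and record suppression, two of the de-identification techniques listed on the later slide, to reach a target K, and checks l-diversity of the result so that a class does not leak a single shared sensitive value. The sample records, the choice of quasi-identifiers and the generalization rules are assumptions for illustration.

```python
"""k-anonymity measurement with generalization and record suppression.

Constructed example: names have already been removed, the quasi-identifiers
are zip, age and gender, and diagnosis is the sensitive attribute.
"""
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, object]

# Constructed sample data set (not real people).
RECORDS: List[Record] = [
    {"zip": "02139", "age": 29, "gender": "F", "diagnosis": "flu"},
    {"zip": "02138", "age": 31, "gender": "F", "diagnosis": "asthma"},
    {"zip": "02139", "age": 34, "gender": "M", "diagnosis": "flu"},
    {"zip": "02141", "age": 42, "gender": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "age": 47, "gender": "M", "diagnosis": "flu"},
    {"zip": "02143", "age": 58, "gender": "F", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "age", "gender")   # assumed quasi-identifiers
SENSITIVE = "diagnosis"                        # assumed sensitive attribute


def equivalence_classes(records: Iterable[Record],
                        quasi_identifiers: Tuple[str, ...]) -> Dict[Tuple, List[Record]]:
    """Group records by their quasi-identifier values; each group is one equivalence class."""
    classes: Dict[Tuple, List[Record]] = {}
    for record in records:
        key = tuple(record[q] for q in quasi_identifiers)
        classes.setdefault(key, []).append(record)
    return classes


def k_anonymity(records: List[Record], quasi_identifiers: Tuple[str, ...]) -> int:
    """The k a data set achieves is the size of its smallest equivalence class.

    A record alone in its class can be singled out; k >= 2 means every
    quasi-identifier combination is shared by at least two records.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    return min(len(members) for members in classes.values()) if classes else 0


def l_diversity(records: List[Record], quasi_identifiers: Tuple[str, ...],
                sensitive: str) -> int:
    """Smallest number of distinct sensitive values in any equivalence class.

    k-anonymity alone does not stop inference: if every record in a class
    shares one diagnosis, the class reveals it. l >= 2 rules that case out.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    return min(len({m[sensitive] for m in members})
               for members in classes.values()) if classes else 0


def generalize(record: Record) -> Record:
    """Generalization step (assumed rules): 3-digit ZIP prefix, 10-year age band, gender dropped."""
    decade = int(record["age"]) // 10 * 10
    return {
        "zip": str(record["zip"])[:3] + "**",
        "age": f"{decade}-{decade + 9}",
        "gender": "*",
        SENSITIVE: record[SENSITIVE],
    }


def suppress_small_classes(records: List[Record], quasi_identifiers: Tuple[str, ...],
                           k: int) -> List[Record]:
    """Record suppression: drop every record whose equivalence class has fewer than k members."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [m for members in classes.values() if len(members) >= k for m in members]


def anonymize(records: List[Record], quasi_identifiers: Tuple[str, ...],
              k: int) -> Tuple[List[Record], int]:
    """Generalize first (keeps more records), then suppress what is still below k.

    Returns the releasable records and the number of records suppressed.
    """
    generalized = [generalize(r) for r in records]
    released = suppress_small_classes(generalized, quasi_identifiers, k)
    return released, len(generalized) - len(released)


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))           # 1: every row is unique
    released, dropped = anonymize(RECORDS, QUASI_IDENTIFIERS, k=2)
    print("released k =", k_anonymity(released, QUASI_IDENTIFIERS),    # 2
          "l =", l_diversity(released, QUASI_IDENTIFIERS, SENSITIVE),  # 2
          "suppressed =", dropped)                                     # 2
```

Generalization trades data truthfulness at record level (age 34 becomes "30-39") for fewer suppressed records, which is the trade-off the risk-reduction table on the ISO/IEC 20889 slide summarises.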
Positioning of some Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Diagram panels (recovered labels):
• Format Preserving Encryption (FPE): Clear 123 → FPE Enc (protected key) → Protected DB (897) → FPE Dec → Clear 123
• Homomorphic Encryption (HE): Clear_D1, Clear_D2 → HE Enc (protected keys) → Enc_D1, Enc_D2 → Op(Enc_D1, Enc_D2) at an “Untrusted Party*” → HE Dec → Clear12
• Differential Privacy (DP): Clear → Cleanser → Filter → Curator** → Protected
• k-Anonymity Model: DB → Clear → Cleanser → Filter
*: Multi Party Computation (MPC)
**: Example Apple
Example of mapping of data security and privacy techniques (ISO) to different deployment models
Privacy enhancing data de-identification terminology and classification of techniques
Columns (deployment models): Data Warehouse | Centralized | Distributed | On-premises | Public Cloud | Private Cloud (y = applicable)
Cryptographic tools – Tokenization:
• Vault-based tokenization: y y
• Vault-less tokenization: y y y y y y
Cryptographic tools:
• Format preserving encryption: y y y y y
• Homomorphic encryption: y y
Suppression techniques:
• Masking: y y y y y y
• Hashing: y y y y y y
Formal privacy measurement models – Differential Privacy:
• Server model: y y y y y y
• Local model: y y y y y y
Formal privacy measurement models – K-anonymity model:
• L-diversity: y y y y y y
• T-closeness: y y y y y y
Risk reduction and truthfulness of some de-identification techniques and models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Columns: Technique name | Data truthfulness at record level | Applicable to types of attributes | Reduces the risk of: Singling out | Linking | Inference
Cryptographic tools
• Deterministic encryption | Yes | All attributes | No | Partially | No
• Order-preserving encryption | Yes | All attributes | No | Partially | No
• Homomorphic encryption | Yes | All attributes | No | No | No
Suppression
• Masking | Yes | Local identifiers | Yes | Partially | No
• Local suppression | Yes | Identifying attributes | Partially | Partially | Partially
• Record suppression | Yes | | | |
• Sampling | Yes | N/A | Partially | Partially | Partially
Pseudonymization
• Pseudonymization | Yes | Direct identifiers | No | Partially | No
Generalization
• Generalization | Yes | Identifying attributes | | |
• Rounding | Yes | Identifying attributes | No | Partially | Partially
• Top/bottom coding | Yes | Identifying attributes | No | Partially | Partially
Noise addition
• Noise addition | No | Identifying attributes | Partially | Partially | Partially
Example of 29 Vendors Providing Different Data Protection Options
Source: Forrester
Table columns: # Employees | De-identification | Data in-use protection | Application-level encryption | Data at-rest encryption | Data masking. Vendor size bands (# employees): 72000 to 350000; 600 to 5600; 14000 to 15000; 3 to 15; 20 to 30; 50 to 93; 104 to 500.
Example of 21 Smaller Vendors Innovating in Data Protection (Patent Applications)
Source: Forrester, USPTO
Table columns: # Employees | Data in-use protection | De-identification | App level encryption | Data at rest encryption | Data masking | Format Preserving Encryption | # Patent Applications | Innovative Patent Applications. Vendor size bands (# employees): 3 to 25; 30 to 95; 104 to 180.
Examples of Data Protection Use Cases
Diagram elements:
• User → Payment Application → Payment Network; Payment Data protected with Tokenization (VBT), encryption and keys
• User → CASB; User → Call Center Application; PII Data protected with Format Preserving Encryption (FPE) and Vault-based tokenization (VBT)
• User → Data Warehouse; PII Data protected with Vault-less tokenization (VLT)
• Salesforce
Example of a Payment Application
Diagram elements: User → Payment Application → Payment Network (Tokens); User → Call Center Application; Tokenization (VBT), encryption and keys.
A Gateway can work in the background, enabling an organization to keep existing business operations with few modifications.
Tokenization is turning sensitive data into non-sensitive data called "tokens" that can be used in a database or internal system without bringing it into scope.
BROWSER: Browser-Based Encryption with iFrames
MOBILE: Native Applications or Web-Based Applications
Private Cloud (example - Armor.com) can provide security and compliance benefits by mapping security controls to PCI compliance mandates, which reduces regulatory scope, simplifies the auditing process and lowers management costs.
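The vault-based tokenization (VBT) flow on this slide, as an added example that is not TokenEx code: the application and its database only ever hold the token, and the vault is the single component that can map a token back to the card number. The design choices are assumptions for illustration: tokens keep the last four digits, every other digit is random, and each token is forced to fail the Luhn check so it can never be mistaken for a real card number. The sample PAN is a well-known test number.

```python
"""Vault-based tokenization of a payment card number (constructed example)."""
import secrets
from typing import Dict, List


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for the vault; a real one is a hardened, access-controlled service."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new one on first sight (same PAN -> same token)."""
        if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]    # assumed format: random body, last four digits kept
            # Reject collisions with issued tokens and any Luhn-valid string
            # (which also rules out the PAN itself, since a PAN is Luhn-valid).
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; this call is the one that stays inside the CDE."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise LookupError("unknown token") from None


class OrderDatabase:
    """Application-side store: holds tokens, never PANs, so it stays out of PCI DSS scope."""

    def __init__(self) -> None:
        self.rows: List[Dict[str, object]] = []

    def record_order(self, vault: TokenVault, pan: str, amount_cents: int) -> Dict[str, object]:
        """The application hands the PAN to the vault and stores only what comes back."""
        row = {"card_token": vault.tokenize(pan), "amount_cents": amount_cents}
        self.rows.append(row)
        return row

    def contains_pan(self, pan: str) -> bool:
        """Scope check: confirm the PAN never landed in the application store."""
        return any(pan in str(value) for row in self.rows for value in row.values())


if __name__ == "__main__":
    vault = TokenVault()
    db = OrderDatabase()
    test_pan = "4111111111111111"   # well-known test card number, not a live card
    row = db.record_order(vault, test_pan, 1999)
    print("stored:", row)
    print("PAN in application store:", db.contains_pan(test_pan))
    print("vault resolves token back to PAN:", vault.detokenize(row["card_token"]) == test_pan)
```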
Cloud transformations are accelerating
Diagram (Risk Adjusted Computation): deployment options from in-house to out-sourced: On-premises system → On-premises Private Cloud → Hosted Private Cloud → Public Cloud. Axes: Risk (low to high), Elasticity, Compute Cost (high to low).
Data Security Approaches
Source: TokenEx
Diagram: approaches placed along a Data Utility axis (Max Utility to Min Utility) against a Data Protection axis (Min Protection to Max Protection): Minimization; Devaluation/Pseudonymisation/Tokenization; Data Hashing/Masking; Encryption.
How Should I Secure Different Types of Data?
Diagram axes: Type of Data (Structured, Un-structured) and Use Case (Simple – Complex).
Data types: PCI (Card Holder Data); PHI (Protected Health Information); PII (Personally Identifiable Information).
Approaches: Tokenization of Fields; Encryption of Files.
Total Cost and Risk of Tokenization in Cloud vs On-prem
Source: TokenEx
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
Which of the following most closely describes what ‘hybrid cloud’ means in your organization?
Source: Forrester
For each of the following data center and IT infrastructure components, how much outsourcing and managed services does your firm use for IT operation? (excluding systems integrators for project implementation)
Source: Forrester
Cloud transformations are accelerating
References:
1. California Consumer Privacy Act, Oct 4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
2. CIS Controls V7.1 Mapping to NIST CSF, https://dataprivacylab.org/projects/identifiability/paper1.pdf
3. GDPR and Tokenizing Data, https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx
4. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf
5. General Data Protection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
6. IBM Framework Helps Clients Prepare for the EU's General Data Protection Regulation, https://ibmsystemsmag.com/IBM-Z/03/2018/ibm-framework-gdpr
7. INTERNATIONAL STANDARD ISO/IEC 20889, https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI-k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE
8. INTERNATIONAL STANDARD ISO/IEC 27018, https://webstore.ansi.org/Standards/ISO/ISOIEC270182019?gclid=EAIaIQobChMIleWM6MLd5gIVFKSzCh3k2AxKEAAYASAAEgKbHvD_BwE
9. ISO/TS 25237:2008(E), Health Informatics—Pseudonymization, https://www.sis.se/api/document/preview/911119/
10. NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, https://www.nist.gov/system/files/documents/2019/09/09/nist_privacy_framework_preliminary_draft.pdf
11. NIST Releases Evaluation of Cloud Computing Services Based on NIST SP 800-145 (NIST SP 500-322), February 23, 2018, https://www.nist.gov/news-events/news/2018/02/nist-releases-evaluation-cloud-computing-services-based-nist-sp-800-145
12. NIST Special Publication 800-53, https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
13. NISTIR 8053, De-Identification of Personal Information, https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf
14. Tokenization Product Security Guidelines, Version 1.0, April 2015, PCI Security Standards Council, https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf?agreement=true&time=1570880509645
15. Trust the IAPP for actionable information on the California Consumer Privacy Act, https://iapp.org/l/ccpaga/?gclid=EAIaIQobChMI-cnYtffG5QIVIueGCh09Cw56EAAYBCAAEgIEp_D_BwE
16. Data Security: On Premise or in the Cloud, ISSA Journal, December 2019
Thank You!
Ulf Mattsson
www.TokenEx.com

More Related Content

What's hot (20)

PPTX
ISACA Houston - How to de-classify data and rethink transfer of data between ...
Ulf Mattsson
 
PPTX
Protecting Data Privacy in Analytics and Machine Learning
Ulf Mattsson
 
PPTX
Unlock the potential of data security 2020
Ulf Mattsson
 
PPTX
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
PPTX
What I learned at the Infosecurity ISACA North America Conference 2019
Ulf Mattsson
 
PPTX
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Ulf Mattsson
 
PPTX
New technologies for data protection
Ulf Mattsson
 
PPTX
Practical risk management for the multi cloud
Ulf Mattsson
 
PDF
ETIS Information Security Benchmark Successful Practices in telco security
ETIS - the Global IT Association for Telecommunications
 
PPTX
Advanced PII / PI data discovery and data protection
Ulf Mattsson
 
PPTX
Book
Ulf Mattsson
 
PDF
N-able webinar:Build recurring revenue in 45 days
Solarwinds N-able
 
PDF
Where Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
 
PPTX
New york oracle users group 2013 spring general meeting ulf mattsson
Ulf Mattsson
 
PDF
Key note in nyc the next breach target and how oracle can help - nyoug
Ulf Mattsson
 
PPT
Future data security ‘will come from several sources’
John Davis
 
PDF
Where data security and value of data meet in the cloud brighttalk webinar ...
Ulf Mattsson
 
PPTX
Securing data today and in the future - Oracle NYC
Ulf Mattsson
 
PPTX
How to protect privacy sensitive data that is collected to control the corona...
Ulf Mattsson
 
PDF
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Denodo
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
Ulf Mattsson
 
Protecting Data Privacy in Analytics and Machine Learning
Ulf Mattsson
 
Unlock the potential of data security 2020
Ulf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
What I learned at the Infosecurity ISACA North America Conference 2019
Ulf Mattsson
 
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Ulf Mattsson
 
New technologies for data protection
Ulf Mattsson
 
Practical risk management for the multi cloud
Ulf Mattsson
 
ETIS Information Security Benchmark Successful Practices in telco security
ETIS - the Global IT Association for Telecommunications
 
Advanced PII / PI data discovery and data protection
Ulf Mattsson
 
N-able webinar:Build recurring revenue in 45 days
Solarwinds N-able
 
Where Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
 
New york oracle users group 2013 spring general meeting ulf mattsson
Ulf Mattsson
 
Key note in nyc the next breach target and how oracle can help - nyoug
Ulf Mattsson
 
Future data security ‘will come from several sources’
John Davis
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Ulf Mattsson
 
Securing data today and in the future - Oracle NYC
Ulf Mattsson
 
How to protect privacy sensitive data that is collected to control the corona...
Ulf Mattsson
 
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Denodo
 

Similar to A practical data privacy and security approach to ffiec, gdpr and ccpa (20)

PDF
Complying with Cybersecurity Regulations for IBM i Servers and Data
Precisely
 
PPT
Pci Europe 2009 Underside Of The Compliance Ecosystem
kpatrickwheeler
 
PPTX
Government Standards for Cybersecurity: Ensuring a Secure Cyber Environment
Boston Institute of Analytics
 
PPTX
Automatski - The Internet of Things - Security Standards
automatskicorporation
 
PDF
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
PPTX
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
PDF
Isaca new delhi india privacy and big data
Ulf Mattsson
 
PDF
Cybersecurity solution-guide
AdilsonSuende
 
PDF
Iso 27001 whitepaper
Syzygal
 
PDF
Your organization is at risk! Upgrade your IT security & IT governance now.
Cyril Soeri
 
PDF
Data centric security key to digital business success - ulf mattsson - bright...
Ulf Mattsson
 
PDF
Big Data LDN 2017: Applied AI for GDPR
Matt Stubbs
 
PPTX
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
PDF
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
PDF
A Major Revision of the CISRCP Program
GoogleNewsSubmit
 
PPTX
Automatski - The Internet of Things - Privacy Standards
automatskicorporation
 
PDF
Cybersecurity and continuous intelligence
NISIInstituut
 
PDF
IoT PPT Deck
John Yates
 
PPTX
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Sirius
 
PPTX
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Precisely
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
kpatrickwheeler
 
Government Standards for Cybersecurity: Ensuring a Secure Cyber Environment
Boston Institute of Analytics
 
Automatski - The Internet of Things - Security Standards
automatskicorporation
 
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
Isaca new delhi india privacy and big data
Ulf Mattsson
 
Cybersecurity solution-guide
AdilsonSuende
 
Iso 27001 whitepaper
Syzygal
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Cyril Soeri
 
Data centric security key to digital business success - ulf mattsson - bright...
Ulf Mattsson
 
Big Data LDN 2017: Applied AI for GDPR
Matt Stubbs
 
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
A Major Revision of the CISRCP Program
GoogleNewsSubmit
 
Automatski - The Internet of Things - Privacy Standards
automatskicorporation
 
Cybersecurity and continuous intelligence
NISIInstituut
 
IoT PPT Deck
John Yates
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Sirius
 
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
Ad

More from Ulf Mattsson (15)

PPTX
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
PPTX
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
PPTX
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
PPTX
Qubit conference-new-york-2021
Ulf Mattsson
 
PDF
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
PPTX
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
PDF
Data encryption and tokenization for international unicode
Ulf Mattsson
 
PPTX
The future of data security and blockchain
Ulf Mattsson
 
PPTX
GDPR and evolving international privacy regulations
Ulf Mattsson
 
PPTX
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
PPTX
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
PPTX
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
PPTX
What is tokenization in blockchain?
Ulf Mattsson
 
PPTX
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
PPTX
What is tokenization in blockchain?
Ulf Mattsson
 
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
Qubit conference-new-york-2021
Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
Data encryption and tokenization for international unicode
Ulf Mattsson
 
The future of data security and blockchain
Ulf Mattsson
 
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
What is tokenization in blockchain?
Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
What is tokenization in blockchain?
Ulf Mattsson
 

A Practical Data Privacy and Security Approach to FFIEC, GDPR and CCPA

6
The privacy breach trend is alarming
The US FEDERAL TRADE COMMISSION (FTC) reported that credit card fraud tops the list of identity theft reports in 2018. FTC received nearly three million complaints from consumers in 2018. The FTC received more than 167,000 reports from people who said their information was misused on an existing account or to open a new credit card account.
Source: Redhat / IBM
7
The cost per breached record within financial services exceeds that of all other industries except healthcare (which was $429). Technology came in third place at $183, while the public sector came in last at $78.
Source: Bitglass, Ponemon, 2019
8
With global Cloud Adoption reaching 86% and bring your own device (BYOD) policies finding their way into 85% of organizations, it can be challenging to maintain proper visibility and control over data—particularly when the appropriate cloud and mobile security solutions are not put in place.
Source: Bitglass, 2019
9
Global Map Of Privacy Rights And Regulations
10
Privacy Fines
• British Airways was fined £183 million by the UK ICO for a series of data breaches in 2018, followed by a £99 million fine against the Marriott International hotel chain.
• French data protection regulator CNIL fined Google €50 million in 2019.
• Some companies narrowly avoided a GDPR-scale fine, as their data incident occurred prior to GDPR's implementation date.
• Both Equifax and Facebook received the maximum fine possible - £500,000 - as per the previous Data Protection Act 1998.
• In 2019, Facebook settled with the Federal Trade Commission in the United States over privacy violations, a settlement that required the social network to pay $5 billion.
12
GDPR Security Requirements – Encryption and Tokenization
Diagram labels: Discover Data Assets; Security by Design; Encryption and Tokenization
Source: IBM
14
Example of Cross Border Data-centric Security
Data sources and a Data Warehouse in Italy: complete policy-enforced de-identification of sensitive data across all bank entities
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
16
CCPA Redefines Personal Data
• According to "PI Vs PII: How CCPA Redefines What Is Personal Data", the CCPA definition "creates the potential for extremely broad legal interpretation around what constitutes personal information, holding that personal information is any data that could be linked with a California individual or household."
• CCPA states that "'Personal information' means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
• This goes well beyond data that is obviously associated with an identity, such as name, birth date, or social security number, which is traditionally regarded as PII.
• It is ultimately this "indirect" information, such as product preference or geolocation data, that is material, since it is much more difficult to identify it and connect it with a person than well-structured personally identifiable information.
18
GDPR Related to ISO International Standards
ISO/IEC 27000 series – ITSEC Management:
• ISO/IEC 27001 PII OnPrem
• ISO/IEC 27002 Security Controls
• ISO/IEC 27005 Risk Management
• ISO/IEC 27018 PII in Cloud (Basic Requirements)
• ISO/IEC 29100 Privacy for Cloud
• ISO/IEC 29101 Privacy by Design
• ISO/IEC 29134 Privacy Impact
• ISO/IEC 17788 Definitions
• ISO/IEC 17789 Cloud Architecture
Diagram labels: PII Processor (Enforcement) + PII Controller (Privacy Rules) + GDPR (Adding Requirements)
19
ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
20
ISO/IEC 27001 - PII OnPrem
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
21
ISO 27001 vs COBIT
Source: Securityboulevard
22
Positioning COBIT, ValIT and Risk IT (ISACA)
23
ISO/IEC 27002 Security Controls
ISO/IEC 27000 series – ITSEC Management (ISO/IEC 27001 PII OnPrem, ISO/IEC 27002 Security Controls, ISO/IEC 27005 Risk Management, ISO/IEC 27018 PII in Cloud, ISO/IEC 29100 Privacy for Cloud, ISO/IEC 29101 Privacy by Design, ISO/IEC 29134 Privacy Impact, ISO/IEC 17788 Definitions, ISO/IEC 17789 Cloud Architecture) and GDPR
ISO/IEC 27002 control clauses:
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
26
ISO 31000 in Summary
Source: Doug Newdick
27
Example – Risk and Compliance Tool
Source: Modulo / SAI Global
28
Example – Risk Management Tool
Are your security controls covering all sensitive data? Are your deployed security controls failing?
Source: innosec.com
29
NIST SP 800-39 Risk Management
NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce. NIST promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure.
Source: https://csrc.nist.gov/csrc/media/publications/nistir/8170/draft/documents/nistir8170-draft.pdf
30
NIST 800-137 Cybersecurity Framework (CSF)
• The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.
• It is unrecognized outside the USA. It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes."
• It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management.
• A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.
• It includes guidance on relevant protections for privacy and civil liberties.
31
NIST Cybersecurity Framework (CSF)
Source: https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc
32
NIST 800-171 Family of Requirements
NIST Requirements Family:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
Source: Corserva
34
Federal Financial Institutions Examination Council (FFIEC)
FFIEC is a formal U.S. government interagency body that includes five banking regulators— the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".
Source: Wikipedia
35
Mapping FFIEC to NIST Cybersecurity Framework – Some Examples
The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
38
PCI Vs. GDPR: What's The Difference?
PCI DSS 12 Requirements
Source: securitymetrics.com
39
Best Practices for Maintaining PCI DSS Compliance
Source: Verizon 2019 Payment Security Report
40
Compliance Program Performance Evaluation Framework
• There are no significant concerns about capacity, capability, competence, commitment or communication
• The competence, control risk, does not exist
• There is uncertainty whether the needed competence exists internally
Source: Verizon 2019 Payment Security Report
42
Data Security And Control Framework
1) defining the data
2) dissecting and analyzing the data
3) defending the data
Defining your data via data discovery and classification.
Anonymization is: "A method of de-identification that removes all personally identifiable information from a data set to the extent that makes the possibility of re-identification of the data negligible."
Source: Forrester
43
De-identification of data
Examples of de-identification techniques
• Interest in technical capabilities for anonymizing data expanded as the GDPR came into force
• With truly anonymized data, data protection authorities no longer consider it personally identifiable information and it falls outside of scope for the regulation
Source: Forrester
44
ISO Standard for Encryption and Privacy Models
• Privacy enhancing data de-identification terminology and classification of techniques
Cryptographic tools (CT):
• Format Preserving Encryption (FPE): encrypted data has the same format
• Homomorphic Encryption (HE): two values encrypted can be combined*
Formal privacy measurement models (PMM):
• Differential Privacy (DP): server model and local model; responses to queries are only able to be obtained through a software component or "middleware", known as the "curator"**
• K-anonymity model: ensures that for each identifier there is a corresponding equivalence class containing at least K records
De-identification techniques (DT)
Diagram label: the entity receiving the data is looking to reduce risk
*: Multi Party Computation (MPC)
**: Example Apple and Google
Source: INTERNATIONAL STANDARD ISO/IEC 20889
45
Positioning of some Encryption and Privacy Models
Diagram (labels only survive): Format Preserving Encryption (FPE) with FPE Enc/FPE Dec between clear values (e.g. "123") and a protected DB; Homomorphic Encryption (HE) with HE Enc of Clear_D1 and Clear_D2, an operation Op (Enc_D1, Enc_D2) performed at an "Untrusted Party"* and HE Dec of the result; Differential Privacy (DP) with a Curator** and filter in front of the DB; k-Anonymity Model with a cleanser and filter in front of the DB; protected keys held separately from the protected DB.
*: Multi Party Computation (MPC)
**: Example Apple
Source: INTERNATIONAL STANDARD ISO/IEC 20889
46
Example of mapping of data security and privacy techniques (ISO) to different deployment models
Deployment models (columns): Data Warehouse, Centralized, Distributed, On-premises, Public Cloud, Private Cloud
Privacy enhancing data de-identification terminology and classification of techniques (rows):
• De-identification techniques – Tokenization: Vault-based tokenization, Vault-less tokenization
• De-identification techniques – Cryptographic tools: Format preserving encryption, Homomorphic encryption
• De-identification techniques – Suppression techniques: Masking, Hashing
• Formal privacy measurement models – Differential Privacy: Server model, Local model
• Formal privacy measurement models – K-anonymity model: L-diversity, T-closeness
The matrix marks vault-less tokenization, masking, hashing, the DP server and local models, L-diversity and T-closeness as applicable to all six deployment models; format preserving encryption to five; vault-based tokenization and homomorphic encryption to two each.
47
Risk reduction and truthfulness of some de-identification techniques and models
Technique name | Data truthfulness at record level | Applicable to types of attributes | Reduces the risk of: Singling out | Linking | Inference
Cryptographic tools:
Deterministic encryption | Yes | All attributes | No | Partially | No
Order-preserving encryption | Yes | All attributes | No | Partially | No
Homomorphic encryption | Yes | All attributes | No | No | No
Suppression:
Masking | Yes | Local identifiers | Yes | Partially | No
Local suppression | Yes | Identifying attributes | Partially | Partially | Partially
Record suppression | Yes | | | |
Sampling | Yes | N/A | Partially | Partially | Partially
Pseudonymization | Yes | Direct identifiers | No | Partially | No
Generalization:
Generalization | Yes | Identifying attributes | | |
Rounding | Yes | Identifying attributes | No | Partially | Partially
Top/bottom coding | Yes | Identifying attributes | No | Partially | Partially
Noise addition | No | Identifying attributes | Partially | Partially | Partially
Source: INTERNATIONAL STANDARD ISO/IEC 20889
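The k-anonymity definition on slide 44 and the generalization, rounding and local-suppression rows of the slide 47 table, worked through on a constructed record set. This is an added example, not code from the slides or from ISO/IEC 20889; the ZIP/age/diagnosis fields, the sample values and the thresholds are assumptions.

```python
"""Added example: k-anonymity and l-diversity checks over a constructed
record set, using generalization (ZIP truncation, age banding) and local
suppression. Not from the slides or ISO/IEC 20889; fields are assumed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: quasi-identifiers (zip, age) plus a sensitive attribute.
RECORDS: List[Dict[str, str]] = [
    {"zip": "94107", "age": "29", "diagnosis": "flu"},
    {"zip": "94107", "age": "31", "diagnosis": "asthma"},
    {"zip": "94109", "age": "34", "diagnosis": "flu"},
    {"zip": "94110", "age": "38", "diagnosis": "diabetes"},
    {"zip": "10001", "age": "52", "diagnosis": "asthma"},
    {"zip": "10002", "age": "57", "diagnosis": "flu"},
    {"zip": "10003", "age": "55", "diagnosis": "diabetes"},
    {"zip": "30301", "age": "63", "diagnosis": "flu"},
]
QUASI: Tuple[str, ...] = ("zip", "age")   # assumed quasi-identifiers
SENSITIVE = "diagnosis"                   # assumed sensitive attribute


def generalize(rec: Dict[str, str], zip_digits: int = 3, age_band: int = 10) -> Dict[str, str]:
    """Generalization and rounding (truthful at record level, per the slide 47
    table): keep the first zip_digits of the ZIP and replace age by a band."""
    age = int(rec["age"])
    low = age - age % age_band
    out = dict(rec)
    out["zip"] = rec["zip"][:zip_digits] + "*" * (len(rec["zip"]) - zip_digits)
    out["age"] = f"{low}-{low + age_band - 1}"
    return out


def equivalence_classes(records: List[Dict[str, str]]) -> Dict[tuple, List[Dict[str, str]]]:
    """Group records that share the same quasi-identifier values."""
    classes: Dict[tuple, List[Dict[str, str]]] = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in QUASI)].append(rec)
    return classes


def k_anonymity(records: List[Dict[str, str]]) -> int:
    """The k of the set: size of its smallest equivalence class (slide 44:
    every identifier combination is shared by at least K records). 0 if empty."""
    classes = equivalence_classes(records)
    return min((len(c) for c in classes.values()), default=0)


def l_diversity(records: List[Dict[str, str]]) -> int:
    """The l of the set: fewest distinct sensitive values in any class.
    A class with k=3 but one diagnosis still leaks that diagnosis."""
    classes = equivalence_classes(records)
    return min((len({r[SENSITIVE] for r in c}) for c in classes.values()), default=0)


def suppress_small_classes(records: List[Dict[str, str]], k: int) -> List[Dict[str, str]]:
    """Local suppression: drop records whose class has fewer than k members."""
    return [r for c in equivalence_classes(records).values() if len(c) >= k for r in c]


def anonymize(records: List[Dict[str, str]], k: int) -> List[Dict[str, str]]:
    """Generalize first, then suppress whatever still falls short of k."""
    return suppress_small_classes([generalize(r) for r in records], k)


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))                      # every row unique
    gen = [generalize(r) for r in RECORDS]
    print("generalized k =", k_anonymity(gen))                  # two singleton classes remain
    anon = anonymize(RECORDS, k=2)
    print("after suppression: rows =", len(anon), "k =", k_anonymity(anon), "l =", l_diversity(anon))
```

Generalization alone leaves two singleton classes here, so the data set is still only 1-anonymous; suppressing them is what brings it to k=3, at the cost of the two records (the "partially" entries in the slide 47 table are this trade-off).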
48
Example of 29 Vendors Providing Different Data Protection Options
Table (vendor names not recoverable): columns # Employees, De-identification, Data in-use protection, Application-level encryption, Data at-rest encryption, Data masking; employee-count bands 3 to 15, 20 to 30, 50 to 93, 104 to 500, 600 to 5600, 14000 to 15000, 72000 to 350000.
Source: Forrester
49
Example of 21 Smaller Vendors Innovating in Data Protection (Patent Applications)
Table (vendor names and per-vendor counts not recoverable): columns # Employees, Data in-use protection, De-identification, App level encryption, Data at rest encryption, Data masking, Format Preserving Encryption, # Patent Applications, Innovative Patent Applications; employee-count bands 3 to 25, 30 to 95, 104 to 180.
Source: Forrester, USPTO
50
Examples of Data Protection Use Cases
Diagram labels:
• User to Payment Application to Payment Network: Payment Data; Tokenization (VBT), encryption and keys
• User to CASB to Salesforce
• User to Call Center Application: PII Data; Format Preserving Encryption (FPE); Vault-based tokenization (VBT)
• User to Data Warehouse: PII Data; Vault-less tokenization (VLT)
51
Example of a Payment Application
Diagram labels: User, Payment Application, Payment Network, Tokens, Call Center Application; Tokenization (VBT), encryption and keys
• A Gateway can work in the background, enabling an organization to keep existing business operations with few modifications.
• Tokenization is turning sensitive data into non-sensitive data called "tokens" that can be used in a database or internal system without bringing it into scope.
• BROWSER: Browser-Based Encryption with iFrames
• MOBILE: Native Applications or Web-Based Applications
• Private Cloud (example - Armor.com) can provide security and compliance benefits by mapping security controls to PCI compliance mandates, which reduces regulatory scope, simplifies the auditing process and lowers management costs.
52
Cloud transformations are accelerating
Diagram labels: Risk Elasticity; In-house to Out-sourced; On-premises system, On-premises Private Cloud, Hosted Private Cloud, Public Cloud; scales Low to High for Risk and Compute Cost; Risk Adjusted Computation.
53
Data Security Approaches
Diagram labels: Minimization; Devaluation/Pseudonymisation/Tokenization; Data Hashing/Masking; Encryption. Axes: Data Utility (Max Utility to Min Utility) and Data Protection (Min Protection to Max Protection).
Source: TokenEx
54
How Should I Secure Different Types of Data?
Diagram labels: Type of Data (Structured, Un-structured); Use Case (Simple to Complex); PCI – Card Holder Data; PHI – Protected Health Information; PII – Personally Identifiable Information; Tokenization of Fields; Encryption of Files.
55
Total Cost and Risk of Tokenization in Cloud vs On-prem
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
Source: TokenEx
56
Which of the following most closely describes what 'hybrid cloud' means in your organization?
Source: Forrester
57
For each of the following data center and IT infrastructure components, how much outsourcing and managed services does your firm use for IT operation? (excluding systems integrators for project implementation)
Source: Forrester
59
References:
1. California Consumer Privacy Act, OCT 4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
2. CIS Controls V7.1 Mapping to NIST CSF, https://dataprivacylab.org/projects/identifiability/paper1.pdf
3. GDPR and Tokenizing Data, https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx
4. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf
5. General Data Protection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
6. IBM Framework Helps Clients Prepare for the EU's General Data Protection Regulation, https://ibmsystemsmag.com/IBM-Z/03/2018/ibm-framework-gdpr
7. INTERNATIONAL STANDARD ISO/IEC 20889, https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI-k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE
8. INTERNATIONAL STANDARD ISO/IEC 27018, https://webstore.ansi.org/Standards/ISO/ISOIEC270182019?gclid=EAIaIQobChMIleWM6MLd5gIVFKSzCh3k2AxKEAAYASAAEgKbHvD_BwE
9. ISO/TS 25237:2008(E), Health Informatics—Pseudonymization, https://www.sis.se/api/document/preview/911119/
10. NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT, https://www.nist.gov/system/files/documents/2019/09/09/nist_privacy_framework_preliminary_draft.pdf
11. NIST Releases Evaluation of Cloud Computing Services Based on NIST SP 800-145 (NIST SP 500-322), https://www.nist.gov/news-events/news/2018/02/nist-releases-evaluation-cloud-computing-services-based-nist-sp-800-145, February 23, 2018
12. NIST Special Publication 800-53, https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
13. NISTIR 8053, De-Identification of Personal Information, https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf
14. Tokenization Product Security Guidelines, Version: 1.0, April 2015, PCI Security Standards Council, https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf?agreement=true&time=1570880509645
15. Trust the IAPP for actionable information on the California Consumer Privacy Act, https://iapp.org/l/ccpaga/?gclid=EAIaIQobChMI-cnYtffG5QIVIueGCh09Cw56EAAYBCAAEgIEp_D_BwE
16. Data Security: On Premise or in the Cloud, ISSA Journal, December 2019