Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Information Security vs. Data Governance vs. Data Protection: What Is the Real Difference

Download as PPTX, PDF
PECB
PECB

This webinar will provide more information on the importance of information security and how you can take security well beyond compliance, an approach on building strong information security, privacy and data governance programs, and the importance of strong data governance in relation to privacy and information security requirements. The webinar covers • Information Security • Importance Of Information Security Today • Taking Information Security Beyond A Compliance First • Importance Of Data Governance In Information Security • Privacy • Changing And Evolving Privacy Requirements • Importance Of Data Governance In Privacy • Data Governance And Data Privacy • Data Privacy - Data Processing Principles Presenters: Moji is a Senior Business Process Analyst working with GemaltoThales, a leading firm in the IT industry. Moji has over fifteen years of experience in leading projects to improve processes, create and implement processes leading to increased revenue generation and eliminate redundancies. She has a zeal for adding value and increasing revenue for organizations. Moji is very passionate about Data Privacy and its application in business and consumer rights. Hardeep Mehrotara has 20+ years of senior leadership experience in Information Technology and Cyber Security working for public and private organizations building security programs from the ground up. He has been featured on Canadian television as a cyber expert and provided advice to various communities on implementing cybersecurity strategy, best practices and controls. He has been a co-author on numerous leading industry security control frameworks, technical benchmarks and industry best practice standards. ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701 Webinars: https://pecb.com/webinars Articles: https://pecb.com/article Whitepapers: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION YouTube video: https://youtu.be/aQcS5-RFIEY Website link: https://pecb.com/

Related slideshows

Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
1 of 19
Information Security vs. Data Governance vs. Data Protection: What Is the Real Difference
Summary ◼ INFORMATION SECURITY ◼ IMPORTANCE OF INFORMATION SECURITY TODAY ◼ HIGH PROFILE SECURITY BREACHES (NOTABLE EVENTS) ◼ COMPLIANCE REQUIREMENTS FOR INFORMATION SECURITY (HIPPA, PCI-DSS, ISO 27001, FISMA, SOX) ◼ TAKING INFORMATION SECURITY BEYOND A COMPLIANCE FIRST ◼ BASICS OF INFORMATION SECURITY ◼ IMPORTANCE OF DATA GOVERNANCE IN INFORMATION SECURITY ◼ PRIVACY ◼ IMPORTANCE OF PRIVACY TODAY ◼ CHANGING AND EVOLVING PRIVACY REQUIREMENTS ◼ IMPORTANCE OF DATA GOVERNANCE IN PRIVACY ◼ DATA GOVERNANCE AND DATA PRIVACY ◼ WHY DATA? ◼ DATA PRIVACY - DATA PROCESSING PRINCIPLES ◼ DATA GOVERNANCE (ROPA ) AS A TOOL ◼ RECENT HIGH IMPACT DATA BREACHES ◼ RECENT HIGH PROFILE DATA BREACHES ◼ IMPACT ON CUSTOMER TRUST ◼ IMPACT OF DATA BREACH ◼ FURTHER NOTES
IMPORTANCE OF INFORMATION SECURITY TODAY Hacking as Service Hire hackers to get access to company networks Ransomware as a Service Subscription based model to use already- developed ransomware. Denial of Service as a Service A pre-configured infrastructure for use of DDoS attacks. Supply Chain Attacks Attack of a common vendor or supplier to infiltrate numerous company networks and systems. Companies have a large number of third-party vendors and SaaS solutions that integrate with their systems and networks. Internet of Things According to Gartner, IoT devices in 2020 which will grow to 75 million by 2025. IoT Malware attacks rose 700% during the pandemic. Attacks towards televisions, security cameras, autonomous vehicles, to medical devices/pacemakers. Artificial Intelligence & Automation Cyber criminals use AI for targeted spear-phishing attacks using deepfakes and voice-cloning. Weaponized AI self-seeks vulnerabilities, uses concealed intelligent’ malware to laterally move, executes at specific times, and acquires system knowledge to vary attacks. PassGan uses neural network to lean the statistical distribution of passwords from leaks and generates high-quality guesses.
COMPLIANCE REQUIREMENTS FOR INFORMATION SECURITY
HIGH PROFILE SECURITY BREACHES (NOTABLE EVENTS) Ransomware attack in July that paralyzed as many as 1,500 organizations by compromising tech-management software from a company called Kaseya SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months. The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast. Hackers entered the network through a VPN account, which did not use MFA.
TAKING INFORMATION SECURITY BEYOND COMPLIANCE ◼ Compliance Frameworks help drive business to practice due diligence and make decisions not just based on cost. ◼ Compliance frameworks are the basic building blocks. ◼ Organizations looking to meet compliance requirements may avoid penalties but may not always be secure. ◼ Compliance is important, clearly, but it should be a subset of the overall security strategy. ◼ One must always stay ahead of compliance. E.g., IoT.
START WITH THE BASICS – BASIC CYBER HYGENIE A prioritized and prescriptive set of safeguards mitigate approximately 83% of all attack techniques found in the MITRE ATT&CK Framework. Implementation Group 1 (IG1) of the Controls provide mitigation against the attack techniques found in the top four attack patterns listed in the 2019 Verizon Data Breach Investigations Report (DBIR), including ransomware. Key Next Steps:  Identify business goals and objectives.  Start with a gap assessment.  Get senior leadership buy-in.  Focus on the basics of cyber-hygiene and do it well.  Strengthen your incident response.  Roadmap to compliance & maturity.
“NOT IF BUT WHEN” AN INCIDENT WILL OCCUR ◼ USE the “CYBER KILL CHAIN” to understand how cyber criminals attack and gain access to systems. ◼ Build “DETECTION & PREVENTION” based on the kill chain to reduce the mean time to detect. ◼ Develop an “INCIDENT RESPONSE PLAN” to be prepared and reduce the mean time to respond. Source: 2021 IBM Cost of Data Breach Report found that the average time to detect and contain a data breach is 280 days https://www.ibm.com/security/data-breach Source: Lockheed Martin Cyber Kill Chain https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
DATA DRIVEN ERA - IMPORTANCE OF DATA GOVERNANCE ◼ Data today is one of the most important assets of the organization. ◼ Data governance saves money reducing duplication, errors and increasing integrity. ◼ Data governance increases access to data sharing across the organization ◼ Strong data governance ensures an organization is complying with all regulatory requirements and compliance frameworks. Data-driven organizations are 23 times more likely to acquire customers. Sources: https://www.mckinsey.com/business-functions/marketing-and-sales/our-insights https://bi-survey.com/big-data-benefits https://www.forrester.com/report/InsightsDriven+Businesses+Set+The+Pace+For+Global+Growth/-/E-RES130848 Businesses that use big data increase their profit by 8 percent. 62% of retailers report that the use of information and analytics is creating a competitive advantage for their organization. Insight-driven businesses are growing at an average of 30% each year; by 2021, they are predicted to take $1.8 trillion annually from their less-informed industry competitors.
WHY DATA? The world’s most valuable resource is no longer oil, but data | The Economist The world’s most valuable resource is no longer oil but DATA. What are you doing to PROTECT your most precious resource? Who has ACCESS to it? Do you know WHERE it is? Do you know its VALUE? What do you know about your most precious resource?
DATA PRIVACY - DATA PROCESSING PRINCIPLES UK GDPR outlines 7 principles for processing data to create a solid framework for minimizing risk exposure: 1. Lawfulness, Fairness and Transparency 2. Purpose Limitation 3. Data Minimization 4. Accuracy 5. Storage Limitation 6. Integrity and Confidentiality 7. Accountability Failure to comply leads to fines, breach of trust, operational disruption ….. Art. 5 GDPR – Principles relating to processing of personal data | General Data Protection Regulation (GDPR) (gdpr-info.eu)
DATA GOVERNANCE & (RECORD of PROCESSING ACTIVITIES) AS TOOLS The GDPR obligates documentation of the processing activities relating to your data. Good data governance and RoPA allow you to understand: 1. What data you have 2. Where your data is located 3. How the data is used 4. Who the data is shared with This ensures data security, availability, integrity and consistency Boosting Cyber Security With Data Governance and Enterprise Data Management (isaca.org) Records of Processing Activities | General Data Protection Regulation (GDPR) (gdpr-info.eu)
HIGH IMPACT DATA BREACHES These data breaches show case the importance of data governance, information security and data privacy in protecting data June 2021 Impact: 700 Million records Hackers scraped data by exploiting LinkedIn’s API Exposed data includes: Email addresses, phone numbers, geolocation records, LinkedIn usernames and profile URLs, other social media accounts & details among others April 2019 Impact: 533 Million records 2 Third party Facebook app datasets exposed to public internet Exposed data includes: Account names, Facebook ID’s, likes, reactions, comments and others July 2021 Impact: Up to 1500 Organizations records Supply Chain Ransom ware Exposed data includes: Organizational database, user names and passwords and sensitive information The 57 Biggest Data Breaches (Updated for 2021) | UpGuard
RECENT DATA BREACH FINES 1. 2. 3. 4. $886 MILLION €50 MILLION €35.3 MILLION £20 MILLION Three years of GDPR: the biggest fines so far - BBC News
IMPACT ON CONSUMER TRUST The average customer is becoming privacy aware, security aware and over all, DATA AWARE Building consumer trust: Protecting personal data in the consumer product industry | Deloitte Insights
IMPACT OF DATA BREACH 1. FINANCIAL LOSS 2. REPUTATIONAL DAMAGE 3. OPERATIONAL DOWNTIME 4. LEGAL ACTION 5. LOSS OF SENSITIVE DATA Boosting Cyber Security With Data Governance and Enterprise Data Management (isaca.org) What’s New in the 2021 Cost of a Data Breach Report - Security Intelligence
FURTHER NOTES Data & Information Governance at UNSW | Data Governance According to a Cisco analysis (2020), companies who have invested in privacy measures experience positive returns on investments. Based on responses from 2,500 professionals across 13 countries, companies on average received $2.70 for every $1 spend on their privacy program. Implementing a mature privacy program, developing a robust data governance in alignment with company goals and implementing an efficient information security system proactive in threat detection and incident response are key to reducing data breaches. Study: Mature privacy programs experience higher ROI (iapp.org)
SUMMARY 1. KNOW YOUR DATA 2. PROTECT YOUR DATA 3. APPLY THE DATA PROCESSING PRINCPLES 4. INVEST IN A MATURE PRIVACY PROGRAM 5. BUILD AND IMPLEMENT A ROBUST INFORMATION SECURITY PROGRAM
THANK YOU ? hardeep.mehrotara@gmail.com Hardeep Mehrotara olasow@yahoo.com Mojisola Abi Sowemimo

More Related Content

Information Security vs. Data Governance vs. Data Protection: What Is the Real Difference

  • 2. Summary ◼ INFORMATION SECURITY ◼ IMPORTANCE OF INFORMATION SECURITY TODAY ◼ HIGH PROFILE SECURITY BREACHES (NOTABLE EVENTS) ◼ COMPLIANCE REQUIREMENTS FOR INFORMATION SECURITY (HIPPA, PCI-DSS, ISO 27001, FISMA, SOX) ◼ TAKING INFORMATION SECURITY BEYOND A COMPLIANCE FIRST ◼ BASICS OF INFORMATION SECURITY ◼ IMPORTANCE OF DATA GOVERNANCE IN INFORMATION SECURITY ◼ PRIVACY ◼ IMPORTANCE OF PRIVACY TODAY ◼ CHANGING AND EVOLVING PRIVACY REQUIREMENTS ◼ IMPORTANCE OF DATA GOVERNANCE IN PRIVACY ◼ DATA GOVERNANCE AND DATA PRIVACY ◼ WHY DATA? ◼ DATA PRIVACY - DATA PROCESSING PRINCIPLES ◼ DATA GOVERNANCE (ROPA ) AS A TOOL ◼ RECENT HIGH IMPACT DATA BREACHES ◼ RECENT HIGH PROFILE DATA BREACHES ◼ IMPACT ON CUSTOMER TRUST ◼ IMPACT OF DATA BREACH ◼ FURTHER NOTES
  • 3. IMPORTANCE OF INFORMATION SECURITY TODAY Hacking as Service Hire hackers to get access to company networks Ransomware as a Service Subscription based model to use already- developed ransomware. Denial of Service as a Service A pre-configured infrastructure for use of DDoS attacks. Supply Chain Attacks Attack of a common vendor or supplier to infiltrate numerous company networks and systems. Companies have a large number of third-party vendors and SaaS solutions that integrate with their systems and networks. Internet of Things According to Gartner, IoT devices in 2020 which will grow to 75 million by 2025. IoT Malware attacks rose 700% during the pandemic. Attacks towards televisions, security cameras, autonomous vehicles, to medical devices/pacemakers. Artificial Intelligence & Automation Cyber criminals use AI for targeted spear-phishing attacks using deepfakes and voice-cloning. Weaponized AI self-seeks vulnerabilities, uses concealed intelligent’ malware to laterally move, executes at specific times, and acquires system knowledge to vary attacks. PassGan uses neural network to lean the statistical distribution of passwords from leaks and generates high-quality guesses.
  • 4. COMPLIANCE REQUIREMENTS FOR INFORMATION SECURITY
  • 5. HIGH PROFILE SECURITY BREACHES (NOTABLE EVENTS) Ransomware attack in July that paralyzed as many as 1,500 organizations by compromising tech-management software from a company called Kaseya SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months. The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast. Hackers entered the network through a VPN account, which did not use MFA.
  • 6. TAKING INFORMATION SECURITY BEYOND COMPLIANCE ◼ Compliance Frameworks help drive business to practice due diligence and make decisions not just based on cost. ◼ Compliance frameworks are the basic building blocks. ◼ Organizations looking to meet compliance requirements may avoid penalties but may not always be secure. ◼ Compliance is important, clearly, but it should be a subset of the overall security strategy. ◼ One must always stay ahead of compliance. E.g., IoT.
  • 7. START WITH THE BASICS – BASIC CYBER HYGENIE A prioritized and prescriptive set of safeguards mitigate approximately 83% of all attack techniques found in the MITRE ATT&CK Framework. Implementation Group 1 (IG1) of the Controls provide mitigation against the attack techniques found in the top four attack patterns listed in the 2019 Verizon Data Breach Investigations Report (DBIR), including ransomware. Key Next Steps:  Identify business goals and objectives.  Start with a gap assessment.  Get senior leadership buy-in.  Focus on the basics of cyber-hygiene and do it well.  Strengthen your incident response.  Roadmap to compliance & maturity.
  • 8. “NOT IF BUT WHEN” AN INCIDENT WILL OCCUR ◼ USE the “CYBER KILL CHAIN” to understand how cyber criminals attack and gain access to systems. ◼ Build “DETECTION & PREVENTION” based on the kill chain to reduce the mean time to detect. ◼ Develop an “INCIDENT RESPONSE PLAN” to be prepared and reduce the mean time to respond. Source: 2021 IBM Cost of Data Breach Report found that the average time to detect and contain a data breach is 280 days https://www.ibm.com/security/data-breach Source: Lockheed Martin Cyber Kill Chain https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
  • 9. DATA DRIVEN ERA - IMPORTANCE OF DATA GOVERNANCE ◼ Data today is one of the most important assets of the organization. ◼ Data governance saves money reducing duplication, errors and increasing integrity. ◼ Data governance increases access to data sharing across the organization ◼ Strong data governance ensures an organization is complying with all regulatory requirements and compliance frameworks. Data-driven organizations are 23 times more likely to acquire customers. Sources: https://www.mckinsey.com/business-functions/marketing-and-sales/our-insights https://bi-survey.com/big-data-benefits https://www.forrester.com/report/InsightsDriven+Businesses+Set+The+Pace+For+Global+Growth/-/E-RES130848 Businesses that use big data increase their profit by 8 percent. 62% of retailers report that the use of information and analytics is creating a competitive advantage for their organization. Insight-driven businesses are growing at an average of 30% each year; by 2021, they are predicted to take $1.8 trillion annually from their less-informed industry competitors.
  • 10. WHY DATA? The world’s most valuable resource is no longer oil, but data | The Economist The world’s most valuable resource is no longer oil but DATA. What are you doing to PROTECT your most precious resource? Who has ACCESS to it? Do you know WHERE it is? Do you know its VALUE? What do you know about your most precious resource?
  • 11. DATA PRIVACY - DATA PROCESSING PRINCIPLES UK GDPR outlines 7 principles for processing data to create a solid framework for minimizing risk exposure: 1. Lawfulness, Fairness and Transparency 2. Purpose Limitation 3. Data Minimization 4. Accuracy 5. Storage Limitation 6. Integrity and Confidentiality 7. Accountability Failure to comply leads to fines, breach of trust, operational disruption ….. Art. 5 GDPR – Principles relating to processing of personal data | General Data Protection Regulation (GDPR) (gdpr-info.eu)
  • 12. DATA GOVERNANCE & (RECORD of PROCESSING ACTIVITIES) AS TOOLS The GDPR obligates documentation of the processing activities relating to your data. Good data governance and RoPA allow you to understand: 1. What data you have 2. Where your data is located 3. How the data is used 4. Who the data is shared with This ensures data security, availability, integrity and consistency Boosting Cyber Security With Data Governance and Enterprise Data Management (isaca.org) Records of Processing Activities | General Data Protection Regulation (GDPR) (gdpr-info.eu)
  • 13. HIGH IMPACT DATA BREACHES These data breaches show case the importance of data governance, information security and data privacy in protecting data June 2021 Impact: 700 Million records Hackers scraped data by exploiting LinkedIn’s API Exposed data includes: Email addresses, phone numbers, geolocation records, LinkedIn usernames and profile URLs, other social media accounts & details among others April 2019 Impact: 533 Million records 2 Third party Facebook app datasets exposed to public internet Exposed data includes: Account names, Facebook ID’s, likes, reactions, comments and others July 2021 Impact: Up to 1500 Organizations records Supply Chain Ransom ware Exposed data includes: Organizational database, user names and passwords and sensitive information The 57 Biggest Data Breaches (Updated for 2021) | UpGuard
  • 14. RECENT DATA BREACH FINES 1. 2. 3. 4. $886 MILLION €50 MILLION €35.3 MILLION £20 MILLION Three years of GDPR: the biggest fines so far - BBC News
  • 15. IMPACT ON CONSUMER TRUST The average customer is becoming privacy aware, security aware and over all, DATA AWARE Building consumer trust: Protecting personal data in the consumer product industry | Deloitte Insights
  • 16. IMPACT OF DATA BREACH 1. FINANCIAL LOSS 2. REPUTATIONAL DAMAGE 3. OPERATIONAL DOWNTIME 4. LEGAL ACTION 5. LOSS OF SENSITIVE DATA Boosting Cyber Security With Data Governance and Enterprise Data Management (isaca.org) What’s New in the 2021 Cost of a Data Breach Report - Security Intelligence
  • 17. FURTHER NOTES Data & Information Governance at UNSW | Data Governance According to a Cisco analysis (2020), companies who have invested in privacy measures experience positive returns on investments. Based on responses from 2,500 professionals across 13 countries, companies on average received $2.70 for every $1 spend on their privacy program. Implementing a mature privacy program, developing a robust data governance in alignment with company goals and implementing an efficient information security system proactive in threat detection and incident response are key to reducing data breaches. Study: Mature privacy programs experience higher ROI (iapp.org)
  • 18. SUMMARY 1. KNOW YOUR DATA 2. PROTECT YOUR DATA 3. APPLY THE DATA PROCESSING PRINCPLES 4. INVEST IN A MATURE PRIVACY PROGRAM 5. BUILD AND IMPLEMENT A ROBUST INFORMATION SECURITY PROGRAM
  • 19. THANK YOU ? hardeep.mehrotara@gmail.com Hardeep Mehrotara olasow@yahoo.com Mojisola Abi Sowemimo