Businesses failing to keep up to date with cybersecurity

December 15, 2014

There has been no consideration of Australian Privacy Principle (“APP”) 11 by the Privacy Commissioner through determination, enforceable undertaking or civil penalty proceeding. The APP guidelines are drafted in general terms. The guidelines on enforcement actions are in draft form and part way through the consultation process. The nature and extent of actual implementation of measures to comply with APP 11 is a matter of some conjecture, often depending upon which expert has the microphone. What is clear is that the risk of breaches is real, as set out in a report prepared by Trustwave titled The State of Risk 2014.

Some of the sobering findings are that:

  • 21% of businesses have either no incident response procedures in place or never test them even if they do;
  • only 25% of the 476 IT professionals surveyed said they test incident response plans quarterly, while a further 36% test them annually;
  • 20% of businesses have no internal process that enables staff to report security incidents “immediately and without fear of reprisal” within their business;
  • 62% of businesses have technical controls in place to allow employees to use their own devices (“BYOD”);
  • 67% have “policy controls” that govern BYOD activity;
  • only 60% of companies are “fully aware of their legal responsibilities in safeguarding sensitive data”;
  • 21% of IT professionals surveyed said their company has never carried out security awareness training;
  • 23% of IT professionals surveyed said their company never held security planning meetings;
  • 24% of IT professionals surveyed said their company never required staff to “read and sign their businesses’ information security policy”;
  • 50% of businesses run internal vulnerability scans on critical systems less than once every three months;
  • 60% of businesses run external vulnerability scans on critical systems less than once every three months;
  • board members are fully involved in security matters at 40% of businesses and partially involved at 48%;
  • senior managers take a fully active role in security issues at 52% of businesses and are partially active at 43%.

The New York Department of Financial Services has issued a formal memorandum setting out its new information technology examination procedures, which will focus on cyber security. It is quite detailed and precise, in stark contrast to the expectations set out by Australian regulators. It provides:

In an effort to promote greater cyber security across the financial services industry, the New York State Department of Financial Services (the “Department”) plans to expand its information technology (“IT”) examination procedures to focus more attention on cyber security. The Department encourages all institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology. To that end, the Department has incorporated into the examination new questions and topics, which will be embodied in pre-examination “First Day Letters.”

In particular, IT/cybersecurity examinations will now include, but not be limited to, the following topics:

  • Corporate governance, including organization and reporting structure for cybersecurity related issues;
  • Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
  • Resources devoted to information security and overall risk management;
  • The risks posed by shared infrastructure;
  • Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
  • Information security testing and monitoring, including penetration testing;
  • Incident detection and response processes, including monitoring;
  • Training of information security professionals as well as all other personnel;
  • Management of third-party service providers;
  • Integration of information security into business continuity and disaster recovery policies and procedures; and
  • Cyber security insurance coverage and other third-party protections.

As is standard with both safety and soundness and targeted examinations, each institution may receive a tailored First Day Letter at the time that the institution is actually scheduled for examination.

In addition to the revised First Day Letter, the Department is updating its examination process, including the procedure for assessing and scheduling IT/cyber security examinations. Going forward, the Department will schedule IT/cyber security examinations following the comprehensive risk assessment of each institution. To aid in that assessment, the Department will be seeking, by separate request, responses to the following questions:

  1. Provide the CV and job description of the current Chief Information Security Officer or the individual otherwise responsible for information security, describe that individual’s information security training and experience, and identify all reporting lines for that individual, including all committees and managers. In addition, provide an organization chart for your institution’s IT and information security functions.
  2. Describe the extent to which your institution maintains information security policies and procedures designed to address the information security goals of confidentiality, integrity, and availability. Provide copies of all such information security policies.
  3. Describe how data classification is integrated into information risk management policies and procedures.
  4. Describe your institution’s vulnerability management program as applicable to servers, end points, mobile devices, network devices, systems, and applications.
  5. Describe the organization’s patch management program including how updates, patches, and fixes are obtained and disseminated, whether processes are manual or automated, and how often they occur.
  6. Describe identity and access management systems employed by the organization for both internal and external users, including all administrative, logical, and physical controls and whether such controls are preventive, detective, or corrective in nature.
  7. Identify and describe the current use of multi-factor authentication for any systems or applications.
  8. Describe your institution’s due diligence process regarding information security practices that is used in vetting, selecting, and monitoring third-party service providers.
  9. Describe all application development standards utilized by the organization, including the use of a secure software development lifecycle, and the extent to which security and privacy requirements are assessed and incorporated into the initial phases of the application development process.
  10. Provide a copy of, to the extent it exists in writing, or otherwise describe, the organization’s incident response program, including how incidents are reported, escalated, and remediated.
  11. Describe the extent to which information security is incorporated into the organization’s BCP/DR plan, how and how often the BCP/DR is tested, and the results of the most recent test.
  12. Describe any significant changes to the institution’s IT portfolio over the last 24 months resulting from mergers, acquisitions, or the addition of new business lines.
