Where Security and Privacy Meet - Partnering Tips for CSOs and Privacy/ Compliance Leads

Upload: compliancy-group

Post on 23-Jan-2015

Category: Health & Medicine

DESCRIPTION

This webinar identifies challenges in both the privacy and security offices, explains why the two must work together, and identifies mutual goals, both within their departments and in the context of the rest of the business. It includes solutions and suggestions for working together, plus case studies and examples showing common mistakes as well as success stories of privacy and IT offices working together. Panelist: Gant Redmon, General Counsel and VP of Business Development, Co3 Systems

TRANSCRIPT

Page 1: Where security and privacy meet partnering tips for CSOs and privacy/compliance leads

Where Security and Privacy Meet - Partnering Tips for CSOs and Privacy/Compliance Leads

Page 2

Today’s Agenda

For today's slides: http://compliancy-group.com/slides023/

Next Free Education Session – March 11, 2:00 EST
• How insurance can aid with the data breach response expenses that arise in the wake of a data breach or security incident
• Presented by Gamelah Palagonia, Privacy Professionals

For today's and past webinars go to: http://compliancy-group.com/webinar/

Page 3

Introductions: Today’s Speakers

• Gant Redmon, General Counsel, Co3 Systems

Page 4

Types Of Compromise

Source: Ponemon Research Institute, “Post Breach Boom 2013” 3,529 IT and IT Security respondents

Page 5

Detection of Compromise

The discovery of malicious breaches averages 80 days for corporations.

Source: Ponemon Research Institute, “Post Breach Boom 2013” 3,529 IT and IT Security respondents

Page 6

Corporate Information Loss

• Malicious Cyber-Attacks: Hackers stole customer data, including credit card information (100 million records)
• Lost / Stolen Assets: Laptops with patient data stolen by former employee (208,000 records)
• Third-Party Leaks: Digital marketing agency exposes customer data of dozens of clients (millions of records)
• Internal / Employee Actions: Employee sent CD-ROM with personal data on registered advisors (139,000 records)

Information Loss: the exposure or loss of consumer or employee personal information, as well as trade secrets and intellectual property, from a compromise.

Page 7

Security and Compliance Together

Security and Compliance are becoming the same thing
- PCI, HIPAA, GLB

“75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired” - Gartner, July 2012

“It’s about the response … with all hands on deck in a coordinated manner.” - Gant, January 2014

Page 8

Security and Compliance Together

• Breach Response

Track 1: Focus on cause analysis, remediation and customer communication
Track 2: Legal compliance, communication with authorities, corporate filings

- Companies often do Track 1 and then Track 2
- But these tracks don’t have to be separate.
- Incident response plans need to cover more than closing the vulnerability

Page 9

Security and Compliance Together

Expediency v. accuracy

Page 10

Target Response

• Clear notice with proposed next steps (good)
• Deflected blame and responsibility (bad)
• Initial notice by flacks (bad)
• Later notices by CEO (good)
• Immediate forensic investigation (good)
• Few details to consumers (bad)
• Breach notifications to consumers (good)
• Breach notification to banks (not as good)

Page 11

Target Response

• Electronic notification with fraud monitoring (good)
• E-mail notice with hyperlinks (very bad)
• Follow-up notices (good)
• No regular schedule of follow-up (bad)
• Coordinate with law enforcement (good)
• No info to consumers about how to contact law enforcement (bad)

Page 12

POLL 1: Where does Data Privacy reside in your organization?
- Legal Department
- Security Office
- Compliance Department
- Other

Page 13

CPO+CSO = BFF

Challenges for the Privacy Office
• Viewed as problem rather than solution
• Needs to be plugged in all over the enterprise to do the job
• Budget starved
• Maintaining vigilance in the absence of crisis

Challenges for the Security Office
• Needs to be effective 100% of the time; the threat only has to be effective once
• Not trained to speak “compliance”
• Pulled in many directions
• Likes tools more than process

Page 14

CPO+CSO = BFF

Why working together is important
• Insight
• Skills
• Strategy
• Budget

Page 15

CPO+CSO = BFF

Insight
• The CSO is your early warning system
• Ask yourself who your first responder is. Then ask what their priorities are when handling an incident.

• Scenario #1, Stolen Laptop: Fred from finance has his laptop stolen when his house is broken into. The CSO may have focused on getting Fred a new laptop and restoring his information from backup. But did he think about what data was on the laptop? Did the information match the definitions of PII or PHI? How does that relate to the data breach regulations affecting the company? The CSO hears “lost laptop,” but you think “lost information.” You can lead him along the path to privacy righteousness.

Page 16

CPO+CSO = BFF

• Scenario #2, Malware: Malware is detected on the HR and Engineering servers, and log files show that files have been accessed by an IP address assigned to an ISP in Kazakhstan. The CSO will focus on closing the vulnerability and ridding the system of malware. How fast will he also determine which files were accessed and what was in those files? Bet it will be faster if he knows how important it is for you to determine whether the intruder made off with protected information.

• Scenario #3, Insider Threat: Your network monitoring tool throws an alert that Rissa the receptionist has been removing files from the CFO’s laptop just as your company is set to announce quarterly results and personnel information. The CSO may think his job is done when he reports Rissa to HR and she’s marched out of the building. Will he think of analyzing Rissa’s computer to see where that information might have been sent? You’ll certainly want to know.

Page 17

CPO+CSO = BFF

Skills
• Does the CPO have the resources to analyze a log file, image a disk, or conduct a forensic analysis?
• Who tells you whether the information was accessed or acquired?
• Was it encrypted? In transit and at rest?
• What is the nature of the information involved? Does it meet the definitions of PII or PHI?
• The CSO is your oracle into affected information
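The questions on this slide, and the Scenario #2 intrusion on the previous one, come down to one piece of work the CSO's team does for the CPO: take the access log, keep only what the suspect address range touched, and join it against a data inventory that says what each file holds, how many people's records it contains, and whether it was stored encrypted. The Python below is an added example written for this page; it is not Co3 Systems code and nothing in the webinar describes it. The log format, the inventory, the record counts and the 203.0.113.0/24 range (standing in for the Kazakhstan ISP's block) are all constructed, and the "acquired" flag is a stated heuristic: reading at least the file's size counts as a full copy, anything less as access only.

```python
"""Scope what a suspect IP range actually touched, and what was in it.

Added example for Scenario #2 and the "Skills" questions; not Co3 Systems code.
The log format, the inventory and the 203.0.113.0/24 range are all constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    classification: str      # "PII", "PHI", "TRADE_SECRET" or "PUBLIC"
    records: int             # individuals' records in the file (0 if not applicable)
    size_bytes: int          # file size, used to tell a full copy from a partial read
    encrypted_at_rest: bool  # stored as ciphertext with the key held off this host


# Constructed data inventory: what lives where, and how it is classified.
INVENTORY = {
    "/hr/payroll/2014-q4.csv":      Asset("PII", 1200, 410_000, False),
    "/hr/benefits/enrollment.xlsx": Asset("PII", 640, 220_000, False),
    "/hr/medical/claims-2014.csv":  Asset("PHI", 830, 950_000, True),
    "/eng/specs/widget-v2.pdf":     Asset("TRADE_SECRET", 0, 3_100_000, False),
    "/eng/public/README.txt":       Asset("PUBLIC", 0, 2_000, False),
}

# Constructed file-server access log: timestamp, client IP, action, path, bytes.
SAMPLE_LOG = """\
2015-01-12T02:14:07Z 203.0.113.45 READ  /hr/payroll/2014-q4.csv      410000
2015-01-12T02:14:09Z 203.0.113.45 READ  /eng/specs/widget-v2.pdf     65536
2015-01-12T02:15:31Z 10.0.0.17    READ  /hr/benefits/enrollment.xlsx 220000
2015-01-12T02:16:02Z 203.0.113.45 READ  /hr/medical/claims-2014.csv  950000
2015-01-12T02:16:45Z 203.0.113.45 WRITE /tmp/.x                      4096
2015-01-12T02:20:10Z 203.0.113.45 READ  /hr/archive/old-staff.csv    12000
2015-01-12T03:01:00Z 203.0.113.45 READ  /eng/public/README.txt       2000
"""


def parse_log(text):
    """Yield (timestamp, ip, action, path, bytes) from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, action, path, nbytes = line.split()
        yield ts, ipaddress.ip_address(ip), action, path, int(nbytes)


def scope_incident(log_text, suspect_networks, inventory):
    """Answer the privacy office's questions: which files did the intruder read,
    were they PII/PHI, were they encrypted, and were they copied or only touched."""
    nets = [ipaddress.ip_network(n) for n in suspect_networks]
    reads = defaultdict(int)  # path -> total bytes read by suspect IPs
    writes = []               # files the intruder dropped (remediation track)
    for _ts, ip, action, path, nbytes in parse_log(log_text):
        if not any(ip in net for net in nets):
            continue
        if action == "WRITE":
            writes.append(path)
        elif action == "READ":
            reads[path] += nbytes

    report = {
        "files": [],
        "records_in_clear": {"PII": 0, "PHI": 0},   # accessed, readable by the intruder
        "records_encrypted": {"PII": 0, "PHI": 0},  # accessed, but only as ciphertext
        "unclassified": [],                         # inventory gap: classify by hand
        "writes": sorted(writes),
    }
    for path in sorted(reads):
        asset = inventory.get(path)
        if asset is None:
            report["unclassified"].append(path)
            continue
        # Heuristic: reading at least the file's size is treated as acquisition,
        # less than that as access only. Real cases need the full session record.
        acquired = reads[path] >= asset.size_bytes
        report["files"].append({
            "path": path,
            "classification": asset.classification,
            "records": asset.records,
            "encrypted_at_rest": asset.encrypted_at_rest,
            "bytes_read": reads[path],
            "acquired": acquired,
        })
        if asset.classification in ("PII", "PHI"):
            bucket = "records_encrypted" if asset.encrypted_at_rest else "records_in_clear"
            report[bucket][asset.classification] += asset.records
    return report


if __name__ == "__main__":
    result = scope_incident(SAMPLE_LOG, ["203.0.113.0/24"], INVENTORY)
    for f in result["files"]:
        print(f"{f['path']}: {f['classification']}, {f['records']} records, "
              f"{'encrypted' if f['encrypted_at_rest'] else 'in the clear'}, "
              f"{'full copy' if f['acquired'] else 'partial read'}")
    print("in the clear:", result["records_in_clear"])
    print("encrypted:", result["records_encrypted"])
    print("unclassified:", result["unclassified"], "dropped:", result["writes"])
```

The report deliberately stops at facts: records readable in the clear, records accessed only as ciphertext, files the inventory does not classify, and files the intruder wrote (the remediation track's concern). Whether the encrypted PHI counts as unusable, given where the key was held, and what the 1,200 clear-text PII records trigger under the breach regulations affecting the company, is the privacy office's call; the point of the inventory join is that the CSO can hand over those numbers in minutes instead of days. An unclassified path is itself a finding: it means the inventory, not just the server, needs attention.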

Page 18

CPO+CSO = BFF

Strategy
• This is where 1+1=3 via collaboration
• The CSO will have a hand in the company’s mobile, social media and cloud strategies but needs the CPO’s guidance in launching them.
• For example, a health care organization realizes doctors are communicating with patients from the doctors’ personal, unencrypted email accounts. The CSO wants to roll out a patient site for communications with doctors in a secure environment. A number of vendors offer such patient sites, but which will keep the company on the right side of HIPAA/HITECH? You may not know log files, but you know HIPAA.

• When you take a seat at the table next to the CSO for purposes of patient interaction, you have promoted yourself from a basic compliance function to a strategic contributor.

Page 19

CPO+CSO = BFF

Budget
• CSOs have money. Privacy offices are not known for lavish budgets.
• Some in management feel that traditional compliance functions should be kept on a strict fiscal diet so they don’t become strong enough to hamper the business.
• IT and security don’t suffer from such reduced rations.
• Network security is red hot these days and money is being spent.
• Got a tool that helps the CSO identify privacy issues in everyday security incidents? You may find the CSO’s budget a lot easier to tap than your own.

Page 20

CPO+CSO = BFF

Goals for Privacy and Security Departments
• Educate in proper use
• Prevent loss
• Respond to crisis

The CPO’s biggest leverage:
• A major security breach has befallen the company
• The CEO calls the CSO into his office for a status update
• The CSO thinks back, glad she followed your advice, and says: “Thanks to the planning we did last year, no customer or personal information was available on the servers affected, and all information there was encrypted.”

Page 21

POLL 2: Which applies best?
- I have incident response plans for different types of incidents
- I have an incident response plan that is general
- I think we have a plan, but I haven't seen it for a while

Page 22

Event Entry

Basic event information captures what happened, when, who reported it, etc.

Page 23

Instant Incident Response Plans

Instant IR plans list required tasks by category

Page 24

For Privacy Professionals

Extensive, always up-to-date, regulation library bolsters compliance

IR plans map breach parameters to the appropriate regulations

Page 25

For Privacy Professionals

Task details aid task completion

Task source linked to the triggering regulatory language eases review

Page 26

POLL 3: How seriously does your organization take compliance?
- Critical
- Cost of business
- To avoid fines
- Not at all

Page 27

One Alewife Center, Suite 450 Cambridge, MA 02140 PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.” GARTNER

“Platform is comprehensive, user friendly, and very well designed.” PONEMON INSTITUTE

Marc Haskelson [email protected] 855.854.4722 ext 507

“One of the hottest products at RSA…” NETWORK WORLD – FEBRUARY 2013

Page 28

QUESTIONS