Where Security and Privacy Meet: Partnering Tips for CSOs and Privacy/Compliance Leads
DESCRIPTION
This webinar identifies challenges in both the privacy and security offices, explains why the two must work together, and identifies mutual goals, both within their departments and in the context of the rest of the business. It includes solutions and suggestions for working together and case studies/examples showing common mistakes as well as success stories of privacy and IT offices working together. Panelists: Gant Redmon, General Counsel and VP of Business Development, Co3 Systems
TRANSCRIPT
Where Security and Privacy Meet - Partnering Tips for CSOs and Privacy/Compliance Leads
Page 2
Today’s Agenda
For today's slides: http://compliancy-group.com/slides023/
Next Free Education Session – March 11, 2:00 EST
• How insurance can aid with the data breach response expenses that arise in the wake of a data breach or security incident
• Presented by Gamelah Palagonia, Privacy Professionals
For today's and past webinars go to: http://compliancy-group.com/webinar/
Page 3
Introductions: Today’s Speakers
• Gant Redmon, General Counsel, Co3 Systems
Page 4
Types Of Compromise
Source: Ponemon Research Institute, “Post Breach Boom 2013” 3,529 IT and IT Security respondents
Page 5
Detection of Compromise
The discovery of malicious breaches averages 80 days for corporations.
Source: Ponemon Research Institute, “Post Breach Boom 2013” 3,529 IT and IT Security respondents
Page 6
Corporate Information Loss
Malicious Cyber-Attacks: hackers stole customer data, including credit card information (100 million records)
Lost / Stolen Assets: laptops with patient data stolen by a former employee (208,000 records)
Third-Party Leaks: digital marketing agency exposed customer data of dozens of clients (millions of records)
Internal / Employee Actions: employee sent a CD-ROM with personal data on registered advisors (139,000 records)
Information Loss: the exposure / loss of consumer or employee Personal Information, as well as trade secrets and intellectual property, from a compromise.
Page 7
Security and Compliance Together
Security and Compliance are becoming the same thing
- PCI, HIPAA, GLB
“75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired” - Gartner, July 2012
“It’s about the response … with all hands on deck in a coordinated manner.” - Gant, January 2014
Page 8
Security and Compliance Together
• Breach Response
Track 1: Focus on cause analysis, remediation and customer communication
Track 2: Legal compliance, communication with authorities, corporate filings
- Companies often do Track 1 and then Track 2
- But these tracks don’t have to be separate.
- Incident response plans need to cover more than closing the vulnerability
Page 9
Security and Compliance Together
Expediency v. accuracy
Page 10
Target Response
• Clear notice with proposed next steps (good)
• Deflected blame and responsibility (bad)
• Initial notice by flacks (bad)
• Later notices by CEO (good)
• Immediate forensic investigation (good)
• Few details to consumers (bad)
• Breach notifications to consumers (good)
• Breach notification to banks (not as good)
Page 11
Target Response
• Electronic notification with fraud monitoring (good)
• E-mail notice with hyperlinks (very bad)
• Follow up notices (good)
• No regular schedule of follow up (bad)
• Coordinate with law enforcement (good)
• No info to consumers about how to contact law enforcement (bad)
POLL 1: Where does Data Privacy reside in your organization?
- Legal Department
- Security Office
- Compliance Department
- Other
Page 13
CPO+CSO = BFF
Challenges for the Privacy Office
• Viewed as problem rather than solution
• Need to be plugged in all over the enterprise to do the job
• Budget starved
• Maintaining vigilance in the absence of crisis
Challenges for the Security Office
• Needs to be effective 100% of the time; the threat only has to be effective once
• Not trained to speak “compliance”
• Pulled in many directions
• Like tools more than process
Page 14
CPO+CSO = BFF
Why working together is important
• Insight
• Skills
• Strategy
• Budget
Page 15
CPO+CSO = BFF
Insight
• The CSO is your early warning system
• Ask yourself who your first responder is. Then ask what their priorities are when handling an incident
• Scenario #1, Stolen Laptop: Fred from finance has his laptop stolen when his house is broken into. The CSO may have focused on getting Fred a new laptop and restoring info from backup. But did he think about what data was on the laptop? Did the information match definitions of PII or PHI? How does that relate to the data breach regulations affecting the company? The CSO hears lost laptop but you think lost information. You can lead him along the path to privacy righteousness.
Page 16
CPO+CSO = BFF
• Scenario #2, Malware: Malware is detected on the HR and Engineering servers and log files show files have been accessed by an IP address assigned to an ISP in Kazakhstan. The CSO will focus on closing the vulnerability and ridding the system of malware. How fast will he also determine which files have been accessed and what was in those files? Bet it will be faster if he knows how important it is for you to determine whether the intruder made off with protected information.
• Scenario #3, Insider Threat: Your network monitoring tool throws an alert that Rissa the receptionist has been removing files from the CFO’s laptop just as your company is set to announce quarterly results and personnel information. The CSO may think his job is done when he reports Rissa to HR and she’s marched out of the building. Will he think of analyzing Rissa’s computer to see where that information might have been sent? You’ll certainly want to know.
Page 17
CPO+CSO = BFF
Skills
• Does the CPO have the resources to analyze a log file, image a disk, or conduct a forensic analysis?
• Who tells you if the information was accessed or acquired?
• Was it encrypted? In transit and at rest?
• What is the nature of the information involved? Does it meet the definitions of PII or PHI?
• The CSO is your oracle into affected information
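The questions on this slide, and Scenario #2 before it, come down to one concrete task the security team can hand the privacy office: from the access logs, which files did the outside address read, and do any of them look like they hold PII? The script below is an added example, not material from the webinar or from Co3 Systems. The log format, the sample log lines, the file contents and the internal address range are all constructed, the external address is taken from the RFC 5737 documentation range, and the regexes are illustrative PII indicators only, not a legal definition of PII or PHI; those definitions are what the CPO brings to the table.

```python
"""Breach-scope triage: which files did an external address read, and do they
look like they hold PII?

Added example, not from the webinar or Co3 Systems. The log format, sample
lines, file contents and internal address range are constructed; the PII
patterns are illustrative indicators, not a legal definition of PII or PHI.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed file-server access log: timestamp, client IP, action, path.
# 203.0.113.0/24 is the RFC 5737 documentation range, standing in for the
# foreign-ISP address of Scenario #2. The last line is deliberately malformed.
SAMPLE_LOG = """\
2014-01-14T02:11:07Z 10.20.1.15 READ /hr/onboarding-checklist.docx
2014-01-14T02:13:41Z 203.0.113.45 READ /hr/payroll-2013.csv
2014-01-14T02:14:02Z 203.0.113.45 READ /eng/build-notes.txt
2014-01-14T02:15:55Z 203.0.113.45 READ /hr/benefits-enrollment.csv
2014-01-14T02:20:19Z 10.20.1.22 WRITE /eng/release-plan.md
garbage line that does not parse
"""

# Constructed contents of the files named in the log (in a real case these
# come from the disk image or the file share, not from a dict).
SAMPLE_FILES = {
    "/hr/onboarding-checklist.docx": "badge, laptop, parking pass\n",
    "/hr/payroll-2013.csv": "name,ssn,salary\nJ. Doe,123-45-6789,82000\n",
    "/eng/build-notes.txt": "Build 1432 passed; ship Tuesday.\n",
    "/hr/benefits-enrollment.csv": "name,dob,plan\nA. Roe,1979-03-02,PPO\n",
    "/eng/release-plan.md": "Q1 release plan\n",
}

# Assumed: everything in 10.0.0.0/8 is the corporate network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<action>[A-Z]+) (?P<path>\S+)$")

# Illustrative PII indicators only; real classification follows the statutory
# definitions the CPO owns (state breach laws, HIPAA PHI elements).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def is_external(ip: str) -> bool:
    """True if the address lies outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def files_touched_by_external(log_text: str) -> dict:
    """Map each external client IP to the set of paths it accessed.

    Malformed lines and non-IP client fields are skipped rather than
    aborting the triage.
    """
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        try:
            external = is_external(m["ip"])
        except ValueError:
            continue
        if external:
            touched[m["ip"]].add(m["path"])
    return dict(touched)


def classify_pii(content: str) -> list:
    """Names of the PII indicators found in the content, sorted."""
    return sorted(name for name, pat in PII_PATTERNS.items() if pat.search(content))


def triage(log_text: str, files: dict) -> dict:
    """For each external IP: accessed path -> PII indicators in that file.

    A file the log names but that is not available is reported with an
    empty indicator list; the CPO still needs to know it was read.
    """
    report = {}
    for ip, paths in files_touched_by_external(log_text).items():
        report[ip] = {p: classify_pii(files.get(p, "")) for p in sorted(paths)}
    return report


if __name__ == "__main__":
    for ip, findings in triage(SAMPLE_LOG, SAMPLE_FILES).items():
        for path, kinds in findings.items():
            print(f"{ip} read {path}: {', '.join(kinds) if kinds else 'no PII indicators'}")
```

Run as-is it reports that the external address read three files, two of which carry an SSN and a date of birth respectively; that list, not "the malware is gone", is what the privacy office needs to decide whether a notification obligation has been triggered.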
Page 18
CPO+CSO = BFF
Strategy
• This is where 1+1=3 via collaboration
• The CSO will have a hand in the company’s mobile, social media and cloud strategies but needs the CPO’s guidance in launching these strategies.
• For example, a health care organization realizes doctors are communicating with patients on the doctors’ personal unencrypted email accounts. The CSO wants to roll out a patient site for communications with doctors in a secure environment. A number of vendors offer such patient sites, but which will keep the company on the right side of HIPAA/HITECH? You may not know log files, but you know HIPAA.
• When you take a seat at the table next to the CSO for purposes of patient interaction you have promoted yourself from a basic compliance function to a strategic contributor.
Page 19
CPO+CSO = BFF
Budget
• CSOs have money. Privacy offices are not known for lavish budgets.
• Some in management feel that traditional compliance functions should be kept on a strict fiscal diet so they don’t become strong enough to hamper the business.
• IT and security don’t suffer from such reduced rations.
• Network security is red hot these days and money is being spent.
• Got a tool that helps the CSO identify privacy issues in everyday security incidents? You may find the CSO’s budget a lot easier to tap than your own.
Page 20
CPO+CSO = BFF
Goals for Privacy and Security Departments
• Educate in proper use
• Prevent loss
• Respond to crisis
The CPO’s biggest leverage:
• A major security breach has befallen the company
• The CEO calls the CSO into his office for a status update
• The CSO thinks back, glad she followed your advice, and says: “Thanks to the planning we did last year, no customer or personal information was available on the servers affected and all information there was encrypted.”
POLL 2: Which applies best?
- I have incident response plans for different types of incidents
- I have an incident response plan that is general
- I think we have a plan, but I haven't seen it for a while
Page 22
Event Entry
Basic event information captures what happened, when, who reported it, etc.
Page 23
Instant Incident Response Plans
Instant IR plans list required tasks by category
Page 24
For privacy professionals
Extensive, always up-to-date, regulation library bolsters compliance
IR plans map breach parameters to the appropriate regulations
Page 25
For Privacy Professionals
Task details aid task completion
Task source linked to the triggering regulatory language eases review
POLL 3: How seriously does your organization take compliance?
- Critical
- Cost of business
- To avoid fines
- Not at all
One Alewife Center, Suite 450 Cambridge, MA 02140 PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.” GARTNER
“Platform is comprehensive, user friendly, and very well designed.” PONEMON INSTITUTE
Marc Haskelson [email protected] 855.854.4722 ext 507
“One of the hottest products at RSA…” NETWORK WORLD – FEBRUARY 2013
QUESTIONS