Privacy & Data Breach Management
Presentation Transcript

  • Privacy & Data Breach Management: Benchmarks, Informal Survey, Solutions. Presentation by Dr. Larry Ponemon. Webinar sponsored by Co3 Systems. September 13, 2012
  • Agenda
    • Benchmark Analysis
    • Cost Benchmarks
    • Informal Influencer Survey
    • Market Need For Breach Management Solutions
    9/13/2012 Ponemon Institute: Private & Confidential Information 2
  • About Ponemon Institute
    • Ponemon Institute conducts independent research on cyber security, data protection and privacy issues.
    • Since our founding 11+ years ago our mission has remained constant, which is to enable organizations in both the private and public sectors to have a clearer understanding of the practices, enabling technologies and potential threats that will affect the security, reliability and integrity of information assets and IT systems.
    • Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.
    • In addition to research, Ponemon Institute offers independent assessment and strategic advisory services on privacy and data protection issues. The Institute also conducts workshops and training programs.
    • The Institute is frequently engaged by leading companies to assess their privacy and data protection activities in accordance with generally accepted standards and practices on a global basis.
    • The Institute also performs customized benchmark studies to help organizations identify inherent risk areas and gaps that might otherwise trigger regulatory action.
  • Benchmark Analysis: Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=89 companies)
  • Background
    • Ponemon Institute has conducted detailed benchmark surveys of corporate privacy program activities for the past 10 years (starting in January 2003).
    • Ponemon Institute has conducted more than 500+ separate benchmark studies.
    • A total of 89 large, US-based organizations in various industries participated in this 2012 study (fieldwork concluding in August).
    • The primary contact in these organizations was the chief security officer, the chief information security officer, the chief privacy officer or another individual who has overall responsibility for privacy & data protection.
    • All results were gathered by the researcher. All individual and company-identifiable information was removed to protect the confidentiality of responding organizations.
    • Caveats – Benchmarks provide descriptive information that may not be representative of all corporate privacy initiatives.
  • Industries: A total of 89 companies participated in this 2012 research. Minimum headcount of participating companies is > 1,000. (Pie chart of participants by industry: financial services, health & pharma, retail, public sector, industrial, services, consumer products, technology & software, transportation, energy & utilities, communications, education & research, other; the per-industry percentages are not legible in the transcript.)
  • Overall Benchmark Score: The benchmark scores for the 2012 sample of 89 companies are presented in percentage form. These scores are compiled from a proprietary instrument containing 130 items presented in seven (7) sections. Each section is weighted equally for purposes of comparison. (Bar chart of scores by headcount group: > 25,000 FTE, 5,000 to 25,000 FTE, < 5,000 FTE and Overall; values shown 61%, 53%, 47% and 42%.)
  • Overall Benchmark Score: The benchmark scores for the 2012 sample of 89 companies are presented in percentage form. These scores are compiled from a proprietary instrument containing 130 items presented in seven (7) sections. Each section is weighted equally for purposes of comparison. (Bar chart of scores by section: Policy, Com, Mgmt, Security, Compliance, Choice, Redress; values shown 79%, 70%, 61%, 56%, 42%, 33% and 29%.)
  • Benchmarks on Privacy Policies
    • Centralized version control procedures 49%
    • Harmonized approach to global policies 43%
    • Acceptable use policies for social media 41%
    • Acceptable use policies for mobile devices (BYOD) 38%
    (Trend chart of the privacy policies score, 2003 to 2012.)
  • Benchmarks on Training & Communications
    • Mandatory training for all employees 41%
    • Specialized training for high risk employees 37%
    • Metrics for assessing training effectiveness 30%
    • Incident response training for readiness 29%
    • Privacy awareness for business partners 15%
    • Privacy awareness for customers 12%
    (Trend chart of the training & communications score, 2003 to 2012.)
  • Benchmarks on Privacy Program Management
    • Centralized authority 35%
    • Adequacy of program resources 33%
    • Formal privacy or data governance strategy 29%
    • Data inventory for sensitive PI 21%
    • Independent audit or assessment 17%
    (Trend chart of the privacy program management score, 2003 to 2012.)
  • Benchmarks on Data Security
    • Alignment of privacy and cyber security strategy 33%
    • Extensive use of encryption for data at rest 31%
    • Controls over PI data in cloud environments 29%
    • Extensive use of data loss prevention tools 27%
    • Privileged user visibility 24%
    (Trend chart of the data security score, 2003 to 2012.)
  • Benchmarks on Privacy Compliance & Monitoring
    • Compliance monitoring over contract and temporary employees 29%
    • Mock regulatory audits or assessments 25%
    • Advanced assessments of marketing campaigns 22%
    • Board level reporting 21%
    • Evaluation of information theft upon employee termination 21%
    (Trend chart of the compliance & monitoring score, 2003 to 2012.)
  • Benchmarks on Consent & Choice
    • Exclusive use of permission-based lists for customer/consumer contact 26%
    • Testing that customer preferences are honored 23%
    • Rigorous monitoring of secondary uses of sensitive PI 22%
    • Global harmonization of consumer preferences 18%
    • Readiness for do not track 18%
    (Trend chart of the consent & choice score, 2003 to 2012.)
  • Benchmarks on Redress & Enforcement
    • Whistle blowing protection 27%
    • Redress process involves the privacy leader 26%
    • Escalation procedures 24%
    • Specific timeline to investigate incidents 21%
    • Enforcement actions reported to executive management 20%
    (Trend chart of the redress & enforcement score, 2003 to 2012.)
  • Net change over 10 years: The benchmark scores for the 2012 sample consist of 89 companies. The benchmark scores for the 2003 sample consist of 68 companies. Please note that both samples were matched by organizational headcount (size), industry sector and geographic footprint. Certain items in the proprietary benchmark instrument were edited or updated over this 10-year period. (Bar chart comparing FY 2012 and FY 2003 by section: Policy, Com, Mgmt, Security, Compliance, Choice, Redress; values shown 79%, 70%, 61%, 56%, 56%, 50%, 46%, 42%, 40%, 39%, 35%, 33%, 29% and 27%.)
  • Cost Benchmarks: Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=265 companies)
  • Extrapolated cost of privacy programs, $US millions (000,000 omitted). Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=265 companies). This graph reports the average direct and indirect program spending for FY 2012 based on SES quartiles from 1 = highest to 4 = lowest. The SES is a metric ranging from -2 (lowest) to +2 (highest) that attempts to measure the effectiveness of an organization’s information security posture. The SES was developed by Ponemon Institute and has been validated in more than 50 studies conducted over nearly eight (8) years. As can be seen, organizations with a higher SES spend more direct and indirect costs on privacy programs. While not shown in this graph, the average privacy program cost for our benchmark sample of companies totals $5.98 million. (Bar chart of direct cost, indirect cost and total by quartile: Quartile 1 (SES 1.1), Quartile 2 (SES .71), Quartile 3 (SES .35), Quartile 4 (SES -.11).)
  • Extrapolated cost of privacy programs, $US millions (000,000 omitted). Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=265 companies). This graph reports the average direct and indirect program spending for FY 2012 based on six expenditure or spending categories totaling $5.98 million. As can be seen, the two highest spending categories are data security ($1.55 million) and program management ($1.50 million). In contrast, the two lowest spending categories are redress and enforcement ($.30 million) and policies and procedures ($.60 million). While not shown separately, our benchmark sample of companies spend approximately 25% of budget on program management activities, which includes all costs associated with data breach incident management. (Bar chart of spending by category: policies & procedures $0.60, training & communication, program management $1.50, data security $1.55, compliance monitoring, redress & enforcement $0.30; the two remaining values shown are $1.14 and $0.90.)
  • Informal Influencer Survey
  • Benchmark study of 107 privacy influencers
    • Results in this report are based on Ponemon Institute’s proprietary database of privacy practices in US organizations.
    • Examined perceptions about data breach incident response management.
    • Purpose of analysis is to determine the value privacy leaders place on an automated tool or system to deal with the data breach incident management process.
    • The results indicate that privacy leaders believe automated management tools are important to deal with the data breach incident management process due to the numerous separate incidents that require ongoing tracking.
  • Is there a need to have an automated tool or system to deal with the data breach incident management process? Benchmark question posed to 107 privacy leaders in U.S. based corporations. (Pie chart: Yes 81%; No and Unsure account for the remaining 15% and 4%.)
  • Do you have an automated data breach management tool or system today? Benchmark question posed to 107 privacy leaders in U.S. based corporations. (Pie chart: No; Yes, homemade; Yes, commercial; values shown 62%, 36% and 2%.)
  • What is your company’s primary focus for data breach management issues? Benchmark question posed to 107 privacy leaders in U.S. based corporations. (Pie chart: US, Global, North America, Europe/EU, Latin America, Asia-Pacific; values shown 50%, 31%, 10%, 6% and 2%.)
  • Approximately how many separate incidents require tracking over a 12-month period? Benchmark question posed to 107 privacy leaders in U.S. based corporations.
    • > 40: 9%
    • 21 to 40: 15%
    • 11 to 20: 24%
    • 5 to 10: 36%
    • 2 to 4: 10%
    • < 2: 5%
  • Need for a Data Breach Management Tool
    • Ponemon Institute’s tracking study of the cost of privacy programs reveals the potential market demand for a data breach incident management tool for the following reasons:
      – Cost effective – TCO of the tool versus labor costs and professional fees
      – A comprehensive and accurate repository of summarized privacy and data breach laws reduces research costs and legal services.
      – Benefits SMBs that cannot afford a fully-dedicated privacy staff.
      – Secures (locks down) sensitive and confidential information concerning data breach incidents and events.
      – Avoids redundant or inconsistent operating practices and reduces operational complexity.
    • Ponemon Institute’s proprietary benchmarks on corporate privacy spending for larger-sized organizations (headcount > 1,000) reveal a substantial spending level for program management (which includes incident response) and data security measures.
  • Questions? Ponemon Institute, www.ponemon.org. Tel: 231.938.9900. Toll Free: 800.887.3118. Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA. research@ponemon.org