Where security and privacy meet partnering tips for CSOs and privacy/compliance leads


This webinar will identify the challenges facing both the privacy and security offices, explain why the two need to work together, and identify mutual goals, both within their departments and in the context of the rest of the business. It includes solutions and suggestions for working together, along with case studies and examples showing common mistakes as well as success stories of privacy and IT offices working together.

Gant Redmon, General Counsel and VP of Business Development, Co3 Systems

  1. 1. Where Security and Privacy Meet - Partnering Tips for CSOs and Privacy/Compliance Leads
  2. 2. Today's Agenda
     For today's slides: http://compliancy-group.com/slides023/
     Next Free Education Session – March 11, 2:00 EST
       • How insurance can aid in data breach response expenses that arise in the wake of a data breach or security incident
       • Presented by Gamelah Palagonia, Privacy Professionals
     Today's & past webinars: http://compliancy-group.com/webinar/
     Page 2 Partner Logo Here
  3. 3. Introductions: Today's Speakers
       • Gant Redmon, General Counsel, Co3 Systems
  4. 4. Types Of Compromise
     [Chart] Source: Ponemon Research Institute, "Post Breach Boom 2013" (3,529 IT and IT Security respondents)
  5. 5. Detection of Compromise
     The discovery of malicious breaches averages 80 days for corporations.
     [Chart] Source: Ponemon Research Institute, "Post Breach Boom 2013" (3,529 IT and IT Security respondents)
  6. 6. Corporate Information Loss
     Information Loss: the exposure / loss of consumer or employee Personal Information, as well as trade secrets and intellectual property, from a compromise.
     Categories: Malicious Cyber-Attacks, Third-Party Leaks, Internal / Employee Actions, Lost / Stolen Assets
     Examples:
       • Hackers stole customer data, including credit card information (100 million records)
       • Laptops with patient data stolen by a former employee (208,000 records)
       • Digital marketing agency exposes customer data of dozens of clients (millions of records)
       • Employee sent CD-ROM with personal data on registered advisors (139,000 records)
  7. 7. Security and Compliance Together
     Security and Compliance are becoming the same thing - PCI, HIPAA, GLB
     "75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired" - Gartner, July 2012
     "It's about the response … with all hands on deck in a coordinated manner." - Gant, January 2014
  8. 8. Security and Compliance Together
       • Breach Response
         Track 1: Focus on cause analysis, remediation and customer communication
         Track 2: Legal compliance, communication with authorities, corporate filings
       - Companies often do Track 1 and then Track 2
       - But these tracks don't have to be separate
       - Incident response plans need to cover more than closing the vulnerability
  9. 9. Security and Compliance Together: expediency v. accuracy
  10. 10. Target Response
       • Clear notice with proposed next steps (good)
       • Deflected blame and responsibility (bad)
       • Initial notice by flacks (bad)
       • Later notices by CEO (good)
       • Immediate forensic investigation (good)
       • Few details to consumers (bad)
       • Breach notifications to consumers (good)
       • Breach notification to banks (not as good)
  11. 11. Target Response
       • Electronic notification with fraud monitoring (good)
       • E-mail notice with hyperlinks (very bad)
       • Follow-up notices (good)
       • No regular schedule of follow-up (bad)
       • Coordinate with law enforcement (good)
       • No info to consumers about how to contact law enforcement (bad)
  12. 12. POLL 1: Where does Data Privacy reside in your organization?
       - Legal Department
       - Security Office
       - Compliance Department
       - Other
  13. 13. CPO+CSO = BFF
     Challenges for the Privacy Office
       • Viewed as problem rather than solution
       • Need to be plugged in all over the enterprise to do the job
       • Budget starved
       • Maintaining vigilance in the absence of crisis
     Challenges for the Security Office
       • Needs to be effective 100% of the time; the threat only has to be effective once
       • Not trained to speak "compliance"
       • Pulled in many directions
       • Like tools more than process
  14. 14. CPO+CSO = BFF
     Why working together is important
       • Insight
       • Skills
       • Strategy
       • Budget
  15. 15. CPO+CSO = BFF
     Insight
       • The CSO is your early warning system
       • Ask yourself who your first responder is. Then ask what their priorities are when handling an incident
       • Scenario #1, Stolen Laptop: Fred from finance has his laptop stolen when his house is broken into. The CSO may have focused on getting Fred a new laptop and restoring info from backup. But did he think about what data was on the laptop? Did the information match definitions of PII or PHI? How does that relate to the data breach regulations affecting the company? The CSO hears "lost laptop" but you think "lost information". You can lead him along the path to privacy righteousness.
  16. 16. CPO+CSO = BFF
       • Scenario #2, Malware: Malware is detected on the HR and Engineering servers and log files show files have been accessed by an IP address assigned to an ISP in Kazakhstan. The CSO will focus on closing the vulnerability and ridding the system of malware. How fast will he also determine which files have been accessed and what was in those files? Bet it will be faster if he knows how important it is for you to determine whether the intruder made off with protected information.
       • Scenario #3, Insider Threat: Your network monitoring tool throws an alert that Rissa the receptionist has been removing files from the CFO's laptop just as your company is set to announce quarterly results and personnel information. The CSO may think his job is done when he reports Rissa to HR and she's marched out of the building. Will he think of analyzing Rissa's computer to see where that information might have been sent? You'll certainly want to know.
  17. 17. CPO+CSO = BFF
     Skills
       • Does the CPO have the resources to analyze a log file, image a disk, or conduct a forensic analysis?
       • Who tells you if the information was accessed or acquired?
       • Was it encrypted? In transit and at rest?
       • What is the nature of the information involved? Does it meet the definitions of PII or PHI?
       • The CSO is your oracle into affected information
  18. 18. CPO+CSO = BFF
     Strategy
       • This is where 1+1=3 via collaboration
       • The CSO will have a hand in the company's mobile, social media and cloud strategies but needs the CPO's guidance in launching these strategies.
       • For example, a health care organization realizes doctors are communicating with patients on the doctors' personal unencrypted email accounts. The CSO wants to roll out a patient site for communications with doctors in a secure environment. A number of vendors offer such patient sites, but which will keep the company on the right side of HIPAA/HITECH? You may not know log files, but you know HIPAA.
       • When you take a seat at the table next to the CSO for purposes of patient interaction, you have promoted yourself from a basic compliance function to a strategic contributor.
  19. 19. CPO+CSO = BFF
     Budget
       • CSOs have money. Privacy offices are not known for lavish budgets.
       • Some in management feel that traditional compliance functions should be kept on a strict fiscal diet so they don't become strong enough to hamper the business.
       • IT and security don't suffer from such reduced rations.
       • Network security is red hot these days and money is being spent.
       • Got a tool that helps the CSO identify privacy issues in everyday security incidents? You may find the CSO's budget a lot easier to tap than your own.
  20. 20. CPO+CSO = BFF
     Goals for Privacy and Security Departments
       • Educate in proper use
       • Prevent loss
       • Respond to crisis
     The CPO's biggest leverage:
       • A major security breach has befallen the company
       • The CEO calls the CSO into his office for a status update
       • The CSO thinks back, glad she followed your advice, and says: "Thanks to the planning we did last year, no customer or personal information was available on the servers affected and all information there was encrypted."
  21. 21. POLL 2: Which applies best?
       - I have incident response plans for different types of incidents
       - I have an incident response plan that is general
       - I think we have a plan, but I haven't seen it for a while
  22. 22. Event Entry
     Basic event information captures what happened, when, who reported it, etc.
  23. 23. Instant Incident Response Plans
     Instant IR plans list required tasks by category
  24. 24. For Privacy Professionals
     Extensive, always up-to-date regulation library bolsters compliance
     IR plans map breach parameters to the appropriate regulations
  25. 25. For Privacy Professionals
     Task details aid task completion
     Task source linked to the triggering regulatory language eases review
  26. 26. POLL 3: How seriously does your organization take compliance?
       - Critical
       - Cost of Business
       - To Avoid Fines
       - Not at All
  27. 27. "Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice." - PC Magazine, Editors' Choice
     "One of the hottest products at RSA…" - Network World, February 2013
     "Co3…defines what software packages for privacy look like." - Gartner
     "Platform is comprehensive, user friendly, and very well designed." - Ponemon Institute
     One Alewife Center, Suite 450, Cambridge, MA 02140 | Phone 617.206.3900 | WWW.CO3SYS.COM
     Contact: Marc Haskelson, Marc@compliancygroup.com, 855.854.4722 ext 507
  28. 28. QUESTIONS