Best Practices In Corporate Privacy & Information Security
  • System EU-Directive - BDSG
    • Art. 25 I in conjunction with § 4b II BDSG: transfer of data to 3rd countries permitted only if adequate protection of data in 3rd country
    • Art. 25 IV: Commission decision: no adequate protection in USA => member states to take measures to prevent transfer of data
    • Art. 25 V: negotiations to enable data transfer (safe harbor rules)
    • Art. 26 in conjunction with § 4c I BDSG: exceptions (transfer permitted regardless of non-adequate protection)
      1. Consent of subject
      2. Necessary for performance in contractual relation with subject
      3. Necessary for performance in contractual relation with 3rd party in the interest of subject
      (4. Important public interest or necessary in the context of proceedings)
      (5. Vital interest of the subject)
      (6. Transfer from public register)
    • Art. 26 II, IV in conjunction with § 4c II BDSG: sufficient guarantees, especially contractual clauses => standard contractual clauses or binding business rules

Presentation Transcript

  • Best Practices in Corporate Privacy & Information Security Policies & Compliance
    • Satyakam Biswas
  • Topics
    • Introduction
    • Privacy Fundamentals
    • Legal Compliance
    • Physical & Electronic Security Issues
      • General
      • Privacy Specific
    • Questions & Conclusion
  • Introduction
    • Why Should You Worry About Privacy Laws?
      • Regulatory Enforcement
        • EU-Privacy Commissioners Announce Increased Enforcement
        • FTC Actions
      • Unfair Competition Provisions of the Lanham Act (15 USC 1125(a))
        • Collegenet, Inc. v. XAP Corp 2006 WL 2307457 (D. Or.)
      • Criminal Liability
      • Civil Litigation
      • Suspension of Business Activity
      • Loss of Rights to Use Data
      • Adverse Publicity – ChoicePoint
      • Employee Issues
        • Union/Work Council Leverage
        • Transfer of Data
    • Gap Between Privacy/Security Policies and Reality!!
  • Introduction
    • Why Should You Worry About Security?
      • “Adequate Security” Requirements in EU
      • FTC Actions in US BJ Case
      • Breach Notification Laws in US
      • HIPAA Requirements
      • GLB Requirements
      • SOX Issues
      • General Theories of Negligence in Civil Actions
  • Introduction
    • Goals
      • Avoid Damage to Company or Brand Image
      • Assure Business Continuity
      • Protect Value of Data Usability
      • Strengthen Business Relationships
      • Avoid Civil and Criminal Liability
  • Introduction
    • Modern Corporate Practice
      • Business Units Run Globally
      • Share Information Globally
      • IT & BPO Outsourcing
    • Distributed Information Management Systems
      • Servers Replicate Everywhere
      • 24/7 Seamless Networks
      • Not Able to Trace Data Flow
    • Comply with Strictest Law Where Company Does Business on a Global Basis
  • Fundamentals: General Privacy Model
    • Common Elements Of Most Legislation
      • Definition & Scope of Personal Identifier Information
      • Notice
      • Consent
        • Unambiguous
        • Opt Out for Direct Marketing
        • Opt In for Sensitive
        • Warning: Direct Marketing!!!
          • Opt Out from EU Privacy Directive
          • Opt In For EU Unsolicited Electronic Mail
      • Registrations
      • DPA Approvals or Notifications
      • Work Council Approval
  • Fundamentals: General Privacy Model
    • Common Elements of Most Legislation
      • Includes Paper or Electronic Data
      • Right to Review & Correct
      • Adequate Security
      • Registration
      • Transfer
      • DPA or Work Council Notice or Consent
      • Warning: Extraterritorial Reach of EU Directive!!
      • Privacy Laws - Global and Not Consistent
        • EEA
        • South America – Argentina
        • Asia - Japan
        • Canada
        • US??
  • Fundamentals: Notice and Consent Flowchart
  • Fundamentals: Trans-border Data Transfer
    • Directive 95/46/EC
    • EU expressly recognises “adequate protection” by national rules
  • Fundamentals: Trans-border Data Transfer to US
    • Safe Harbor Program
    • Contract (Model Clauses) or Binding Corp Rules
  • Legal Compliance
    • Data Transfer Agreements
      • Must Sign If Personal Data Being Transferred
        • Even If Local Law Does Not Require
        • DuPont Policy
        • Extraterritorial Reach of EU Directive
      • Scope
        • Employees
        • Vendors (Supply Chain)
        • Customers
        • Whenever Transfer Personal Information
      • Little Room For Negotiation
        • Do Not Connect DTA to Substantive Agreement
          • Avoid Limitation of Liability/Damages
          • Avoid Other Disclaimer Language
  • Legal Compliance
    • New DTA – See Form
      • Use EU Model Clauses (Controller to Controller)
        • Set 2 for Controller to Controller
        • Set 1 for Controller to Processor
    • Affiliates
    • Hub and Spoke Model
      • List of All Affiliates
      • Updates
      • Adopt Global Corporate Privacy and Electronic Security Policies
    • Suppliers, Customers, ASP’s, BPO’s, Other Outsourcing
      • All Required to Sign a DTA if Personal Information Being Transferred
      • All Required to Sign a DISO 4 E If 3rd Party Needs Access to Intranet Through Firewall
  • Legal Compliance
    • Data Transfer Agreements
      • Surprising How Few Companies Are Aware of Privacy Issues
        • Don’t Understand Need for DTA
        • Some Think that Signing HIPAA Agreement is Sufficient
        • Even If Aware, Don’t Want to Sign
        • Key Is to Have DTA Signed Before Substantive Contract is Awarded
      • Administrative Burden to Manage 1000’s of Contracts with Negotiated Terms
      • List Signed DTA’s at Privacy Central Intranet Website
      • Problem is Possible Changing Nature of Data Flow
        • Checkboxes Attempt to Address Annex of Model Clauses
        • Very Difficult to Manage
          • Not Know When Data Flow Changes
          • Changes in Contract Scopes of Work
      • Normal Route is Sourcing Buyer and Then In House Counsel
  • Legal Compliance
    • DISO 4 E (See Form)
      • Used When 3rd Party Given Access To Intranet Through Firewall
      • Requires Company Sponsor
      • DISO Screening
      • Periodic Sunsets
      • Includes Divested Business Access During Transitional Services Period
      • Data Base of Signed DISO 4E at DISO Intranet Website
      • Normal Route Is Either Sourcing Buyer or DISO Rep and then Legal Counsel
  • Legal Compliance
    • Anticipate Rather Than React
      • I-4 for eSecurity
      • CPO Council of Conference Board
      • IAPP
      • ABA
        • Cyberspace Law Committee of Business Law Section
        • SciTech
      • CLE Programs
      • BNA and Other Reporters
      • Outside Counsel Briefings
      • Networking
  • Legal Compliance
    • Make Sure Privacy & Security Policies Implemented
      • “Sourcing IT”
        • Dedicated Group for IT Procurement
        • Other Sourcing Buyers
        • Same Lawyer As DISO, Privacy, and CRIM Lawyer
        • Negotiate with Vendors To Make Sure Policy Compliance
      • Commercial Businesses
        • Educate Commercial Lawyers
        • Imbed eSecurity and Privacy Coordinators in each Business and Function
        • Work With IT Coordinators in each Business and Function
  • Legal Compliance
    • Regional In House Lawyer
      • Accountable and Responsible For eSecurity & Privacy Legal Issues in Region
      • Coordinate with Other Regional In House Counsel
      • Keep Up to Date on Regional Legislation/Enforcement
      • Participate in Creating Policies
      • Same In House Lawyer for Both Privacy and eSecurity
      • Work With Regional Outside Counsel as Needed
  • Legal Compliance
    • Make Sure Business Does Due Diligence On Potential 3rd Party Vendors
      • D & B
      • References
      • Credit Experience
      • Criminal Background Checks
      • Lexis Searches
      • Warranties in Contracts
      • RFP Questions
      • Make Sure 3rd Party is Substantial and Reputable
  • Legal Compliance
    • eSecurity Pre-Screening and Audits For 3rd Party Vendors (Supply Chain)
      • Self Audit Question
      • On Site Visit
      • DISO and IT Representatives
      • Contract Language Re Changes or Problem Reporting
      • Sponsor
      • Risk/Benefit Analysis At Corporate Level
    • Must Pass Screen Before Can Bid On Contracts
  • Legal Compliance
    • Supplier [Goods, Services, BPO, Outsourcing, etc.] Contract Terms
      • Preapproved Templates (See ASP Contract As Example)
      • Physical & Electronic Security Language
      • Privacy Language
      • Must Conform to DuPont Policies and Guidelines, as They Change
      • Criminal Background Checks – Where Legal
      • Drug Testing Requirements – Where Legal
      • Key is Treat Virtual Access to Plants, etc. the Same as Physical Access.
      • Site by Site Policies Based on Risks, Legal Requirements/Prohibitions
      • Indemnity for 3rd Party Claims re Privacy or Security Breaches
      • Limitation of Liability/Damages Carve Outs for Security and Privacy Breaches
      • Generally Comply With Law
  • Developing & Implementing Comprehensive Written Security Policies: General
  • Developing & Implementing Comprehensive Written Security Policies
    • Information Classification & Protection
      • Information Classification
      • Information Retention
      • Anti-Virus Software & Hardware
      • Application/Software Development
      • Information Disposal
      • Apply “Right to Know” Principle
      • Back-ups
      • Encryption
      • Fax Transmissions
      • Use of Copiers & Area Printers
      • Company Developed Software Ownership
      • Vulnerability Mitigation
      • Equipment Inventory
  • Developing & Implementing Comprehensive Written Security Policies
    • Identification & Authentication
      • Unique Identification
      • Shared Account
      • 2 Factor Authentication
      • Passwords
      • Access Requests
      • Access Deletions
      • Lockout Following Login Failures
      • Activity Logs
      • Password Resets
  • Developing & Implementing Comprehensive Written Security Policies
    • Information Security Responsibilities
      • DISO
      • Line Management Responsibilities
      • Asset Owners
      • Custodians
      • Users
  • Developing & Implementing Comprehensive Written Security Policies
    • Personal Computer Policy
      • Personal Firewalls
      • Web Hosting Software
      • Computer Lock Protection
      • Boot-Up Protection
      • Portable PC Precautions
      • Shared PC’s
    • Personally Owned Hardware & Software
    • Workplace Relocation & Site Shutdown Policy
    • Disaster Recovery & Potential Impact
  • Developing & Implementing Comprehensive Written Security Policies
    • Telephone Policy
      • Telephones
      • Voice Mail
      • Audio Bridge Conferences
      • Off Net Forwarding
    • Physical Security Policy
      • Physical Security
      • Visitors
    • Internal Network Connections Policy
      • Intranet Connection Controls
      • Process Control Networks
      • Network Directory
  • Developing & Implementing Comprehensive Written Security Policies
    • External Network Interface Controls
      • Internet Network Interface Controls
      • Inter-Company Network Interface Controls
      • Remote Access
    • Non-Employee Measures Policy & DuPont Sponsorship
    • Incident Reporting Policy
    • Mail Use Policy
      • E Mail Use
      • Expectation of Privacy
      • Paper Mail Practices
    • Traveling Policy
    • Outsourcing Policy
    • Monitoring Policy
      • Company Right to Monitor
      • Policies
      • Pre-Logon Warning Banner (See Form)
      • See Delaware Law
      • Monitoring Controls
    • Wireless Data Communication Policy
  • Preparedness/Response for Security Breaches
    • Key Is To Have System To Detect Possible Breaches
      • Reports to DISO From
        • Corporate, Business, or Function IT Coordinator
        • DISO Rep
        • Physical Security Organization
        • 3rd Parties
          • IT or BPO Outsourcer
          • Vendors
  • Preparedness/Response for Security Breaches
    • Key Triggers
      • Lost or Stolen Portables
      • Breach of Vendor or Customer Security
      • Employee Unauthorized Access and Use
      • 3rd Party Hacking Detected
      • Reports of ID Theft
    • Have A Process For Dealing With Security Breaches
      • Notify In All States/Countries Whether Legally Required or Not
      • Global Privacy Manager Accountable for Process
      • Include Legal, DISO, Physical Security, etc. as Needed
      • Make Sure That Public Affairs Is Included
        • Stand By Press Statement
        • All Inquiries to Public Affairs
      • Written Process
        • Accountability and Responsibility Allocation
        • Pre Approved Templates
        • Update as Needed
  • Preparedness/Response For Security Breaches
    • Training & Employee Awareness
      • DuPont Makes Available a Number of Privacy and E Security Educational Offerings to Employees:
        • Introduction to Privacy Requirements
        • Introduction to Information Privacy and Integrating Information Privacy at DuPont
        • Global Legislation Concerning Privacy
        • Information Privacy Implementation Communications Package
        • DISO-U Privacy Course for DISO Officers
        • EU Data Protection and Privacy Module in Legal Eagle TM
        • DISO U For A Range of Electronic Security On Line Courses
      • Employee Ethics Survey
      • Legal Briefings to Commercial, HR, and IP Attorneys & Paralegals
      • Yearly Presentations to Top Level Management
  • Developing & Implementing Comprehensive Written Security Policies: Privacy Specific
  • Security
    • Privacy Specific Requirements
      • Many Confusing Country or Statutory Standards
      • More on the Way
      • Key: Encryption, Encryption, Encryption!!!
      • Some Unique Requirements: Must Check Applicable Laws
    • Need To Have:
      • A Written Security Program
        • Administrative Safeguards
        • Technical Safeguards
        • Physical Safeguards
        • Nature and Scope of Activities
        • Sensitivity of PII
        • Requires Annual Updates
        • See Spanish Law For More Specifics (As An Example)
      • Vendor Will Appoint a Security Officer
      • No Right to Delegate Security Compliance to a Subcontractor Without Customer Approval
  • Security
    • Privacy Specific Requirements
      • Authentication & Authorization
        • Two Factor Authentication Technology
        • System Access Must Be Logged
        • Access Logs Retained for At Least 90 Days
        • Registration & Access Privilege Process Must Be Documented
        • Outsourcing Vendor Agrees to Audit At Least Quarterly The List of System Administration & Support Users
        • Disable Access for Users Who No Longer Need It to Support the Contract
        • Unique User ID for Each User
        • Password Life No Longer than 90 days
        • Outsourcing Vendor Must Audit Password Policy Compliance at least Every 6 months and Report Weaknesses
        • Outsourcing Vendor Must Notify Customer within 24 Hours of Any Compromise
        • Automatic Lockouts after 4 Consecutive Unsuccessful Tries
        • Only Unlock Account with Customer Permission
        • Limit Access to Authorized Users
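As an added example that is not part of the presentation, the following Python replays a constructed login event stream and audits account settings against the requirements listed on this slide: lockout after 4 consecutive failures, unlock only with customer permission, password life of at most 90 days, and access logs kept for at least 90 days. The event format, user IDs and dates are constructed for illustration.

```python
# Added example, not from the presentation; event format and sample values are constructed.
from dataclasses import dataclass
from datetime import date

MAX_FAILED_ATTEMPTS = 4      # automatic lockout after 4 consecutive unsuccessful tries
MAX_PASSWORD_AGE_DAYS = 90   # password life no longer than 90 days
MIN_LOG_RETENTION_DAYS = 90  # access logs retained for at least 90 days

@dataclass
class Account:
    user_id: str             # one unique ID per user, never shared
    password_set: date
    locked: bool = False
    consecutive_failures: int = 0

def apply_login_events(accounts, events):
    """Replay (user_id, 'ok'|'fail') events in time order: lock on the 4th
    consecutive failure, reset the count on success, return the IDs locked."""
    locked = []
    for user_id, outcome in events:
        acct = accounts[user_id]
        if acct.locked:
            continue  # stays locked until unlock() is called with approval
        if outcome == "fail":
            acct.consecutive_failures += 1
            if acct.consecutive_failures >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                locked.append(user_id)
        else:
            acct.consecutive_failures = 0
    return locked

def unlock(acct, customer_approved):
    if not customer_approved:  # only unlock with the customer's permission
        raise PermissionError(f"{acct.user_id}: unlock requires customer approval")
    acct.locked, acct.consecutive_failures = False, 0

def audit(accounts, today, log_retention_days):
    """Return findings against the requirements; an empty list means all passed."""
    findings = []
    if log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(f"access logs kept {log_retention_days} days, need {MIN_LOG_RETENTION_DAYS}")
    for acct in accounts.values():
        age = (today - acct.password_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{acct.user_id}: password {age} days old, limit {MAX_PASSWORD_AGE_DAYS}")
    return findings

def sample_run():
    """Constructed data: svc_admin01 fails 3x then succeeds; jdoe fails 4x; logs kept 30 days."""
    accounts = {"svc_admin01": Account("svc_admin01", date(2006, 6, 1)),
                "jdoe": Account("jdoe", date(2006, 8, 15))}
    events = [("svc_admin01", "fail")] * 3 + [("svc_admin01", "ok")] + [("jdoe", "fail")] * 4
    locked = apply_login_events(accounts, events)
    return accounts, locked, audit(accounts, date(2006, 10, 1), log_retention_days=30)
```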
  • Security
    • Privacy Specific Requirements
      • Transmission & Storage of PII
        • Encrypt Transmissions of PII
        • Stored PII Encrypted
        • Encryption Must be Integral and Enforced by the Application (Not At Option of User)
        • Master Keys Under Exclusive Control of Customer
      • Application Development
        • Separate, Distinct Computing Environment
          • Production System
          • Development Environment
        • Policies & Procedures to Prevent Introduction of Untested or Unapproved Changes into the Production System
        • Do Not Use the Actual Production System for Development, Testing or Troubleshooting Without Customer Approval
        • Destroy Development Data
  • Security
    • Privacy Specific Requirements
      • Event Logging
        • Virus Infections
        • System Administrative Rights Usage
        • System Support Logins
        • System Shutdowns and Restarts
      • Security Patches and Viruses Protection
        • Where Technically Feasible, Vendor installs Virus Protection Software
        • Apply Virus Updates Within 24 Hours
        • Apply Security Patches Within 24 Hours
  • Security
    • Privacy Specific Requirements
      • Access Restrictions
        • Limit Physical Access to Equipment Storing PII on “Need” Basis
        • Upon Contract Termination, Documentation Destroyed or Rendered Unreadable
      • Equipment Sanitization
        • Termination of Agreement or Replacement of Equipment Storing PII
        • Render Data Unreadable and Unrecoverable
        • Includes Equipment and Storage Media
      • Audit Requirements
        • Audit System at least Every 2 Years
        • Results of Audits and Corrective Actions Made Available to Customer and Possibly Regulatory Agencies
      • Backup Requirements
        • Replicate All PII on Backup System
        • Locate Backup Facilities At Different Geographic Location
        • Allow Data To Be Reconstructed Within Specified Timeframe
      • 3rd Party Notification of Breaches
  • Questions and Conclusion