Katherine Fithen has been a leader in information security for more than 20 years. She retired as the Chief Privacy Officer and Director of Governance & Compliance at The Coca-Cola Company in July 2017. Prior to joining The Coca-Cola Company in 2002, Katherine was the Senior Manager of the CSIRT Program at PricewaterhouseCoopers, LLP, and prior to PwC, the Manager of the CERT®. Katherine has earned a Bachelor of Arts in Retail Management, a Master of Arts in Personnel Management, and a Master of Science in Information Science.
Katherine is on several advisory boards for privacy and security. In August 2015, Katherine was listed as one of “Women in IT Security: 10 Power Players”.
4. Classification: //SecureWorks/Confidential - Limited External Distribution:
Why Compliance ≠ Security
• SOX
  • Enron
• PCI
  • TJ Maxx breach (2007)
    • Had been certified by PCI assessment
    • 45.6 million cards compromised
• Privacy
  • Target breach (2013 - 2015)
    • 42 million cards compromised
    • 61 million people had PI compromised
  • OPM breach
    • 21.5 million people had PI compromised
  • Equifax
    • 143 million people had PI compromised
ciso.eccouncil.org 4
Privacy Partnership
• Business
  • “Owner” of the data
  • HR, Marketing, Customer, etc.
• IT
  • Technology enables organizations to align with privacy laws, regulations, and expectations
• Legal
  • Provide the legal/regulatory requirements for
    • Business owners of data
    • IT
Privacy Partnership (cont.)
• IT
  • IT SDLC
    • Access controls
      • Negative testing
    • Authentication
      • MFA vs UserID + passwd
    • Encryption
      • Who owns/manages the encryption key?
    • Age validation implementation
    • Logs
      • Application
      • Network
  • Contract obligations for vendors & vendor management
Privacy Partnership (cont.)
• Considerations for Privacy Office & Privacy Council
  • Privacy Office
    • IT and Legal
  • Privacy Council
    • Legal
    • IT
    • Marketing
    • HR
    • Public Affairs
    • Internal Audit
    • Controller’s Office
Risk Management
• If compliance ≠ security – then what do we do?
• Most organizations cannot protect all assets equally – and probably should not
  • Too costly
  • Too resource-intensive
• Risk Management
  • Identify sensitive assets
    • IP (Intellectual Property)
    • PI (Personal Information)
  • Insider threat vs external threats
Breach Response (cont.)
• Who, What, Where, When, and How
  • Who
    • Legal, Business owner of breached data, IT, Public Affairs, Vendor(s), 3rd-party breach response team (e.g., PCI)
    • Who leads/is decision maker?
    • Regulators
Breach Response (cont.)
• Who, What, Where, When, and How
  • What
    • What happened?
    • How quickly will you know what happened?
    • What to communicate about what happened?
      • What facts do you have?
      • What “beliefs” do you have?
    • What steps do I take?
    • What services do I offer (e.g., ID theft protection, etc.)?
Breach Response (cont.)
• Who, What, Where, When, and How (cont.)
  • Where
    • Where is it?
      • My data?
      • My users?
      • My logs/evidence?
Breach Response (cont.)
• Who, What, Where, When, and How (cont.)
  • When
    • Communicate
      • Internally
      • Externally
      • “Know” what happened to be able to communicate?
    • Bring in a 3rd-party
      • Required by regulation?
      • Need the SME assistance?
      • Want outsider “objective” assistance?
Breach Response (cont.)
• Who, What, Where, When, and How (cont.)
  • How
    • How do I communicate?
      • Internally
      • Externally
    • How do I make “Everyone” comfortable / confident in my ability to handle it?
      • Those impacted?
      • Regulators?
      • Media?
      • Employees?
      • Partners?
In Closing
• We need to work together – Business, IT, and Legal – to ensure we enable the business while protecting company assets