2009 iapp-the corpprivacydeptmar13-2009


Published on

The corporate privacy department -

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

2009 iapp-the corpprivacydeptmar13-2009

  1. 1. The Corporate Privacy Department Challenges, Synergies, and Value Demonstration Aurobindo Sundaram VP Security LexisNexis Group IAPP Privacy Summit Mar 13, 2009
  2. 2. Session Goals <ul><li>You will gain an understanding of: </li></ul><ul><ul><li>The challenges of a standalone privacy organization </li></ul></ul><ul><ul><li>The potential synergies and alignments with different departments in the organization </li></ul></ul><ul><ul><li>Good practice frameworks for information protection </li></ul></ul><ul><ul><li>Value demonstration and privacy metrics </li></ul></ul>
  3. 3. Overview <ul><li>Information is everywhere! </li></ul><ul><ul><li>Far easier and beneficial to manipulate bits/bytes than printed paper </li></ul></ul><ul><ul><li>Information is necessary in this world, to help informed corporations, government, and consumers make the appropriate risk decisions </li></ul></ul><ul><ul><li>Good corporate citizenship dictates the need for robust data governance models (including privacy and security) </li></ul></ul><ul><ul><li>Must balance consumer privacy concerns, civil rights, and the usefulness of information </li></ul></ul>
  4. 4. Overview <ul><li>Good practice will dictate that privacy organizations find and exploit increased synergies within: </li></ul><ul><ul><li>Information Security, </li></ul></ul><ul><ul><li>Information Technology, </li></ul></ul><ul><ul><li>Application Development, </li></ul></ul><ul><ul><li>Government Affairs, </li></ul></ul><ul><ul><li>Business Development/Management, </li></ul></ul><ul><ul><li>Legal, and </li></ul></ul><ul><ul><li>Compliance departments. </li></ul></ul><ul><li>Other trends driving the performance and success of privacy offices: </li></ul><ul><ul><li>A focus on information protection (&quot;follow the data&quot;) </li></ul></ul><ul><ul><li>Privacy as a competitive advantage </li></ul></ul><ul><ul><li>Privacy legislation closely tied to security protections </li></ul></ul><ul><ul><li>Metrics creation, measurement, communication, and improvement </li></ul></ul><ul><li>Let’s explore some frameworks and integration points that demonstrate tangible value to an organization. </li></ul>
  5. 5. History & Current State <ul><li>History: </li></ul><ul><li>First Chief Privacy Officer position created in the late 1990s </li></ul><ul><li>Many CPO positions </li></ul><ul><ul><li>Created after privacy/security incident </li></ul></ul><ul><ul><li>To meet requirements (GLB, HIPAA) </li></ul></ul><ul><li>Similar to the rise of the Chief Security Officer </li></ul><ul><li>Current State: </li></ul><ul><li>Privacy often reports into Legal </li></ul><ul><li>Reactive, mainly breach response </li></ul><ul><ul><li>Rarely involved in product development </li></ul></ul><ul><ul><li>No substantial interactions with other departments (except sometimes compliance) </li></ul></ul><ul><ul><li>Online privacy policy development </li></ul></ul><ul><ul><li>Limited external presence </li></ul></ul><ul><li>But … recent talk of “convergence”… </li></ul>
  6. 6. Challenges <ul><li>Challenges: </li></ul><ul><li>Electronic data use exploding </li></ul><ul><li>Businesses have a motivation to multi-purpose data </li></ul><ul><li>Consumers have privacy concerns </li></ul><ul><li>Data accessed in different ways (SaaS, private line, Internet, batch, etc.) </li></ul><ul><li>Where is the line between business need and privacy concerns? </li></ul><ul><li>Corporate Privacy must work closely with: </li></ul><ul><li>Product Management </li></ul><ul><li>Product Development </li></ul><ul><li>Operations/IT </li></ul><ul><li>Security </li></ul><ul><li>Customer service/consumer interactions </li></ul><ul><li>Legal </li></ul><ul><li>Incident Response </li></ul><ul><li>Human Resources/Credentialing </li></ul><ul><li>Compliance </li></ul>Corporate Privacy must stop being a silo in order to remain viable.
  7. 7. Alignment and Tasks … <ul><li>Product Management and Development </li></ul><ul><ul><li>Information privacy/business analysis </li></ul></ul><ul><ul><ul><li>What data is involved? </li></ul></ul></ul><ul><ul><ul><li>What are the privacy implications? </li></ul></ul></ul><ul><ul><ul><li>How does it benefit the consumer? The customer? </li></ul></ul></ul><ul><ul><ul><li>If the data to be used is sensitive, can it be appropriately protected? Can an alternative be found? </li></ul></ul></ul><ul><ul><ul><li>What controls must be placed on data? (truncation, activity monitoring, permissible purpose certifications, etc.) </li></ul></ul></ul><ul><ul><ul><li>What are the compliance implications of data usage? (with Legal/Compliance) </li></ul></ul></ul>
  8. 8. Alignment and Tasks … <ul><li>IT Operations/Information Security </li></ul><ul><ul><li>Information security has historically been “technology” security </li></ul></ul><ul><ul><li>Privacy department needs technology support </li></ul></ul><ul><ul><li>Security (e.g. confidentiality, encryption) is closely linked to privacy </li></ul></ul><ul><ul><li>Operations/IT/security can help solve privacy requirements (e.g. encryption to preserve confidentiality; segregation of duties; segregated development and production environments) </li></ul></ul>Privacy must leverage technology/security to implement robust privacy controls.
  9. 9. Alignment and Tasks … <ul><li>Incident Response/HR/Customer service </li></ul><ul><ul><li>Use lessons learned from incidents -> feedback to product management/information security/development </li></ul></ul><ul><ul><li>Work closely with HR on employee monitoring policies </li></ul></ul><ul><ul><li>Communication, education, and outreach both internally and externally </li></ul></ul><ul><li>Legal/Compliance </li></ul><ul><ul><li>Privacy’s strongest interactions have historically been with these departments. </li></ul></ul><ul><ul><li>Work with Legal to understand upcoming legislation, privacy implications, and business impact to help shape company response. </li></ul></ul><ul><ul><li>Ensure compliance performs testing of privacy-related requirements (e.g. privacy policy, training, encryption, third party assessments). </li></ul></ul>
  10. 10. Product Management/ Development Privacy Lifecycle Corporate Privacy Legal/ Compliance Policies Procedures Guidelines Information Security Communication, Education, and Outreach Compliance/ Audit Incident Response/ Operations
  11. 11. Good Practices <ul><li>Rely on established internationally recognized frameworks, because of their completeness, consistency and standards-based approach. This may include: </li></ul><ul><ul><li>Security standards (such as ISO 27002), </li></ul></ul><ul><ul><li>Disaster recovery guidelines (such as those from the FFIEC), </li></ul></ul><ul><ul><li>Privacy principles (e.g. fair information practices from AICPA), and </li></ul></ul><ul><ul><li>Potentially organization/situation-specific proprietary guidelines (for instance, to appropriately credential/screen customers; customer activity audits; other assessments). </li></ul></ul><ul><li>Organizations that use deliberate, structured, but flexible processes to create privacy and security frameworks will benefit. </li></ul>Assess your own organization for applicability …
  12. 12. Good Practices <ul><li>Know where privacy sensitive information (e.g. consumer Personally Identifiable Information (PII)) is stored and processed on their information systems. </li></ul><ul><ul><li>A periodically updated inventory of privacy sensitive information. </li></ul></ul><ul><ul><li>Documented procedures, tools and associated training to control access to privacy sensitive information, and assist authorized employees in protecting privacy sensitive information during receipt from customers and consumers, transmission (e.g., via e-mail) and storage. </li></ul></ul><ul><li>Discuss … Who does this? How? Lessons learned? </li></ul>WHERE is privacy sensitive information in the enterprise?
  13. 13. Good Practices <ul><li>Credentialing is an essential component and should focus on: (1) employees, (2) customers and (3) vendors/third parties. </li></ul><ul><ul><li>Through credentialing, an organization is able to mitigate the risk of fraud, and ensuring permissible regulatory purpose and legitimate business purpose for accessing information products, systems and data. </li></ul></ul><ul><li>In the privacy and information security context, accountability is critical. Establish a governance model. </li></ul><ul><li>Technology solutions to help safeguard information and effectively implement privacy related controls </li></ul><ul><ul><li>Masking/Non-display of privacy sensitive information </li></ul></ul><ul><ul><li>Encryption </li></ul></ul><ul><ul><li>Vulnerability assessments </li></ul></ul><ul><ul><li>Firewalls, IDS, IPS, etc. </li></ul></ul><ul><ul><li>Data leakage detection and response </li></ul></ul>WHO is allowed to have access to privacy sensitive information?
  14. 14. Good Practices <ul><li>Meaningful audit and compliance programs to measure usage of privacy sensitive information. </li></ul><ul><ul><li>Fraud and anomalous use detection </li></ul></ul><ul><ul><li>Permissible purpose and appropriate use audits </li></ul></ul><ul><ul><li>Customer and consumer audits (as appropriate) </li></ul></ul><ul><ul><li>Third party provider safeguards (MA regulations …) </li></ul></ul><ul><ul><li>Federal and state law compliance (e.g. FCRA, GLB, state privacy laws) </li></ul></ul>WHAT do authorized users do with privacy sensitive information?
  15. 15. Good Practices <ul><li>Training, education and internal/external outreach. Ensures that all constituencies are aware of the framework’s components and responsibilities that accompany those components. </li></ul><ul><ul><li>For employees, regular mandatory training will help keep privacy and information security top of mind. Additionally, regular privacy and information security reminders and alerts keep employees abreast of current and emerging trends and risks. </li></ul></ul><ul><ul><li>Outreach to external audiences educates customers, consumers, stakeholders, advocacy communities and others on the good practices of your organization and creates transparency that fosters communication and trust. </li></ul></ul><ul><li>Documented, tested plans and procedures around responding to incidents and breaches. </li></ul><ul><ul><li>Roles and responsibilities </li></ul></ul><ul><ul><li>Contingency plans </li></ul></ul><ul><ul><li>Post incident response (privacy related) </li></ul></ul><ul><ul><li>Dry-run testing of procedures (similar to DR testing) </li></ul></ul>
  16. 16. Sample Metrics <ul><li>Privacy training compliance percentage (with HR) </li></ul><ul><li>Privacy breaches, costs, responses, and remediation steps taken (with Incident Response/Security) </li></ul><ul><li>User privacy awareness in action (e.g. what percentage of email sent with sensitive information is appropriately protected) (with Security) </li></ul><ul><li>State privacy law compliance (with Compliance) </li></ul><ul><li>Application privacy compliance (e.g. masking requirements) (with Application Development) </li></ul><ul><li>Online presence privacy (e.g. privacy policy, TrustE certification) </li></ul><ul><li>Consistency v/s accuracy discussion </li></ul>Metrics are a good way to measure and improve performance
  17. 17. Next Steps for the Listener <ul><li>Tactically </li></ul><ul><ul><li>Discuss “touch” points with other functions (e.g. combined privacy and security training) </li></ul></ul><ul><ul><li>Start measuring privacy related metrics </li></ul></ul><ul><ul><li>Privacy risk assessment </li></ul></ul><ul><ul><li>PII inventory and data flows </li></ul></ul><ul><ul><li>Implement outreach, both within and outside your enterprise </li></ul></ul><ul><ul><li>Navigate “turf” issues carefully </li></ul></ul><ul><li>Strategically </li></ul><ul><ul><li>Identify and implement an integrated control framework </li></ul></ul><ul><ul><li>Integrated policy framework </li></ul></ul><ul><ul><li>Governance model development </li></ul></ul><ul><ul><li>Organizational structure issues </li></ul></ul>
  18. 18. Summary <ul><li>Privacy must help shape business strategy </li></ul><ul><li>Privacy must help balance business need and consumer privacy concerns </li></ul><ul><li>Privacy must collaborate with different business functions to ensure holistic protection of sensitive information </li></ul><ul><li>Privacy must continuously demonstrate value with objective, simple metrics </li></ul>Assess your own organization for applicability …
  19. 19. Other Resources <ul><li>CSO Online: Five Things Every CSO Needs to Know About the Chief Privacy Officer, http://www.csoonline.com/article/220021/ </li></ul><ul><li>Jan 2009 Issue, Privacy Advisor: A practical guide for operational information security and privacy convergence, by Rebecca Herold </li></ul><ul><li>Apr 2007, ISSA Magazine: Building a Comprehensive Security Control Framework, by Lori Crooks and Aurobindo Sundaram </li></ul><ul><li>ACC Docket, May 2008: Trust, but verify: The Reality of Data Protection in an Information-Driven World, by Carol DiBattiste and James Lee </li></ul>