Priyanka Aash, profile picture
Uploaded byPriyanka Aash
PDF, PPTX161 views

Business cases internet 30 use cases

The document outlines a job description for a senior information security position, emphasizing the need for strong knowledge in information security practices, privacy regulation, and risk management. It details the responsibilities, including managing security programs, conducting risk assessments, ensuring compliance, and training staff. Additionally, it discusses the evolving role of the CISO in relation to privacy concerns and the importance of communication and collaboration across departments.

Embed presentation

Download as PDF, PPTX
SESSION ID:SESSION ID: #RSAC Todd Fitzgerald, CISSP, CISM, CISA, CRISC, CGEIT, CIPP/US/E/C, CIPM, PMP, ISO27001, ITILv3f One Hour Privacy Primer For Security Officers CXO-R02RF todd_fitzgerald@yahoo.com @securityfitz
#RSAC 4. Privacy Program Design 3. Privacy Laws and Common Principles 1. Why Should Security Officers Care About Privacy? 2. The Language of Privacy Today's Agenda
#RSAC 1. What Is The Phishing Threat Today? Why Should Security Officers Care About Privacy?
#RSAC We Face Privacy Choices Daily
#RSAC The CISO Job Description Job description: This position will represent the information protection program of the’ region and requires the ability to understand business issues and processes and articulate appropriate security models to protect the assets of and entrusted to. A strong understanding of information security is necessary to manage, coordinate, plan, implement and organize the information protection and security objectives of the’ region. This position is a senior technical role within our information protection and security department. A high-level of technical and security expertise is required and will be responsible for managing information security professionals. This position will play a key role in defining acceptable and appropriate security models for protecting information and enabling secure business operations. This person must be knowledgeable of current data protection best practices, standards and applicable legislation and familiar with principles and techniques of security risk analysis, disaster recovery planning and business continuity processes and must demonstrate an understanding of the management issues involved in implementing security processes and security-aware culture in a large, global corporate environment. He or she will work with a wide variety of people from different internal organizational units, and bring them together to manifest information security controls that reflect workable compromises as well as proactive responses to current and future business risks to enable ongoing operations and protection of corporate assets. RESPONSIBILITIES INCLUDE: • Manage a cost-effective information security program for the Americas region; aligned with the global information security program, business goals and objectives • Assist with RFP and Information Security responses for clients • Implementing and maintaining documentation, policies, procedures, guidelines and processes related to ISO 9000, ISO 27000, ISO 20000, European Union Safe Harbor Framework, Payment Card Industry Data Protection Standards (PCI), SAS-70, General Computer Controls and client requirements • Performing information security risk assessments • Ensuring disaster recovery and business continuity plans for information systems are documented and tested • Participate in the system development process to ensure that applications adhere to an appropriate security model and are properly tested prior to production • Ensure appropriate and adequate information security training for employees, contractors, partners and other third parties • Manage information protection support desk and assist with resolution • Manage security incident response including performing investigative follow-up, assigning responsibility for corrective action, and auditing for effective completion • Manage the change control program • Monitor the compliance and effectiveness of Americas’ region information protection program • Develop and enhance the security skills and experience of infrastructure, development, information security and operational staff to improve the security of applications, systems, procedures and processes •
#RSAC …Continued Direct senior security personnel in order to achieve the security initiatives • Participate in the information security steering and advisory committees to address organization-wide issues involving information security matters and concerns, establish objectives and set priorities for the information security initiatives • Work closely with different departments and regions on information security issues • Consult with and advise senior management on all major information security related issues, incidents and violations • Update senior management regarding the security posture and initiative progress • Provide advice and assistance concerning the security of sensitive information and the processing of that information • Participate in security planning for future application system implementations • Stay current with industry trends relating to Information Security • Monitor changes in legislation and standards that affect information security • Monitor and review new technologies • Performs other Information Security projects / duties as needed MINIMUM QUALIFICATIONS: Transferable Skills (Competencies) • Strong communication and interpersonal skills • Strong understanding of computer networking technologies, architectures and protocols • Strong understanding of client and server technologies, architectures and systems • Strong understanding of database technologies • Strong knowledge of information security best practices, tools and techniques • Strong conceptual understanding of Information Security theory • Strong working knowledge of security architecture and recovery methods and concepts including encryption, firewalls, and VPNs • Knowledge of business, security and privacy requirements related to international standards and legislation (including ISO 9001, ISO 27001, ISO 20000, Payment Card Industry data protection standard (PCI), HIPPA, European Union Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act, SAS-70 Type II, US state privacy legislation and Mexico’s E-Commerce Act) • Knowledge of risk analysis and security techniques • Working knowledge of BCP and DR plan requirements and testing procedures • Working knowledge of Windows XP/2000/2003, Active Directory, and IT Infrastructure security and recovery methods and concepts • Working knowledge of Web-based application security and recovery methods and concepts • Working knowledge of AS400 security and recovery methods and concepts • Working knowledge of PeopleSoft security and recovery methods and concepts • Working Knowledge of anti-virus systems, vulnerability management, and violation monitoring • Strong multi-tasking and analytical/troubleshooting skills • Knowledge of audit and control methods and concepts a plus • Knowledge of SAS-70 audit requirements a plus • Knowledge of ISO 9001 requirements a plus • Knowledge of ISO 27001 requirements a plus • Knowledge of ISO 20001 requirements a plus • Knowledge of COBIT requirements a plus • Knowledge of EU / Safe Harbor requirements a plus • Knowledge of Linux security a plus • Knowledge of VB.NET, C++, JAVA, or similar programming languages a plus • Proficient in MS-Office suite of products • Professional, team oriented Qualifications • Bachelor’s Degree (B.A., B.S.), or equivalent combination of education and experience in Information Security, Information Technology, Computer Science, Management Information Systems or similar curriculum • 7+ years of Information Technology or Information Security experience, including at least 5 years dedicated to Information Security • 2+ years of Travel Industry experience preferred • Must be a Certified Information Systems Security Professional (CISSP) • Certified Information Security Manager (CISM) preferred • Strong organizational, time management, decision making, and problem solving skills • Strong initiative and self motivated professional • Professional certifications from ISACA, (ISC)2, or SANS preferred • Experience with ISO certified systems a plus
#RSAC Contains Many Privacy References! Job description: This position will represent the information protection program of the’ region and requires the ability to understand business issues and processes and articulate appropriate security models to protect the assets of and entrusted to. A strong understanding of information security is necessary to manage, coordinate, plan, implement and organize the information protection and security objectives of the’ region. This position is a senior technical role within our information protection and security department. A high-level of technical and security expertise is required and will be responsible for managing information security professionals. This position will play a key role in defining acceptable and appropriate security models for protecting information and enabling secure business operations. This person must be knowledgeable of current data protection best practices, standards and applicable legislation and familiar with principles and techniques of security risk analysis, disaster recovery planning and business continuity processes and must demonstrate an understanding of the management issues involved in implementing security processes and security-aware culture in a large, global corporate environment. He or she will work with a wide variety of people from different internal organizational units, and bring them together to manifest information security controls that reflect workable compromises as well as proactive responses to current and future business risks to enable ongoing operations and protection of corporate assets. RESPONSIBILITIES INCLUDE: • Manage a cost-effective information security program for the Americas region; aligned with the global information security program, business goals and objectives • Assist with RFP and Information Security responses for clients • Implementing and maintaining documentation, policies, procedures, guidelines and processes related to ISO 9000, ISO 27000, ISO 20000, European Union Safe Harbor Framework, Payment Card Industry Data Protection Standards (PCI), SAS-70, General Computer Controls and client requirements • Performing information security risk assessments • Ensuring disaster recovery and business continuity plans for information systems are documented and tested • Participate in the system development process to ensure that applications adhere to an appropriate security model and are properly tested prior to production • Ensure appropriate and adequate information security training for employees, contractors, partners and other third parties • Manage information protection support desk and assist with resolution • Manage security incident response including performing investigative follow- up, assigning responsibility for corrective action, and auditing for effective completion • Manage the change control program • Monitor the compliance and effectiveness of Americas’ region information protection program • Develop and enhance the security skills and experience of infrastructure, development, information security and operational staff to improve the security of applications, systems, procedures and processes •
#RSAC Direct senior security personnel in order to achieve the security initiatives • Participate in the information security steering and advisory committees to address organization-wide issues involving information security matters and concerns, establish objectives and set priorities for the information security initiatives • Work closely with different departments and regions on information security issues • Consult with and advise senior management on all major information security related issues, incidents and violations • Update senior management regarding the security posture and initiative progress • Provide advice and assistance concerning the security of sensitive information and the processing of that information • Participate in security planning for future application system implementations • Stay current with industry trends relating to Information Security • Monitor changes in legislation and standards that affect information security • Monitor and review new technologies • Performs other Information Security projects / duties as needed MINIMUM QUALIFICATIONS: Transferable Skills (Competencies) • Strong communication and interpersonal skills • Strong understanding of computer networking technologies, architectures and protocols • Strong understanding of client and server technologies, architectures and systems • Strong understanding of database technologies • Strong knowledge of information security best practices, tools and techniques • Strong conceptual understanding of Information Security theory • Strong working knowledge of security architecture and recovery methods and concepts including encryption, firewalls, and VPNs • Knowledge of business, security and privacy requirements related to international standards and legislation (including ISO 9001, ISO 27001, ISO 20000, Payment Card Industry data protection standard (PCI), HIPPA, European Union Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act, SAS-70 Type II, US state privacy legislation and Mexico’s E- Commerce Act) • Knowledge of risk analysis and security techniques • Working knowledge of BCP and DR plan requirements and testing procedures • Working knowledge of Windows XP/2000/2003, Active Directory, and IT Infrastructure security and recovery methods and concepts • Working knowledge of Web-based application security and recovery methods and concepts • Working knowledge of AS400 security and recovery methods and concepts • Working knowledge of PeopleSoft security and recovery methods and concepts • Working Knowledge of anti-virus systems, vulnerability management, and violation monitoring • Strong multi-tasking and analytical/troubleshooting skills • Knowledge of audit and control methods and concepts a plus • Knowledge of SAS-70 audit requirements a plus • Knowledge of ISO 9001 requirements a plus • Knowledge of ISO 27001 requirements a plus • Knowledge of ISO 20001 requirements a plus • Knowledge of COBIT requirements a plus • Knowledge of EU / Safe Harbor requirements a plus • Knowledge of Linux security a plus • Knowledge of VB.NET, C++, JAVA, or similar programming languages a plus • Proficient in MS-Office suite of products • Professional, team oriented Qualifications • Bachelor’s Degree (B.A., B.S.), or equivalent combination of education and experience in Information Security, Information Technology, Computer Science, Management Information Systems or similar curriculum • 7+ years of Information Technology or Information Security experience, including at least 5 years dedicated to Information Security • 2+ years of Travel Industry experience preferred • Must be a Certified Information Systems Security Professional (CISSP) • Certified Information Security Manager (CISM) preferred • Strong organizational, time management, decision making, and problem solving skills • Strong initiative and self motivated professional • Professional certifications from ISACA, (ISC)2, or SANS preferred • Experience with ISO certified systems a plus
#RSAC The Fortune 1000 Is Investing in Privacy and Values Relationships To Information Security Source: Benchmarking Privacy Management and Investments of the Fortune 1000, IAPP 2014 Research
#RSAC The 2018 CISO Evolution • Plan path away from operations • Refine risk management processes to business language • Widen vision to privacy, data management and compliance • Build support network • Create focus and attention of business leaders Leadership Strategic Thinking Business Knowledge Risk Management Communication Relationship Management Security Expertise Technical Expertise Source: Forrester Research: Evolve to become 2018 CISO or Face Extinction
#RSAC The New CISO will Need to Know Privacy 1990s-2000 2000-2003 2004-2008 2008-2014 2015-20+ Non Existent Security=Logon & Password FIRST CISO 1995 Regulatory Compliance Era Must hire security officer The "Risk-oriented" CISO emerges The Threat-aware Cybersecurity, Socially- Mobile CISO The Privacy and Data-aware CISO
#RSAC The security officer is increasingly dealing with privacy concerns beyond the 'privacy principles' Lack of global trustInconsistent application Data Governance/location Controller/Processor responsibilities Location of data Regulatory fines for privacy notice violation Retention, record correction, right to be forgotten Location tracking
#RSAC PRIVACY IS DEAD… OR IS IT ? 13 Privacy Is Completely And Utterly Dead, And We Killed It - Forbes, 8/19/14 Privacy Is Dead, Harvard Professors Tell Davos Forum - January 22, 2015 Why Privacy Is Actually Thriving Online - Wired, May 2014 Privacy Is Dead: What You Still Can Do to Protect Yourself - Huffington Post, 08/27/15
#RSAC © 2011 Tamara J. Erickson and Moxie Insight. U.S. Dept of Labor (Date Range 1946-64, 1965-79 Each generation approaches work differently, shaped by the economic, social and political forces of their time ultimately forming their individual preferences. Traditionalist 1928-45 Traditionalist 1946-64 Gen Y 1980-95 Gen X 1965-79 Gen Z 1996-? Privacy Concern Differs By Generation
#RSAC The Workforce Composition Is Shifting Source: Deloitte Research/UN Population Division, It’s 2008: Do You Know Where Your Talent Is?
#RSAC
#RSAC 1. What Is The Phishing Threat Today? Privacy Laws and Common Principles
#RSAC Early Privacy Laws and Regulations 18 Year Milestone 1890 "The Right to Privacy" Warren and Brandeis 1947 Article 12 of Universal Declaration of Human Rights 1966 US Freedom of Information Act 1970 Fair Credit Reporting Act 1974 US Privacy Act 1978 France Data Protection Act 1980 Organization for Economic Cooperation and Development (OECD) 1981 Council of Europe Convention on the Protection of Personal Data Warren Brandeis
#RSAC Privacy Coverage Varies Across Countries 19 Source: Forrester Research, 2015 privacy Heat Map, Forbes 10/15/15 (relatively unchanged in 2016)
#RSAC Laws Vary in Approach 20 Sectoral Laws (US) PIPEDA (Canada) Comprehensive (EU) Co-Regulatory (AU) Australia Federal Privacy Act (amended in 2000) China- Draft Cybersecurity Hong Kong- 1996 Personal Data Ordinance Fair Credit Reporting Act HIPAA/HITECH/State laws Gramm-Leach-Bliley Act Children's Online Privacy Protection Act (COPPA) 1974 Privacy Act /FOIA 1995 EU Data Protection Directive (2018-GDPR) e-Privacy Directive Data retention directive Article 29 working party
#RSAC 2016 Saw Much Activity with Emerging EU/US Privacy Laws 21 General Data Protection Regulation EU/US Privacy Shield (Replace Safe Harbor) • Strong obligations for US Companies • Government access transparency • Redress • Regulation vs Directive • Reach beyond EU • Fines 4% revenue • 72 hour data breach notification May 2018 Compliance Approved In 2016 BREXIT Impact?
#RSAC Organization for Economic Co-operation and Development (OECD) Privacy Principles 22 Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability OECD
#RSAC OECD- 1. Collection Limitation Principle 23 There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
#RSAC OECD- 2. Data Quality Principle 24 Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
#RSAC OECD- 3. Purpose Specification Principle 25 The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. Why am I Getting All This SPAM Now ?
#RSAC OECD- 4. Use Limitation Principle 26 Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: a) with the consent of the data subject; or b) by the authority of law.
#RSAC OECD- 5. Security Safeguards Principle 27 Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
#RSAC OECD- 6. Openness Principle 28 There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. MR. CONTROLLER
#RSAC OECD- 7. Individual Participation Principle 29 Right to obtain confirmation DATA STORED REASONABLE TIME REASONABLE MANNER, COST and FORM If denied, be provided a reason Ability to challenge denials Right to erase, rectify complete, or amend information
#RSAC OECD- 8. Accountability Principle 30 A data controller should be accountable for complying with measures which give effect to the principles stated above.
#RSAC 1. What Is The Phishing Threat Today? The Language of Privacy
#RSACPrivacy Language Can Be Foreign To Business Environment… • Principles need to be communicated in business context • Companies care about the right people being able to use data when they need to. Period. • Oh, yes, and avoiding big fines and personal liability
#RSAC EU Defines Personal Data "Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Sensitive Personal Data or 'special categories of personal data' are generally prohibited from processing (some exemptions). De-Identified (non-personal) data – laws generally do not apply after identifying elements removed. 33
#RSAC Personal Information Elements Name Gender Age DOB Marital Status Citizenship Nationality Languages Spoken Veteran Status Disabled Status IP Address Demographics 34
#RSAC Sources of Personal Information 35 Public Records • Real estate • Criminal • Varies State/National/Local level Publicly Available • Names and addresses • Newspapers • Search engines • Facebook/Twitter Nonpublic • Medical records • Financial information • Adoption Records • Company customers • Employee database
#RSAC Sensitive Personal Information EUROPE UNITED STATES 36 • Racial or Ethic Origin • Political opinion • Religious or philosophical beliefs • Trade-union membership • Health or sex life • Offenses or criminal convictions • Social Security Number • Financial Information • Driver's License Number • Medical Records
#RSAC Data Protection Roles 37 Data Protection Authority Data Controller Data Subject Data Processor • Enforcement • Reporting • Determines purposes • Means of processing • Processes on behalf of data controller
#RSAC Privacy Policy and Notice Privacy Policy – Internal statement directing employees Privacy Notice- statement to data subject for collection, use, retention and disclosure of information Contracts, application forms, web pages, terms of use, Icons, signs, brochures 38 PRIVACY NOTICE • Initially, periodically • Clear and conspicuous • Accurate and complete • Readable, plain language
#RSAC Privacy Consent • Processed unless data subject objects • Box pre-checked to accept or check box to opt-out OPT-OUT • Information processed only if data subject agrees • Active affirmation OPT-IN 39
#RSAC OPT-IN or OPT-OUT ? A. DO YOU WANT TO RECEIVE ADDITIONAL INFORMATION?  YES  NO B.  CHECK BOX IF YOU DO NOT WANT TO RECEIVE MORE INFORMATION C. DO YOU WANT TO RECEIVE ADDITIONAL INFORMATION ?  YES  NO D. PLEASE SEND MORE INFORMATION ABOUT YOUR PRODUCTS 40
#RSAC 1. What Is The Phishing Threat Today? Privacy Program Design
#RSAC Privacy Information Life Cycle Collection Use Retention Disclosure 42 • Limits • Lawful and fair means • Consent • Identified purpose • Proportionate • Purposes identified in notice • Implicit or explicit consent • Retain only as long as necessary for purpose • Securely dispose, destroy, return • Rights maintained on transfer of data • New purposes subject to consent
#RSAC Privacy By Design – 7 Principles 1. PROACTIVE PREVENTATIVE 2. PRIVACY BY DEFAULT 3. EMBEDDED IN DESIGN 4. POSITIVE-SUM NOT ZERO-SUM 5. END-TO-END LIFECYCLE PROTECTION 6. VISIBILITY TRANSPARENCY 7. RESPECT FOR USERS IT Business Practices Physical
#RSAC 1. PROACTIVE PREVENTATIVE
#RSAC 2. PRIVACY BY DEFAULT
#RSAC 3. EMBEDDED IN DESIGN
#RSAC 4. POSITIVE SUM NOT ZERO- SUM
#RSAC 5. END-TO-END SECURITY; LIFECYCLE PROTECTION
#RSAC 6. VISIBILITY TRANSPARENCY
#RSAC 7. RESPECT FOR USERS
#RSAC Privacy Impact Assessment (PIA) 51 • Checklists to ensure systems evaluated for privacy risks • New systems • Changes to existing systems • Legal/Regulatory requirements • Policy/Practice consistency
#RSAC 1. What Is The Phishing Threat Today? Final Thoughts
#RSAC Data+Privacy+Security+Risk= New Focus 1990s-2000 2000-2003 2004-2008 2008-2014 2015-20+ Non Existent Security=Logon & Password FIRST CISO 1995 Regulatory Compliance Era Must hire security officer The 'Risk-oriented" CISO emerges The Threat-aware Cybersecurity, Socially- Mobile CISO The Privacy and Data-aware CISO
#RSAC 54 Next week you should: Schedule a meet n greet with the privacy officer or legal dept. In the first three months following this presentation you should: Read the EU Data Protection Directive and any local laws Visit the International Association of Privacy Professionals (IAPP) website at www.privacyassociation.org Examine your organization's privacy policies Within six months you should: Go forward with a privacy certification Drive an assessment project (with the privacy officer) to determine where the privacy gaps are Begin educating the workforce on privacy principles through regional meetings Apply What You Have Learned Today
#RSAC Today We Explored… 55 Why Privacy should be Important to the security officer 8 information OECD Privacy Principles Global laws impacting privacy Building a program through Privacy By Design Principles Understanding the data elements and language of privacy
#RSAC Resources Contributed To By Presenter (Books In Amazon, B&N, ISC2, EC-Council Website, RSA Bookstore) 56 Information Security Handbook Series Since 2004 New Book Coming in 2017-18
#RSAC Final Thoughts • Planning and advance communication of Phishing/awareness campaigns is essential • Learning must be behavioral to stick • Employees at every organization level will click • Significant reductions and follow-on willingness to learn will be achieved • Bury the once a year 1 hour training sessions…
#RSAC I leave you with this 60 second view of your next few years figuring out where all the data is and what privacy regulations apply…
#RSAC Thank You Very Much For Your Participation! Todd Fitzgerald, CISSP, CISM, CISA, CRISC, CGEIT, CIPP/US/E/C, CIPM, PMP, ISO27001, ITILv3f Deerfield, IL Todd_fitzgerald@yahoo.com linkedin.com/in/toddfitzgerald

More Related Content

PDF
The evolving threats and the challenges of the modern CISO
byisc2-hellenic
 
PDF
Mash f43
bySelectedPresentations
 
PDF
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
byIGN MANTRA
 
PPTX
Security Awareness and Training
byPriyank Hada
 
DOC
Martin_Leroux_2014
byMartin Leroux
 
PDF
IT Information Security Management Principles, 28 February - 02 March 2016 Du...
by360 BSI
 
PDF
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
by360 BSI
 
PPTX
CISSP Certification- Security Engineering-part1
byHamed Moghaddam
 
The evolving threats and the challenges of the modern CISO
byisc2-hellenic
 
Mash f43
bySelectedPresentations
 
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
byIGN MANTRA
 
Security Awareness and Training
byPriyank Hada
 
Martin_Leroux_2014
byMartin Leroux
 
IT Information Security Management Principles, 28 February - 02 March 2016 Du...
by360 BSI
 
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
by360 BSI
 
CISSP Certification- Security Engineering-part1
byHamed Moghaddam
 

What's hot

PPTX
CISSP Certification-Asset Security
byHamed Moghaddam
 
PDF
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
by360 BSI
 
PPTX
Roadmap to security operations excellence
byErik Taavila
 
PDF
20CS024 Ethics in Information Technology
byKathirvel Ayyaswamy
 
PPT
Introduction to information security
byKumawat Dharmpal
 
PPTX
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
PPT
Roadmap to IT Security Best Practices
byGreenway Health
 
PPTX
Information Security
byAlok Katiyar
 
PDF
Information Security Intelligence
byguest08b1e6
 
PPTX
Become CISSP Certified
byHamed Moghaddam
 
PDF
CISSP Preview - For the next generation of Security Leaders
byNUS-ISS
 
PPT
Information security
byrazendar79
 
PDF
isicg - 3 r's v4
byElliott Franklin
 
PPSX
1 Info Sec+Risk Mgmt
byAlfred Ouyang
 
PDF
CNIT 160 3a Information Risk Management
bySam Bowne
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PDF
Enterprise 360 degree risk management
byInfosys
 
PDF
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 
CISSP Certification-Asset Security
byHamed Moghaddam
 
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
by360 BSI
 
Roadmap to security operations excellence
byErik Taavila
 
20CS024 Ethics in Information Technology
byKathirvel Ayyaswamy
 
Introduction to information security
byKumawat Dharmpal
 
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
Roadmap to IT Security Best Practices
byGreenway Health
 
Information Security
byAlok Katiyar
 
Information Security Intelligence
byguest08b1e6
 
Become CISSP Certified
byHamed Moghaddam
 
CISSP Preview - For the next generation of Security Leaders
byNUS-ISS
 
Information security
byrazendar79
 
isicg - 3 r's v4
byElliott Franklin
 
1 Info Sec+Risk Mgmt
byAlfred Ouyang
 
CNIT 160 3a Information Risk Management
bySam Bowne
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
Enterprise 360 degree risk management
byInfosys
 
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 

Similar to Business cases internet 30 use cases

PDF
Super CISO 2020: How to Keep Your Job
byPriyanka Aash
 
DOCX
Albert G Info systems resume
byAlbert Gonzales
 
PPTX
presentation on Security functional requirement.pptx
bymuhammadabdullahkhan78
 
DOC
Brenden Brown Resume
byBrenden Brown
 
PDF
Resume 2.0 Remi Beauregard
byRemiBeau
 
DOC
Resume-Amit 1.0
byAmit Verma
 
DOCX
Visual_ CV_of_Umesh ranade
byUmesh ranade
 
DOCX
Steve alameda burlingame ca
bySteve Alameda
 
PDF
Information Security Analyst Resume. When seeking
byDanielle Bowers
 
PDF
Erwin (Chris) Carrow resume Brief 10-23-2015
byErwin Carrow
 
DOCX
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
byChuck Davis
 
PDF
Cyber Security Career in 2024.pdf
bytheartificialthinker
 
DOC
Information Security
byNicole DaCosta
 
DOC
TyroneResume[1]
byTyrone Parker, MBA
 
PPTX
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
PDF
Rothke stimulating your career as an information security professional
byBen Rothke
 
PPT
Tata Kelola Keamanan Informasi
byDirectorate of Information Security | Ditjen Aptika
 
DOCX
Network Security Expert and Risk Analyst
byAshok K DL
 
DOCX
Michael Barham Resume 2014 ISA
byMichael Barham
 
PDF
Information Security Career Day Presentation
bydjglass
 
Super CISO 2020: How to Keep Your Job
byPriyanka Aash
 
Albert G Info systems resume
byAlbert Gonzales
 
presentation on Security functional requirement.pptx
bymuhammadabdullahkhan78
 
Brenden Brown Resume
byBrenden Brown
 
Resume 2.0 Remi Beauregard
byRemiBeau
 
Resume-Amit 1.0
byAmit Verma
 
Visual_ CV_of_Umesh ranade
byUmesh ranade
 
Steve alameda burlingame ca
bySteve Alameda
 
Information Security Analyst Resume. When seeking
byDanielle Bowers
 
Erwin (Chris) Carrow resume Brief 10-23-2015
byErwin Carrow
 
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
byChuck Davis
 
Cyber Security Career in 2024.pdf
bytheartificialthinker
 
Information Security
byNicole DaCosta
 
TyroneResume[1]
byTyrone Parker, MBA
 
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
Rothke stimulating your career as an information security professional
byBen Rothke
 
Tata Kelola Keamanan Informasi
byDirectorate of Information Security | Ditjen Aptika
 
Network Security Expert and Risk Analyst
byAshok K DL
 
Michael Barham Resume 2014 ISA
byMichael Barham
 
Information Security Career Day Presentation
bydjglass
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 

Business cases internet 30 use cases

  • 1.
    SESSION ID:SESSION ID: #RSAC ToddFitzgerald, CISSP, CISM, CISA, CRISC, CGEIT, CIPP/US/E/C, CIPM, PMP, ISO27001, ITILv3f One Hour Privacy Primer For Security Officers CXO-R02RF todd_fitzgerald@yahoo.com @securityfitz
  • 2.
    #RSAC 4. Privacy ProgramDesign 3. Privacy Laws and Common Principles 1. Why Should Security Officers Care About Privacy? 2. The Language of Privacy Today's Agenda
  • 3.
    #RSAC 1. What IsThe Phishing Threat Today? Why Should Security Officers Care About Privacy?
  • 4.
    #RSAC We Face PrivacyChoices Daily
  • 5.
    #RSAC The CISO JobDescription Job description: This position will represent the information protection program of the’ region and requires the ability to understand business issues and processes and articulate appropriate security models to protect the assets of and entrusted to. A strong understanding of information security is necessary to manage, coordinate, plan, implement and organize the information protection and security objectives of the’ region. This position is a senior technical role within our information protection and security department. A high-level of technical and security expertise is required and will be responsible for managing information security professionals. This position will play a key role in defining acceptable and appropriate security models for protecting information and enabling secure business operations. This person must be knowledgeable of current data protection best practices, standards and applicable legislation and familiar with principles and techniques of security risk analysis, disaster recovery planning and business continuity processes and must demonstrate an understanding of the management issues involved in implementing security processes and security-aware culture in a large, global corporate environment. He or she will work with a wide variety of people from different internal organizational units, and bring them together to manifest information security controls that reflect workable compromises as well as proactive responses to current and future business risks to enable ongoing operations and protection of corporate assets. RESPONSIBILITIES INCLUDE: • Manage a cost-effective information security program for the Americas region; aligned with the global information security program, business goals and objectives • Assist with RFP and Information Security responses for clients • Implementing and maintaining documentation, policies, procedures, guidelines and processes related to ISO 9000, ISO 27000, ISO 20000, European Union Safe Harbor Framework, Payment Card Industry Data Protection Standards (PCI), SAS-70, General Computer Controls and client requirements • Performing information security risk assessments • Ensuring disaster recovery and business continuity plans for information systems are documented and tested • Participate in the system development process to ensure that applications adhere to an appropriate security model and are properly tested prior to production • Ensure appropriate and adequate information security training for employees, contractors, partners and other third parties • Manage information protection support desk and assist with resolution • Manage security incident response including performing investigative follow-up, assigning responsibility for corrective action, and auditing for effective completion • Manage the change control program • Monitor the compliance and effectiveness of Americas’ region information protection program • Develop and enhance the security skills and experience of infrastructure, development, information security and operational staff to improve the security of applications, systems, procedures and processes •
  • 6.
    #RSAC …Continued Direct senior securitypersonnel in order to achieve the security initiatives • Participate in the information security steering and advisory committees to address organization-wide issues involving information security matters and concerns, establish objectives and set priorities for the information security initiatives • Work closely with different departments and regions on information security issues • Consult with and advise senior management on all major information security related issues, incidents and violations • Update senior management regarding the security posture and initiative progress • Provide advice and assistance concerning the security of sensitive information and the processing of that information • Participate in security planning for future application system implementations • Stay current with industry trends relating to Information Security • Monitor changes in legislation and standards that affect information security • Monitor and review new technologies • Performs other Information Security projects / duties as needed MINIMUM QUALIFICATIONS: Transferable Skills (Competencies) • Strong communication and interpersonal skills • Strong understanding of computer networking technologies, architectures and protocols • Strong understanding of client and server technologies, architectures and systems • Strong understanding of database technologies • Strong knowledge of information security best practices, tools and techniques • Strong conceptual understanding of Information Security theory • Strong working knowledge of security architecture and recovery methods and concepts including encryption, firewalls, and VPNs • Knowledge of business, security and privacy requirements related to international standards and legislation (including ISO 9001, ISO 27001, ISO 20000, Payment Card Industry data protection standard (PCI), HIPPA, European Union Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act, SAS-70 Type II, US state privacy legislation and Mexico’s E-Commerce Act) • Knowledge of risk analysis and security techniques • Working knowledge of BCP and DR plan requirements and testing procedures • Working knowledge of Windows XP/2000/2003, Active Directory, and IT Infrastructure security and recovery methods and concepts • Working knowledge of Web-based application security and recovery methods and concepts • Working knowledge of AS400 security and recovery methods and concepts • Working knowledge of PeopleSoft security and recovery methods and concepts • Working Knowledge of anti-virus systems, vulnerability management, and violation monitoring • Strong multi-tasking and analytical/troubleshooting skills • Knowledge of audit and control methods and concepts a plus • Knowledge of SAS-70 audit requirements a plus • Knowledge of ISO 9001 requirements a plus • Knowledge of ISO 27001 requirements a plus • Knowledge of ISO 20001 requirements a plus • Knowledge of COBIT requirements a plus • Knowledge of EU / Safe Harbor requirements a plus • Knowledge of Linux security a plus • Knowledge of VB.NET, C++, JAVA, or similar programming languages a plus • Proficient in MS-Office suite of products • Professional, team oriented Qualifications • Bachelor’s Degree (B.A., B.S.), or equivalent combination of education and experience in Information Security, Information Technology, Computer Science, Management Information Systems or similar curriculum • 7+ years of Information Technology or Information Security experience, including at least 5 years dedicated to Information Security • 2+ years of Travel Industry experience preferred • Must be a Certified Information Systems Security Professional (CISSP) • Certified Information Security Manager (CISM) preferred • Strong organizational, time management, decision making, and problem solving skills • Strong initiative and self motivated professional • Professional certifications from ISACA, (ISC)2, or SANS preferred • Experience with ISO certified systems a plus
  • 7.
    #RSAC Contains Many PrivacyReferences! Job description: This position will represent the information protection program of the’ region and requires the ability to understand business issues and processes and articulate appropriate security models to protect the assets of and entrusted to. A strong understanding of information security is necessary to manage, coordinate, plan, implement and organize the information protection and security objectives of the’ region. This position is a senior technical role within our information protection and security department. A high-level of technical and security expertise is required and will be responsible for managing information security professionals. This position will play a key role in defining acceptable and appropriate security models for protecting information and enabling secure business operations. This person must be knowledgeable of current data protection best practices, standards and applicable legislation and familiar with principles and techniques of security risk analysis, disaster recovery planning and business continuity processes and must demonstrate an understanding of the management issues involved in implementing security processes and security-aware culture in a large, global corporate environment. He or she will work with a wide variety of people from different internal organizational units, and bring them together to manifest information security controls that reflect workable compromises as well as proactive responses to current and future business risks to enable ongoing operations and protection of corporate assets. RESPONSIBILITIES INCLUDE: • Manage a cost-effective information security program for the Americas region; aligned with the global information security program, business goals and objectives • Assist with RFP and Information Security responses for clients • Implementing and maintaining documentation, policies, procedures, guidelines and processes related to ISO 9000, ISO 27000, ISO 20000, European Union Safe Harbor Framework, Payment Card Industry Data Protection Standards (PCI), SAS-70, General Computer Controls and client requirements • Performing information security risk assessments • Ensuring disaster recovery and business continuity plans for information systems are documented and tested • Participate in the system development process to ensure that applications adhere to an appropriate security model and are properly tested prior to production • Ensure appropriate and adequate information security training for employees, contractors, partners and other third parties • Manage information protection support desk and assist with resolution • Manage security incident response including performing investigative follow- up, assigning responsibility for corrective action, and auditing for effective completion • Manage the change control program • Monitor the compliance and effectiveness of Americas’ region information protection program • Develop and enhance the security skills and experience of infrastructure, development, information security and operational staff to improve the security of applications, systems, procedures and processes •
  • 8.
    #RSAC Direct senior securitypersonnel in order to achieve the security initiatives • Participate in the information security steering and advisory committees to address organization-wide issues involving information security matters and concerns, establish objectives and set priorities for the information security initiatives • Work closely with different departments and regions on information security issues • Consult with and advise senior management on all major information security related issues, incidents and violations • Update senior management regarding the security posture and initiative progress • Provide advice and assistance concerning the security of sensitive information and the processing of that information • Participate in security planning for future application system implementations • Stay current with industry trends relating to Information Security • Monitor changes in legislation and standards that affect information security • Monitor and review new technologies • Performs other Information Security projects / duties as needed MINIMUM QUALIFICATIONS: Transferable Skills (Competencies) • Strong communication and interpersonal skills • Strong understanding of computer networking technologies, architectures and protocols • Strong understanding of client and server technologies, architectures and systems • Strong understanding of database technologies • Strong knowledge of information security best practices, tools and techniques • Strong conceptual understanding of Information Security theory • Strong working knowledge of security architecture and recovery methods and concepts including encryption, firewalls, and VPNs • Knowledge of business, security and privacy requirements related to international standards and legislation (including ISO 9001, ISO 27001, ISO 20000, Payment Card Industry data protection standard (PCI), HIPPA, European Union Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act, SAS-70 Type II, US state privacy legislation and Mexico’s E- Commerce Act) • Knowledge of risk analysis and security techniques • Working knowledge of BCP and DR plan requirements and testing procedures • Working knowledge of Windows XP/2000/2003, Active Directory, and IT Infrastructure security and recovery methods and concepts • Working knowledge of Web-based application security and recovery methods and concepts • Working knowledge of AS400 security and recovery methods and concepts • Working knowledge of PeopleSoft security and recovery methods and concepts • Working Knowledge of anti-virus systems, vulnerability management, and violation monitoring • Strong multi-tasking and analytical/troubleshooting skills • Knowledge of audit and control methods and concepts a plus • Knowledge of SAS-70 audit requirements a plus • Knowledge of ISO 9001 requirements a plus • Knowledge of ISO 27001 requirements a plus • Knowledge of ISO 20001 requirements a plus • Knowledge of COBIT requirements a plus • Knowledge of EU / Safe Harbor requirements a plus • Knowledge of Linux security a plus • Knowledge of VB.NET, C++, JAVA, or similar programming languages a plus • Proficient in MS-Office suite of products • Professional, team oriented Qualifications • Bachelor’s Degree (B.A., B.S.), or equivalent combination of education and experience in Information Security, Information Technology, Computer Science, Management Information Systems or similar curriculum • 7+ years of Information Technology or Information Security experience, including at least 5 years dedicated to Information Security • 2+ years of Travel Industry experience preferred • Must be a Certified Information Systems Security Professional (CISSP) • Certified Information Security Manager (CISM) preferred • Strong organizational, time management, decision making, and problem solving skills • Strong initiative and self motivated professional • Professional certifications from ISACA, (ISC)2, or SANS preferred • Experience with ISO certified systems a plus
  • 9.
    #RSAC The Fortune 1000Is Investing in Privacy and Values Relationships To Information Security Source: Benchmarking Privacy Management and Investments of the Fortune 1000, IAPP 2014 Research
  • 10.
    #RSAC The 2018 CISOEvolution • Plan path away from operations • Refine risk management processes to business language • Widen vision to privacy, data management and compliance • Build support network • Create focus and attention of business leaders Leadership Strategic Thinking Business Knowledge Risk Management Communication Relationship Management Security Expertise Technical Expertise Source: Forrester Research: Evolve to become 2018 CISO or Face Extinction
  • 11.
    #RSAC The New CISOwill Need to Know Privacy 1990s-2000 2000-2003 2004-2008 2008-2014 2015-20+ Non Existent Security=Logon & Password FIRST CISO 1995 Regulatory Compliance Era Must hire security officer The "Risk-oriented" CISO emerges The Threat-aware Cybersecurity, Socially- Mobile CISO The Privacy and Data-aware CISO
  • 12.
    #RSAC The security officeris increasingly dealing with privacy concerns beyond the 'privacy principles' Lack of global trustInconsistent application Data Governance/location Controller/Processor responsibilities Location of data Regulatory fines for privacy notice violation Retention, record correction, right to be forgotten Location tracking
  • 13.
    #RSAC PRIVACY IS DEAD…OR IS IT ? 13 Privacy Is Completely And Utterly Dead, And We Killed It - Forbes, 8/19/14 Privacy Is Dead, Harvard Professors Tell Davos Forum - January 22, 2015 Why Privacy Is Actually Thriving Online - Wired, May 2014 Privacy Is Dead: What You Still Can Do to Protect Yourself - Huffington Post, 08/27/15
  • 14.
    #RSAC © 2011 TamaraJ. Erickson and Moxie Insight. U.S. Dept of Labor (Date Range 1946-64, 1965-79 Each generation approaches work differently, shaped by the economic, social and political forces of their time ultimately forming their individual preferences. Traditionalist 1928-45 Traditionalist 1946-64 Gen Y 1980-95 Gen X 1965-79 Gen Z 1996-? Privacy Concern Differs By Generation
  • 15.
    #RSAC The Workforce CompositionIs Shifting Source: Deloitte Research/UN Population Division, It’s 2008: Do You Know Where Your Talent Is?
  • 16.
  • 17.
    #RSAC 1. What IsThe Phishing Threat Today? Privacy Laws and Common Principles
  • 18.
    #RSAC Early Privacy Lawsand Regulations 18 Year Milestone 1890 "The Right to Privacy" Warren and Brandeis 1947 Article 12 of Universal Declaration of Human Rights 1966 US Freedom of Information Act 1970 Fair Credit Reporting Act 1974 US Privacy Act 1978 France Data Protection Act 1980 Organization for Economic Cooperation and Development (OECD) 1981 Council of Europe Convention on the Protection of Personal Data Warren Brandeis
  • 19.
    #RSAC Privacy Coverage VariesAcross Countries 19 Source: Forrester Research, 2015 privacy Heat Map, Forbes 10/15/15 (relatively unchanged in 2016)
  • 20.
    #RSAC Laws Vary inApproach 20 Sectoral Laws (US) PIPEDA (Canada) Comprehensive (EU) Co-Regulatory (AU) Australia Federal Privacy Act (amended in 2000) China- Draft Cybersecurity Hong Kong- 1996 Personal Data Ordinance Fair Credit Reporting Act HIPAA/HITECH/State laws Gramm-Leach-Bliley Act Children's Online Privacy Protection Act (COPPA) 1974 Privacy Act /FOIA 1995 EU Data Protection Directive (2018-GDPR) e-Privacy Directive Data retention directive Article 29 working party
  • 21.
    #RSAC 2016 Saw MuchActivity with Emerging EU/US Privacy Laws 21 General Data Protection Regulation EU/US Privacy Shield (Replace Safe Harbor) • Strong obligations for US Companies • Government access transparency • Redress • Regulation vs Directive • Reach beyond EU • Fines 4% revenue • 72 hour data breach notification May 2018 Compliance Approved In 2016 BREXIT Impact?
  • 22.
    #RSAC Organization for EconomicCo-operation and Development (OECD) Privacy Principles 22 Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability OECD
  • 23.
    #RSAC OECD- 1. CollectionLimitation Principle 23 There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  • 24.
    #RSAC OECD- 2. DataQuality Principle 24 Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
  • 25.
    #RSAC OECD- 3. PurposeSpecification Principle 25 The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. Why am I Getting All This SPAM Now ?
  • 26.
    #RSAC OECD- 4. UseLimitation Principle 26 Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: a) with the consent of the data subject; or b) by the authority of law.
  • 27.
    #RSAC OECD- 5. SecuritySafeguards Principle 27 Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
  • 28.
    #RSAC OECD- 6. OpennessPrinciple 28 There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. MR. CONTROLLER
  • 29.
    #RSAC OECD- 7. IndividualParticipation Principle 29 Right to obtain confirmation DATA STORED REASONABLE TIME REASONABLE MANNER, COST and FORM If denied, be provided a reason Ability to challenge denials Right to erase, rectify complete, or amend information
  • 30.
    #RSAC OECD- 8. AccountabilityPrinciple 30 A data controller should be accountable for complying with measures which give effect to the principles stated above.
  • 31.
    #RSAC 1. What IsThe Phishing Threat Today? The Language of Privacy
  • 32.
    #RSACPrivacy Language CanBe Foreign To Business Environment… • Principles need to be communicated in business context • Companies care about the right people being able to use data when they need to. Period. • Oh, yes, and avoiding big fines and personal liability
  • 33.
    #RSAC EU Defines PersonalData "Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Sensitive Personal Data or 'special categories of personal data' are generally prohibited from processing (some exemptions). De-Identified (non-personal) data – laws generally do not apply after identifying elements removed. 33
  • 34.
    #RSAC Personal Information Elements NameGender Age DOB Marital Status Citizenship Nationality Languages Spoken Veteran Status Disabled Status IP Address Demographics 34
  • 35.
    #RSAC Sources of PersonalInformation 35 Public Records • Real estate • Criminal • Varies State/National/Local level Publicly Available • Names and addresses • Newspapers • Search engines • Facebook/Twitter Nonpublic • Medical records • Financial information • Adoption Records • Company customers • Employee database
  • 36.
    #RSAC Sensitive Personal Information EUROPEUNITED STATES 36 • Racial or Ethic Origin • Political opinion • Religious or philosophical beliefs • Trade-union membership • Health or sex life • Offenses or criminal convictions • Social Security Number • Financial Information • Driver's License Number • Medical Records
  • 37.
    #RSAC Data Protection Roles 37 Data Protection Authority Data Controller Data Subject Data Processor •Enforcement • Reporting • Determines purposes • Means of processing • Processes on behalf of data controller
  • 38.
    #RSAC Privacy Policy andNotice Privacy Policy – Internal statement directing employees Privacy Notice- statement to data subject for collection, use, retention and disclosure of information Contracts, application forms, web pages, terms of use, Icons, signs, brochures 38 PRIVACY NOTICE • Initially, periodically • Clear and conspicuous • Accurate and complete • Readable, plain language
  • 39.
    #RSAC Privacy Consent • Processedunless data subject objects • Box pre-checked to accept or check box to opt-out OPT-OUT • Information processed only if data subject agrees • Active affirmation OPT-IN 39
  • 40.
    #RSAC OPT-IN or OPT-OUT? A. DO YOU WANT TO RECEIVE ADDITIONAL INFORMATION?  YES  NO B.  CHECK BOX IF YOU DO NOT WANT TO RECEIVE MORE INFORMATION C. DO YOU WANT TO RECEIVE ADDITIONAL INFORMATION ?  YES  NO D. PLEASE SEND MORE INFORMATION ABOUT YOUR PRODUCTS 40
  • 41.
    #RSAC 1. What IsThe Phishing Threat Today? Privacy Program Design
  • 42.
    #RSAC Privacy Information LifeCycle Collection Use Retention Disclosure 42 • Limits • Lawful and fair means • Consent • Identified purpose • Proportionate • Purposes identified in notice • Implicit or explicit consent • Retain only as long as necessary for purpose • Securely dispose, destroy, return • Rights maintained on transfer of data • New purposes subject to consent
  • 43.
    #RSAC Privacy By Design– 7 Principles 1. PROACTIVE PREVENTATIVE 2. PRIVACY BY DEFAULT 3. EMBEDDED IN DESIGN 4. POSITIVE-SUM NOT ZERO-SUM 5. END-TO-END LIFECYCLE PROTECTION 6. VISIBILITY TRANSPARENCY 7. RESPECT FOR USERS IT Business Practices Physical
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
    #RSAC Privacy Impact Assessment(PIA) 51 • Checklists to ensure systems evaluated for privacy risks • New systems • Changes to existing systems • Legal/Regulatory requirements • Policy/Practice consistency
  • 52.
    #RSAC 1. What IsThe Phishing Threat Today? Final Thoughts
  • 53.
    #RSAC Data+Privacy+Security+Risk= New Focus 1990s-20002000-2003 2004-2008 2008-2014 2015-20+ Non Existent Security=Logon & Password FIRST CISO 1995 Regulatory Compliance Era Must hire security officer The 'Risk-oriented" CISO emerges The Threat-aware Cybersecurity, Socially- Mobile CISO The Privacy and Data-aware CISO
  • 54.
    #RSAC 54 Next week youshould: Schedule a meet n greet with the privacy officer or legal dept. In the first three months following this presentation you should: Read the EU Data Protection Directive and any local laws Visit the International Association of Privacy Professionals (IAPP) website at www.privacyassociation.org Examine your organization's privacy policies Within six months you should: Go forward with a privacy certification Drive an assessment project (with the privacy officer) to determine where the privacy gaps are Begin educating the workforce on privacy principles through regional meetings Apply What You Have Learned Today
  • 55.
    #RSAC Today We Explored… 55 WhyPrivacy should be Important to the security officer 8 information OECD Privacy Principles Global laws impacting privacy Building a program through Privacy By Design Principles Understanding the data elements and language of privacy
  • 56.
    #RSAC Resources Contributed ToBy Presenter (Books In Amazon, B&N, ISC2, EC-Council Website, RSA Bookstore) 56 Information Security Handbook Series Since 2004 New Book Coming in 2017-18
  • 57.
    #RSAC Final Thoughts • Planningand advance communication of Phishing/awareness campaigns is essential • Learning must be behavioral to stick • Employees at every organization level will click • Significant reductions and follow-on willingness to learn will be achieved • Bury the once a year 1 hour training sessions…
  • 58.
    #RSAC I leave youwith this 60 second view of your next few years figuring out where all the data is and what privacy regulations apply…
  • 59.
    #RSAC Thank You VeryMuch For Your Participation! Todd Fitzgerald, CISSP, CISM, CISA, CRISC, CGEIT, CIPP/US/E/C, CIPM, PMP, ISO27001, ITILv3f Deerfield, IL Todd_fitzgerald@yahoo.com linkedin.com/in/toddfitzgerald