Presentation is loading. Please wait.

Presentation is loading. Please wait.

Governance of Privacy & Security: Balancing Compliance & Risks CSO Breakfast Club DC Chapter September 30, 2008 Jody R. Westby, Esq. CEO, Global Cyber.

Published bySharon Stafford Modified over 9 years ago

Similar presentations

Presentation on theme: "Governance of Privacy & Security: Balancing Compliance & Risks CSO Breakfast Club DC Chapter September 30, 2008 Jody R. Westby, Esq. CEO, Global Cyber."— Presentation transcript:

1 Governance of Privacy & Security: Balancing Compliance & Risks CSO Breakfast Club DC Chapter September 30, 2008 Jody R. Westby, Esq. CEO, Global Cyber Risk LLC Adjunct Distinguished Fellow, Carnegie Mellon CyLab www.globalcyberrisk.com

2 2 The International Business & Legal Landscape Cybercrime, Privacy & Cyber Security Are Integrated Issues 233 Countries Connected to Internet; 1.5 Billion Online Users Global Operations Following the Sun and Outsourcing for Competitiveness International Legal Framework Highly Inconsistent Must Manage Risks Internally and For Outsourced Operations Governance of Security Required at Board & Senior Executive Levels © Jody R. Westby

3 3 www.globalcyberrisk.com Principles of Corporate Governance Manage Risks of Organization & Align with Strategy Protect Critical Assets Preserve Resources of Organization Meet Compliance Requirements Set Culture and Managerial Tone for Conduct Make Governance Systemic Throughout Company Determine a Clear, Strategic Direction with Goals Assure Decisions are Implemented Through Effective Controls, Metrics, & Policies Business Roundtable, Principles of Corporate Governance 2005 © Jody R. Westby

4 4 www.globalcyberrisk.com Effective Security Governance Characteristics Security Managed as Enterprise Issue Leaders are Accountable Security Viewed as Business Requirement Risk Based (Compliance, Operational, Reputational, Financial) Roles & Responsibilities Defined with Segregation of Duties Security Addressed & Enforced in Policy Adequate Resources Committed Staff Aware & Trained Security Addressed Throughout System Development Life Cycle Security is Planned, Managed, Measured & Weaknesses Addressed Reviewed & Audited © Jody R. Westby

5 5 www.globalcyberrisk.com Enterprise Security Program RMP ESS Enterprise Security Plan Business Unit Security Plans System Security Plans Policies & Procedures System Architecture

6 6 www.globalcyberrisk.com System interconnection points Operating environment and operational criteria Culture and management policies and procedures Business plan and strategic goals Asset Info on data, applications, networks Assessments & audit findings Incident response & crisis communications Reqs for business continuity and disaster recovery Standards, best prac. & guidance Technological considerations & system arch. Legal & cybercrime considerations RMP, ESS & risks, threats, vulnerabilities ROI and financial information Enterprise Security Program Security Plan Security Policies Security Procedures © Jody R. Westby Enterprise Security Program Inputs

7 7 www.globalcyberrisk.com Compliance Issues for ESP Privacy (Federal, State, Foreign) Security Breach Notification (States, Fed Reserve, Watch Foreign) Economic Espionage Act & Cybercrime Laws Financial (GLBA, FCRA, FACTA, SOX) Health/Medical Intellectual Property Other protected types of data Procedural and Rules of Evidence (chain of custody (s/s & forensic), integrity, admissibility E-Discovery

8 8 www.globalcyberrisk.com Nexus Between Cyber Security, Privacy, & Cybercrime Major Component of Cyber Security is Ability to Protect Against Unauthorized Access & Disclosure; Enterprise Approach Needed; Must be Able to Deter, Detect, Obtain Evidence Privacy & Security Breaches Are Cybercrimes; Laws Deter, Enable Prosecution Privacy Dependent upon Security; Driven by Laws, Culture Cybercrime Privacy Security © Jody R. Westby

9 9 www.globalcyberrisk.com Governance Structure AOBMCAOPIAEA BOD CEO/COO BRC BAC X-Team BM AOCA OP IAEA

10 10 www.globalcyberrisk.com Governance for Enterprise Security Program Flowchart

11 11 www.globalcyberrisk.com ESP Activity Sequence Governance Structure & Roles and Responsibilities Inventory of Assets Compliance & Mapping Cybercrime & Mapping Privacy Impact Assessment & Privacy Audits Risk Assessments Operational Criteria Security Input to RMP, Develop ESS Integration & Operations Categorization, Controls, Metrics Best Practices & Standards Security Configuration Settings Supporting Plans (IR, BC/DR, CC) 3 rd Party & Vendor Requirements Change Management Plans ESP, Policies & Policies © Jody R. Westby

12 12 www.globalcyberrisk.com ESP Activity Sequence Implementation & Evaluation Implement & Train Monitor & Enforce Test & Evaluate Controls, Policies & Procedures Identify System Weaknesses & Correct Issue Authority to Operate Capital Planning & Investment Controls Determine Security Business Case, ROI, Funding Needs Formal Review of ESP Formal Audit of ESP © Jody R. Westby

13 13 www.globalcyberrisk.com Roles and Responsibilities & Artifacts BRC X-Team Business Managers Asset Owners Operational Personnel Certification Authority Internal & External Auditors © Jody R. Westby Artifacts BRC, X-Team Mission, Goals, Objectives Organization Chart and R&R Top Level Policies Inventory of Assets Detailed Security Responsibilities Table of Authorities & Mappings Privacy Impact Assessments & Audits Risk Assessments, Certification Letter Operational Criteria Enterprise Security Plan & ESS Categorization, Controls & Metrics Best Practices & Standards, Settings Supporting Plans (IR, BC/DR, CC, Chg) 3 rd Party & Outsource Vendor Reqments Policies & Procedures Security System Architecture Plan Implementation & Training Monitoring & Enforcement Testing & Evaluation, POAMs ESP Security Funding, ROI Annual Reviews, Audits

14 14 www.globalcyberrisk.com More and More Offshore – India, China, Philippines Largest Markets Lack of Available Talent, Increasing Wage Scales, Weak Infrastructure Causing Major Outsourcing Vendors to go to Satellite Sites Popular Destinations for Satellite Operations are China, Mexico, Romania, Philippines, Eastern European countries Many of These Countries Lack Privacy Laws, Economic Espionage Laws Cybercrime Laws are Inadequate, Poor Law Enforcement Assistance Weak Criminal Procedures, Lack of Trained Judiciary Personnel re Cybercrimes, Investigations Poor International Cooperation With Law Enforcement Recent Breaches of US & EU Data Caused Response from Regulators Global Environment Today © Jody R. Westby

15 15 www.globalcyberrisk.com Your Data is in Hands of Company You Do Not Control Lack of Ability to Control Vendor Personnel, Monitoring, Enforcement Vendor May Not Inform You Until Later On Provider May Not Have Adequate Incident Response Plan or Not Follow Plan Provider May Not Preserve Evidence Provider May Make Statements to Press, Law Enforcement, Others That Could Harm Brand, Stock Price, Market Share Provider May Have Contractual Obligation to Protect Data, But No Statutory Obligation Provider May Have Other Clients Whose Data Attracts Hackers, Economic Espionage Provider May Get Legal Requests for Your Data Reality of Outsourcing Breaches © Jody R. Westby

16 16 www.globalcyberrisk.com Immediate Barriers to Effective Response Legal Differences in Laws, Procedures Jurisdictional Issues International Cooperation Issues Investigation & Prosecution Difficulties Evidentiary Considerations (Logs, Audit Trails, Search/Seizure) Compliance Responsibilities of Company & Provider Conflict Reality of Time Zones © Jody R. Westby

17 17 www.globalcyberrisk.com Goverance Actions That Reduce Risk Identify Compliance Issues & Weave Through ESP Take Laws of Outsourced Jurisdiction into Account for Table of Authorities & Mapping Determine Roles & Responsibilities for Personnel Conduct Privacy Impact Assessments Push Security Requirements Out to Providers, Third Parties (Controls, Metrics, Policies/Procedures) Review Policies & Procedures & Supporting Plans Monitoring & Enforcement & Communications Plan Regular Reporting (Incidents, Monitoring, Enforcement) Business Cases for IT Include Privacy, Security & BC/DR Conduct Privacy & Security Audits (Internal & Vendors) © Jody R. Westby

18 18 www.globalcyberrisk.com THANK YOU! Jody R. Westby westby@globalcyberrisk.com 202.255.2700

Download ppt "Governance of Privacy & Security: Balancing Compliance & Risks CSO Breakfast Club DC Chapter September 30, 2008 Jody R. Westby, Esq. CEO, Global Cyber."

Similar presentations

Auditing Governance Functions

Auditing Governance Functions
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works

Security Controls – What Works
Author(s): Don M. Blumenthal, 2010 License: Unless otherwise noted, this material is made available under the terms of the Attribution – Non-commercial.

Author(s): Don M. Blumenthal, 2010 License: Unless otherwise noted, this material is made available under the terms of the Attribution – Non-commercial.
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.

Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.

Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.

Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Similar presentations

Ads by Google