
Governance of Privacy & Security: Balancing Compliance & Risks CSO Breakfast Club DC Chapter September 30, 2008 Jody R. Westby, Esq. CEO, Global Cyber.


Slide 1: Governance of Privacy & Security: Balancing Compliance & Risks
CSO Breakfast Club DC Chapter, September 30, 2008
Jody R. Westby, Esq., CEO, Global Cyber Risk LLC; Adjunct Distinguished Fellow, Carnegie Mellon CyLab

Slide 2: The International Business & Legal Landscape
- Cybercrime, Privacy & Cyber Security Are Integrated Issues
- 233 Countries Connected to Internet; 1.5 Billion Online Users
- Global Operations Following the Sun and Outsourcing for Competitiveness
- International Legal Framework Highly Inconsistent
- Must Manage Risks Internally and For Outsourced Operations
- Governance of Security Required at Board & Senior Executive Levels
© Jody R. Westby

Slide 3: Principles of Corporate Governance
- Manage Risks of Organization & Align with Strategy
- Protect Critical Assets
- Preserve Resources of Organization
- Meet Compliance Requirements
- Set Culture and Managerial Tone for Conduct
- Make Governance Systemic Throughout Company
- Determine a Clear, Strategic Direction with Goals
- Assure Decisions are Implemented Through Effective Controls, Metrics, & Policies
Source: Business Roundtable, Principles of Corporate Governance 2005

Slide 4: Effective Security Governance Characteristics
- Security Managed as Enterprise Issue
- Leaders are Accountable
- Security Viewed as Business Requirement
- Risk Based (Compliance, Operational, Reputational, Financial)
- Roles & Responsibilities Defined with Segregation of Duties
- Security Addressed & Enforced in Policy
- Adequate Resources Committed
- Staff Aware & Trained
- Security Addressed Throughout System Development Life Cycle
- Security is Planned, Managed, Measured & Weaknesses Addressed
- Reviewed & Audited

Slide 5: Enterprise Security Program (diagram of program components)
- RMP
- ESS
- Enterprise Security Plan
- Business Unit Security Plans
- System Security Plans
- Policies & Procedures
- System Architecture

Slide 6: Enterprise Security Program Inputs (diagram)
Inputs:
- System interconnection points
- Operating environment and operational criteria
- Culture and management policies and procedures
- Business plan and strategic goals
- Asset info on data, applications, networks
- Assessments & audit findings
- Incident response & crisis communications
- Requirements for business continuity and disaster recovery
- Standards, best practices & guidance
- Technological considerations & system architecture
- Legal & cybercrime considerations
- RMP, ESS & risks, threats, vulnerabilities
- ROI and financial information
Outputs (Enterprise Security Program):
- Security Plan
- Security Policies
- Security Procedures

Slide 7: Compliance Issues for ESP
- Privacy (Federal, State, Foreign)
- Security Breach Notification (States, Fed Reserve, Watch Foreign)
- Economic Espionage Act & Cybercrime Laws
- Financial (GLBA, FCRA, FACTA, SOX)
- Health/Medical
- Intellectual Property
- Other protected types of data
- Procedural and Rules of Evidence (chain of custody (s/s & forensic), integrity, admissibility)
- E-Discovery

Slide 8: Nexus Between Cyber Security, Privacy, & Cybercrime
- Major Component of Cyber Security is Ability to Protect Against Unauthorized Access & Disclosure; Enterprise Approach Needed; Must be Able to Deter, Detect, Obtain Evidence
- Privacy & Security Breaches Are Cybercrimes; Laws Deter, Enable Prosecution
- Privacy Dependent upon Security; Driven by Laws, Culture
(Diagram: Cybercrime, Privacy, Security)


Slide 10: Governance for Enterprise Security Program Flowchart (figure only)

Slide 11: ESP Activity Sequence
- Governance Structure & Roles and Responsibilities
- Inventory of Assets
- Compliance & Mapping
- Cybercrime & Mapping
- Privacy Impact Assessment & Privacy Audits
- Risk Assessments
- Operational Criteria
- Security Input to RMP, Develop ESS
- Integration & Operations
- Categorization, Controls, Metrics
- Best Practices & Standards
- Security Configuration Settings
- Supporting Plans (IR, BC/DR, CC)
- 3rd Party & Vendor Requirements
- Change Management Plans
- ESP, Policies & Procedures

Slide 12: ESP Activity Sequence: Implementation & Evaluation
- Implement & Train
- Monitor & Enforce
- Test & Evaluate Controls, Policies & Procedures
- Identify System Weaknesses & Correct
- Issue Authority to Operate
- Capital Planning & Investment Controls
- Determine Security Business Case, ROI, Funding Needs
- Formal Review of ESP
- Formal Audit of ESP

Slide 13: Roles and Responsibilities & Artifacts
Roles:
- BRC
- X-Team
- Business Managers
- Asset Owners
- Operational Personnel
- Certification Authority
- Internal & External Auditors
Artifacts:
- BRC, X-Team Mission, Goals, Objectives
- Organization Chart and R&R
- Top Level Policies
- Inventory of Assets
- Detailed Security Responsibilities
- Table of Authorities & Mappings
- Privacy Impact Assessments & Audits
- Risk Assessments, Certification Letter
- Operational Criteria
- Enterprise Security Plan & ESS
- Categorization, Controls & Metrics
- Best Practices & Standards, Settings
- Supporting Plans (IR, BC/DR, CC, Chg)
- 3rd Party & Outsource Vendor Requirements
- Policies & Procedures
- Security System Architecture Plan
- Implementation & Training
- Monitoring & Enforcement
- Testing & Evaluation, POAMs
- ESP Security Funding, ROI
- Annual Reviews, Audits

Slide 14: Global Environment Today
- More and More Offshore: India, China, Philippines Largest Markets
- Lack of Available Talent, Increasing Wage Scales, Weak Infrastructure Causing Major Outsourcing Vendors to go to Satellite Sites
- Popular Destinations for Satellite Operations are China, Mexico, Romania, Philippines, Eastern European countries
- Many of These Countries Lack Privacy Laws, Economic Espionage Laws
- Cybercrime Laws are Inadequate, Poor Law Enforcement Assistance
- Weak Criminal Procedures, Lack of Trained Judiciary Personnel re Cybercrimes, Investigations
- Poor International Cooperation With Law Enforcement
- Recent Breaches of US & EU Data Caused Response from Regulators

Slide 15: Reality of Outsourcing Breaches
- Your Data is in Hands of Company You Do Not Control
- Lack of Ability to Control Vendor Personnel, Monitoring, Enforcement
- Vendor May Not Inform You Until Later On
- Provider May Not Have Adequate Incident Response Plan or Not Follow Plan
- Provider May Not Preserve Evidence
- Provider May Make Statements to Press, Law Enforcement, Others That Could Harm Brand, Stock Price, Market Share
- Provider May Have Contractual Obligation to Protect Data, But No Statutory Obligation
- Provider May Have Other Clients Whose Data Attracts Hackers, Economic Espionage
- Provider May Get Legal Requests for Your Data

Slide 16: Immediate Barriers to Effective Response
- Legal Differences in Laws, Procedures
- Jurisdictional Issues
- International Cooperation Issues
- Investigation & Prosecution Difficulties
- Evidentiary Considerations (Logs, Audit Trails, Search/Seizure)
- Compliance Responsibilities of Company & Provider Conflict
- Reality of Time Zones

Slide 17: Governance Actions That Reduce Risk
- Identify Compliance Issues & Weave Through ESP
- Take Laws of Outsourced Jurisdiction into Account for Table of Authorities & Mapping
- Determine Roles & Responsibilities for Personnel
- Conduct Privacy Impact Assessments
- Push Security Requirements Out to Providers, Third Parties (Controls, Metrics, Policies/Procedures)
- Review Policies & Procedures & Supporting Plans
- Monitoring & Enforcement & Communications Plan
- Regular Reporting (Incidents, Monitoring, Enforcement)
- Business Cases for IT Include Privacy, Security & BC/DR
- Conduct Privacy & Security Audits (Internal & Vendors)

Slide 18: THANK YOU!
Jody R. Westby, 202.255.2700
