Information Security, Privacy and Compliance Convergence

Size: px

Start display at page:

Download "Information Security, Privacy and Compliance Convergence"

Holly Barrett
8 years ago
Views:

1 Information Security, Privacy and Compliance Convergence Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold & Associates, LLC April 2009

2 Agenda Information lifecycles Security and privacy challenges changes over time The importance of communication Convergence areas Governance perspectives Collaboration & convergence steps Page 2

3 PII Lifecycles Add to the at least 46 U.S. breach notice laws, the federal laws, at least 100 worldwide data protection laws, industry standards, policies and contractual requirements! Many issues to address Consider a simple data flow Privacy: Access to PII appears okay but a PIA Info Sec: Systems & app controls are in place. But, a risk assessment may be good Legal: No problems Compliance & Audit: It meets all requirements Page 3

4 PII Lifecycle What Can And Has Happened! Legal: Compliance & Audit: Ummm well Privacy: Oh, my Info Sec: Aarrgghh! Page 4

5 A short history of business computing 1980s: Highly centralized, primarily closed networks 1990s: LANs decentralize information; Internet starts being used 2000s: Highly decentralized; global ecommerce Current: Highly mobile; new technologies; even more new threats; new EE expectations New and emerging technologies + Greater mobility = More risks & More incidents & More breaches & More noncompliance & More negative business impact Page 5

Highly mobile; new technologies; even more new threats; new EE expectations New and emerging technologies +

6 Compliance, Privacy and Information Security Compliance is more complex than ever before What really is the letter of the law as opposed to the spirit of the law? Privacy is not just about PII Is it a privacy incident if it did not involve defined PII? Security is about more than bits and bytes Information comes in many, many forms They all do better when working together! Page 6

Privacy is not just about PII Is it a privacy incident if it did not involve defined PII?

7 What we ve got here is failure to communicate Typically different answers for the same questions FTC s view Notify? It s not explicitly required Encrypt? Give to 3 rd party? FTC The risks!! The checklist is complete It s not a privacy issue Compliance Privacy Info Sec Page 7

It s not explicitly required Encrypt? Give to 3 rd party?

8 "...and never the twain shall meet" Show passion & communicate often Say it in many different ways Fight the Ebbinghaus effect Be persistent Page 8

9 The need for convergence is nothing new Avoid gaps Avoid conflicts Strengthen controls And Strategy Governance Controls Risk Management Maintain consumer trust! IT Financial Operational Regulatory Contracts BCP Policy Assurance Due Diligence Board Reporting Complaints Quality Management M&A s Actions/Incident Management Training Page 9

IT Financial Operational Regulatory Contracts BCP Policy Assurance Due Diligence

10 Information Security and Privacy Convergence (1/2) 1. Growing numbers of laws, regulations and standards 2. Increasing insider threats 3. Increased outsourcing 4. Greater need for incident and breach response plans 5. Increased use of mobile computing 6. More risk management activities 7. Web 2.0 for business & by EE s 8. Business dependency upon CRM and data mining 9. Policy needs 10. Growing need for permissions databases Page 10

Increased use of mobile computing 6. More risk management activities 7. Web 2.0 for business & by EE s 8.

11 Information Security and Privacy Convergence (2/2) 11. Encryption implementation 12. Authentication and identity management initiatives 13. More certifications 14. More vendor assessments 15. More data retention requirements 16. Expanded e-discovery requirements 17. Disposal problems 18. Increased use of cyber risk insurance 19. More monitoring and surveillance 20. Greater need for data inventories Page 11

More vendor assessments 15. More data retention requirements 16. Expanded e-discovery requirements 17.

12 Governance Perspectives Privacy OECD AICPA Law by law Security COBIT ISO 27001/27002 ITIL PCI DSS NIST Risk COSO COBIT Page 12

13 Collaboration & Convergence Steps Step 1: Identify business overlaps Page 13

14 Collaboration & Convergence Steps Step 1: Identify business overlaps Step 2: Determine risks Page 14

15 Collaboration & Convergence Steps Step 1: Identify business overlaps Step 2: Determine risks Step 3: Establish policies and procedures Page 15

16 Collaboration & Convergence Steps Step 1: Identify business overlaps Step 2: Determine risks Step 3: Establish policies and procedures Step 4: Integrate security and privacy into the business culture Page 16

Establish policies and procedures Step 4: Integrate

17 Collaboration & Convergence Steps Step 1: Identify business overlaps Step 2: Determine risks Step 3: Establish policies and procedures Step 4: Integrate security and privacy into the business culture Step 5: Implement cooperative awareness and training Page 17

procedures Step 4: Integrate security and privacy into the

18 Bottom Line Information security and privacy collaboration improves business! Page 18

19 Contact Information Rebecca Herold & Associates, LLC The Privacy Professor 1408 Quail Ridge Avenue Van Meter, Iowa Phone Web site: Blog: TwitterID: PrivacyProf Page 19

515-996-2199 Web site: www.privacyguidance.com Blog: www.

Cloudy Privacy Computing

Cloudy Privacy Computing Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI Final Draft for December 2008 CSI Alert Is cloud computing cumulous or cirrus? At Thanksgiving dinner, some of my relatives (none