NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

Transcription

1 2014 Morrison & Foerster LLP All Rights Reserved mofo.com NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

2 Sheila FitzPatrick Sheila FitzPatrick Worldwide Legal Data Governance Counsel Worldwide Data Privacy Counsel NetApp, Inc. (408) Sheila currently works with NetApp as their global Data Governance Counsel and Chief Privacy Officer. She is responsible for NetApp s worldwide data privacy compliance program that includes responsibility for compliance with global laws related to data protection, cybersecurity, data breach notification, cloud computing and records management. She is currently the Vice-Chair of TechAmerica s Privacy and Cybersecurity Committees and is actively involved in their Big Data and Cloud Computing Subcommittees. Sheila also sits on the European Union Data Protection Advisory Council and the Asia Pacific Data Protection Framework Advisory Board. Sheila is recognized as one of the world s leading experts in data protection compliance. 2

3 Jeff Greene Jeff Greene Senior Policy Counsel, Cybersecurity and Identity Symantec Corporation Jeff Greene serves as a Senior Policy Counsel at Symantec, where he focuses on issues including cybersecurity, identity management, and privacy. In this role, he monitors executive and legislative branch activity, and works extensively with industry and government organizations. Prior to joining Symantec, he was Senior Counsel with the U.S. Senate Homeland Security and Governmental Affairs Committee, where he focused on cybersecurity and Homeland Defense issues. Jeff has also worked in the House of Representatives, where he was Staff Director of the Management, Investigations and Oversight Subcommittee on the House Committee on Homeland Security. 3

4 Andy Serwin Andy Serwin Partner Morrison & Foerster (858) Andrew B. Serwin is a partner in the Global Privacy and Data Security Practice Group at Morrison & Foerster s San Diego and Washington, D.C. offices. Mr. Serwin is internationally recognized as one of the leading consumer protection and privacy lawyers, as well as a thought leader regarding information, and its role in society and the economy. Mr. Serwin also serves as the CEO and Executive Director of the Lares Institute, a think tank focused on information management issues, and is also a member of the advisory team of the Naval Postgraduate School s Center for Asymmetric Warfare. 4

5 Understanding the Cyber Threat The cyber threat presents unique issues that are difficult to solve. 5 5

6 Cybersecurity Cyber-terrorism; Organized crime; Hactivists; and Industrial espionage. 6

7 Examples of Information Your company creates, gathers, and processes a significant amount of information: Financial information; Information regarding individuals (employees, customers, or both); Proprietary/confidential information IP; Undisclosed M&A activity; Business and marketing plans; and Pricing; Information regarding businesses processes, including process improvements; Information regarding business trends; Social data/user generated content; Machine data; and Many other forms of information. 7

8 Executive Order Executive Order Improving Critical Infrastructure Cybersecurity. The Framework is supposed to provide a prioritized, flexible, repeatable, performance-based, and cost effective approach for cybersecurity risk for critical infrastructure. 8

9 Framework Version 1.0 February 12, 2014 Document Overview: Section 2 describes the Framework components. Section 3 gives examples of how the Framework can be used. Appendix A puts the Framework Core in a tabular framework. 9

10 Framework Version 1.0 February 12, 2014 It is identified by NIST as a risk-based approach to managing cybersecurity risk. According to NIST, this permits organizations to prioritize cyber activities. Overview of the Framework: Framework Core; Functions; Categories; Subcategories; and Informative References. Framework Implementation Tiers; and A Framework Profile. 10

11 NIST Cybersecurity Framework Impacting Your Company? Sheila M. FitzPatrick Global Data Privacy Counsel Chief Privacy Officer NetApp Confidential - Limited Use Only 11

12 NetApp at a glance. Computer storage and data management company headquartered in Sunnyvale, CA. Fortune 500 Company 6+ Billion in FY13 revenue 13,000+ employees 150 offices worldwide Leading data storage provider to the U.S. Government #33 FORTUNE 100 Best Companies to Work For in NetApp Confidential - Limited Use Only 12

13 Why the NIST framework matters to our legal team and our business Monitoring and implementing the framework practices aligns with the NetApp legal team mission statement: Guard the business, guide the company Cybersecurity risk can impact our bottom line Financial and reputational risk (avoid the Target effect) The framework has imparted new obligations on our senior leaders Cybersecurity strategy must come from the top of the enterprise Absent a codified regulatory scheme, the Framework best practices may become the de facto reasonableness standard The framework aligns to the common sense approach we have already adopted NetApp Confidential - Limited Use Only 13

14 Legal team supporting the adoption of the Framework Core to our business processes Identify Protect Detect Respond Recover Dedicated CS focused roles across relevant business units Critical review of supply chain and updated policies Established policies to balance CS with privacy concerns Proactive C-Level involvement Participation in industry leadership forums Updated data retention and destruction polices Implemented intrusion detection capabilities Implemented a cross functional Incident Response Team Well-defined data breach notification program Legal is the first point of breach contact Legal engages the Incident Response Team Legal drives the forensic investigation, determines the risk mitigation and communicates with regulatory authorities and impacted individuals NetApp Confidential - Limited Use Only 14

15 NetApp legal is responsible for finding a balance between privacy & cybersecurity Cybersecurity Privacy NetApp Confidential - Limited Use Only 15

16 Intersection of Trust & Technology Monitor network traffic not personal data Report breaches without revealing personal data Privacy Legal Legal Obligations IT Security Develop Data Protection Savvy Program including consents & notifications related to cyber attacks NetApp Confidential - Limited Use Only 16

17 Symantec & the CSF Participated in the development of the CSF dating back to the development of the EO so we knew it well. Began to use the CSF before it was even final CISO used core functions to brief Audit Committee; CISO s office used it to examine our security program. Proved to be useful lens to examine what we re doing and to challenge our assumptions. Mapping our internal security efforts to the core functions. Using in two ways: For our own internal security; and To help customers examine their security needs. 18

18 Questions 18