Christine M. Frye, CIPP/US, CIPM, Chief Privacy Officer, Bank of America


Christine M. Frye, CIPP/US, CIPM, Chief Privacy Officer, Bank of America
Dana Simberkoff, JD, CIPP/US, Vice President, Risk Management and Compliance, AvePoint

The Landscape
Prevention and Response Planning
The Event
Looking Backwards and Forwards
Key Takeaways


Per Breached Record vs. Per Breached Event

Balancing Act

Diagram (eight-step data protection cycle; step order is not recoverable from the transcription). Perspectives: Risk Management, Compliance Reports, Business Processes, IT Operations. Steps: Identify Sensitive Data (PII); Classify; Act (Move / Delete); Address Access; Protect Data; Policies and Procedures; Monitor (Real Time or Scheduled); Process Improvement.

Privacy Impact Assessments
Program, Policies and Technology: it takes a village
A structured and automated approach to data breach prevention and response
Measurement and validation with trend analysis, historical reporting and a point-in-time view of target repositories, for roll-up reporting to stakeholders
Automated forensic analysis of breaches
Proof to authority that measures and actions are being taken to address compliance: avoid and reduce fines

Content contributors (internal and external): process owners, Legal, PR, CPO, IT, Data Security (CISO/CSO, IA, IRM), Records Management Officers, Social, Governance committee

Transparency and Collaboration for Data Protection and Management: People (Training), Policy & Process (Governance & Oversight), Technology (Technical Enforcement)

1-Detect 2-Track 3-Respond 4-Resolve

The Privacy Event Management Process should provide a documented, controlled and consistent approach to identify, mitigate, track and report privacy events.
Stages: Identify & Report; Mitigate & Control; Track & Decision; Escalation & Notification.
Event Detected: monitor for events; report privacy event.
Resolution Team Assembled: contain and investigate event; assess risk.
Event Escalation: key stakeholders; executive management escalation process.
Customer Notification: decide whether notification is required; execute notifications.
Event Closure: define and monitor remediation; document event details; review/verify event documentation for closure.
Reporting / Regulator Notification: trend and metric reporting; notify regulators as needed.

Data breach notification is increasingly a global requirement. U.S. interagency guidance addresses response programs for unauthorized access to customer information maintained by financial institutions and their service providers. Almost all U.S. states (forty-six) have enacted breach notification laws, and a growing number of countries are developing data breach notification rules. Requirements vary by country, but breach notification laws generally relate to breaches involving personal information, which typically means an individual's name together with sensitive information such as a Social Security number, a driver's license, credit card, PIN or other information that is likely to be involved in identity theft, or that results in the potential compromise of the confidentiality or integrity of the data.

Know the right questions to ask in order to ensure applicable law is followed.
Have standard questions and checklists ready.
Have an inventory and assessment of laws readily available.
Understand where the variables may be: conflicting triggers, time frames, notice content, delivery mechanisms.
Know which regulators and other parties you may need to contact, and when: regulators, states, FTC, credit bureaus, law enforcement.
Work on the response ahead of time to get to the common denominator: a documented response plan with defined roles and responsibilities, and draft notices that comply with as many laws and regulations as possible.

Predictive Measures
Reporting, Metrics and Measures
Actions to look into more broadly
Emerging Trends

General classes/categories of breaches
Checklists
Considerations around disruptive technologies: Cloud / Social / Mobile / Online
Document and automate: tell them what you are going to do, do it, prove it!

Technology can help you: Detect, Track, Respond, Resolve, Prevent, Prove it!

Irresponsibility

Content needs to be monitored both in real time and on a schedule, using rule-based automated processes, so as to provide systematic protection of information.
Classify content using metadata about the document: authors can add the metadata, but the system has controls that allow it to override the user's classification if that classification is in question. Basically, enable business users to do the right thing while preventing them from doing the wrong thing (i.e. user-assisted tagging, "Trust and Verify").
Evaluate risk according to your organization's logic to provide multiple perspectives on potential risk within content and on risk related to the delivery and transport of data.
Perform ongoing audits for compliance; run regularly scheduled scans of SharePoint sites.
Measure progress over time to demonstrate priority and the success of compliance initiatives, and modify as necessary.
Work with stakeholders and content authors to prioritize areas for improvement and address issues and concerns.
Link compliance improvements to any migration programs (scan data on your file shares before it is migrated to SharePoint).
All new initiatives should require compliance: Get Compliant / Stay Compliant.
Educate your staff as to what is sensitive information and the steps they need to take to protect it.
Use proper notifications on sites as related to privacy and security for internal and external data.
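The user-assisted tagging / "Trust and Verify" idea above, as an added example in Python (not code from the presentation or from any product it mentions): the author's own label is trusted, a rule-based scan re-checks the content, and the system overrides the label upward only, never downward. The two detector rules, the Luhn filter and the sample text are constructed for illustration.

```python
"""Rule-based 'trust and verify' classification of user-tagged content."""
import re

# Ordered from least to most sensitive; the system may only move a document upward.
LEVELS = ["public", "internal", "confidential"]

# Hypothetical rule set: rule name -> (pattern, minimum classification it requires).
RULES = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "confidential"),
    "pan": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "confidential"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check so that order or phone numbers are not flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit counted from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def detect(text: str) -> dict:
    """Return {rule_name: [matches]} for every rule that fires on the text."""
    hits = {}
    for name, (pattern, _) in RULES.items():
        found = pattern.findall(text)
        if name == "pan":            # keep only candidates that pass Luhn
            found = [m for m in found if luhn_ok(re.sub(r"[ -]", "", m))]
        if found:
            hits[name] = found
    return hits


def classify(user_label: str, text: str) -> dict:
    """Trust the author's label, verify it against the rules, override upward only."""
    hits = detect(text)
    required = max((RULES[n][1] for n in hits), key=LEVELS.index, default="public")
    effective = max(user_label, required, key=LEVELS.index)
    return {
        "user": user_label,
        "effective": effective,
        "overridden": effective != user_label,   # audit trail: did the system intervene?
        "hits": sorted(hits),
    }
```

A "confidential" tag set by the author is never lowered even when the scan finds nothing, which is what keeps the human judgement in the loop.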

Thank you!