Crystal Ball Executive Forum: Insights on Information Security

Post on 14-Dec-2015


Keynote: Dave Cullinane, CISO, Washington Mutual; President, ISSA

Additional Speakers:

• Jim Reavis, CSO, Breakwater Security Associates

• Rob Owens, Industry Analyst, Pacific Crest Securities

• Greg Hampson, Corporate Privacy Manager, Microsoft

Breakwater Security Associates Presents:

Breakwater Security Associates Overview

• Delivering security protection both nationally and globally since 1996.

• Our team has an average of 5+ years of information security experience and more than 8-10 years of technical or consulting experience.

• Our holistic approach combines planning, designing, building and supporting sophisticated security systems.
– Security Consulting
– Managed Security Services
– Training and Education

Risk Management & the Changing Role of the CISO

Dave Cullinane, CPP, CISSP
Chief Information Security Officer, Washington Mutual, Inc.

International President, ISSA

Protecting Information

• Assets:
– People, Property, Information & Reputation

• Critical asset that must be protected in all forms
– Electronic, hardcopy, intellectual
– Usually in all 3 forms simultaneously

• Not Computer/IT Security

• Value based information protection
– Value + Environment

Information Risk Management

• Risk identification & management core function

• FFIEC Information Security Handbook

• Industry trend to Risk Management Focus

• CSO role

What is Risk Management

• Anticipate

• Understand

• Act

• Governance

Anticipate

• Identify critical information assets

• Identify likely threats

• Prepare
– Donn Parker’s Due Care approach
– Response capability

• Monitor

• Participate

Understand

• Business processes and initiatives

• External events/trends and business impacts

• Build knowledge base
– Expertise
– Store of knowledge

Act

• Prepared

• Enable effective decision-making
– By business units and functions
– Initiatives and changes

• Develop solutions
– Partnership with business

New Paradigm

• Establish Risk Profile

• Establish Protection Profile

• Modify PP as RP changes
– Threat level “Orange”
– New business venture

• ROSI

New Paradigm (Cont.)

• Governance
– Not about power
– About enabling effective decision making

• Thought leadership
– The ability to understand trends & anticipate change, synthesize that understanding into a strategic vision, and communicate that vision to others in an informative and convincing way

• Metrics & Reporting

End of Presentation

Thank You.

Contact Information: Dave Cullinane

dave.cullinane@wamu.net

206.461.2000

Security Technology Trends That Matter

Jim Reavis
Chief Strategy Officer, Breakwater Security Associates

Editor, CSOinformer Newsletter

Thesis

• The world is an insecure and scary place
• Demand & awareness for security solutions growing
• Bulk of security budgets have gone to 1st generation technologies
• Problems have not been solved adequately
• Security industry is at an “inflection point”
• Interesting innovation is occurring in the 2nd generation of security technologies

Insecure and Scary

• Increased threat environment
• Internal/External Network demarcs increasingly blurred
• IT is “defined” as critical infrastructure but was not “designed” to be critical infrastructure
• Blended threats between traditional crime, terrorism and cyber attacks
• Technology adoption & complexity continues
• Organizations lack trained and experienced security personnel

Demand Environment

• Highest profile ever (CEO, board level, Presidential commissions)

• Increased regulation, compliance

• Insurance requirements

• Skepticism on ROI for security dollars spent, keeps total spending relatively low (3-5% of IT budgets, according to Gartner)

Technology Segments

• AntiVirus
• Firewall
• VPN
• Intrusion Detection
• Vulnerability Assessment
• Encryption
• AAA / PKI
• Security Info Mgt
• Patch Mgt
• Policy Mgt
• Content Mgt

Follow an Attack

[Figure: “Follow an Attack” timeline diagram. Events shown: Vulnerability discovered; Vendor patch; Hacker exploit in the wild; Exploit identified & categorized; Security vendors release update for exploit signature; Users hit; Update security software; Implement workaround. Supporting programs shown alongside: Awareness Program; Remediation Program; Policy Architecture. Bracket labelled “Current Security Technology Spending”.]

Conventional Approach

• Firewalls / some VPN
• AntiVirus: Client & Gateway
• IDS shelfware
• Infrequent Audits
• Paper Policies

Growth Segments

• 3A’s – Authentication, Authorization, Administration (Identity Mgt, SSO, Policy Mgt)

• Intrusion Detection/Prevention (HIDS, NIDS, DDoS)

• Security Management (full lifecycle mgt)

• Content/Application Layer Security

• Remediation/Patch Mgt

Predictions

• Proactive Approach
• Behavioral Technology
• Reduce Complexity
• Application Layer Insecurity
• Product Segment Convergence
• Address Evolving Threats
• Party Crashers

Proactive Approach

• Real time, pervasive vulnerability assessment

• Expedited patch mgt

• Make policies part of the network fabric

• Baseline standards for minimum security requirements

Behavioral Technology

• Signature-based systems miss new and mutated attacks
• Signature-based systems lack context, create false positives
• Signature-based is easy for the hacker to understand
• “Bad Behavior” Examples
– Application attempting direct access to address books
– Machine attempting to connect to unusual host (e.g. R&D to Payroll)
– Application attempting to modify system files

• Behavioral/Heuristics technology
– Improves AntiVirus detection rates by 5-10%
– Will increase accuracy of IDS
– Will improve spam detection
– Will combine with network monitoring and “Meta-data” applications to profile large networks and find anomalies
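The signature-versus-behavior contrast on this slide, as an added example that is not from the forum slides or from Breakwater: a small Python detector that learns from a known-good period of flow records which business groups normally talk to each other, and on which ports, then flags an R&D machine connecting to a Payroll host even though no signature exists for that event. The subnets, group names, the known-bad destination list and the flow lines are all constructed for the example.

```python
# Added example (not from the forum slides): a toy behavioural baseline
# detector beside a signature matcher. Every address, subnet and log line
# below is constructed for illustration.
from collections import defaultdict
import ipaddress

# Constructed asset inventory: which subnet belongs to which business group.
ASSET_GROUPS = {
    "10.1.0.0/24": "R&D",
    "10.2.0.0/24": "Payroll",
    "10.3.0.0/24": "Web",
}

# Constructed "signature": destinations already known to be bad.
KNOWN_BAD_DESTINATIONS = {"198.51.100.9"}

# Constructed flow records from a known-good day: "<timestamp> <src> <dst> <dst_port>"
BASELINE_FLOWS = [
    "2003-03-01T09:00:00 10.1.0.5 10.3.0.10 80",
    "2003-03-01T09:01:00 10.1.0.6 10.3.0.10 443",
    "2003-03-01T09:02:00 10.2.0.7 10.2.0.20 1433",
    "2003-03-01T09:03:00 10.3.0.10 10.2.0.20 1433",
]

# Constructed flow records to inspect afterwards.
DETECT_FLOWS = [
    "2003-03-02T10:00:00 10.1.0.5 10.3.0.10 80",       # normal R&D -> Web
    "2003-03-02T10:05:00 10.1.0.5 10.2.0.20 1433",     # R&D -> Payroll DB: never seen
    "2003-03-02T10:06:00 10.1.0.6 10.3.0.10 22",       # known pair, new port
    "2003-03-02T10:07:00 10.1.0.5 198.51.100.9 6667",  # known-bad destination
]


def department(ip):
    """Map an address to its business group via the asset inventory."""
    addr = ipaddress.ip_address(ip)
    for cidr, group in ASSET_GROUPS.items():
        if addr in ipaddress.ip_network(cidr):
            return group
    return "external"


def parse_flow(line):
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}


def signature_findings(lines):
    """Signature approach: only destinations on the known-bad list are flagged."""
    return [(f["ts"], f["src"], f["dst"], "known-bad destination")
            for f in map(parse_flow, lines) if f["dst"] in KNOWN_BAD_DESTINATIONS]


def build_baseline(lines):
    """Learn which (source group, destination group) pairs talk, and on which ports."""
    baseline = defaultdict(set)
    for f in map(parse_flow, lines):
        baseline[(department(f["src"]), department(f["dst"]))].add(f["port"])
    return baseline


def behavioral_findings(baseline, lines):
    """Flag group pairs never seen in the baseline, and new ports on known pairs."""
    findings = []
    for f in map(parse_flow, lines):
        pair = (department(f["src"]), department(f["dst"]))
        if pair not in baseline:
            findings.append((f["ts"], f["src"], f["dst"], "unusual pair %s -> %s" % pair))
        elif f["port"] not in baseline[pair]:
            findings.append((f["ts"], f["src"], f["dst"],
                             "new port %d for %s -> %s" % (f["port"], *pair)))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for row in signature_findings(DETECT_FLOWS):
        print("signature :", *row)
    for row in behavioral_findings(base, DETECT_FLOWS):
        print("behaviour :", *row)
```

Run directly, the signature matcher produces one finding (the listed destination), while the baseline produces three: the never-seen R&D to Payroll pair, a new port on a known pair, and the same known-bad host, caught as a never-seen pair rather than by name. That is the context the slide says signatures lack. The cost is on the false-positive side: a legitimate new integration trips the baseline too until it is re-learned, so in practice the baseline is rebuilt periodically from reviewed traffic.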

Reduce Complexity

• AAA
– Self service

• Encryption
– Centralized admin
– Gateway / Web Integration

• Security Info Mgt
– Reduce, correlate alerts
– Tie IDS alerts with other security infrastructure

Product Segment Convergence

• Greater ROI when combined
• Fewer Vendors
• Examples
– Life Cycle Vulnerability Mgt: Scanners + Patch Mgt + Tracking Systems
– Systems Management + Security Management
– All in One appliances

Application Layer Insecurity

• Hackers take path of least resistance
• Increased network layer resiliency forces hackers to application layer
• Enterprise apps
• Web server apps

Address Evolving Threats

• Wi-Fi: difficult to solve, indirect “defense in depth” needed

• Instant Messaging: encryption, auditing, authentication, non-repudiation, interoperability

• Mobile devices: building full security functionality into a small footprint

• Blended threats: data correlation

Party Crashers

• Demand for more built-in technology, fewer vendors
• Microsoft
– Active Directory, Passport, CA
– Hardened Operating Systems (Host IDS overlap)

• Cisco
– Focused on adding services across infrastructure
– Unified Mgt platform

Follow an Attack

[Figure: “Follow an Attack” timeline diagram, repeated with spending overlays. Events shown: Vulnerability discovered; Vendor patch; Hacker exploit in the wild; Exploit identified & categorized; Security vendors release update for exploit signature; Users hit; Update security software; Implement workaround. Supporting programs: Awareness Program; Remediation Program; Policy Architecture. Brackets labelled “Current Security Technology Spending” and “Future Security Technology Spending”, with an additional label “Behavioral”.]

End of Presentation

Thank You.

Contact Information: Jim Reavis

jreavis@breakwatersecurity.com

877-952-5500

The State of the Security Market: Wall Street’s View

Rob Owens
VP, Senior Research Analyst, Pacific Crest

Pacific Crest Overview

Business Focus: Full-service investment bank

Industry Focus: Technology

Employees: 100+

Offices: Portland, Boston, Silicon Valley

Research Breadth: 100+ public companies in 10 sectors

Investor Reach: More than 250 active institutional technology buyers

Trading Strength: #1 market maker trading fewer than 150 stocks (4Q/2002)

Singular Focus: Technology “Core to the Consumer”

• Software: Enterprise Applications; Internet Security; Systems Management

• Interactive Content & Commerce: Advanced Commerce & Media; Content Management & Collaboration; Connected Consumer

• Communications Technologies: Network Infrastructure; Wireless Communications; Communications Software

• Core Technologies: Semiconductors; Semiconductor Equipment; Communications Components & Equipment

Widely Recognized Research

Sector | Best Firm | Honorable Mention
Retailing/Specialty Stores | Buckingham Research Group | Jefferies & Co.
Software | Pacific Crest Securities |
Specialty Finance | Keefe, Bruyette & Woods | Fox-Pitt, Kelton

The sunny side of the Street “Mainstream Wall Street research firms have had a tough year. But specialized boutiques have never done better.” (Institutional Investor, December 2002)

2002 Best Boutiques

2002 All-American Research Teams Rankings

“Debuting in II’s poll, Portland, Oregon-based Pacific Crest Securities, a technology research firm, edges out SoundView Technology Group for the best applications software research.”(Institutional Investor, December 2002)

Analyst | II Sector | Pacific Crest Sector
Steve Weinstein | Internet | Advanced Commerce & Media
Brendan Barnicle | Software | Enterprise Applications
Rob Owens | Software & Systems Mgmt. | Internet Security
Brent Bracelin | Software & Systems Mgmt. | IT Hardware/Enterprise Data Infrastructure
Steve Lidberg | Software & Systems Mgmt. | Content & Collaboration Software
Aalok Shah | Data Networking | Semiconductors; Communications Equipment & Components
James Faucette | Software & Systems Mgmt. | Wireless Communications

(In the original graphic the rows are grouped under the side labels “Top 10” and “Honorable Mention”.)

The State of Internet Security

It’s been a rocky 12 months; the security group has underperformed the indices

2003 trends: challenging environment, but group will grow at meaningful rate

M&A market to continue at strong pace

Threat profile to increase

Still investor optimism surrounding security investing

Stock Performance

[Figure: line chart of the Pacific Crest Security Index, Nasdaq and S&P 500 from 03/18/02 to 02/28/03; y-axis from -70% to 30%.]

A rocky twelve months

Security stocks have underperformed the indices

12 Month Stock Performance

Symantec 7.0%

Check Point -50.7%

Entrust -47.9%

Netegrity -69.8%

NetScreen 20.4%

Network Associates -41.2%

Secure Computing -70.5%

SonicWALL -75.4%

VeriSign -71.3%

WatchGuard 23.8%

Websense -43.9%

ActivCard -9.9%

RSA -28.0%

Rainbow 18.2%

ISS -54.5%

Stock Performance

Poor February performance

Company | Ticker | Price | 52-Wk High | 52-Wk Low | Feb % | 3-Mo % | YTD % | 1-Yr %
Check Point Soft. Tech. Ltd. | CHKP | $14.87 | $38.49 | $10.37 | 2.2 | (12.8) | 2.2 | (50.7)
Entrust, Inc. | ENTU | $2.76 | $6.79 | $1.98 | (3.8) | (31.5) | (3.8) | (47.9)
Internet Security Sys., Inc. | ISSX | $11.47 | $32.00 | $10.26 | (9.3) | (54.2) | (9.3) | (54.5)
Netegrity, Inc. | NETE | $4.04 | $17.95 | $1.40 | 1.0 | 4.7 | 1.0 | (69.8)
NetScreen Tech., Inc. | NSCN | $19.53 | $20.80 | $7.76 | (0.9) | 13.2 | (0.9) | NM
Network Associates, Inc. | NET | $14.80 | $29.95 | $8.14 | (2.6) | (18.9) | (2.6) | (41.2)
Rainbow Technologies, Inc. | RNBO | $8.23 | $11.25 | $2.84 | 2.9 | (2.9) | 2.9 | 18.2
RSA Security, Inc. | RSAS | $7.08 | $11.25 | $2.23 | 26.2 | 11.0 | 26.2 | (28.0)
Secure Computing Corp. | SCUR | $4.55 | $21.96 | $2.26 | (6.8) | (40.8) | (6.8) | (70.5)
SonicWALL, Inc. | SNWL | $3.33 | $16.49 | $1.79 | (9.5) | (17.6) | (9.5) | (75.4)
Symantec Corporation | SYMC | $40.47 | $48.30 | $27.21 | (12.7) | (7.5) | (12.7) | 7.0
VeriSign, Inc. | VRSN | $7.71 | $33.50 | $3.92 | (6.8) | (26.6) | (6.8) | (71.3)
WatchGuard Tech., Inc. | WGRD | $6.50 | $9.00 | $3.03 | (23.5) | 0.8 | (23.5) | 23.8
Websense, Inc. | WBSN | $14.16 | $31.98 | $10.35 | (32.8) | (47.1) | (32.8) | (43.9)
Pacific Crest Security Index | PCSSX | 158.88 | 329.74 | 116.39 | (11.0) | (22.9) | (15.5) | (42.0)
Nasdaq Composite | CCMP | 1337.52 | 1929.67 | 1114.11 | 1.0 | (9.9) | (3.4) | (25.8)
S&P 500 Index | SPX | 841.15 | 1170.29 | 776.76 | (2.2) | (10.0) | (7.5) | (25.7)

(Percentages in parentheses are negative.)

Comparative Valuation

Company | Price | C2003 Sales | C2004 Sales | 3-5 Yr. Gr. Rate | C2003 P/E | C2003 PEG | C2003 EV/S | C2004 P/E | C2004 PEG | C2004 EV/S
Check Point Soft. Tech, Ltd. | $15.10 | $450M | $485M | 15% | 14.8x | 1.0x | 5.6x | 14.4x | 1.0x | 5.2x
Entrust, Inc. | $2.85 | $112M | $131M | 25% | NM | NM | 0.5x | 40.7x | 1.6x | 0.4x
Internet Security Sys., Inc. | $11.77 | $273M | $315M | 25% | 18.4x | 0.7x | 1.5x | 15.1x | 0.6x | 1.3x
Netegrity, Inc. | $4.17 | $71M | $79M | 20% | NM | NM | 1.0x | NM | NM | 0.9x
NetScreen Tech., Inc. | $19.98 | $254M | $344M | 40% | 34.4x | 0.9x | 5.4x | 31.7x | 0.8x | 4.0x
Network Associates, Inc. | $15.19 | $1,020M | $1,158M | 20% | 20.5x | 1.0x | 2.0x | 16.9x | 0.8x | 1.8x
Rainbow Technologies, Inc. | $8.26 | $135M | NE | 18% | 27.5x | 1.6x | 1.3x | NM | NM | NM
RSA Security, Inc. | $7.30 | $251M | $277M | 16% | 56.2x | 3.6x | 1.2x | 28.1x | 1.8x | 1.1x
Secure Computing, Corp. | $4.64 | $77M | $86M | 25% | 25.8x | 1.0x | 1.5x | 17.2x | 0.7x | 1.4x
SonicWALL, Inc. | $3.38 | $101M | $119M | 20% | NM | NM | -0.1x | 56.3x | 2.8x | 0.0x
Symantec, Corp. | $42.15 | $1,590M | $1,858M | 20% | 22.3x | 1.1x | 3.5x | 19.6x | 1.0x | 3.0x
VeriSign, Inc. | $7.91 | $1,098M | $1,199M | 15% | 13.4x | 0.9x | 1.4x | 11.6x | 0.8x | 1.2x
WatchGuard Tech, Inc. | $6.48 | $94M | $110M | 20% | 81.0x | 4.1x | 1.3x | 28.2x | 1.4x | 1.1x
Websense, Inc. | $14.82 | $83M | $108M | 40% | 24.7x | 0.6x | 2.5x | 18.5x | 0.5x | 1.9x
Industry Average | | | | | 30.8x | 1.5x | 2.0x | 24.9x | 1.1x | 1.8x
Industry Median | | | | | 24.7x | 1.0x | 1.4x | 19.1x | 0.9x | 1.3x

Company | Price | C2003 Sales | C2004 Sales | 3-5 Yr. Gr. Rate | C2003 P/E | C2003 PEG | C2003 EV/S | C2004 P/E | C2004 PEG | C2004 EV/S
BEA Systems, Inc. | $9.72 | $1,000M | $1,121M | 25% | 34.7x | 1.4x | 3.3x | 30.0x | 1.2x | 3.0x
Microsoft Corporation | $23.70 | $33,359M | $37,217M | 15% | 23.2x | 1.5x | 6.5x | 20.2x | 1.3x | 5.8x
Oracle Corporation | $11.96 | $9,723M | $11,045M | 15% | 26.8x | 1.8x | 5.5x | 21.8x | 1.5x | 4.9x
PeopleSoft, Inc. | $17.10 | $2,027M | $2,203M | 15% | 26.8x | 1.8x | 1.7x | 23.5x | 1.6x | 1.6x
SAP AG | $20.90 | $7,865M | $8,550M | 15% | 24.0x | 1.6x | 0.7x | 21.0x | 1.4x | 0.7x
Siebel Systems, Inc. | $8.63 | $1,610M | $1,759M | 20% | 32.3x | 1.6x | 1.5x | 24.0x | 1.2x | 1.4x
Industry Average | | | | | 28.0x | 1.6x | 3.2x | 23.4x | 1.4x | 2.9x
Industry Median | | | | | 26.8x | 1.6x | 2.5x | 22.6x | 1.4x | 2.3x

Why the Lackluster Performance?

Investor / analyst expectations out of sync with reality

Challenging economy impacting sectors within technology

Too much noise, not enough execution

Security is a process, not an out of the box product

“The need is understood,

but the execution has been poor”

Emerging Trends

• Internet security should be a high-growth segment in 2003
– Top IT priority
– Media coverage generates awareness
– Potential government spend
– We forecast aggregate spending to increase 8-12%

• Technology bellwethers to continue to expand security offerings (IBM, MSFT, CSCO)
– Industry consolidation has begun
– Non-security firms seeking security-industry growth rates
– Given the heterogeneous installed base, third-party providers are best suited to address a complete solution

Emerging Trends (Cont.)

• Government spending, which was delayed in 2002, should now come to fruition
– Creation of the Department of Homeland Security and a Republican Congress set the stage
– Fiscal 2003 budget to increase IT security spending
– State and local agencies a source of upside
– HIPAA and GLBA forcing spending

• Security Reporting / Management
– Managing several devices has become a point of pain
– Patch management solutions to benefit from SQL Slammer
– Solutions being developed by security, systems management and other players (BMC, CA, IBM, ISSX, NET, NTIQ, SYMC)

Emerging Trends (Cont.)

• New categories
– Identity Management
– Corporate Desktop Firewall
– Integrity Assessment
– Spam

Consolidation – Continuing Trend

• M&A market to continue at a strong pace
– In general the space is overfunded: too many companies
– Lack of new venture funding
– Trend towards “one-stop shop”
– Technology bellwethers
– Public companies provide a large source of “funding capital”

Consolidation – The Numbers

The total amount of venture funding has declined sharply

Quarter | Value of trans. | Quarter | Value of trans. | Quarter | Value of trans.
1Q01 | $606M | 1Q02 | $260M | 1Q03 | $47M
2Q01 | $274M | 2Q02 | $262M | |
3Q01 | $240M | 3Q02 | $210M | |
4Q01 | $330M | 4Q02 | $206M | |
Total | $1,450M | Total | $938M | Total | $47M

Sources: Company reports and industry trade publications

Consolidation – The Numbers

The number of M&A deals is increasing year over year

Quarter | # of deals | Quarter | # of deals | Quarter | # of deals
1Q01 | 4 | 1Q02 | 8 | 1Q03 | 14*
2Q01 | 7 | 2Q02 | 8 | |
3Q01 | 7 | 3Q02 | 9 | |
4Q01 | 6 | 4Q02 | 6 | |
Total | 24 | Total | 31 | Total | 14

* Number includes pending transactions

Sources: Company reports and industry trade publications

Increasing Threat Profile

• IDC predicts a serious cyber attack in 2003
– Traffic halted, economy affected for a day or longer

• Increasing home broadband use driving attack proliferation
– South Korea now #2 source of attacks

• 81.5% increase of vulnerabilities in 2002

• 55.9% increase in incidents in 2002

• General Internet attacks increasing at 64% CAGR

• Increase in sophisticated attacks
– More RATs, blended threats, etc.

Sources: CERT, IDC, CSI/FBI, Symantec

Investor Sentiment Still Positive

• Positive secular trends

• Government regulations to increase spend
– HIPAA
– GLBA

• Privacy concerns increasing

• Easier to understand value
– Risk mitigation vs. FUD

Conclusion

• Fundamental outlook remains strong, but timing is difficult to predict

• Overall industry has attractive long-term growth rates
– Security is #1 IT priority
– Government spending

• We expect continued consolidation over the next 12 months
– Currently there is no one-stop shop

• Investment strategy: invest in companies that are leveraging leading positions or positioned for large growth opportunities

Security Coverage List

Check Point Software Tech., Ltd. [6] (CHKP) – Neutral

Entrust, Inc. [6] (ENTU) – Buy

Network Associates, Inc. (NET) – Buy

Netegrity, Inc. [6] (NETE) – Neutral

NetScreen Tech., Inc. [6] (NSCN) – Buy

Secure Computing Corp. [6] (SCUR) – Neutral

SonicWALL, Inc. [6] (SNWL) – Neutral

Symantec Corp. [6] (SYMC) – Buy

VeriSign, Inc. [6] (VRSN) – Neutral

Websense, Inc. [3,6] (WBSN) – Buy

WatchGuard Tech., Inc. [6] (WGRD) – Neutral

(Bracketed numbers refer to the disclosure items that follow.)

Disclosures

1) Indicates that Pacific Crest Securities managed or co-managed a public offering for this company within the past 12 months.

2) Indicates that Pacific Crest Securities received compensation for investment banking services from this company within the past 12 months.

3) Indicates that Pacific Crest Securities expects to receive or intends to seek investment banking compensation from this company in the next three months.

4) Indicates that the research analyst or a member of the research analyst’s household has a financial interest in this company.

5) Indicates that a Pacific Crest Securities employee or a member of the research analyst’s household serves as an officer, director or advisory board member of this company.

6) Indicates that Pacific Crest Securities makes a market in the shares of this company.

7) Indicates that a Pacific Crest Securities employee has an aggregate beneficial ownership of more than 5% of the outstanding stock of this company.

8) Indicates that Pacific Crest Securities or an affiliate of Pacific Crest Securities beneficially owns 1% or more of the common equity of this company.

Disclosures (Cont.)

The material contained herein is based on data from sources considered to be

reliable. However, Pacific Crest Securities (PCS) does not guarantee or warrant the

accuracy or completeness of the information. The information is not intended to be

used as the primary basis of investment decisions, nor, because of individual client

requirements, should it be construed as a representation by PCS as an offer, or the

solicitation of an offer, to buy or sell a security. The opinions and estimates

expressed reflect the current judgment of PCS and are subject to change without

notice. This report may contain forward-looking statements, which involve risk and

uncertainty. Actual results may differ significantly from the forward-looking

statements. PCS may perform or seek to perform investment banking services for

the issuers of these securities. Analyst compensation is based partially on revenues

from investment banking services provided by PCS. Individuals associated with PCS

or PCS itself may have a position in the securities mentioned and may make

purchases and/or sales of those securities in the open market or otherwise. This

communication is intended solely for use by PCS clients. The recipient agrees not to

forward or copy the information to any other person.

Disclosures (Cont.)

Strong Buy (SB) We expect the stock to significantly outperform its peer group over the coming three to six months.

Buy (B) We expect the stock to outperform its peer group over the coming 12 months.

Neutral (N) We expect the stock to perform in line with its peer group over the coming 12 months.

Avoid (A) We expect the stock to underperform its peer group over the coming 12 months.

Not Rated (NR) We do not follow this stock.

Distribution of Ratings and IB Services as of Dec. 31, 2002

Rating | % of Ratings | % IB Services*

Strong Buy 4% 0%

Buy 44% 0%

Neutral 50% 2%

Avoid 2% 0%

Total 100% 2%

* Indicates the percentage of companies within each category for which Pacific Crest Securities has provided investment banking services within the past 12 months.

End of Presentation

Thank You.

Contact Information:

Rob D. Owens

rowens@pacific-crest.com

503-248-0721

Privacy in Practice: Developing and Deploying Applications That Meet the Privacy Standards

Greg Hampson
Privacy Manager, Microsoft

Why Should You Care About Privacy?

• The Marketplace Cares!

• Loss of privacy tops list of fears for next century - Wall Street Journal, 9/16/99

• 78% of public have refused to provide information to a business because they thought it was too personal or not needed -Harris Interactive—IBM

• Privacy concerns are #1 reason off-line people do not go online – Consumer Privacy Survey

• 92% of online families do not trust online companies to keep their information private – Odyssey Research 2001

Your Company Cares!

• In 2001 Privacy Litigation

– 8 companies: obtaining PII fraudulently

– 32 companies: obtaining PII in violation of policy

– 10 companies: tracking/monitoring users without permission/disclosure

– 15 companies: using PII improperly or not within policy

– $74.2 million awarded in settlements/judgments

Source – P&AB

Government Cares!

• USA – GLBA, HIPAA, COPPA
– + North Dakota, California, New Hampshire . . . ??

• Canada – C6

• European Union
– Directive on Data Processing
– Safe Harbor Agreement

• Rest of World: Hong Kong, Australia, New Zealand, South Korea, Argentina…

Privacy at Microsoft

• Vision:

– To create a culture that integrates privacy values into our

global business processes, practices and relationships.

• Mission:

– Enhance our long-term business relationships with others

through the proper collection, storage and usage of PII

• Strategy:

– Establish a premiere privacy infrastructure

– Integrate & implement privacy strategies globally

– Implement continuous improvement

Trustworthy Components

Core Tenets

Security
• Resilient to attack
• Protects confidentiality, integrity, availability and data

Privacy
• Individuals control personal data
• Products and Online Services adhere to fair information principles

Reliability
• Dependable
• Available when needed
• Performs at expected levels

Business Integrity
• Help customers find appropriate solutions
• Address issues with products and services
• Open interaction with customers

More than Just a Privacy Statement; It’s a Program

The Basis: Privacy Handbook

• Corporate principles, policies and implementation guidelines

• Data Life Cycle for Information Management
– Collecting
– Storing
– Using
– Sharing
– Retention
– Destruction

• Scenarios
– Vendor Management
– Vendor-hosted/Co-branded
– Marketing & Product Reg.
– Events
– International
– Systems Management
– Web Sites

Microsoft Privacy Handbook

Privacy Program Elements

• Required Training – 101 & 201

• Clear Requirements – Legal & Policy
– Security
– Privacy

• Defined Processes
– Application Safety Assurance Process (ASAP)
– Supporting Documentation

• Disciplined Measurement
– Awareness
– Compliance

More than just a privacy statement; it’s a program.

Training: Privacy 101

• Introduce “Privacy” in the context of Trustworthy Computing

• Drive awareness that responsible data management practices are critically important to the company’s business success, now and into the future

• Present the Microsoft Privacy Principle and relate it to the Software Development Lifecycle, Data Lifecycle and the Privacy Policy Framework

• Heighten the awareness of privacy and how it plays a part in everything we do at Microsoft

• Explain the online Privacy Handbook and how it should be used when privacy issues arise

Requirements: Privacy Checklist

5 Privacy Scenarios

Requirements: Application Safety Assurance Process (ASAP)

[Figure: ASAP timeline from 11/1/2002 to 4/1/2003 (project dates 11/8/2002 to 5/9/2003). Phases: Scoping; Planning; Coding; Code Complete; System Testing; UAT starts; Pre-Prod ASAP audit; In Production. Milestones: Pre-Baseline (1. Register in MsApps, 2. Risk Assessment); Baseline; ASAP Design Review; Generate from template (1. Privacy Statement, 2. Privacy Procedures doc); Get LCA signoff on Privacy Statement; BUIT signoff on Privacy Procedures; Go Live; Post (1. Privacy Procedures, 2. Privacy Statement into MsApps); SCALE audit within 14 days of Go Live; Ace regresses bugs in production.]

Measurement: Awareness

• Privacy Assessment Tool provides quantitative measure of business unit’s capacity for privacy health (awareness)

• Weighted scoring model determines Privacy Health Index (PHI)
– Scores within division rolled up to Division score
– PHI score to be reported in annual and mid-year budget reviews

Sample Survey Questions

Measurement: Sample Evaluation of a Business Unit

[Figure: illustrative business-unit org chart with PHI scores rolled up through three levels (Level 3 PHi, Level 2 PHi, Level 1 PHI). Roles shown: Technical Architect; Development Manager (x2); Product Development Group Manager; Marketing Director; Regional Sales Manager (x2); Sales Vice-President; Shift Manager (x4); Product Help Desk Group Manager; MS Product Sr. Vice-President. Individual PHi values shown: .31, .72, .55, .21, .42, .30, .75, .71, .51, .51, .52, .60. Business Unit PHI = .55. (Illustrative)]

Assessment Scorecard

Privacy Health Index

[Figure: Assessment Scorecard with two panels, “PHI Leader View” and “PHI Organization View”. Leader view columns: VP; Org; FY03 Q2 PHI; FY03 Q4 PHI; Change From Last Survey; Response Rate; PHI Metrics (%/MS Rank); FY04 Q4 PHI % (# of #); FY03 Q2 PHI % (# of #). Organization view columns: VP Directs; Org; FY03 Q2 PHI; FY03 Q4 PHI; Change From Last Survey; Response Rate. Further sections: Biggest PHI Item Improvements (Pts. Change); Biggest PHI Item Drops (Pts. Change); FY03 Q2 Areas of Focus (Pts. Change); FY03 Q4 Planned Areas of Focus / FY03 Goal; Comments.]

Summary

• High Bar! – Marketplace, Legal & Policy obligations

• Provide Training – 101 & 201

• Define Requirements – in relevant vocabulary for each discipline

• Define and develop processes – Security & Privacy

• Measure - for awareness & compliance

• Because . . .

More than just a privacy statement; it’s a program!

End of Presentation

© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Thank You.

Contact Information: Greg Hampson

gregham@microsoft.com
