global ciso forum 2017: privacy partnership
TRANSCRIPT
Classification: //SecureWorks/Confidential - Limited External Distribution
Privacy Partnership
Katherine Fithen
Retired Chief Privacy Officer
The Coca-Cola Company
<date>
Agenda
• My Background
• Why Compliance ≠ Security
• Privacy Partnership
  • Business
  • IT
  • Legal
• Risk Management
• Breach Response
• Questions & Contact Information
ciso.eccouncil.org 2
My Background
• Education
  • B.A., Retail Management
  • M.A., Personnel Management
  • M.S., Information Science
• Careers
  • Retail – clothing buyer for stores
  • Technology
    • PREPnet
    • CERT®
    • pwc
    • The Coca-Cola Company
    • SecureWorks
Why Compliance ≠ Security
• SOX
  • Enron
• PCI
  • TJ Maxx breach (2007)
    • Had been certified by PCI assessment
    • 45.6 million cards compromised
• Privacy
  • Target breach (2013 - 2015)
    • 42 million cards compromised
    • 61 million people had PI compromised
  • OPM breach
    • 21.5 million people had PI compromised
  • Equifax
    • 143 million people had PI compromised
Privacy Partnership
• Business
  • “Owner” of the data
  • HR, Marketing, Customer, etc.
• IT
  • Technology enables organizations to align with privacy laws, regulations, and expectations
• Legal
  • Provide the legal/regulatory requirements for
    • Business owners of data
    • IT
Privacy Partnership (cont.)
• IT
  • IT SDLC
    • Access controls
    • Negative testing
    • Authentication
      • MFA vs UserID + passwd
    • Encryption
      • Who owns/manages the encryption key?
    • Age validation implementation
    • Logs
      • Application
      • Network
  • Contract obligations for vendors & vendor management
Privacy Partnership (cont.)
• Considerations for Privacy Office & Privacy Council
  • Privacy Office
    • IT and Legal
  • Privacy Council
    • Legal
    • IT
    • Marketing
    • HR
    • Public Affairs
    • Internal Audit
    • Controller’s Office
Risk Management
• If compliance ≠ security – then what do we do?
• Most organizations cannot protect all assets equally – and probably should not
  • Too costly
  • Too resource-intensive
• Risk Management
  • Identify sensitive assets
    • IP (Intellectual Property)
    • PI (Personal Information)
  • Insider threat vs external threats
Breach Response
• Who, What, Where, When, and How
Breach Response (cont.)
• Who, What, Where, When, and How
  • Who
    • Legal, Business owner of breached data, IT, Public Affairs, Vendor(s), 3rd-party breach response team (e.g., PCI)
    • Who leads/is decision maker?
    • Regulators
Breach Response (cont.)
• Who, What, Where, When, and How
  • What
    • What happened?
    • How quickly will you know what happened?
    • What to communicate about what happened?
    • What facts do you have?
    • What “beliefs” do you have?
    • What steps do I take?
    • What services do I offer (e.g., ID theft protection, etc.)?
Breach Response (cont.)
• Who, What, Where, When, and How (cont.)
  • Where
    • Where is it?
      • My data?
      • My users?
      • My logs/evidence?
Breach Response (cont.)
• Who, What, Where, When, and How (cont.)
  • When
    • Communicate
      • Internally
      • Externally
    • “Know” what happened to be able to communicate?
    • Bring in a 3rd-party
      • Required by regulation?
      • Need the SME assistance?
      • Want outsider “objective” assistance?
Breach Response (cont.)
• Who, What, Where, When, and How (cont.)
  • How
    • How do I communicate?
      • Internally
      • Externally
    • How do I make “Everyone” comfortable / confident in my ability to handle it?
      • Those impacted?
      • Regulators?
      • Media?
      • Employees?
      • Partners?
In Closing
• We need to work together – Business, IT, and Legal – to enable the business while protecting company assets
Questions & Contact Information
• Katherine Fithen
  Managing Principal
  [email protected]
  +1-770-331-2092