Global CISO Forum 2017: Privacy Partnership


Upload: ec-council

Post on 21-Jan-2018


TRANSCRIPT

Classification: //SecureWorks/Confidential - Limited External Distribution

Privacy Partnership

Katherine Fithen

Retired Chief Privacy Officer

The Coca-Cola Company

<date>

Agenda

• My Background

• Why Compliance ≠ Security

• Privacy Partnership
  • Business
  • IT
  • Legal

• Risk Management

• Breach Response

• Questions & Contact Information

ciso.eccouncil.org 2

My Background

• Education
  • B.A., Retail Management
  • M.A., Personnel Management
  • M.S., Information Science

• Careers
  • Retail – clothing buyer for stores
  • Technology
    • PREPnet
    • CERT®
    • PwC
    • The Coca-Cola Company
    • SecureWorks

Why Compliance ≠ Security

• SOX
  • Enron

• PCI
  • TJ Maxx breach (2007)
    • Had been certified by PCI assessment
    • 45.6 million cards compromised

• Privacy
  • Target breach (2013 - 2015)
    • 42 million cards compromised
    • 61 million people had PI compromised
  • OPM breach
    • 21.5 million people had PI compromised
  • Equifax
    • 143 million people had PI compromised

Privacy Partnership

• Business
  • “Owner” of the data
  • HR, Marketing, Customer, etc.

• IT
  • Technology enables organizations to align with privacy laws, regulations, and expectations

• Legal
  • Provide the legal/regulatory requirements for
    • Business owners of data
    • IT

Privacy Partnership (cont.)

• IT
  • IT SDLC
    • Access controls
    • Negative testing
    • Authentication
      • MFA vs UserID + passwd
    • Encryption
      • Who owns/manages the encryption key?
    • Age validation implementation
    • Logs
      • Application
      • Network
  • Contract obligations for vendors & vendor management
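The slide above names access controls, negative testing, MFA and age validation as SDLC items without showing what a negative test looks like. The following is an example added to this transcript, not code from the talk or from SecureWorks: a toy access-control rule for PI records, an age gate, and a set of negative tests that pass only when the system refuses the request. The roles (employee/hr/admin), the users, the records and the dates are all constructed for illustration, and the rule that HR may read PI only after MFA is an assumed policy, not one stated in the talk.

```python
"""Negative tests for SDLC privacy controls.

Example added to this transcript, not code from the talk or from SecureWorks.
The access-control rules, user roles, records and dates below are constructed
for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # "employee", "hr" or "admin" (assumed roles)
    mfa_verified: bool   # did this session pass MFA, not just UserID + passwd


@dataclass(frozen=True)
class Record:
    owner_id: str
    category: str        # "pi" (personal information) or "public"
    body: str


class AccessDenied(Exception):
    """Raised when the access-control rule refuses a read."""


def read_record(actor: User, record: Record) -> str:
    """Return the record body only if the actor may see it.

    Rules (assumed for this example, not a policy from the talk):
      * public records are readable by anyone;
      * PI is readable by its owner, or by HR/admin whose session passed MFA.
    """
    if record.category == "public":
        return record.body
    if record.owner_id == actor.user_id:
        return record.body
    if actor.role in ("hr", "admin") and actor.mfa_verified:
        return record.body
    raise AccessDenied(
        f"{actor.user_id} ({actor.role}, mfa={actor.mfa_verified}) "
        f"may not read {record.category} owned by {record.owner_id}"
    )


def is_of_age(dob: date, today: date, min_age: int = 18) -> bool:
    """Age gate: has the person reached min_age on `today`?

    A 29 Feb birthday is treated as reached on 1 Mar in non-leap years, the
    usual legal convention (an assumption; check the jurisdiction).
    """
    if dob > today:
        raise ValueError("date of birth is in the future")
    had_birthday_this_year = (today.month, today.day) >= (dob.month, dob.day)
    age = today.year - dob.year - (0 if had_birthday_this_year else 1)
    return age >= min_age


def expect_refused(fn, *args) -> bool:
    """A negative test passes only when the call is refused."""
    try:
        fn(*args)
    except (AccessDenied, ValueError):
        return True
    return False


def run_negative_tests() -> dict:
    """Cases that must be refused. Positive tests alone would not catch a
    read_record that forgot the MFA condition or the owner check."""
    alice = User("alice", "employee", mfa_verified=True)
    carol_no_mfa = User("carol", "hr", mfa_verified=False)
    bob_pi = Record("bob", "pi", "home address: constructed sample")
    return {
        "peer cannot read another employee's PI":
            expect_refused(read_record, alice, bob_pi),
        "HR without MFA cannot read PI":
            expect_refused(read_record, carol_no_mfa, bob_pi),
        "future date of birth is rejected":
            expect_refused(is_of_age, date(2030, 1, 1), date(2024, 6, 1)),
        "day before 18th birthday is under age":
            not is_of_age(date(2006, 6, 2), date(2024, 6, 1)),
        "29 Feb birth, 28 Feb of 18th year is under age":
            not is_of_age(date(2004, 2, 29), date(2022, 2, 28)),
    }


def run_positive_tests() -> dict:
    """Sanity checks that the rules still let legitimate reads through."""
    bob = User("bob", "employee", mfa_verified=False)
    dave_admin = User("dave", "admin", mfa_verified=True)
    bob_pi = Record("bob", "pi", "home address: constructed sample")
    notice = Record("hr", "public", "holiday schedule")
    return {
        "owner reads own PI": read_record(bob, bob_pi) == bob_pi.body,
        "admin with MFA reads PI": read_record(dave_admin, bob_pi) == bob_pi.body,
        "anyone reads public record": read_record(bob, notice) == notice.body,
        "18th birthday counts": is_of_age(date(2006, 6, 1), date(2024, 6, 1)),
        "29 Feb birth, 1 Mar of 18th year counts":
            is_of_age(date(2004, 2, 29), date(2022, 3, 1)),
    }


if __name__ == "__main__":
    for name, ok in {**run_negative_tests(), **run_positive_tests()}.items():
        print(("PASS " if ok else "FAIL ") + name)
```

The point of the negative set is that every entry describes a request the system must refuse; an access-control change that silently widens who can read PI, or an age gate that is off by one on the birthday, fails here while still passing the positive checks.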

Privacy Partnership (cont.)

• Considerations for Privacy Office & Privacy Council
  • Privacy Office
    • IT and Legal
  • Privacy Council
    • Legal
    • IT
    • Marketing
    • HR
    • Public Affairs
    • Internal Audit
    • Controller’s Office

Risk Management

• If compliance ≠ security – then what do we do?

• Most organizations cannot protect all assets equally – and probably should not
  • Too costly
  • Too resource-intensive

• Risk Management
  • Identify sensitive assets
    • IP (Intellectual Property)
    • PI (Personal Information)
  • Insider threat vs external threats

Breach Response

• Who, What, Where, When, and How

Breach Response (cont.)

• Who, What, Where, When, and How
  • Who
    • Legal, Business owner of breached data, IT, Public Affairs, Vendor(s), 3rd-party breach response team (e.g., a PCI Forensic Investigator)
    • Who leads/is decision maker?
    • Regulators

Breach Response (cont.)

• Who, What, Where, When, and How
  • What
    • What happened?
    • How quickly will you know what happened?
    • What to communicate about what happened?
    • What facts do you have?
    • What “beliefs” do you have?
    • What steps do I take?
    • What services do I offer (e.g., ID theft protection, etc.)?

Breach Response (cont.)

• Who, What, Where, When, and How (cont.)
  • Where
    • Where is it?
      • My data?
      • My users?
      • My logs/evidence?

Breach Response (cont.)

• Who, What, Where, When, and How (cont.)
  • When
    • Communicate
      • Internally
      • Externally
    • “Know” what happened to be able to communicate?
    • Bring in a 3rd-party
      • Required by regulation?
      • Need the SME assistance?
      • Want outsider “objective” assistance?

Breach Response (cont.)

• Who, What, Where, When, and How (cont.)
  • How
    • How do I communicate?
      • Internally
      • Externally
    • How do I make “everyone” comfortable / confident in my ability to handle it?
      • Those impacted?
      • Regulators?
      • Media?
      • Employees?
      • Partners?

In Closing

• We need to work together – Business, IT, and Legal – to enable the business while protecting company assets

Questions & Contact Information

• Katherine Fithen
  Managing Principal
  [email protected]
  +1-770-331-2092