John Weigelt, MEng, PEng, CISSP, CISM
National Technology Officer, Microsoft Canada
November 2005
Fighting Fraud Through Data Governance

Fighting Fraud
- Understanding the landscape
- Leveraging the compliance spotlight
- Designing solutions for compliance
- Partnering for success

The Fundamental Difference (source: "IT: The Great Divide", CFO Magazine, Spring 2004)
- CIO view of finance: CFOs often don't grasp the strategic importance of IT...
- CFO view of IT: IT is expensive, complex, and often fails to deliver... it's... a place to look for savings.

Security
Protections afforded to a system to protect the confidentiality, integrity and availability of the system and the information contained therein. Sometimes includes authentication, authorization and non-repudiation.

Security Challenges
- Security is seen as an impediment. Common complaints include: restricts access to critical services; encumbers the user; simply a cost.
- Engaging the business leader remains a challenge: security is often seen as an IT systems thing; there is a tendency to respond only after a crisis; the multi-channel view is not fully appreciated.

Privacy
"The right to control access to one's person and information about one's self." (Privacy Commissioner of Canada, speech at the Freedom of Information and Protection of Privacy Conference, June 13, 2002)

Privacy Challenges
- Spotlight on PIPEDA, PHIPA, FOIPPA
- Policy interpretations are still emerging
- Relationship to security services misunderstood
- Privacy often implemented in a binary manner
- Focus on privacy enhancing technologies

Privacy Agility
[Diagram: a solution range running from Fully Secure / Anonymous at one end to Non-Secure / Full Disclosure at the other, with axes labelled Privacy and Security and Public Opinion marked on the range.]

Data Governance
The effective and responsible management of information assets within a framework that strives to mitigate risk, achieve compliance and promote trust and accountability.
Data governance is the monitoring, management and protection of data in a manner that complies with corporate policy, industry standards and regulatory requirements.

Data Governance Characteristics
- Management accountability
- Policy creation
- Identity management
- Security safeguards
- Role-based access to data
- Policy enforcement
- Auditing and reporting

Leveraging Compliance

Leveraging the Current Compliance Environment
- While getting visibility for pure security activities has traditionally been a challenge, privacy and other compliance activities have caught the attention of business leaders.
- Compliance activities are catalyzing security and privacy activities within the enterprise.

Leveraging the Current Compliance Environment
- Organizations are coming to the realization that compliance activities are good business.
- Compliance activities: improve processes; create competitive advantage; further integrate IT into the business.

Designing for Compliance

How Do You Design for Compliance?
- Detailed policies and procedures
- Awareness and education
- Leverage existing product features
- Employ specialized solutions
- Maximize the use of trustworthy products: designed and evaluated to be secure; ongoing maintenance
- All while ensuring consistency with traditional service delivery channels

A Layered Approach to Compliance
- Engages the entire business for success
- Allows for the allocation of controls outside of IT
- Layers: Legislation; Policies; Procedures; Physical Controls; Application Features; Inherent System Capabilities

Where to start?
- Depends on organizational culture
- But generally speaking: take a top-down / bottom-up / middle-out approach; embed and/or identify compliance requirements in business requirements; inventory existing tools for their data governance capabilities; fill gaps with specialized safeguards

Roadmap to Compliance
[Diagram: stages Startup; Planning; Implement and Document; Evaluation and Testing; Corrective Measures; Optimization.]

- Open, transparent interaction with customers
- Industry leadership
- Embracing of open standards
- Predictable; consistent, available
- Easy to configure and manage
- Resilient, recoverable, proven
- Secure against attacks
- Protects confidentiality, integrity of data and systems
- Manageable
- Protects from unwanted communication
- Controls for informational privacy
- Products, online services adhere to fair information principles

Partnerships for Success
- Guidance and partnership

Call to Action
- Look to understand the landscape
- Leverage current emphasis
- Design for compliance
- Partner for success

(c) 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.