The Rising Tide of Data: Managing the Dams of Privacy & Security · 2017-07-25

Uploaded by dinhdan · Posted 16-Jun-2018 · Category: Documents

TRANSCRIPT

#RSAC

SESSION ID: PGR-R08

The Rising Tide of Data: Managing the Dams of Privacy & Security

Ben Gerber, Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO), Coupang

JoAnn Stonier, EVP/Chief Information Governance and Privacy Officer, Mastercard

Dana Simberkoff, Chief Risk, Privacy and Information Security Officer, AvePoint

#RSAC

Your Speakers

Dana Louise Simberkoff, Chief Risk, Privacy and Information Security Officer, AvePoint Inc. (@danalouise)

JoAnn Stonier, EVP/Chief Information Governance and Privacy Officer, Mastercard (@PrivacyDesign)

Ben Gerber, Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO), Coupang (@gerber)

#RSAC

Agenda

About us

Setting the Stage: Pressures on the eco-system

Better Together: Corporate Strategies, building a culture of trust (privacy and security: can we make them two sides of a coin?)

Here is how we do it

Audience Questions and Answers

Best Practices Approach: Key Takeaways for attendees

#RSAC

The Balancing Act (Privacy and Security)

#RSAC

Data is a new currency

©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.

Collaboration Tools

#RSAC

Someone else’s Computer

THE CLOUD….

#RSAC

Risks

Social engineering & network attacks

Distribution of confidential/sensitive/proprietary information too easily

Limited security capabilities/enforcement

Limited regulations or industry standards

Rapidly evolving technology capabilities

Workforce surveillance and behavioral tracking


How Do You Know Where to Park?

#RSAC

Privacy without Security? Security without Privacy?

#RSAC

Private Data? What Data?

Organizational: market information, financial information, business decisions, personnel/workforce decisions, content and material

Personal: access frequency, access point, location, money spent, services used, content shared, opinions and perspectives, etc.

[Diagram: overlapping Privacy and Security circles, spanning Non-Personal Information and Personal Information. Labels shown: Collection & Use Limitation; Notice / Consent; Data Quality; Retention / Destruction; Operational Processes; Contractual Compliance; Confidentiality; Access; Incident Management.]

#RSAC

Data Protection is a Team Sport

#RSAC

Privacy and Security is everyone’s job…...


#RSAC

This is how we do it: A tale of three companies

Mastercard

Coupang

AvePoint

#RSAC

Lessons Learned: What you can do in your organization

Know thy business

Identify your priorities

Trust and Verify

IT Transformation as a compliance Enabler

©2017 Mastercard. Proprietary

Privacy & Security By Design

JUNE 6, 2017 RSA 2017

#RSAC

Know thy business

Develop a service level agreement among your compliance officers, your IT team, and the business before you implement a compliance plan.

#RSAC

You need the right people at your table

Cross functional team

Establish accountability and ownership

Ensures adoption of Acceptable Use across the enterprise

Defines, executes and monitors governance processes and metrics

Should be “right-sized” for your organization

HR

Legal

Risk Compliance

Data Owners

Information Security

#RSAC

What are your crown jewels?

What are you trying to protect and from whom?

#RSAC

You cannot protect your data if you don’t know what or where it is…..

Metadata is a love note to the future…

#RSAC

Trust and verify

Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so properly.

#RSAC

Privacy and Security as Business Transformation

Mixed Junk IN

-> Filter for Compliance

-> Prioritize for Business Need

-> Structure for Governance

Organized Gold OUT

#RSAC

Compliance as a culture

Make it easier for your employees to do the right thing than the wrong thing

Create a transparent security organization to discourage employees from working around security

“Privacy and Security is Everyone’s Job…”

#RSAC

Next Steps….

Next week you should:

Identify key stakeholders/champions within your organization

In the first three months following this presentation you should:

Understand how data is being accessed and protected inside your organization today

REALLY understand how data is being accessed and protected inside your organization today

Within six months you should:

Select a targeted IT transformation project inside of your company that you can leverage for your privacy and security program

Drive an implementation project to discover and tag existing data repositories
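The "trust and verify" lesson (let end users classify the sensitive data they create, then check that they did it properly) and the closing step of discovering and tagging existing data repositories come down to the same control: take the owner's label, scan the content independently, and flag every document whose label is weaker than the content warrants. The Python below is an added example written for this page; it is not code from the speakers or their companies. The classification ladder, the policy mapping findings to labels, the three detectors (e-mail address, US-SSN layout, Luhn-checked card number) and the in-memory sample repository are all assumptions constructed for illustration.

```python
"""Data discovery and classification verification.

Added example: walks a set of documents that end users have already labelled,
independently looks for sensitive data in the content, and reports every
document whose user-assigned label is weaker than the content warrants.
The repository, the label ladder and the detectors are assumptions
constructed for this example, not real files or a real policy.
"""
import re
from dataclasses import dataclass

# Assumed classification ladder, weakest to strongest.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Assumed policy: the minimum label each kind of finding requires.
REQUIRED_LEVEL = {"email": "Internal", "ssn": "Restricted", "pan": "Restricted"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US SSN layout
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13-19 digits, optional separators


@dataclass
class Document:
    path: str
    declared: str   # label the end user assigned
    content: str


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_sensitive(text: str) -> dict:
    """Return {finding_kind: count} for the sensitive data found in text."""
    findings = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        findings["email"] = len(emails)
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["ssn"] = len(ssns)
    # A digit run only counts as a card number if it also passes Luhn; this
    # filters out invoice numbers and other long identifiers that merely look like one.
    pans = 0
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans += 1
    if pans:
        findings["pan"] = pans
    return findings


def required_classification(findings: dict) -> str:
    """Strongest label demanded by any finding; Public when nothing was found."""
    level = "Public"
    for kind in findings:
        candidate = REQUIRED_LEVEL[kind]
        if LEVELS.index(candidate) > LEVELS.index(level):
            level = candidate
    return level


def verify_repository(docs):
    """Return (path, declared, required, findings) for each under-classified document."""
    violations = []
    for doc in docs:
        findings = detect_sensitive(doc.content)
        required = required_classification(findings)
        if LEVELS.index(doc.declared) < LEVELS.index(required):
            violations.append((doc.path, doc.declared, required, findings))
    return violations


# Constructed sample repository: paths, user labels and contents are made up.
SAMPLE_REPOSITORY = [
    Document("hr/benefits-faq.docx", "Public",
             "Questions about enrolment? Mail benefits@example.com."),
    Document("finance/chargebacks-q2.xlsx", "Internal",
             "Disputed card 5555 5555 5555 4444, merchant ref 1234567890123456"),
    Document("legal/onboarding-template.txt", "Restricted",
             "Employee SSN 123-45-6789 recorded on file."),
    Document("marketing/launch-plan.md", "Public",
             "Launch on 2017-06-06; budget code 4111-1111-1111-1112."),
]

if __name__ == "__main__":
    for path, declared, required, findings in verify_repository(SAMPLE_REPOSITORY):
        print(f"{path}: labelled {declared}, content requires {required} ({findings})")
```

Run against the sample repository, the scan reports the HR FAQ (labelled Public, contains an e-mail address) and the chargeback sheet (labelled Internal, contains a Luhn-valid card number) while accepting the correctly labelled SSN template and the marketing plan, whose 16-digit budget code fails Luhn. The Luhn check is the point of the exercise: a verifier that fires on every long digit string trains users to ignore it, which is the opposite of a culture where doing the right thing is easier than the wrong thing.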