Crystal Ball Executive Forum: Insights on Information Security
TRANSCRIPT
Keynote: Dave Cullinane, CISO, Washington Mutual; President, ISSA
Additional Speakers:
Jim Reavis, CSO, Breakwater Security Associates
Rob Owens, Industry Analyst, Pacific Crest Securities
Greg Hampson, Corporate Privacy Manager, Microsoft
Breakwater Security Associates Presents:
Breakwater Security Associates Overview
• Delivering security protection both nationally and globally since 1996.
• Our team has an average of 5+ years of information security experience and more than 8-10 years of technical or consulting experience.
• Our holistic approach combines planning, designing, building and supporting sophisticated security systems.
– Security Consulting
– Managed Security Services
– Training and Education
Risk Management & the Changing Role of the CISO
Dave Cullinane, CPP, CISSP, Chief Information Security Officer, Washington Mutual, Inc.
International President, ISSA
Protecting Information
• Assets:
– People, Property, Information & Reputation
• Critical asset that must be protected in all forms
– Electronic, hardcopy, intellectual
– Usually in all 3 forms simultaneously
• Not Computer/IT Security
• Value based information protection
– Value + Environment
Information Risk Management
• Risk identification & management core function
• FFIEC Information Security Handbook
• Industry trend to Risk Management Focus
• CSO role
What is Risk Management?
• Anticipate
• Understand
• Act
• Governance
Anticipate
• Identify critical information assets
• Identify likely threats
• Prepare
– Donn Parker’s Due Care approach
– Response capability
• Monitor
• Participate
Understand
• Business processes and initiatives
• External events/trends and business impacts
• Build knowledge base
– Expertise and
– Store of knowledge
Act
• Prepared
• Enable effective decision-making
– By business units and functions
– Initiatives and changes
• Develop solutions
– Partnership with business
New Paradigm
• Establish Risk Profile
• Establish Protection Profile
• Modify PP as RP changes
– Threat level “Orange”
– New business venture
• ROSI
New Paradigm (Cont.)
• Governance
– Not about power
– About enabling effective decision making
• Thought leadership
– Ability to understand trends & anticipate change, synthesize that understanding into a strategic vision, and communicate that vision to others in an informative and convincing way
• Metrics & Reporting
Security Technology Trends That Matter
Jim Reavis, Chief Strategy Officer, Breakwater Security Associates
Editor, CSOinformer Newsletter
Thesis
• The world is an insecure and scary place
• Demand & awareness for security solutions growing
• Bulk of security budgets have gone to 1st generation technologies
• Problems have not been solved adequately
• Security industry is at an “inflection point”
• Interesting innovation is occurring in the 2nd generation of security technologies
Insecure and Scary
• Increased threat environment
• Internal/External Network demarcs increasingly blurred
• IT is “defined” as critical infrastructure but was not “designed” to be critical infrastructure
• Blended threats between traditional crime, terrorism and cyber attacks
• Technology adoption & complexity continues
• Organizations lack trained and experienced security personnel
Demand Environment
• Highest profile ever (CEO, board level, Presidential commissions)
• Increased regulation, compliance
• Insurance requirements
• Skepticism on ROI for security dollars spent, keeps total spending relatively low (3-5% of IT budgets, according to Gartner)
Technology Segments
• AntiVirus
• Firewall
• VPN
• Intrusion Detection
• Vulnerability Assessment
• Encryption
• AAA / PKI
• Security Info Mgt
• Patch Mgt
• Policy Mgt
• Content Mgt
Follow an Attack
[Figure: attack-lifecycle diagram, annotated “Current Security Technology Spending”. Stages shown: Vulnerability discovered; Vendor Patch; Hacker Exploit In the Wild; Exploit Identified & Categorized; Security Vendors release update for Exploit Signature; Users Hit; Update security software; Implement Workaround; Awareness Program; Remediation Program; Policy Architecture.]
Conventional Approach
• Firewalls / some VPN
• AntiVirus: Client & Gateway
• IDS shelfware
• Infrequent Audits
• Paper Policies
Growth Segments
• 3A’s – Authentication, Authorization, Administration (Identity Mgt, SSO, Policy Mgt)
• Intrusion Detection/Prevention (HIDS, NIDS, DDoS)
• Security Management (full lifecycle mgt)
• Content/Application Layer Security
• Remediation/Patch Mgt
Predictions
• Proactive Approach
• Behavioral Technology
• Reduce Complexity
• Application Layer Insecurity
• Product Segment Convergence
• Address Evolving Threats
• Party Crashers
Proactive Approach
• Real time, pervasive vulnerability assessment
• Expedited patch mgt
• Make policies part of the network fabric
• Baseline standards for minimum security requirements
Behavioral Technology
• Signature-based systems miss new and mutated attacks
• Signature-based systems lack context, create false positives
• Signature-based is easy for the hacker to understand
• “Bad Behavior” Examples
– Application attempting direct access to address books
– Machine attempting to connect to unusual host (e.g. R&D to Payroll)
– Application attempting to modify system files
• Behavioral/Heuristics technology
– Improves AntiVirus detection rates by 5-10%
– Will increase accuracy of IDS
– Will improve spam detection
– Will combine with network monitoring and “Meta-data” applications to profile large networks and find anomalies
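The “bad behavior” examples above all share one mechanism: learn what an entity normally does, then flag what it has never done, without any attack signature. The block below is an added illustration written for this transcript, not code from the presentation or from Breakwater Security Associates. The log format, host names, process names and paths are constructed; the same profile-and-compare engine is applied to two of the slide’s cases (an R&D machine connecting to a Payroll host, and an application writing to a system directory or reading the address book).

```python
"""Behavioural (baseline-and-deviation) detection over constructed logs.

Added example for this transcript; it is not code from the presentation
or from Breakwater Security Associates. The 'ts key=value ...' log format,
the host names, process names and paths are all constructed here.
"""
import posixpath
from collections import defaultdict


def parse(line):
    """Parse one 'ts key=value key=value ...' line (assumed format) into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def build_profile(lines, entity, attribute):
    """Learn, per entity (source host, process name, ...), the set of
    attribute values (peer host:port, written directory, ...) observed in a
    known-good window. No attack signatures are involved: the profile only
    records what 'normal' looked like."""
    profile = defaultdict(set)
    for rec in map(parse, lines):
        profile[entity(rec)].add(attribute(rec))
    return profile


def find_deviations(profile, lines, entity, attribute):
    """Return (ts, entity, attribute) for every event whose attribute value
    was never seen for that entity. An entity absent from the profile is
    itself a deviation. Caveat: a baseline window that is too short turns
    ordinary but rare activity into false positives, so the window must
    cover the full business cycle (month-end payroll runs, for instance)."""
    alerts = []
    for rec in map(parse, lines):
        who, what = entity(rec), attribute(rec)
        if what not in profile.get(who, set()):
            alerts.append((rec["ts"], who, what))
    return alerts


# Rule 1: machine connecting to an unusual host (the R&D -> Payroll case).
def conn_entity(rec):
    return rec["src"]


def conn_attr(rec):
    return f'{rec["dst"]}:{rec["dport"]}'


BASELINE_CONNS = [  # constructed known-good window
    "2003-03-01T09:00:01 src=rnd-ws-07 dst=rnd-build-01 dport=22",
    "2003-03-01T09:07:44 src=rnd-ws-07 dst=mail-01 dport=143",
    "2003-03-01T09:12:02 src=rnd-ws-07 dst=proxy-01 dport=8080",
    "2003-03-01T10:30:00 src=hr-ws-02 dst=payroll-db-01 dport=1433",
    "2003-03-01T10:31:15 src=hr-ws-02 dst=mail-01 dport=143",
]
NEW_CONNS = [  # constructed events to evaluate
    "2003-03-02T11:02:05 src=rnd-ws-07 dst=rnd-build-01 dport=22",
    "2003-03-02T11:04:40 src=rnd-ws-07 dst=payroll-db-01 dport=1433",
    "2003-03-02T11:05:01 src=hr-ws-02 dst=payroll-db-01 dport=1433",
]


# Rule 2: application touching system files or the address book.
def file_entity(rec):
    return rec["proc"]


def file_attr(rec):
    return f'{rec["op"]} {posixpath.dirname(rec["path"])}'


BASELINE_FILES = [  # constructed known-good window
    "2003-03-01T09:01:00 proc=editor op=write path=/home/alice/notes.txt",
    "2003-03-01T09:03:00 proc=pkg-updater op=write path=/usr/lib/libfoo.so",
    "2003-03-01T09:04:00 proc=mailer op=read path=/home/alice/addressbook.db",
]
NEW_FILES = [  # constructed events to evaluate
    "2003-03-02T11:00:00 proc=editor op=write path=/home/alice/draft.txt",
    "2003-03-02T11:01:00 proc=editor op=write path=/usr/lib/libbar.so",
    "2003-03-02T11:02:00 proc=game op=read path=/home/alice/addressbook.db",
]


def run_demo():
    """Apply both rules; returns (connection_alerts, file_alerts)."""
    conn_alerts = find_deviations(
        build_profile(BASELINE_CONNS, conn_entity, conn_attr),
        NEW_CONNS, conn_entity, conn_attr)
    file_alerts = find_deviations(
        build_profile(BASELINE_FILES, file_entity, file_attr),
        NEW_FILES, file_entity, file_attr)
    return conn_alerts, file_alerts


if __name__ == "__main__":
    conns, files = run_demo()
    for alert in conns + files:
        print("DEVIATION", *alert)
```

The HR workstation reaching the payroll database is not reported because that pairing is in its baseline; the same destination from the R&D workstation is. The editor writing under /usr/lib and the never-before-seen process reading the address book are reported for the same reason, which is the context a pure signature match does not carry.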
Reduce Complexity
• AAA
– Self service
• Encryption
– Centralized admin
– Gateway / Web Integration
• Security Info Mgt
– Reduce, correlate alerts
– Tie IDS alerts with other security infrastructure
Product Segment Convergence
• Greater ROI when combined
• Fewer Vendors
• Examples
– Life Cycle Vulnerability Mgt: Scanners + Patch Mgt + Tracking Systems
– Systems Management + Security Management
– All in One appliances
Application Layer Insecurity
• Hackers take path of least resistance
• Increased network layer resiliency forces hackers to application layer
• Enterprise apps
• Web server apps
Address Evolving Threats
• Wi-Fi: difficult to solve, indirect “defense in depth” needed
• Instant Messaging: encryption, auditing, authentication, non-repudiation, interoperability
• Mobile devices: building full security functionality into a small footprint
• Blended threats: data correlation
Party Crashers
• Demand for more built-in technology, less vendors
• Microsoft
– Active Directory, Passport, CA
– Hardened Operating Systems (Host IDS overlap)
• Cisco
– Focused on adding services across infrastructure
– Unified Mgt platform
Follow an Attack
[Figure: the same attack-lifecycle diagram (Vulnerability discovered; Vendor Patch; Hacker Exploit In the Wild; Exploit Identified & Categorized; Security Vendors release update for Exploit Signature; Users Hit; Update security software; Implement Workaround; Awareness Program; Remediation Program; Policy Architecture), now annotated “Current Security Technology Spending” versus “Future Security Technology Spending”, with “Behavioral” added as a stage.]
The State of the Security Market: Wall Street’s View
Rob Owens, VP, Senior Research Analyst, Pacific Crest
Pacific Crest Overview
Business Focus: Full-service investment bank
Industry Focus: Technology
Employees: 100+
Offices: Portland, Boston, Silicon Valley
Research Breadth: 100+ public companies in 10 sectors
Investor Reach: More than 250 active institutional technology buyers
Trading Strength: #1 market maker trading fewer than 150 stocks (4Q/2002)
Singular Focus: Technology “Core to the Consumer”
Software: Enterprise Applications; Internet Security; Systems Management
Interactive Content & Commerce: Advanced Commerce & Media; Content Management & Collaboration; Connected Consumer
Communications Technologies: Network Infrastructure; Wireless Communications; Communications Software
Core Technologies: Semiconductors; Semiconductor Equipment; Communications Components & Equipment
Widely Recognized Research
Sector | Best Firm | Honorable Mention
Retailing/Specialty Stores | Buckingham Research Group | Jefferies & Co.
Software | Pacific Crest Securities |
Specialty Finance | Keefe, Bruyette & Woods | Fox-Pitt, Kelton
The sunny side of the Street “Mainstream Wall Street research firms have had a tough year. But specialized boutiques have never done better.” (Institutional Investor, December 2002)
2002 Best Boutiques
2002 All-American Research Teams Rankings
“Debuting in II’s poll, Portland, Oregon-based Pacific Crest Securities, a technology research firm, edges out SoundView Technology Group for the best applications software research.”(Institutional Investor, December 2002)
Analyst | II Sector | Pacific Crest Sector
Top 10:
Steve Weinstein | Internet | Advanced Commerce & Media
Brendan Barnicle | Software | Enterprise Applications
Rob Owens | Software & Systems Mgmt. | Internet Security
Brent Bracelin | Software & Systems Mgmt. | IT Hardware/Enterprise Data Infrastructure
Steve Lidberg | Software & Systems Mgmt. | Content & Collaboration Software
Aalok Shah | Data Networking | Semiconductors; Communications Equipment & Components
Honorable Mention:
James Faucette | Software & Systems Mgmt. | Wireless Communications
The State of Internet Security
It’s been a rocky 12 months; the security group has underperformed the indices
2003 trends: challenging environment, but group will grow at meaningful rate
M&A market to continue at strong pace
Threat profile to increase
Still investor optimism surrounding security investing
Stock Performance
[Figure: line chart of stock performance from 03/18/02 to 02/28/03, y-axis -70% to 30%; series: Pacific Crest Security Index, Nasdaq, S&P 500.]
A rocky twelve months
Security stocks have underperformed the indices
12 Month Stock Performance
Symantec 7.0%
Check Point -50.7%
Entrust -47.9%
Netegrity -69.8%
NetScreen 20.4%
Network Associates -41.2%
Secure Computing -70.5%
SonicWALL -75.4%
VeriSign -71.3%
WatchGuard 23.8%
Websense -43.9%
ActivCard -9.9%
RSA -28.0%
Rainbow 18.2%
ISS -54.5%
Stock Performance
Poor February performance
Company | Ticker | Price | 52-Wk High | 52-Wk Low | Feb % | 3-Mo % | YTD % | 1-Yr %
Check Point Soft. Tech. Ltd. | CHKP | $14.87 | $38.49 | $10.37 | 2.2 | (12.8) | 2.2 | (50.7)
Entrust, Inc. | ENTU | $2.76 | $6.79 | $1.98 | (3.8) | (31.5) | (3.8) | (47.9)
Internet Security Sys., Inc. | ISSX | $11.47 | $32.00 | $10.26 | (9.3) | (54.2) | (9.3) | (54.5)
Netegrity, Inc. | NETE | $4.04 | $17.95 | $1.40 | 1.0 | 4.7 | 1.0 | (69.8)
NetScreen Tech., Inc. | NSCN | $19.53 | $20.80 | $7.76 | (0.9) | 13.2 | (0.9) | NM
Network Associates, Inc. | NET | $14.80 | $29.95 | $8.14 | (2.6) | (18.9) | (2.6) | (41.2)
Rainbow Technologies, Inc. | RNBO | $8.23 | $11.25 | $2.84 | 2.9 | (2.9) | 2.9 | 18.2
RSA Security, Inc. | RSAS | $7.08 | $11.25 | $2.23 | 26.2 | 11.0 | 26.2 | (28.0)
Secure Computing Corp. | SCUR | $4.55 | $21.96 | $2.26 | (6.8) | (40.8) | (6.8) | (70.5)
SonicWALL, Inc. | SNWL | $3.33 | $16.49 | $1.79 | (9.5) | (17.6) | (9.5) | (75.4)
Symantec Corporation | SYMC | $40.47 | $48.30 | $27.21 | (12.7) | (7.5) | (12.7) | 7.0
VeriSign, Inc. | VRSN | $7.71 | $33.50 | $3.92 | (6.8) | (26.6) | (6.8) | (71.3)
WatchGuard Tech., Inc. | WGRD | $6.50 | $9.00 | $3.03 | (23.5) | 0.8 | (23.5) | 23.8
Websense, Inc. | WBSN | $14.16 | $31.98 | $10.35 | (32.8) | (47.1) | (32.8) | (43.9)
Pacific Crest Security Index | PCSSX | 158.88 | 329.74 | 116.39 | (11.0) | (22.9) | (15.5) | (42.0)
Nasdaq Composite | CCMP | 1337.52 | 1929.67 | 1114.11 | 1.0 | (9.9) | (3.4) | (25.8)
S&P 500 Index | SPX | 841.15 | 1170.29 | 776.76 | (2.2) | (10.0) | (7.5) | (25.7)
Percentages in parentheses are negative; NM = not meaningful.
Comparative Valuation
Security companies
Company | Price | C2003 Sales | C2004 Sales | 3-5 Yr Gr. Rate | C2003 P/E | C2003 PEG | C2003 EV/S | C2004 P/E | C2004 PEG | C2004 EV/S
Check Point Soft. Tech, Ltd. | $15.10 | $450M | $485M | 15% | 14.8x | 1.0x | 5.6x | 14.4x | 1.0x | 5.2x
Entrust, Inc. | $2.85 | $112M | $131M | 25% | NM | NM | 0.5x | 40.7x | 1.6x | 0.4x
Internet Security Sys., Inc. | $11.77 | $273M | $315M | 25% | 18.4x | 0.7x | 1.5x | 15.1x | 0.6x | 1.3x
Netegrity, Inc. | $4.17 | $71M | $79M | 20% | NM | NM | 1.0x | NM | NM | 0.9x
NetScreen Tech., Inc. | $19.98 | $254M | $344M | 40% | 34.4x | 0.9x | 5.4x | 31.7x | 0.8x | 4.0x
Network Associates, Inc. | $15.19 | $1,020M | $1,158M | 20% | 20.5x | 1.0x | 2.0x | 16.9x | 0.8x | 1.8x
Rainbow Technologies, Inc. | $8.26 | $135M | NE | 18% | 27.5x | 1.6x | 1.3x | NM | NM | NM
RSA Security, Inc. | $7.30 | $251M | $277M | 16% | 56.2x | 3.6x | 1.2x | 28.1x | 1.8x | 1.1x
Secure Computing, Corp. | $4.64 | $77M | $86M | 25% | 25.8x | 1.0x | 1.5x | 17.2x | 0.7x | 1.4x
SonicWALL, Inc. | $3.38 | $101M | $119M | 20% | NM | NM | -0.1x | 56.3x | 2.8x | 0.0x
Symantec, Corp. | $42.15 | $1,590M | $1,858M | 20% | 22.3x | 1.1x | 3.5x | 19.6x | 1.0x | 3.0x
VeriSign, Inc. | $7.91 | $1,098M | $1,199M | 15% | 13.4x | 0.9x | 1.4x | 11.6x | 0.8x | 1.2x
WatchGuard Tech, Inc. | $6.48 | $94M | $110M | 20% | 81.0x | 4.1x | 1.3x | 28.2x | 1.4x | 1.1x
Websense, Inc. | $14.82 | $83M | $108M | 40% | 24.7x | 0.6x | 2.5x | 18.5x | 0.5x | 1.9x
Industry Average | | | | | 30.8x | 1.5x | 2.0x | 24.9x | 1.1x | 1.8x
Industry Median | | | | | 24.7x | 1.0x | 1.4x | 19.1x | 0.9x | 1.3x

Enterprise software comparables
Company | Price | C2003 Sales | C2004 Sales | 3-5 Yr Gr. Rate | C2003 P/E | C2003 PEG | C2003 EV/S | C2004 P/E | C2004 PEG | C2004 EV/S
BEA Systems, Inc. | $9.72 | $1,000M | $1,121M | 25% | 34.7x | 1.4x | 3.3x | 30.0x | 1.2x | 3.0x
Microsoft Corporation | $23.70 | $33,359M | $37,217M | 15% | 23.2x | 1.5x | 6.5x | 20.2x | 1.3x | 5.8x
Oracle Corporation | $11.96 | $9,723M | $11,045M | 15% | 26.8x | 1.8x | 5.5x | 21.8x | 1.5x | 4.9x
PeopleSoft, Inc. | $17.10 | $2,027M | $2,203M | 15% | 26.8x | 1.8x | 1.7x | 23.5x | 1.6x | 1.6x
SAP AG | $20.90 | $7,865M | $8,550M | 15% | 24.0x | 1.6x | 0.7x | 21.0x | 1.4x | 0.7x
Siebel Systems, Inc. | $8.63 | $1,610M | $1,759M | 20% | 32.3x | 1.6x | 1.5x | 24.0x | 1.2x | 1.4x
Industry Average | | | | | 28.0x | 1.6x | 3.2x | 23.4x | 1.4x | 2.9x
Industry Median | | | | | 26.8x | 1.6x | 2.5x | 22.6x | 1.4x | 2.3x
NM = not meaningful; NE = no estimate.
Why the Lackluster Performance?
Investor / analyst expectations out of sync with reality
Challenging economy impacting sectors within technology
Too much noise, not enough execution
Security is a process, not an out of the box product
“The need is understood,
but the execution has been poor”
Emerging Trends
• Internet security should be a high-growth segment in 2003
– Top IT priority
– Media coverage generates awareness
– Potential government spend
– We forecast aggregate spending to increase 8-12%
• Technology bellwethers to continue to expand security offerings (IBM, MSFT, CSCO)
– Industry consolidation has begun
– Non-security firms seeking security-industry growth rates
– Given heterogeneous architecture installed base, third party providers best suited to address complete solution
Emerging Trends (Cont.)
• Government spending, which was delayed in 2002, should now come to fruition
– Creation of the Department of Homeland Security and a Republican congress set the stage
– Fiscal 2003 budget to increase IT security spending
– State and local agencies a source of upside
– HIPAA and GLBA forcing spending
• Security Reporting / Management
– Managing several devices has become point of pain
– Patch management solutions to benefit from SQL Slammer
– Solutions being developed by security, systems management and other players (BMC, CA, IBM, ISSX, NET, NTIQ, SYMC)
Emerging Trends (Cont.)
• New categories
– Identity Management
– Corporate Desktop Firewall
– Integrity Assessment
– Spam
Consolidation – Continuing Trend
• M&A market to continue at a strong pace
• In general space is over funded – too many companies
• Lack of new venture funding
• Trend towards “one-stop shop”
– Technology bellwethers
– Public companies provide large source of “funding capital”
Consolidation – The Numbers
The total amount of venture funding has declined sharply
Quarter | Value of trans. | Quarter | Value of trans. | Quarter | Value of trans.
1Q01 | $606M | 1Q02 | $260M | 1Q03 | $47M
2Q01 | $274M | 2Q02 | $262M | |
3Q01 | $240M | 3Q02 | $210M | |
4Q01 | $330M | 4Q02 | $206M | |
Total | $1,450M | Total | $938M | Total | $47M
Sources: Company reports and industry trade publications
Consolidation – The Numbers
The number of M&A deals is increasing year over year
Quarter | # of deals | Quarter | # of deals | Quarter | # of deals
1Q01 | 4 | 1Q02 | 8 | 1Q03 | 14*
2Q01 | 7 | 2Q02 | 8 | |
3Q01 | 7 | 3Q02 | 9 | |
4Q01 | 6 | 4Q02 | 6 | |
Total | 24 | Total | 31 | Total | 14
* Number includes pending transactions
Sources: Company reports and industry trade publications
Increasing Threat Profile
• IDC predicts a serious cyber attack in 2003
– Traffic halted, economy affected for a day or longer
• Increasing home broadband use driving attack proliferation
– South Korea now #2 source of attacks
• 81.5% increase of vulnerabilities in 2002
• 55.9% increase in incidents in 2002
• General Internet attacks increasing at 64% CAGR
• Increase in sophisticated attacks
– More RATs, blended threats, etc.
Sources: CERT, IDC, CSI/FBI, Symantec
Investor Sentiment Still Positive
Positive secular trends
Government regulations to increase spend
– HIPAA
– GLBA
Privacy concerns increasing
Easier to understand value
– Risk mitigation vs. FUD
Conclusion
Fundamental outlook remains strong, but timing is difficult to predict
Overall industry has attractive long-term growth rates
– Security is #1 IT priority
– Government spending
We expect continued consolidation over the next 12 months
– Currently there is no one-stop shop
Investment strategy: invest in companies that are leveraging leading positions or positioned for large growth opportunities
Security Coverage List
Check Point Software Tech., Ltd. (CHKP) – Neutral [6]
Entrust, Inc. (ENTU) – Buy [6]
Network Associates, Inc. (NET) – Buy
Netegrity, Inc. (NETE) – Neutral [6]
NetScreen Tech., Inc. (NSCN) – Buy [6]
Secure Computing Corp. (SCUR) – Neutral [6]
SonicWALL, Inc. (SNWL) – Neutral [6]
Symantec Corp. (SYMC) – Buy [6]
VeriSign, Inc. (VRSN) – Neutral [6]
Websense, Inc. (WBSN) – Buy [3, 6]
WatchGuard Tech., Inc. (WGRD) – Neutral [6]
Bracketed numbers refer to the numbered items under Disclosures below.
Disclosures
1) Indicates that Pacific Crest Securities managed or co-managed a public offering for this company within the past 12 months.
2) Indicates that Pacific Crest Securities received compensation for investment banking ser-vices from this company within the past 12 months.
3) Indicates that Pacific Crest Securities expects to receive or intends to seek investment banking compensation from this company in the next three months.
4) Indicates that the research analyst or a member of the research analyst’s household has a financial interest in this company.
5) Indicates that a Pacific Crest Securities employee or a member of the research analyst’s household serves as an officer, director or advisory board member of this company.
6) Indicates that Pacific Crest Securities makes a market in the shares of this company.
7) Indicates that a Pacific Crest Securities employee has an aggregate beneficial ownership of more than 5% of the outstanding stock of this company.
8) Indicates that Pacific Crest Securities or an affiliate of Pacific Crest Securities beneficially owns 1% or more of the common equity of this company.
Disclosures (Cont.)
The material contained herein is based on data from sources considered to be
reliable. However, Pacific Crest Securities (PCS) does not guarantee or warrant the
accuracy or completeness of the information. The information is not intended to be
used as the primary basis of investment decisions, nor, because of individual client
requirements, should it be construed as a representation by PCS as an offer, or the
solicitation of an offer, to buy or sell a security. The opinions and estimates
expressed reflect the current judgment of PCS and are subject to change without
notice. This report may contain forward-looking statements, which involve risk and
uncertainty. Actual results may differ significantly from the forward-looking
statements. PCS may perform or seek to perform investment banking services for
the issuers of these securities. Analyst compensation is based partially on revenues
from investment banking services provided by PCS. Individuals associated with PCS
or PCS itself may have a position in the securities mentioned and may make
purchases and/or sales of those securities in the open market or otherwise. This
communication is intended solely for use by PCS clients. The recipient agrees not to
forward or copy the information to any other person.
Disclosures (Cont.)
Strong Buy (SB) We expect the stock to significantly outperform its peer group over the coming three to six months.
Buy (B) We expect the stock to outperform its peer group over the coming 12 months.
Neutral (N) We expect the stock to perform in line with its peer group over the coming 12 months.
Avoid (A) We expect the stock to underperform its peer group over the coming 12 months.
Not Rated (NR) We do not follow this stock.
Distribution of Ratings and IB Services as of Dec. 31, 2002
Rating | % of Ratings | % IB Services*
Strong Buy | 4% | 0%
Buy | 44% | 0%
Neutral | 50% | 2%
Avoid | 2% | 0%
Total | 100% | 2%
* Indicates the percentage of companies within each category for which Pacific Crest Securities has provided investment banking services within the past 12 months.
Privacy in Practice: Developing and Deploying Applications That Meet the Privacy Standards
Greg Hampson, Privacy Manager, Microsoft
Why Should You Care About Privacy?
• The Marketplace Cares!
• Loss of privacy tops list of fears for next century - Wall Street Journal, 9/16/99
• 78% of public have refused to provide information to a business because they thought it was too personal or not needed -Harris Interactive—IBM
• Privacy concerns are #1 reason off-line people do not go online – Consumer Privacy Survey
• 92% of online families do not trust online companies to keep their information private – Odyssey Research 2001
Your Company Cares!
• In 2001 Privacy Litigation
– 8 companies – obtaining PII fraudulently
– 32 companies – obtaining PII in violation of policy
– 10 companies – tracking/monitoring users w/o permission/disclosure
– 15 companies – using PII improperly or not within policy
– $74.2 million awarded in settlements/judgments
Source – P&AB
Government Cares!
• USA – GLBA, HIPAA, COPPA
– + North Dakota, California, New Hampshire . . . ??
• Canada – C6
• European Union
– Directive on Data Processing
– Safe Harbor Agreement
• Rest of World: Hong Kong, Australia, New Zealand, South Korea, Argentina…
Privacy at Microsoft
• Vision:
– To create a culture that integrates privacy values into our
global business processes, practices and relationships.
• Mission:
– Enhance our long-term business relationships with others
through the proper collection, storage and usage of PII
• Strategy:
– Establish a premiere privacy infrastructure
– Integrate & implement privacy strategies globally
– Implement continuous improvement
Trustworthy Components
Core Tenets
• Security
– Resilient to attack
– Protects confidentiality, integrity, availability and data
• Privacy
– Individuals control personal data
– Products and Online Services adhere to fair information principles
• Reliability
– Dependable
– Available when needed
– Performs at expected levels
• Business Integrity
– Help customers find appropriate solutions
– Address issues with products and services
– Open interaction with customers
More than Just a Privacy Statement; It’s a Program
The Basis: Privacy Handbook
• Corporate principles, policies and implementation guidelines
• Data Life Cycle for Information Management
– Collecting
– Storing
– Using
– Sharing
– Retention
– Destruction
• Scenarios
– Vendor Management
– Vendor-hosted/Co-branded
– Marketing & Product Reg.
– Events
– International
– Systems Management
– Web Sites
Microsoft Privacy Handbook
Privacy Program Elements
• Required Training – 101 & 201
• Clear Requirements – Legal & Policy
– Security
– Privacy
• Defined Processes
– Application Safety Assurance Process (ASAP)
– Supporting Documentation
• Disciplined Measurement
– Awareness
– Compliance
More than just a privacy statement; it’s a program.
Training: Privacy 101
• Introduce “Privacy” in the context of Trustworthy Computing
• Drive awareness that responsible data management practices are critically important to the company’s business success, now and into the future
• Present the Microsoft Privacy Principle and relate it to the Software Development Lifecycle, Data Lifecycle and the Privacy Policy Framework
• Heighten the awareness of privacy and how it plays a part in everything we do at Microsoft
• Explain the online Privacy Handbook and how it should be used when privacy issues arise
Requirements: Privacy Checklist
5 Privacy Scenarios
Requirements: Application Safety Assurance Process (ASAP)
[Figure: ASAP timeline, 11/1/2002 to 4/1/2003 on the axis, project running 11/8/2002 to 5/9/2003. Phases: Planning; Scoping; Coding; Code Complete; System Testing; UAT starts; Pre-Prod ASAP audit; Go Live; In Production. Milestones: Pre-Baseline – 1. Register in MsApps, 2. Risk Assessment; Baseline – ASAP Design Review; Generate from template – 1. Privacy Statement, 2. Privacy Procedures doc; Get LCA signoff on Privacy Statement; BUIT signoff on Privacy Procedures; Post – 1. Privacy Procedures, 2. Privacy Statement into MsApps; SCALE audit within 14 days of Go Live; Ace regresses bugs in production.]
Measurement: Awareness
• Privacy Assessment Tool provides quantitative measure of business unit’s capacity for privacy health (awareness)
• Weighted scoring model determines Privacy Health Index (PHI)
– Scores within division rolled up to Division score
– PHI score to be reported in annual and mid-year budget reviews
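To make the weighted-scoring and roll-up idea concrete, here is an added illustration written for this transcript; it is not Microsoft’s Privacy Assessment Tool or its scoring model. The survey questions, their weights, the 0-4 answer scale, the org tree and every response are constructed. The part worth noting for a measurement program is how non-respondents are handled: they are kept out of the mean but counted in the response rate, so a division cannot raise its index by having only its most aware people answer.

```python
"""Weighted Privacy Health Index (PHI) roll-up over an organisation tree.

Added example for this transcript; it is not Microsoft's Privacy Assessment
Tool or its scoring model. The questions, weights, 0-4 answer scale, org
structure and responses below are constructed for illustration.
"""
from statistics import mean

# Constructed survey: question id -> weight. Answers are on a 0..4 scale.
QUESTIONS = {
    "knows_privacy_handbook": 3,
    "completed_privacy_101": 2,
    "classifies_pii_before_storing": 4,
    "knows_retention_policy": 2,
    "privacy_statement_signed_off": 3,
}
MAX_ANSWER = 4


def score_response(answers):
    """One respondent's PHI: weighted mean of answers, normalised to 0..1.
    A missing answer counts as 0 rather than being skipped, so an
    incomplete response cannot inflate the score."""
    total_weight = sum(QUESTIONS.values())
    weighted = sum(w * answers.get(q, 0) / MAX_ANSWER for q, w in QUESTIONS.items())
    return weighted / total_weight


def rollup(unit):
    """Compute PHI for every unit in the tree.

    unit is a dict: {"name": str, "answers": dict or None, "reports": [unit, ...]}.
    A unit's PHI is the mean over every respondent in its subtree, so a
    division score is the roll-up of its members' individual scores.
    Non-respondents are excluded from the mean but counted in headcount;
    a unit with no respondents at all gets PHI None rather than 0.
    Returns {name: (phi, responded, headcount)}."""
    results = {}

    def walk(u):
        scores = [] if u.get("answers") is None else [score_response(u["answers"])]
        headcount = 1
        for r in u.get("reports", []):
            sub_scores, sub_head = walk(r)
            scores += sub_scores
            headcount += sub_head
        phi = round(mean(scores), 2) if scores else None
        results[u["name"]] = (phi, len(scores), headcount)
        return scores, headcount

    walk(unit)
    return results


def all_answers(value):
    """Helper for constructing a response where every question scores `value`."""
    return {q: value for q in QUESTIONS}


# Constructed business unit; roles mirror the slide's illustrative org chart.
BUSINESS_UNIT = {
    "name": "Sr. Vice-President", "answers": all_answers(4),
    "reports": [
        {"name": "Product Development Group Manager",
         "answers": {**all_answers(4), "classifies_pii_before_storing": 0},
         "reports": [
             {"name": "Technical Architect", "answers": all_answers(4)},
             {"name": "Development Manager A", "answers": all_answers(2)},
             {"name": "Development Manager B", "answers": None},  # did not respond
         ]},
        {"name": "Marketing Director", "answers": all_answers(3)},
    ],
}

if __name__ == "__main__":
    for name, (phi, responded, headcount) in rollup(BUSINESS_UNIT).items():
        print(f"{name:36s} PHI={phi}  response rate={responded}/{headcount}")
```

Because the roll-up averages individual respondents rather than averaging the sub-unit indices, a large team and a one-person team contribute in proportion to their size; averaging the children’s PHI values instead would weight them equally, which is the other common design choice and should be stated explicitly in whichever scorecard reports the number.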
Sample Survey Questions
Measurement: Sample Evaluation of a Business Unit
[Figure (illustrative): org chart of a business unit with PHI scores at three levels. Level 1 (PHI): MS Product Sr. Vice-President; Business Unit PHI = .55. Level 2 (PHi): Product Development Group Manager, Marketing Director, Sales Vice-President, Product Help Desk Group Manager. Level 3 (PHi): Technical Architect, Development Manager (x2), Regional Sales Manager (x2), Shift Manager (x4). Individual PHi values shown: .31, .72, .55, .21, .42, .30, .75, .71, .51, .51, .52, .60.]
Assessment Scorecard
[Figure: Privacy Health Index scorecard template with two views. PHI Leader View: columns VP, Org, FY03 Q2 PHI, FY03 Q4 PHI, Change From Last Survey, Response Rate, PHI Metrics (%/MS Rank); rows for FY04 Q4 PHI and FY03 Q2 PHI as % (# of #). PHI Organization View: columns VP, Directs, Org, FY03 Q2 PHI, FY03 Q4 PHI, Change From Last Survey, Response Rate; sections for Biggest PHI Item Improvements (Pts. Change), Biggest PHI Item Drops (Pts. Change), FY03 Q2 Areas of Focus (Pts. Change), FY03 Q4 Planned Areas of Focus with FY03 Goal, and Comments.]
Summary
• High Bar! – Marketplace, Legal & Policy obligations
• Provide Training – 101 & 201
• Define Requirements – in relevant vocabulary for each discipline
• Define and develop processes – Security & Privacy
• Measure - for awareness & compliance
• Because . . .
More than just a privacy statement; it’s a program!
End of Presentation
© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thank You.
Contact Information: Greg Hampson