Top Privacy Issues for Infosec Professionals

Similar documents
How to Establish Security & Privacy Due Diligence in the Cloud

Cybersecurity The Evolving Landscape

Keeping It Under Wraps: Personally Identifiable Information (PII)

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Security Breach Notification Reflections on the U.S. Experience

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Data Security: Public Contracts and the Cloud

Understanding my data and getting value from it

Cyber Risks in the Boardroom Conference

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Privacy by Design and Privacy by Default

Martijn Loderus. Merritt Maxim. Principal Analyst Forrester. Director & Global Practice Partner for Advisory Consulting Janrain

The GDPR Are you ready?

Cybersecurity in Higher Ed

GDPR: A QUICK OVERVIEW

Google Cloud & the General Data Protection Regulation (GDPR)

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

What to do if your business is the victim of a data or security breach?

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI Web Hull Privacy, Data Protection, & Compliance Advisor

Topics 4/11/2016. Emerging Challenges in mhealth: Keeping Information Safe & Secure. Here s the challenge It s just the beginning of mhealth

Knowing and Implementing the GDPR Part 3

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Internet of Things Toolkit for Small and Medium Businesses

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Employee Security Awareness Training Program

Developing a Privacy Compliance Program

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th

GDPR: An Opportunity to Transform Your Security Operations

How to Prepare a Response to Cyber Attack for a Multinational Company.

Data Privacy and Protection GDPR Compliance for Databases

10 Hidden IT Risks That Might Threaten Your Business

This Webcast Will Begin Shortly

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

01.0 Policy Responsibilities and Oversight

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

Data Management and Security in the GDPR Era

Hot Topics in Privacy

Hot Topics in Privacy

EU General Data Protection Regulation (GDPR) Achieving compliance

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

Why you MUST protect your customer data

Data Compromise Notice Procedure Summary and Guide

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

ARE YOU READY FOR GDPR?

Dealing with the Reality of a Privacy Breach: Civil Litigation, Regulatory Response, and Minimizing Your Risks

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

General Data Protection Regulation (GDPR)

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

ADMA Briefing Summary March

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Understanding the Impact of Data Privacy January 2012

Effective Strategies for Managing Cybersecurity Risks

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Data Privacy and Cybersecurity

What To Do When Your Data Winds Up Where It Shouldn t

PS Mailing Services Ltd Data Protection Policy May 2018

But first, about me you 5/16/2017. Sensitive Data Breach: Not If, But When June 5, Session Objectives

Accelerate GDPR compliance with the Microsoft Cloud

Putting It All Together:

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

2017 RIMS CYBER SURVEY

2017 Varonis Data Risk Report. 47% of organizations have at least 1,000 sensitive files open to every employee.

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Breach Notification in the GDPR Era. Speakers: Sam Pfeifle, IAPP Dennis Holmes, PwC

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Storage Made Easy. Enterprise File Fabric for Unified Data Indexing, Auditing, e-compliance, and secure file sharing.

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

CipherCloud CASB+ Connector for ServiceNow

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Are your data ready for GDPR Compliance?

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Data Processor Agreement

Understand & Prepare for EU GDPR Requirements

PII Policies and Procedures

The Impact of Cybersecurity, Data Privacy and Social Media

Development of your Company s Record Information System and Disaster Preparedness. The National Emergency Management Summit

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

ngenius Products in a GDPR Compliant Environment

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

Jeff Wilbur VP Marketing Iconix

All 3 Billion Yahoo Accounts Were Affected by 2013 Attack NY Times 10/3/17

NYDFS Cybersecurity Regulations

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Security and Privacy Breach Notification

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

Transcription:

Top Privacy Issues for Infosec Professionals Gregory Reid, CEO, InFuture LLC Sam Pfeifle, Content Director, International Association of Privacy Professionals (IAPP)

Where Security Meets Privacy Why privacy may very well be an infosecurity professional s best way to move up in the world

Privacy makes data security a regulatory issue Federal Trade Commission The FTC has made reasonable data security a legal obligation. The FTC s documented approach includes: 1. Take Stock (You need to know what PI you have stored and where it is located) 2. Scale Down (Minimize it) 3. Lock It (Self-explanatory: Physical, Electronic, Processes, Education) 4. Pitch It (A good case for solid Records Management implementation) 5. Plan Ahead (for the Eventual Breach) Watch the LabMD case even with no demonstrable harm, the FTC took action 3

Privacy makes security a regulatory issue EU General Data Protection Regulation (GDPR). Some examples: Data protection must be built into the system By Design and by Default. (Recital 78 and Article 25) Data must be secured using technical means. (Recital 49 and Articles 5-1(f), 32-1(b-d)) A determination must be made almost immediately as to whether a data breach is likely to have a high risk to the rights and freedoms of the natural person, as such a technical environment must be in place to identify, track and assess such breaches. (Recitals 85, 87 and numerous Articles) Infringement fines can range up to 20,000,000 or 4% of the global revenue of the organization, which ever is higher, PER incident. 4

Privacy makes security a regulatory issue The greatest challenge in Privacy and establishing a security environment to legally support it are the greatly divergent laws and regulations: Industry: E.g. HIPAA and HITECH (Healthcare) US State: E.g. Massachusetts (201 CMR 17.00) US Regulatory Body: E.g. Federal Trade Commission Other Countries and Bodies: E.g. EU Directive and GDPR, Canadian PIPEDA, Chinese CPL Which can individually impact: What the definition of personal data is. And there can be more than one type of data... How personal data is secured, stored, located, managed, accessed, controlled, and processed physically and electronically. And the legally required breach preparations and breach responses. The key is understanding what the company is accountable for following. 5

Privacy makes security a regulatory issue The Good News is that many of the security obligations are similar across the privacy laws and regulations: Encrypting personal data is almost a universal requirement, on any device or DB Anonymizing or Pseudonymizing data, where possible, is highly recommended Data minimization and deletion traverses many different laws and regulations Keeping an accurate inventory of personal data state, location, and owner is key The technical environment must be secured using "reasonable, state of the art technologies and procedures. (e.g. two factor authentication for admins) Breach preparation, notification, and response processes must be documented, trained and tested. Appropriate resources need to be available 6

Privacy makes security a regulatory issue So, be able to document what you re doing and why You should have a plan and follow it accordingly Monitor best practices Record decisions and why you made them Have documentation of the overall plan in a format that the privacy department can explain to the regulator 7

Privacy makes security a regulatory issue Do everything right, and you re vitally important Move from operational to strategic Help privacy show accountability Get a seat at the privacy table collaborate with the general counsel, CIO, other high-level strategic operators 8

Personal and sensitive data Sometimes it s not always obvious which data needs the most protection and proper handling

Definition of personal data Anything that establishes a 1-to-1 relationship Telephone book data may not be particularly personal Unique identifiers: IP addresses, usernames, etc. Watch out for combinations of innocuous data that, together, can identify a single individual. 10

Definition of sensitive data How could the data be used? Health data (fullz) Protected classes Pay attention to jurisdiction 11

PI is Insidious! (Def n: Treacherous, Crafty, Gradual, Subtle) PI and Sensitive PI exists about everywhere It just creeps: Typical RDBMS transactional environments (ERP, HR, G/L, etc.) User Laptops (in all types of locations. Such as email clients, HD folders, Evernote, screenshots, etc.) User Mobile Devices (and the BYOD ones, as well) Shared Drive/Folder Servers External Shared Drives (Box, Dropbox, Googledocs, etc.) Email Systems (Exchange, Gmail, Yahoo) Content systems (SharePoint, Office 365, Livelink, Documentum) Paper notebooks PLUS all of your third-party information partners and outsourcers (e.g. HIPAA business associates and GDPR processors) Privacy laws still cover all these physical and electronic locations, with very few exceptions All of these locations need to be, by law, technically, procedurally, and administratively secured 12

Where Security and Privacy collide Sometimes good security means collecting or sharing personal information.

Watch what you collect Data minimization You can t lose what you don t have Multiple jurisdictions U.S., EU, and more emphasize this point Must have documentation find it and then delete it Watch your vendors, too If you re sharing data, you re responsible if they lose it or abuse it Are you auditing them on a regular basis? 14

Watch what you collect Log files and authentication When you create an account, you create PII Data retention: How long do you need to keep that log file? Physical security issues Single credentials and employee monitoring Theft prevention and customer monitoring 15

Watch what you share CISA and information sharing Can you redact? How much information is helpful? How much is overkill? Working with law enforcement What s your company s stance on law enforcement requests? Can you ask them to narrow their focus? Watch out for cross border transfer 16

You might not care, but does privacy? What do the access logs tell you? Peeking, snooping, etc. Are security and privacy policies in alignment? EU laws are quite strict around tracking and storing device data that we take for granted in the US. And the fines are very high. But there are derogations for using user data to ensure that your system is secure, if it is solely for that purpose and stored no longer than necessary. You can t take it with you Intellectual property can be PII, too 17

Privacy (and security) by Design The SDLC, preparing for the worst, and more

The SDLC, Data Security and Privacy Intersection You design for security, take one step further for privacy by working with the Developers on their efforts: The Software Development Lifecycle (SDLC) directly supports your abilities to make your technical environment secure. The developers data architecture designs and data transport layer designs 19

Preparing for a breach There are many, many great articles and plans available on the internet for breach preparation. For example, Experian has an excellent Data Breach Response Guide. A couple of short thoughts: Different privacy laws require different breach responses and timeframes which, in turn, require different breach planning processes to support the responses. (HIPAA v. GDPR) Data minimization means way less risk down the road. Electronic Records Management, one more time And that includes email. Forensics efforts might introduce privacy risk in themselves (cross-border data transfer?) 20

Summary Points The InfoSec role is critical to privacy efforts. Without it, privacy operations would be impossible to conduct. Coordination and clarity between the CIO/CISO, the GC, and the Compliance group is required to meet privacy obligations. No Person is an Island. No laws note the requirement for Superhuman or Extraordinary security efforts. The words practicable, reasonable, industry-standard are commonly used. However, Proactive and By Design, not Reactive are common themes. Many of the laws and regulations have similar, if not the same, technical, procedural and administrative security requirements. Leverage them. PI can be in any number of different repositories. You re responsible for securing all of them; not just the obvious ones inside of RDBMS. TBD 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback