five questions to evaluate any privacy or security program
play

Five Questions to Evaluate any Privacy or Security Program Wyoming - PowerPoint PPT Presentation

Mar 30, 2024 •386 likes •597 views

Five Questions to Evaluate any Privacy or Security Program Wyoming Cybersecurity Symposium August 6 & 7, 2019 October 23, 2019 SPEAKER BIO CISO at Holland & Hart Past President, Denver Chapter ISSA 18 years of Computer &

  1. Five Questions to Evaluate any Privacy or Security Program Wyoming Cybersecurity Symposium August 6 & 7, 2019 October 23, 2019

  2. SPEAKER BIO • CISO at Holland & Hart • Past President, Denver Chapter ISSA • 18 years of Computer & Information Security Leadership in Fortune 100 and 500 companies – government & private sectors • 3 years security consulting • CISSP and PMP • Based in Denver, CO James Johnson CISSP, PMP, STS CISO, Holland & Hart LLP 555 17th Street, Suite 3200, Denver, CO 80202 303.295.8563 jbjohnson@hollandhart.com 2

  3. THE PROBLEM Too many standards. Too many controls and requirements. SECURITY PRIVACY Standard Controls Standard Controls GDPR 99 HIPAA 56+ HIPAA 6 CSF 98 ISO Adds 15 NIST 800-171 109 27701:2019 ISO 27001 114 NIST 800-53 26 PCI-DSS 200 50 States varies NIST 800-53 303 3

  4. SIMPLE PRIVACY & CYBER SECURITY MEASURING SCALE Good Great No Story Story Story How does your Privacy & Security Book Read? 4

  5. THE REALITY Security and Privacy are merging rapidly! Privacy Security Incident Response Breach Notification Security & Privacy Controls Business Continuity Plan Business Impact Assessment Data Inventory & Classification 5

  6. DEFINITIONS - SECURITY Confidentiality DATA SECURITY DEFINITIONS Availability Integrity Confidentiality : Data being stored is safe from “CIA Triad” unauthorized access and use Integrity : Data is reliable and accurate Availability : Data is available for use when it is needed 6

  7. DEFINITIONS - PRIVACY Data Collection Data Breach Data Litigation Storage, Protection, and Security Data Life Cycle PRIVACY DEFINITIONS Data Breach Data Use Prevention and • and Marketing Collecting personal information Readiness • Using and disclosing personal information Data • Ensuring data quality Destruction Compliance • Controlling access to personal information • Confidentiality of sensitive data not defined as PII 7

  8. THE SOLUTION The proposed model of five questions is: • Meant to be a high-level evaluation. • Not meant to replace detailed standards and compliance framework reviews! 8

  9. THE SOLUTION 5 Security Questions 1. What security methodology or standards are followed? 2. Who is the one person assigned security responsibility and oversight? 3. Are there written and approved security policies and procedures? 4. Are the key stakeholders (CEO, CIO, BoD, etc.) briefed routinely on security risks? 5. Is the security program independently tested or audited? 9

  10. THE SOLUTION 5 Privacy Questions 1. What Privacy methodology or standards are followed? 2. Who is the one person assigned privacy responsibility and oversight? 3. Are there written and approved privacy policies and procedures? 4. Are the key stakeholders (CEO, CIO, BoD, etc.) briefed routinely on privacy risks? 5. Is the privacy program independently tested or audited? 10

  11. THE SOLUTION What level is the person assigned Privacy – Security? Depends upon organization size and type Security: 5,000+ should have CISO 500+ should have position assigned security exclusively <500 should have defined security roles but may have other responsibilities. Privacy: 10,000+ should have CDPO 1,000+ should have position assigned privacy exclusively <1,000 should have defined privacy roles but may have other responsibilities. 11

  12. RATING A PRIVACY & CYBER SECURITY PROGRAM Security Scoring Question (0) (1) (2) None Working on it Certified / Compliant 1. What security methodology or standards are followed? No one Identified but reports Identified and reports 2. Who is the one person assigned security responsibility and low in the org high in the organization oversight? None Some written and Written, approved and 3. Are there written and approved security policies and maybe some communicated procedures? approved Yes – Annually or on Yes – Weekly or monthly Never or only 4. Are the key stakeholders (CEO, CIO, BoD, etc.) when issues occasion briefed routinely on security risks? Yes – Once in the last Yes – At least annually or No 5. Is the security program independently tested or few years has certification audited? Column Scores 0 Overall Score 12

  13. RATING A PRIVACY & CYBER SECURITY PROGRAM Privacy Scoring Question (0) (1) (2) None Working on it Certified / Compliant 1. What privacy methodology or standards are followed? No one Identified but reports Identified and reports 2. Who is the one person assigned privacy responsibility and low in the org high in the organization oversight? None Some written and Written, approved and 3. Are there written and approved privacy policies and maybe some communicated procedures? approved Yes – Annually or on Yes – Weekly or monthly Never or only 4. Are the key stakeholders (CEO, CIO, BoD, etc.) when issues occasion briefed routinely on privacy risks? Yes – Once in the last Yes – At least annually or No 5. Is the privacy program independently tested or few years has certification audited? Column Scores 0 Overall Score 13

  14. RATING A PRIVACY & CYBER SECURITY PROGRAM Security or Privacy Scoring Question (0) (1) (2) 1. What security or privacy methodology or standards are followed? 2. Who is the one person assigned security or privacy responsibility and oversight? 3. Are there written and approved security or privacy policies and procedures? 4. Are the key stakeholders (CEO, CIO, BoD, etc.) briefed routinely on security or privacy risks? 5. Is the security or privacy program independently tested or audited? Column Scores 0 Overall Score 14

  15. RATING A PRIVACY & CYBER SECURITY PROGRAM Security or Privacy Example Scoring Question (0) (1) (2) 1. What security or privacy methodology or standards are followed? 0 2. Who is the one person assigned security or privacy responsibility and oversight? 1 3. Are there written and approved security or privacy policies and 2 procedures? 4. Are the key stakeholders (CEO, CIO, BoD, etc.) briefed routinely 2 on security or privacy risks? 5. Is the security or privacy program independently tested or audited? 1 Column Scores 0 2 4 Overall Score 6 15

  16. SIMPLE PRIVACY & CYBER SECURITY MEASURING SCALE Regulatory Now with more information how does your program rate? Requirements Non-Compliant Nearing- Compliant Compliance 0 1 2 3 4 5 6 7 8 9 10 16

  17. STORY AND MEASURING CORRELATION Nearing- Non-Compliant Compliant Compliance 0 1 2 3 4 5 6 7 8 9 10 No Story Good Story Great Story 17

  18. HELPFUL HINT WHEN EVALUATING SAAS When evaluating a SaaS take a quick look at the T&C’s no other work may be required “ -----y.com agrees during the Term to implement reasonable security measures to protect Customer Data and will, at a minimum, utilize industry standard security procedures. However, because of the nature of the Service, which combines public and private information that is conveyed over the public internet, to the maximum extent permitted by law: (i) -----y.com shall not be held liable for any damage caused as a result of your use of the Service ” 18

  19. PRESENTATION SUMMARY • 5 questions can be used to evaluate security or privacy • Process can be used for an organization of supplier • Meant to be done quickly – may save time on a full analysis 19

  20. Questions & Discussion James Johnson CISSP, PMP, STS CISO JBJohnson@hollandhart.com 303.295.8563 Holland & Hart LLP | 555 17th Street, Suite 3200 | Denver, CO 80202 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Compliance Workshop Privacy &amp; Security Protecting Personal Information &amp; SNAP Program

Compliance Workshop Privacy &amp; Security Protecting Personal Information &amp; SNAP Program

3/27/2015 Compliance Workshop Privacy &amp; Security Protecting Personal Information &amp; SNAP Program Considerations August 14, 2014 Presentation by: Jennifer L. Cox, J.D. Cox &amp; Osowiecki, LLC Hartford, Connecticut 1 Todays Privacy &amp;

475 views • 24 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. &quot;Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Karl Kopper Caltrans Privacy and Chief Information Security Officer Four Questions Every Auditor

Karl Kopper Caltrans Privacy and Chief Information Security Officer Four Questions Every Auditor

Karl Kopper Caltrans Privacy and Chief Information Security Officer Four Questions Every Auditor Should Know the Answer To What is What is PII? De- Identification? What is Re-Identification? Privacy Internal Controls &amp; Behavioral

765 views • 45 slides
S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data Protecting Personal Data Privacy &amp; Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned Did you know... 77 percent of all Americans feel their personal health information privacy is very important, and 84 percent said they

769 views • 50 slides
How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and Security Conference Privacy and Security by Choice, not Chance Afternoon Workshop Wednesday February 3, 2016 Victoria, B.C. Canada Gerry Bliss

1.11k views • 63 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
IEEE Symposium on Security and Privacy Program chairs report Andrew Myers and Dave Evans

IEEE Symposium on Security and Privacy Program chairs report Andrew Myers and Dave Evans

IEEE Symposium on Security and Privacy Program chairs report Andrew Myers and Dave Evans Previous reviewing process One round of reviewing (roughly Nov. 10-Jan. 20) ~40 program committee members Physical program committee meeting

99 views • 6 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director Global Privacy &amp; Security by Design Centre Technion Summer School on Cyber Security Haifa, Israel September 9, 2020 Lets Dispel The Myths

929 views • 55 slides
Using COBIT 5 Framework for Cybersecurity Assessment Hugh Burley, Trevor Hurst, and Ivor MacKay

Using COBIT 5 Framework for Cybersecurity Assessment Hugh Burley, Trevor Hurst, and Ivor MacKay

Conference 2018 Conference 2018 Using COBIT 5 Framework for Cybersecurity Assessment Hugh Burley, Trevor Hurst, and Ivor MacKay Speakers Trevor Hurst, Chief Information Officer Ministry of Advanced Education, Skills &amp; Training Hugh

551 views • 26 slides
The Office of Infrastructure Protection National Protection and Programs Directorate Department

The Office of Infrastructure Protection National Protection and Programs Directorate Department

The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Regional Resiliency Assessment Program 2015 State Energy Risk Assessment Workshop April 29, 2015 Department of Homeland

362 views • 14 slides
National CyberWatch Center National Cybersecurity Student Association CyberStudents.org National

National CyberWatch Center National Cybersecurity Student Association CyberStudents.org National

National CyberWatch Center National Cybersecurity Student Association CyberStudents.org National Cybersecurity Student Association Agenda Introductions Association Overview Vision Mission Objectives Benefits

498 views • 30 slides
Workshop on Amendments to the Nuclear Security Regulations Patrick Adams Team Leader Nuclear

Workshop on Amendments to the Nuclear Security Regulations Patrick Adams Team Leader Nuclear

Workshop on Amendments to the Nuclear Security Regulations Patrick Adams Team Leader Nuclear Security Division Kevin Lee Senior Regulatory Policy Officer Regulatory Policy Analysis Division January 31, 2017 e-Doc: 5113970 nuclearsafety.gc.ca

729 views • 40 slides
Lock-in-Pop : Securing Privileged Operating System Kernels by Keeping on the Beaten Path Yiwen

Lock-in-Pop : Securing Privileged Operating System Kernels by Keeping on the Beaten Path Yiwen

Lock-in-Pop : Securing Privileged Operating System Kernels by Keeping on the Beaten Path Yiwen Li, Brendan Dolan-Gavitt, Sam Weber, Justin Cappos New York University Tandon School of Engineering Motivation 1. Many vulnerabilities exist in

299 views • 19 slides
Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi

Ret2dir: Rethinking Kernel Isolation Kermerlis et al. Columbia University Presented by Lucas Copi Introduction ! In the past attackers have focused efforts on server and client applications ! Due to lesser complexities and simpler

501 views • 26 slides
Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG, 7 December 2016 Michael Boelen Open Source Lynis, Rootkit Hunter Business and Community Founder of CISOfy Board member and

454 views • 18 slides
User-space Tracing with UST Mathieu Desnoyers mathieu.desnoyers@efficios.com David Goulet

User-space Tracing with UST Mathieu Desnoyers mathieu.desnoyers@efficios.com David Goulet

User-space Tracing with UST Mathieu Desnoyers mathieu.desnoyers@efficios.com David Goulet david.goulet@polymtl.ca Michel Dagenais michel.dagenais@polymtl.ca April 6-8, 2011 Collaboration Summit Presenters Mathieu Desnoyers EfficiOS

356 views • 21 slides

More recommend