Security & Privacy Friends, Foes or Partners? · 2008. 8. 8. · Thursday, February 12 Rebecca...
Transcript of Security & Privacy Friends, Foes or Partners? · 2008. 8. 8. · Thursday, February 12 Rebecca...
How To Develop a Global Privacy Compliance Strategy and Implementation Program
Thursday, February 12
Rebecca Whitener, EDS Fellow(919) 645-1902 [email protected]
How To Develop a Global Privacy Compliance Strategy and Implementation Program
Thursday, February 12
Rebecca Whitener, EDS Fellow(919) 645-1902 [email protected]
Security & PrivacyFriends, Foes or Partners?
2
In the electronic age, no company can afford to ignore privacy and securityIn the electronic age, no company can afford to ignore privacy and security
• There are estimates that security, privacy and the legal issues of digital signature together constitute over half of the quantifiable barriers to electronic commerce
• A recent Gartner report states that "through 2005, enterprises failing to…address the variable risk factors of their business systems within the first two years of launch will reach only 60% of their Web business objectives because of trading-partner distrust and the compromise of sensitive information.”
“Trust is essential to make e-commerce and cyber collaboration work…... We believe that this most human notion is inhibiting the growth of cyber communities while offering an enormous opportunity for vendors to innovate and a competitive advantage for corporations which get it right.” IDC Newsletter #W23796 -December 2000
3
How to create this trusted relationship is a major challenge for companiesHow to create this trusted relationship is a major challenge for companies
What do our stakeholders (customers, employees, stockholders, regulators, auditors) expect?
How do we assess the “trust” readiness components of our organizational structure, culture, environment?
What types of training and awareness programs can enhance our corporate “trust” readiness?
Can we have effective privacy programs AND aggressive marketing initiatives?
What should we be budgeting for effective “trust” programs?How do we find the right resources to direct and manage the
“trust” initiatives?How do we ensure our “trust” practices are consistently
applied enterprise-wide on a global basis?How effective are the administrative and technical safeguards
to prevent a “trust” fiasco?Do we have an adequate communication plan in place?
4
Many of the efforts to address the risks associated with “Trust” have often been narrow in scopeMany of the efforts to address the risks associated with “Trust” have often been narrow in scope
• Developing website privacy statements • Assigning Chief Privacy Officers • Focusing on compliance with regulatory and/or
auditing and accrediting bodies• Enhancing security awareness• Trying to avoid negative media attention
Often the parties responsible for the various components of a trusted environment (legal, security, privacy, risk management, web applications, communications, training, human resources, marketing, etc.) have not engaged in a unified strategy or approach.
5
REALITY: There are revenue opportunities from Information sharing and aggressive marketingREALITY: There are revenue opportunities from Information sharing and aggressive marketing
Highly competitive, dynamic and shifting markets are driving companies towards:– Opening up their internal business processes and data to
an ever-increasing array of partners, suppliers, and customers
– Protecting copyrights and other intellectual property with digital rights management (DRM) technologies
– Focusing on delivery of personalized services (knowing the customer, life-time value calculations, retention)
– Creative marketing approaches
Enterprises are searching for ways to squeeze the maximum returns (enhancement of revenues and reductions in costs)
6
One challenging truism is “Consumers say one thing while doing another”One challenging truism is “Consumers say one thing while doing another”
Although 70 % of online consumers say they are worried about online privacy, the study found just:– 40% read Web site privacy
statements– 82 % would give personal
information to new shopping sites in exchange for a chance to win $100 in a sweepstakes
Jupiter Research (2003) found that customers barely lifted a finger to protect individual privacy online, but fretted outwardly about the possible abuses of personal information
7
CEO’s are in a struggle for “balance”CEO’s are in a struggle for “balance”
• Establishing and adhering to standards for information collection and use– With the need to maximize the value of
the information sharing• Increased monitoring and surveillance for
security – With the preservation of safeguards for
privacy of individuals• Serving the “public good”
– With the right to make profits• Satisfying the often diverse expectations of
key stakeholders – While meeting demands and avoiding
law suits
Privacy Other Values
8
Customer Issue: Global company operating in regions with varying data protection/privacy regulationsCustomer Issue: Global company operating in regions with varying data protection/privacy regulations
Requirement: Develop comprehensive trust program combining security, audit, marketing, legal, strategy, and privacy to ensure
comprehensive coverage of the global regulatory environment
Supporting activities:Examine vulnerabilities across every aspect of
the organization -Internet-exposed systems -Remote access -Affiliates -Employees -Wireless -Databases -Call centers -Off shoreLink privacy initiatives to enterprise business
risk Assess technologies being deployed: Identity
management, authentication and access control, digital assets protection
9
A global privacy strategy begins with understanding privacy fundamentals derived from OECD principles A global privacy strategy begins with understanding privacy fundamentals derived from OECD principles
1. Notice and Awareness
2. Choice and Consent
3. Individual Participation and Access
4. Security, Information Quality, and Integrity
5. Enforcement, Accountability, Recourse
Account-ability
Individual participa-
tionOpenness
SecurityUse limitation
Purpose specifi-cation
Data qualityCollection limitation
Organization for Economic Cooperation and Development, 1980
10
These five privacy principles form the foundation of a company’s privacy policy and programThese five privacy principles form the foundation of a company’s privacy policy and program
• What information and information types are collected, stored, used, shared, and retained?
• What are the relevant industry standards, laws and regulations
• What do our stakeholders expect?• What choices are available?• What controls ensure compliance with
preferences?• What access to information is provided and
controlled?• How secure is the information?• How is misuse of information handled?
11
Where to start?Where to start?
12
Tools are helpful when performing a baseline assessmentTools are helpful when performing a baseline assessment
Security Assessment Tool
56.7%
42.6%31.5%
21.1% 25.3%
34.0% 32.9% 41.4%
22.5%16.7%
35.0%
0.0%10.0%20.0%30.0%40.0%50.0%60.0%70.0%80.0%90.0%
100.0%
Risk Assessment Process Security Policy
Security Organization Asset Classification and Control
Personnel Security Physical and Environmental Security
Comm and Ops Management Access Control
System Development Business Continuity
Compliance
13
A privacy assessment tool should:A privacy assessment tool should:
• Incorporate best practices, standards and regulatory requirements from global legislation
• Be tailored to specific industries, countries and regulatory and self-regulatory environments
• Comprehensively address strategy and policies as well as operational, audit and legal requirements
• Be adaptable to changing technical, regulatory or legal needs
• Be flexible enough to allow clients to ‘drill down’ to address specific areas of concern while still conducting a thorough review of security and privacy needs
14
The privacy assessment should focus on key areasThe privacy assessment should focus on key areas
50.0%44.1%
16.7%
41.2%73.8%
100.0%90.0%80.0%70.0%60.0%50.0%40.0%30.0%20.0%10.0%0.0%
Directives Operations Audit Compliance Legal
15
Privacy Program - Directive ComponentsPrivacy Program - Directive Components
75.0% 77.9% 71.8% 77.9%
50.0%
77.8% 83.3%
50.0%
16.7%
100.0%
80.0%
60.0%
40.0%
20.0%
0.0%
Infrastructure Customer Strategy Business Strategy
Privacy Strategy Security Strategy Internal Privacy Policy
External PrivacyStatement
Guidelines Procedures
16
Privacy Program - Operations ComponentsPrivacy Program - Operations Components
50.1%
33.3%40.7%
23.5% 26.7%16.7% 13.9%
0.0%
PI Management CP Management Communication Participation & Access Information Security Recourse &
EnforcementPractices
100.0%
90.0%
80.0%
70.0%
60.0%
50.0%
40.0%
30.0%
20.0%
10.0%
17
Privacy Program – Personal Information Management ComponentsPrivacy Program – Personal Information Management Components
46.1%66.7%
33.3% 33.3%
66.3% 66.7%
33.3%
100.0%
90.0%
80.0%
70.0%
60.0%
50.0%
40.0%
30.0%
20.0%
10.0%
0.0%
PI ValidationPI Categorization PI Collection
PI Storage PI Usage PI DisseminationPI Retirement
18
Privacy Program – Customer Preference Management ComponentsPrivacy Program – Customer Preference Management Components
66.7%
40.0%
16.7% 16.7% 16.7% 16.7% 16.7%
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
70.0%
80.0%
90.0%
100.0%
CP Categorization CP Collection CP ValidationCP Storage CP Usage CP DisseminationCP Retirement
19
Privacy Program Communications ComponentsPrivacy Program Communications Components
35.5%
78.1%
22.9%
100.0%
90.0%
80.0%
70.0%
60.0%
50.0%
40.0%
30.0%
20.0%
10.0%
0.0%
Customer External Internal
20
All components of the Privacy Program must then be implementedAll components of the Privacy Program must then be implemented
– Strategy
– Policy
– Guidelines
– Information use and flow
– Communications
– Customer preferences
– Individual participation and access
– Customer Recourse
– Information Security
– Personnel privacy
– Training and education
– Privacy controls
– Regulatory oversight
– Audit
21
The results should resonate across multiple audiencesThe results should resonate across multiple audiences
• Business Community…– Ties privacy to the business opportunities
and risks– Clearly defines the risk and mitigation
strategy– Connects costs to benefits– Answers the question “how do we stand
against best practices?”• Information technology ….
– Comprehensively defines privacy action items to the business community
– Allows for a reasonable and cost effective phased approach
– Is architecturally sound– Is actionable
22
The challenge for companies today is to lead through exampleThe challenge for companies today is to lead through example
• Build TRUST into the culture• Implement effective administrative and
technical safeguards for managing security, privacy and fraud risks
• Be Pro-active in anticipating emerging problems
• Put good rules and good practices into wide use and publicize
• Educate employees and customers about the policies and issues
• Protect customer’s interests while continuing to provide value and benefits
• Avoid being a “bad actor”
Thank You!