2012/5/3: CIMA talks

by Gene Kim on

#infosec

Razient: www.razient.com
Gary Bahadur
Book: Securing Clicks

  • (audit absurdity) OH: "Each bank cust gives us 300 q survey to prove 'we're secure'; we did over 1000 of these surveys in 2011"
  • OH: "Questionnaire for our suppliers includes: background check, have they had their network hacked, etc."
  • OH: "We accept much more security risk w/vendors, bc they have some business capability we need: outsourced payroll, PPM, etc."
  • OH: "Fender Guitars: cost of making their guitars in China now as expensive as Mexico: considering moving plants"
  • OH: Wow. "When I travel abroad, to mitigate lost baggage risk, I pack two suitcases, each w/complete wardrobe."
  • OH: "Apple doesn't own most of the supply chain: they've transferred almost all risk to Foxconn, who manages thousands of their suppliers"

Linda Clark, Esq
Lead counsel:
Reed Elsevier Group
Audit, policy/programs (advise business units), privacy/security, business units

Value Proposition of Compliance: Understanding the Costs

  • 3 consent orders w/FTC and 1 with State AG, due to Seisint and ChoicePoint
  • Got supplemental consent order from FTC (speaks from experience): biennial audits for next 20 years
  • Holy cow. OH: "We acquired a company who had a data breach: now living with FTC consent order & audits 2x/yr for next 20 yrs."
  • OH: "The $15MM fine was just the tip of the iceberg." [imagine the costs of 20 years of audits]
  • OH: "State laws & enforcement: notice triggers: PII access/acq by unauthorized party, risk of harm"
  • Fascinating hearing lawyer interpreting state disclosure notice trigger: "what does 'acquisition' & 'access' of PII really mean?"
  • For data breaches, all regulations of the state of the PII owner's residence are applicable (i.e., lots of paperwork, lawsuits)
  • Many state disclosure requirements are mutually exclusive: MA law disallows description of the breach; other states require it; can't do a single filing
  • Now can negotiate w/outsourced data custodians (e.g., Iron Mountain) so they own notification/disclosure responsibility
  • Ooh. Listening to lawyer opine on whether Dev staff w/access to test data containing GLBA PII is a "breach". This is awesome. :)
  • This is astounding: Creating test data sets is fine. But mixing it with real data (even obfuscated)
  • Wow. It's really tricky to create test datasets when it involves PII. Totally fake data is fine. If based on any real data, dicey
  • Even obfuscated/redacted data is considered PII by many state laws. Whole new market: vendors who make safe fake PII-free data
  • (The # of lawyers who work on issues like this is frightening. Stimulating & funny, but value to society? Questionable... :)
  • Hard costs of compliance: mailings, call support center, credit monitoring
  • Other costs: outside advisors (counsel, forensics, PR), reputational harm, private right of actions, state/fed investigations
  • On PII & BYOD/social media: "protecting castle no longer tenable; every output needs to be as strong as a castle"
  • Case of City of Ontario vs. ??: Citizens' expectations of privacy re BYOD: poison pill, wiping, policy of not sending sensitive data
  • Which CEO tweeted photo of himself in front of company being acquired (unannounced) "It's a good day!", putting deal in jeopardy?

Lance Hayden: lhayden@cisco.com
ISO 31000

  • P: zero tolerance inside infosec programs: guarantees failure
  • Failure studies: failures are learning opportunities;
  • "goal of failure is to keep failures small and manageable, before they turn into huge unmanageable failures"
    • Jim Collins "Great by Choice," Lean works,
    • On aircraft carriers, decision level is pushed way down: so a seaman can fix issues right away
    • Karl Weick: Michigan: coined "sensemaking": "Managing the Unexpected"
  • High reliability organization
  • ALE: problem: a single-number ALE for a $100K expected loss means management would give them $100K and assume the risk is covered
    • solution: put ALE on a probability curve, using historical data to plot the curve ($5-45K per incident, 0-10 incidents/yr): now you can use stochastic modeling
    • e.g., 1 out of 25 times, you lose $250K
  • Case study 2:
    • CISO measured on vulnerabilities
    • GQM: goal, question, metric
    • # IPs vulnerable vs. # high severity
  • New ISO standard creates common terminology/methodology of risk mgrs: ISO 31000 (across infosec, risk mgrs, operational mgrs)
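
The ALE-on-a-probability-curve point from Lance Hayden's talk, as an added worked example (not code from the talk or from Cisco): instead of reporting one expected loss, bootstrap a year's incident count from constructed historical counts, draw each incident's loss from the $5K-$45K range the notes mention, and read off how often the annual loss exceeds a given threshold. The historical counts, the uniform loss distribution, the bootstrap resampling and the 10,000-trial size are all assumptions chosen for illustration.

```python
import random
import statistics

# Constructed sample input (not from the talk): incident counts observed in
# each of ten past years, and the per-incident loss range quoted in the notes.
HISTORICAL_INCIDENTS_PER_YEAR = [0, 1, 1, 2, 3, 0, 5, 2, 10, 1]
LOSS_PER_INCIDENT = (5_000, 45_000)


def point_ale(incident_counts, loss_range):
    """Classic single-number ALE: mean annual frequency times mean magnitude."""
    mean_frequency = statistics.mean(incident_counts)
    mean_loss = (loss_range[0] + loss_range[1]) / 2
    return mean_frequency * mean_loss


def simulate_annual_losses(incident_counts, loss_range, trials=10_000, seed=1):
    """Monte Carlo simulation of total annual loss.

    Each trial resamples one year's incident count from the history (a
    bootstrap, an assumption) and draws each incident's loss uniformly
    within loss_range (also an assumption). Returns one total per trial.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    annual_losses = []
    for _ in range(trials):
        incidents = rng.choice(incident_counts)
        total = sum(rng.uniform(*loss_range) for _ in range(incidents))
        annual_losses.append(total)
    return annual_losses


def loss_exceedance(annual_losses, threshold):
    """Fraction of simulated years whose total loss exceeds threshold."""
    return sum(1 for loss in annual_losses if loss > threshold) / len(annual_losses)


def percentile(annual_losses, p):
    """Value below which a fraction p of the simulated years fall."""
    ordered = sorted(annual_losses)
    index = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[index]


if __name__ == "__main__":
    ale = point_ale(HISTORICAL_INCIDENTS_PER_YEAR, LOSS_PER_INCIDENT)
    sims = simulate_annual_losses(HISTORICAL_INCIDENTS_PER_YEAR, LOSS_PER_INCIDENT)
    print(f"point ALE: ${ale:,.0f}")
    # The curve management should see: probability of exceeding each budget line.
    for threshold in (ale, 100_000, 250_000):
        print(f"P(annual loss > ${threshold:,.0f}) = {loss_exceedance(sims, threshold):.3f}")
    print(f"95th percentile annual loss: ${percentile(sims, 0.95):,.0f}")
```

The point ALE for the constructed history is $62,500, but the simulation shows the loss distribution has a long tail: the one-in-ten years with ten incidents alone can push the total past $250K, which a budget sized to the single ALE figure would never cover. Swapping the uniform loss draw for a lognormal fit to real incident data is the usual next step.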