Book: Securing Clicks
- (audit absurdity) OH: "Each bank cust gives us 300 q survey to prove 'we're secure'; we did over 1000 of these surveys in 2011"
- OH: "Questionairre for our suppliers include: background check, have they had their network hacked, etc."
- OH: "We accept much more security risk w/vendors, bc they have some business capability we need: outsrced payroll, PPM, etc."
- OH: "Fender Guitars: cost of making their guitars in China now as expensive as Mexico: considering moving plants"
- OH: Wow. "When I travel abroad, to mitigate lost baggage risk, I pack two suitcases, each w/complete wardrobe."
- OH: "Apple doesn't own most the supply chain: they've transferred almost all risk to Foxconn, who manages thousands of their suppliers"
Linda Clark, Esq
Reed Elsevier Group
Audit, policy/programs (advise business units), privacy/security, business units
Value Proposition of Compliance: Understanding the Costs
- 3 consent orders w/FTC and 1 with State AG, due to Sizent and Choicepoint
- Got supplemental consent order: speak from experience from FTC and biennual for next 20 years
- Holy cow. OH: "We acquired a company who had data breach: now living with FTC consent order & audits 2x/yr for next 20 yrs."
- OH: "The $15MM fine was just the tip of the iceberg." [imagine the costs of 20 years of audits"
- OH: "State laws & enforcement: notice triggers: PII access/acq by unauthorized party, risk of harm"
- Fascinating hearing lawyer interpreting state disclosure notice trigger: "what does 'acquisition' & 'access' of PII really mean?"
- For data breaches, all regulations of state of PII owner's residence are applicable. (ie, lots of paperwork, lawsuits)
- Many state disclosures are mutually exclusive: MA law disallows desc of breach; other states req it; can't do single filing
- Now can negotiate w/outsourced data custodians (e.g., Iron Mountain) so they own notification/disclosure responsibility
- Ooh. Listening to lawyer opine on whether Dev staff w/access to test data w/GLBA PII data a "breach". This is awesome. :)
- This is astounding: Creating test data sets is fine. But mixing it with real data (even obfuscated)
- Wow. It's really tricky to create test datasets when it involves PII. Totally fake data is fine. If based on any real data, dicey
- Even obfuscated/redacted data is considered PII by many state laws. Whole new market: vendors who make safe fake PII-free data
- (The # of lawyers who work on issues like this is frightening. Stimulating & funny, but value to society? Questionable... :)
- Hard costs of compliance: mailings, call support center, credit monitoring
- Other costs: outside advisors (counsel, forensics, PR), reputational harm, private right of actions, state/fed investigations
- On PII & BYOD/social media: "protecting castle no longer tenable; every output needs to be as strong as a castle"
- Case of City Ontario vs. ??: Citizens expectations of privacy re BYOD: poison pill, wiping, policy of not sending sensitive data
- Which CEO tweeted photo of himself in front of company being acquired (unannounced) "It's a good day!", putting deal in jeopardy?
Lance Hayden: firstname.lastname@example.org
- P: zero tolerance inside infosec programs: guarantees failure
- Failure studies: failures are learning opportunities;
- "goal of failure to keep failures small and manageable, before they turn into huge unmanageable failures"
- Jim Collins "Great by Choice," Lean works,
- On aircraft carriers, decision level is pushed way down: so seaman can fix issues right awa
- Karl Wight: Michigan: coined making: sense-making: "Managing the Unexpected"
- High reliability organiation
- ALE: problem: for risk of $100K loss, management would give them $100K
- solution: put ALE on probability curve, using historical data to plot curve ($5-45K, 0-10 incidents): now you can use stochastic modeling
- 1 out of 25 times, you lose $250K
- Case study 2:
- CISO measured on vulnerabilities
- GQM: goal, quality, measures
- # IPs vulnerable vs. # high severity
- New ISO standard creates common terminology/methodology of risk mgrs: ISO 31000 (across infosec, risk mgrs, operational mgrs)