Security Awareness Executive Summary - PowerPoint PPT Presentation

Provided by: reed155

Transcript and Presenter's Notes

1
Privacy, Security and Compliance: Have a Framework/Plan
Carol A. DiBattiste
Senior Vice President, Privacy, Security, Compliance and Government Affairs
LexisNexis Group
2
Overview
  • Why are privacy, security and compliance
    important?
  • Information security breaches are a global,
    industry-wide problem affecting:
    • Government/Military
    • Educational Institutions
    • Health Care
    • Banking/Credit/Financial Services
    • Businesses
    • Non-Profits
  • Building a strong privacy, information security
    and compliance framework into an organization
    will positively impact:
    • Brand
    • Market share
    • Risk mitigation
    • Customers
    • Employees
    • Consumers
    • Shareholders
    • Stakeholders
    • Investors
    • Bottom line/top line

3
Getting Started
  • Make it part of your business model
  • Scale your program
  • Put your framework in writing
  • Things to consider:
    • Inventory information assets with personally
      identifiable information
    • Data security
    • Credentialing
    • Policies, standards and guidelines
    • Audit and compliance
    • Corporate accountability
    • Education, outreach and transparency

4
Creating Your Framework
  • Holistic framework, encompassing:
    • People
    • Process
    • Technical management
  • Standards based:
    • Industry security standards (ISO 27002)
    • Proprietary customer credentialing criteria
  • Process driven:
    • Quarterly application inventory
    • Risk assessments
    • Customer verifications/credentialing program
    • Audit program (internal and third party)
  • Key ISO 27002 Control Objectives:
    • Security Policy
    • Organizing Information Security
    • Asset Management
    • Human Resources Security
    • Physical and Environmental Security
    • Communications and Operations Management
    • Access Control
    • Information Systems Acquisition, Development and
      Maintenance
    • Information Security Incident Management
    • Business Continuity Management
    • Compliance

5
Plan Elements: Data Security
  • Steps you can take:
    • Inventory PII/SPII
    • Update the inventory on a regular basis
    • Codify the collection, use and dissemination of
      PII/SPII in policies
    • Remove or truncate SPII when possible
    • Implement controls for the electronic
      transmission of SPII
    • Restrict/limit third-party access to data
    • Create a Risk Management Control Framework
  • Utilize technology solutions, such as:
    • IP restrictions on customer access
    • Back-end anomalous activity detection
    • Network security controls, such as firewalls,
      intrusion detection/prevention systems,
      anti-virus/anti-spyware, and network
      vulnerability assessments
    • Application vulnerability assessments
    • Encryption of sensitive data in transit and at
      rest (where applicable)
    • Password assessments
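The first two steps on this slide, inventorying PII/SPII and truncating SPII where possible, as an added Python example that is not part of the presentation. The sample records, the SSN and card-number patterns, the set of ordinary-PII field names and the keep-last-four-digits rule are all assumptions constructed for illustration.

```python
import re

# Constructed sample customer records for this example (not real data).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "notes": "preferred contact: email"},
    {"name": "Bob Example", "phone": "555-0100",
     "ssn": "987-65-4321", "card": "4111 1111 1111 1111"},
    {"name": "Carol Example", "email": "carol@example.com"},
]

# Value patterns treated as SPII (sensitive PII): SSNs and card numbers.
# The patterns and the PII field names below are assumptions for this example.
SPII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^(?:\d[ -]?){13,16}$"),
}
# Field names whose contents count as ordinary PII: inventoried, not truncated.
PII_FIELDS = {"name", "email", "phone", "address"}


def classify_field(name, value):
    """Return 'spii', 'pii' or 'other' for a single record field."""
    text = str(value).strip()
    if any(p.match(text) for p in SPII_PATTERNS.values()):
        return "spii"
    if name.lower() in PII_FIELDS:
        return "pii"
    return "other"


def inventory(records):
    """Per field name, count the records holding PII and SPII in that field."""
    counts = {}
    for rec in records:
        for name, value in rec.items():
            kind = classify_field(name, value)
            if kind != "other":
                counts.setdefault(name, {"pii": 0, "spii": 0})[kind] += 1
    return counts


def truncate_spii(record):
    """Copy a record, keeping only the last four digits of any SPII value."""
    out = dict(record)
    for name, value in record.items():
        if classify_field(name, value) == "spii":
            digits = re.sub(r"\D", "", str(value))
            out[name] = "*" * (len(digits) - 4) + digits[-4:]
    return out
```

Running `inventory` before and after `truncate_spii` over a data set is a cheap way to confirm the "update the inventory on a regular basis" step actually shows SPII counts falling.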

6
Plan Elements: Credentialing
  • Employees:
    • Criminal background check
    • SSN verification
    • Education verification
    • Previous employment
    • Re-credentialing
  • Vendors:
    • Credentialing questionnaire with scoring
    • Strong privacy/security safeguards
    • Contractual provisions
    • Re-credentialing
  • Customers:
    • Centralized credentialing process
    • Proprietary checklist/process of verification
    • Internal and external verification
    • Scoring and review
    • Site visits and site visit scoring process

7
Plan Elements: Policies
  • Policies, standards and guidelines should
    address:
    • Data access
    • Protection
    • Transport
    • Restriction
    • Review and update
  • Key policies:
    • Privacy
    • Incident Response
    • Information Security
    • Physical Security
    • Audit and Compliance
    • Code of Conduct
    • Retention
    • Deletion
    • Classification
    • Credentialing and re-credentialing
    • Public Representations
    • Third-Party Service Provider
    • Breach Notification
    • Web site privacy

8
Plan Elements: Audit and Compliance
  • Self-regulate through audit and compliance
  • In-house audits:
    • Customer
    • Consumer sampling
    • Policies
    • Regulatory compliance
    • Random
    • Reseller
    • Event-driven
    • Suspicious activity
  • Independent assessments:
    • Third-party audits
  • Internal access to:
    • Regulated data
    • Information systems
    • Administration tools
  • IP monitoring
  • Phishing log monitoring
  • Administrator verification
  • Hot list
  • Employee badge display
  • Public records menu compliance

9
Plan Elements: Corporate Accountability
  • Establish an organization to oversee privacy,
    security and compliance
  • Establish a corporate governance model
  • Infuse participation and accountability at all
    levels
  • Create committees and working groups, such as:
    • Senior Management Committee
    • Security Review Board
    • Security Working Group
    • Credentialing Working Group
    • Risk and Emerging Areas Working Group
    • Policy Working Group
    • International Working Group
  • Maintain applicable certifications for employees
    (CISM/CIPP)

10
Plan Elements: Education, Outreach and Transparency
  • Establish mandatory privacy and security training
    program with assessment
  • Distribute privacy and security-related reminders
    and updates
  • Establish an office or officer for Consumer
    Advocacy
  • Build relationships with privacy advocates,
    government, education institutions, consumers and
    customers
  • Institute a program to notify stakeholders of
    privacy/security-related announcements
  • Maintain hotlines for customers/consumers
  • Partner with privacy and security organizations
  • Establish liaison with law enforcement
