IAPP Privacy Security Risk 2015 · 2015-09-25 · Role Based Training Computer Based Training...
Marriott Proprietary & Confidential
IAPP Privacy Security Risk 2015
Thursday, October 1st, 2015
A Tour de Force: How to Take Your Privacy and Security Program to the Next Level
Privacy determines what
needs to be protected
Security determines how
best to protect it
Kathy Memenza, Senior VP, IT Security and Privacy, Marriott International
Dorene Stupski, CIPP/C, CIPP/US, Director of Information Protection and Privacy, Marriott International

This topic is about taking your program to the next level. We will discuss how privacy and security can join forces to build a privacy/security program and take it to the next level. Now that you have the basics in place, what do you do next, and how do you really operationalize your program?

What you’ll take away:
Obtain examples of how to operationalize Privacy by Design & Security by Design
Obtain real examples of privacy/security tools built in-house with low budgets
Obtain examples of how to train/communicate to all levels of associates
Why are Cyber Threats Growing?
The Internet has become so integral to life:
2015: 3 Billion Devices
2020: 13 Billion Devices
Supply chains are increasingly interconnected:
Avg. Global Company: 900 Service Providers
Marriott: 750 Service Providers
Cyber Black Market is more profitable than the illegal drug trade ($3 Trillion)
Hackers can earn $10 - $20k per hour
People can be the weakest link:
90% of breaches are caused by employee mistakes
“Phishing” attacks are on the rise

Sample of Breaches 2014/2015 (chart; record counts as shown on the slide):
110 Million Records (Credit Cards and Customer PII)
350,000 Records (Credit Cards and Debit Cards)
800,000 Records (Account IDs, Phone Numbers)
310,000 Records (SSN, DOB)
12 Million Records (Bank Account, Employment Details)
3 Million Records (Credit Cards, Expiration Dates)
310,000 Records (SSN, DOB, Billing, Diagnosis)
145 Million Records (Pswds, Addresses, DOB, Phone Numbers)
4.5 Million Records (SSNs, DOB, Address, Phone #s)
868,000 Records (Names, Credit Cards)
350,000 Records (Credit and Debit Cards)
80 Million Records (SSNs, DOB, Address, Phone #s)
145 Million Records (SSNs, DOB, Insurance, Diagnosis)
21.5 Million Records (Names, SSNs, DOB, Address, Phone #s)
6 Million Records (Addresses, Phone, Email)
The Scale of Cyber Threats
$400B annual economic breach impact
$12.69M average cost per breach
50% of the time users click links in phishing emails within the first hour
60% Attackers compromise an organization within minutes
23% of breaches are attributable to third party vendors
650% ▲ Malware (390k new malicious programs/day)
66% ▲ Detected security incidents per year
(Chart: Malware Growth 2006-2015)
Don’t get stuck in old ways of thinking...
Inherent Tensions between Privacy & Security
Right to Privacy vs. Importance of Surveillance
Privacy and Security are in the same foxhole – we need to work as a team in order to overcome formidable obstacles.
Most facets of our work intersect
Requires a workable equilibrium
Can provide both privacy & security by partnering
Adding on privacy or security afterwards creates conflicts
Security and Privacy Joining Forces! Why is this Important?
(Diagram: overlapping Privacy and Security circles)
Step 1: Create a Successful Partnership:
Start by creating a shared vision & mission
Make sure each partner’s needs and expectations are addressed
Identify and utilize the strengths of each partner
Create a common language and common understanding
Handle disagreements, disappointments and frustrations early
Leave your ego at the door
TRUST is paramount!
Where do Marriott’s Privacy and Security teams Partner and How Do our Processes Intersect?
Answer: Everywhere. More Risk = More Engagement

Where we Partner:
PROJECT Framework
3RD PARTY Assessments
CLOUD Framework
INCIDENT Response
RISK Assessment
Mergers & Acquisitions

Intersections:
All Projects: Sales & Marketing, Digital, HR, Operations, IT
Regulatory & PCI Compliance: In Country Registrations, Safe Harbor
Mergers & Acquisitions: Data transfers and Cyber controls
Business and Property Processes
Fully Integrated Project Lifecycle & Stage Gates
Data collection, transfers and handling
Applications, Social media, Cookies, Websites
Training & Awareness
Working to Simplify Engagement
Combining multiple engagement channels into a single engagement process

Request Center Forms:
Third party hosting assessment
Business continuity request
Policy exception request(s)
Risk management request
Lost or stolen device notice
High risk data access requests

Phone & Email:
Privacy consulting
Security consulting
Investigations request

Our Work in Progress
Privacy/Security Training & Communication

Training:
Region Specific Training
Role Based Training
Computer Based Training
Instructor Led Training
Discipline Specific Training
On Site Training
Cross Discipline Training
Mediapro Training

Webinars:
Franchises & Owner Webinars
PCI Webinars
Discipline/Role Specific Webinars

Awareness Programs:
Privacy & Security Day
Posters
Privacy & Security Brochures
Privacy & Security Booths at Company Sponsored Events

Privacy & Security Staff: 51 combined Certifications

Governance Committees:
Audit Committee
Information Security & Privacy Governance Committee
Corporate & Continental Legal & Ethical Compliance Committee
Information Protection & Privacy Committee
Privacy/Security Account Managers
Risk Assessment/Acceptance Methodology

Risk matrix: rows are Business Impact, columns are Likelihood of Incident Scenario, and each cell is the resulting risk level (0-8):

Business Impact \ Likelihood   Very Low         Low         Medium      High      Very High
                               (Very Unlikely)  (Unlikely)  (Possible)  (Likely)  (Frequent)
Very Low                       0                1           2           3         4
Low                            1                2           3           4         5
Medium                         2                3           4           5         6
High                           3                4           5           6         7
Very High                      4                5           6           7         8

Risk register columns: Risk No | Challenge or Risk | Risk Level | Marriott Requirement | Abuse Cases | Comments | Suggestions
Risk register rows: Security Risks, Privacy Risks, Legal Risks
New Privacy and Security Framework
Ensures applications and systems meet regulatory expectations and industry best practices
Creates reusable patterns
Helps make projects easier and faster to implement
Demystifies requirements through pre-defined controls
Assesses providers and vendors against a common set of capabilities
Privacy & Security: Demystifying Requirements
Modularize Offerings:
Privacy & Security Programs
Safe Harbor Certification Program
Hosted Service Providers
MIP-34 Process
PAMS (Privacy Account Managers)
SAMS (Security Account Managers)
Data Classification & Security Patterns
Privacy & Security Decision Tree
Privacy & Security Portal - SDLC
Case Study: 50% of Marriott’s systems will be moved into the cloud in the next two years and all new applications will be built in the cloud.
We Built Our Framework on Regulatory Expectations and Best Practices
Sources: Privacy/Security Laws; Cloud Security Alliance; NIST Framework; Regulations such as SOX, PCI; Int’l Standards Organization-27001; Marriott’s Policies and Standards
• Defined over 460 controls
• Evaluated each control against Service and Deployment Model and Solution Design
• Adopted a risk-based approach, assigning different levels of controls for different levels of risk

Multidimensional Framework:
Data Classification (by Country): Credit Card Data (High Risk) • Restricted • Non-Public • Public
Cloud Service Model: Infrastructure as a Service (IaaS) • Platform as a Service (PaaS) • Software as a Service (SaaS)
Deployment Model: MI Data Center • Public • Private • Hybrid • Community
Solution Design
Outcome
Marriott’s Data Classification: Different “Classes” of Data = Different Controls
Marriott Security and Privacy Framework Components
Data classes, from more risky to less risky:
High Risk (PCI data)
Restricted
Non Public
Public
Security and Privacy Pattern: “What needs to be done”
Architectural Solution
Decision Tree Portal
In order to support the Plan intake process, Information Protection & Privacy and Enterprise Security teams are building a system that will provide privacy and security guidance to the project team.
This system will guide a user through a series of questions during the Business Modeling and Planning phase. The answers to those questions will determine a specific set of recommendations.
This system will use decision-tree logic to produce a repeatable set of requirements based on the type and volume of data involved, the countries the data is stored in, and the application architecture.
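An added example, not Marriott's decision-tree portal or any tool from the deck: it encodes the likelihood/business-impact matrix from the Risk Assessment/Acceptance Methodology slide and a decision-tree style classification into the deck's four data classes (High Risk/PCI, Restricted, Non Public, Public), producing one risk-register row. The element-to-class mapping, the record-volume rule and the risk-acceptance threshold are assumptions for illustration.

```python
# Added example (not Marriott's tool): scores a scenario on the deck's 5x5
# likelihood / business-impact matrix and applies decision-tree logic to
# derive a data class and a risk-register row. The class mapping, the volume
# rule and the requirement thresholds are assumptions for illustration.
from dataclasses import dataclass, field

SCALE = ["Very Low", "Low", "Medium", "High", "Very High"]  # both axes, index 0..4

def risk_level(likelihood: str, impact: str) -> int:
    """Matrix cell: likelihood index plus business-impact index (0 to 8)."""
    return SCALE.index(likelihood) + SCALE.index(impact)

# Assumed mapping of collected data elements to the deck's four data classes.
CLASS_RANK = ["Public", "Non Public", "Restricted", "High Risk"]
CLASS_OF = {
    "name": "Public", "email": "Non Public", "phone": "Non Public",
    "address": "Non Public", "dob": "Restricted", "ssn": "Restricted",
    "diagnosis": "Restricted", "credit_card": "High Risk",
}

def classify(elements, record_count=0):
    """Highest class among the elements; assumed rule: a large volume of
    Non Public data is treated as Restricted (volume is a decision-tree input)."""
    data_class = max((CLASS_OF[e] for e in elements), key=CLASS_RANK.index)
    if data_class == "Non Public" and record_count >= 1_000_000:
        data_class = "Restricted"
    return data_class

@dataclass
class RegisterRow:
    risk_no: int
    challenge: str
    risk_level: int
    requirement: str
    abuse_cases: list = field(default_factory=list)

def assess(risk_no, challenge, elements, likelihood, impact,
           record_count=0, abuse_cases=()):
    """Build one register row (Risk No, Challenge or Risk, Risk Level,
    Marriott Requirement, Abuse Cases) from the decision-tree answers."""
    level = risk_level(likelihood, impact)
    data_class = classify(elements, record_count)
    # Assumed threshold: level 6 or above, or any PCI (High Risk) data,
    # needs formal risk acceptance; otherwise the class pattern applies.
    if level >= 6 or data_class == "High Risk":
        requirement = f"Risk acceptance required; apply {data_class} pattern"
    else:
        requirement = f"Apply {data_class} pattern"
    return RegisterRow(risk_no, challenge, level, requirement, list(abuse_cases))
```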