Security for Business

Apr 04, 2018

7/30/2019 Security for Business

1/32

A New Era of Compliance
Raising the Bar for Organizations Worldwide
Recommendations from Global 1000 Executives

Security for Business Innovation Council, an industry initiative sponsored by RSA
v 3, 20 10 | Report based on discussions with the Security for Business Innovation Council

ABN AMRO
Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer

ADP INC.
Roland Cloutier, Vice President, Chief Security Officer

BHARTI AIRTEL
Felix Mohan, Senior Vice President, CISO & Chief Architect

CSO CONFIDENTIAL
Professor Paul Dorey, Founder and Director, and Former Chief Information Security Officer, BP

CIGNA
Craig Shumard, Chief Information Security Officer

DIAGEO
Dr. Claudia Natanson, Chief Information Security Officer

EBAY
Dave Cullinane, Chief Information Security Officer and Vice President

EMC
Dave Martin, Chief Security Officer

FEDEX
Denise Wood, Chief Information Security Officer and Corporate Vice President

GENZYME
David Kent, Vice President, Global Risk and Business Resources

JPMORGAN CHASE
Anish Bhimani, Chief Information Risk Officer

NOKIA
Petri Kuivala, Chief Information Security Officer

HDFC BANK
Vishal Salvi, Chief Information Security Officer and Senior Vice President

T-MOBILE USA
Bill Boni, Corporate Information Security Officer, VP Enterprise Information Security

TIME WARNER
Renee Guttmann, Vice President, Information Security & Privacy Officer

WITH GUEST CONTRIBUTOR:
Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP

Inside this report:
• Evidence of four emerging trends in information protection regulations
• The rapid shift toward a new era of compliance
• Business impact: predictions and analysis
• Strategies for aligning compliance programs to the new era

Contents: The Complete Compendium to the New Era

I. INTRODUCTION
The End of Business As Usual ... 2

II. THE CHANGING COMPLIANCE LANDSCAPE
Strengthened Enforcement ... 4
Global Spread of Data Breach Notification Laws ... 6
More Prescriptive Regulation ... 7
Growing Requirements Regarding Business Partners ... 8

III. BUSINESS IMPACT
Get Management Attention ... 10
Increase Costs ... 11
Create Greater Consequences for Data Breaches ... 11
Give Rise to More Third-party Risk ... 12
Compliance and the Move to the Cloud ... 13

IV. RECOMMENDATIONS
1 Embrace risk-based compliance ... 14
2 Establish an enterprise controls framework ... 16
3 Set/adjust threshold for controls ... 16
4 Streamline and automate compliance processes ... 18
5 Fortify third-party risk management ... 20
Managing cloud service providers ... 21
6 Unify the compliance and business agendas ... 21
7 Educate and influence regulators and standards bodies ... 22

V. CONCLUSION
Get It Right and Reap the Rewards ... 23

VI. APPENDICES
About the Security for Business Innovation Initiative ... 24
Security for Business Innovation Report Series ... 25
Contributors ... 26


RSA, The Security Division of EMC | Security for Business Innovation Council Report | 1

Recently there have been major shifts in the compliance landscape.

ALTHOUGH ENFORCEMENT of existing regulations has been weak in many jurisdictions worldwide, regulators and standards bodies are now intensifying enforcement through expanded powers, higher penalties and enforcement actions.

GOING FORWARD, IT WILL BECOME difficult to hide information security failures, whether they affect organizations or businesses: legislators have focused on the introduction of breach notification laws in Europe, Asia and North America, and breach disclosure has become a global principle.

AS MORE REGULATIONS ARE INTRODUCED, there is a trend toward increasingly prescriptive rules. For example, two recent state laws are notable as two of the most prescriptive information protection regulations ever. A global enterprise doing business in the U.S. today will likely be covered by these regulations.

REGULATORS ARE ALSO making it clear that enterprises are responsible for overseeing the protection of their data even when it is being processed by business partners, including cloud service providers.

THE NEW ERA OF COMPLIANCE creates formidable challenges for organizations worldwide.

FOR MANY, STRICTER COMPLIANCE could help focus management attention on security, but if it results in a check-list approach to compliance it will detract from actually managing risk and may not improve security.

THE NEW COMPLIANCE LANDSCAPE will drive up costs and disruption. For example, it increases the resources required to sustain business compliance. Increased requirements for service providers give rise to more third-party risk.

WITH MORE TRANSPARENCY, there are now greater consequences for data breaches. For example, expect more litigation as customers and business partners seek compensation for compromised data. The greatest damage will likely come from the court of public opinion, with the potential to permanently damage an enterprise's reputation.

TODAY, THE NEW ERA IS FORCING all compliance programs to the next level.

AS THE RECOMMENDATIONS reveal, to reach a higher level of maturity, organizations must answer hard-hitting questions about their compliance programs such as:

• Have we developed the governance structure and competency in risk management?

• Do we have a consistent controls framework across the entire enterprise?

• Are we able to understand the materiality of risks and determine the appropriate level of controls?

• Do we articulate and defend risk decisions and control thresholds during audits?

• Have we streamlined processes to establish a single assessment that produces multiple reports for different purposes?

• Do we have a plan for automation to reduce the number of separate, repetitive and manual data collections?

• Would the due diligence we perform on existing service providers stand up in court?

• Can we adjust our program if the regulatory ground shifts?

• Is compliance fully embedded in business processes or is it something we do on the side?

• Are we managing the threat that a flood of upcoming regulations would cripple business?

TEN YEARS ago, security wasn't a common business practice. But compliance has made security a business imperative. Enterprises today are expected to have mature disciplines of privacy and risk in order to do business in an international environment.
Roland Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.

Report Highlights

THIS REPORT provides a comprehensive set of concrete recommendations from 15 of the world's leading security executives and experts on data protection to help organizations align their programs to the heightened demands of today's compliance landscape and prepare for tomorrow.


    th th DaWnf e Ie-e e, e

    lme f bie

    ci d pe-l d med lie.Ab 10 e , -eme d idelized iz-i ld be eld e-pible f pecii diil ifmid ed mdifed. Sice e,ee bee c- w f elid dd lbll

    (s taB ).Nw el

    d e wld eppi e e, pmp-ed b mie dbece e e l

COMPANIES ARE increasingly disqualifying business partners because they're not able to meet the due diligence standards, based on data privacy and other regulatory requirements. So it is certainly impacting business.
David Kent, Vice President, Global Risk and Business Resources, Genzyme

    decde i cmplice,we e eei ewe cceized bie leel f cid ee epi-biliie f peciifmi.

    Iceil, ee -izi diecl

    ceed b eli dd will e mee e eqie-me cc.Eepie e becm-i me ccble fe ifmi ecipcice f ei eicepide. ei ble cmpl wi ifm-i eci d piceli becme peeqiie f di

    bie i e 21ce. e d mecmpie will be le f lcie delif e e ble deme cmplicewi ifmi pec-i mde.

    Heieed cm-

    plice bliie emei ecmic cdiimie izi becme ee me de-pede id pie.c f d bieii ile ewbie mdel d ITeime eleil e e feel eice pid-e d cld cmpi.

    few e, wic edmied e edlied ced pblic c.New bec ic-

    i lw e pedic e lbe, fcime pec fifmi ecifile. Efceme feli i e ie.

    O e liii f,me f e ece d cl cilwi e miei w eU.S. c cm-e, elde d

    bie pe eeei lel eibifm izi filed fed dpeced b lw. Sicem me idic-i e implemeibec ici lw,ee will liel be meicide dicled fl-lwed b me lwi.

    izie embced ei-

    i mde d emde e ide ideelpi cmplicepm. Te iicmplice ldcpew dd e ewcllee f eeple. Oe i-zi e ed bwi lcdiicl ebece e fced mii-ml ei. Ted e e. Td,

1 Introduction: The End of Business As Usual

It's a very interesting time to be active in this field because so much is changing. An innovative or clever approach to compliance actually gives a competitive advantage, because compliance applies to everyone now and it's really survival of the fittest.
Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN Amro


    Ad ll f i i cc-i i bcdpf ecli e.

    Ti ew e fcmplice will eiic impc bie. Oizi meei peilidd will e

    mp p qicl i de ie plei ieil bi-e. Eepie e bee dilie iciei eliel idd d bild-i me cmplicepm will eed pidl dde ewcllee.

    Te ee ep fe Seci f ie

The regulators are moving away from light-touch to more interventionist regulation. That's clear in all senses of society and economy so it's not surprising regulation is tightening up in the data protection field. As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.
Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP

TABLE 1: A DECADE OF REGULATION GROWTH*

DATES | REGULATION OR STANDARD | GEO | APPLIES TO
Late 90s-2005 | Data Protection Directive, member country implementation | European Union (EU) | All organizations operating in the 27 member countries
2000-04 | Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada | All organizations in Canada
2001-03 | Gramm-Leach-Bliley Act (GLBA), FTC and Interagency Rules | U.S. | All financial institutions in the U.S.
2003-05 | Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules | U.S. | All healthcare organizations in the U.S.
2003 | SB-1386 privacy law with breach notification | California | All organizations holding data on California residents
2003-05 | Personal Information Protection Act (PIPA) | Japan | Government agencies and entities handling personal information of 5,000+ individuals
2004-05 | Sarbanes-Oxley (SOX) Section 404 Internal Controls | U.S. | All publicly traded companies in the U.S. (exemption for smaller reporting companies)
2004-07 | Basel II Operational Risk Requirements | Global | All internationally active banks with assets of $250+
2004-10 | Payment Card Industry Data Security Standard (PCI DSS) | Global | All organizations processing credit card data
2006-10 | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Cyber Security Standards | North America | Users, owners and operators of the bulk electric power system
2008-9 | IT Amendment Act | India | All organizations

*Sampling of regulations with information protection requirements; dates listed are time periods for effective dates and/or compliance deadlines

This Council report looks at how the changing compliance landscape is raising the bar for organizations worldwide and how to meet the challenges. It offers a set of concrete recommendations drawn from discussions with 15 top security executives from some of the world's largest companies, as well as one of the world's foremost experts on data protection law.


2 The Changing Compliance Landscape

Four emerging trends usher in the new era

AFTER A DECADE of information protection mandates, compliance is still a major focus for enterprises worldwide. The latest E&Y Global Information Security Survey found 77 percent of IT decision executives rated achieving compliance with regulations a top priority.1 Most global enterprises today must comply with anywhere up to hundreds of regulations and standards with requirements for information protection. An organization's typical list depends on its type of business, vertical industry, and the jurisdictions in which it operates. Every organization's list is continually evolving as new regulations appear or existing ones change. For example, many organizations will be affected by the new Dodd-Frank Law in the U.S. or Solvency II in the European Union (EU).

Besides the constant wave of new regulations, organizations must now contend with a new era of compliance. Over the past 18 months the compliance landscape has significantly shifted. Specifically, four emerging trends are ushering in this new era:

• Strengthened enforcement
• Global spread of data breach notification laws
• More prescriptive regulation
• Growing requirements regarding business partners

IT GETS more and more complex. If you're a public company, you've got SOX. If you take credit cards you've got PCI. Then there are the privacy laws. A company like ours has operations in 7 countries around the world. Global organizations have to comply with all the variations of privacy laws in the US, the EU and Asia and there are new laws and new requirements all the time.
Dave Cullinane, Chief Information Security Officer and Vice President, eBay

Strengthened Enforcement

Although enforcement of information protection legislation has been weak in many jurisdictions worldwide, regulators are now


TABLE 2: STRENGTHENED ENFORCEMENT IN EUROPE

Germany | In August 2009, the Federal Data Protection Act was amended to increase maximum fines for violations and strengthen the powers of the Data Protection Authorities.

UK | In April 2010, the Information Commissioner's Office (ICO) was given new powers that include the ability to take action against those committing serious breaches of the Data Protection Act, conduct compulsory compliance assessments, and the potential to impose civil monetary penalties. THE STATED OBJECTIVES are to take purposeful risk-based enforcement action where obligations are ignored, where codes and guidance are not followed and where examples need to be set.

France | In March 2010, the Senate overwhelmingly approved a draft bill which would reinforce the obligations of data processors, expand the powers of France's national Data Protection Authority (CNIL) and double the potential fines for infringement. THE STATED GOAL is to update the data protection law to better address the issues of privacy in the digital era. THE DRAFT LAW is currently under review by the National Assembly.

investing in expanded powers, higher penalties and enforcement actions.

European Union

Originally issued in 1995, the EU Data Protection Directive is currently undergoing a complete renewal. In reviewing the law, the European Commission has stated that strengthened enforcement is one of its main objectives.2 Details of the new legislation will be published in late 2010, with the new proposed law to be promulgated in 2011.3 Recommendations for strengthening enforcement include providing Data Protection Authorities with full powers to investigate (e.g., conduct audits), intervene (e.g., halt data processing) and engage in legal proceedings.4

Ahead of the EU's planned renewal of the Directive, some of the individual member countries, including Germany5, the UK6 and France7, have recently been strengthening enforcement of their existing national laws (see Table 2).

USA

Recently there has also been a rise in the enforcement of information protection legislation in the U.S. (see Table 3). For organizations in healthcare, the HITECH Act of 2009 upgraded HIPAA enforcement provisions.8 This includes expanding enforcement powers to include the state attorneys general, who can now sue organizations for HIPAA infractions, incentivizing the states to enforce HIPAA standards. In July 2010, Connecticut became the first state to use these new enforcement powers.

There have been signs of increased enforcement in the energy regime as well. By the end of June 2010, certain entities, generally owners, operators and users of portions of the bulk power system, were expected to prove compliance with all provisions of the North American Electric Reliability Corporation (NERC)

TABLE 3: STRENGTHENED ENFORCEMENT IN U.S.

HITECH Act | HIPAA now includes mandatory investigations of complaints, compliance reviews and higher penalties. In addition to the Department of Health and Human Services, state attorneys general can now enforce HIPAA. In July 2010, the Attorney General's Office of Connecticut issued a $250,000 settlement and Corrective Action Plan against a company for failing to protect health information.

NERC | NERC is now authorized to enforce compliance among all market participants. NERC will monitor compliance through regularly scheduled audits, random spot checks, and investigations.

FTC | FTC investigation of two security incidents determined Twitter failed to implement adequate security measures. Twitter is subject to independent security audits and FTC oversight for 20 years. FTC investigation found Rite Aid failed to protect customer and employee information. Rite Aid is required to establish an information security program, agreed to pay $1 million and is subject to third-party security audits for the next 20 years.

Critical Infrastructure Protection (CIP) Cyber Security Standards. NERC and its regional entities will monitor compliance and have the power to levy fines as well as sanctions.10 There have also been efforts to enforce compliance with the Federal


Trade Commission (FTC) standards; in the past year the FTC levied high-visibility actions. For example, Twitter11 and Rite Aid12 were subject to FTC actions that received a lot of media attention. In July 2010, FTC Chairman Jon Leibowitz testified before the Senate about the FTC's investigative activities focusing on privacy13, which likely means more investigations and actions in the future.

PCI in Europe and Asia

Global enforcement of the Payment Card Industry Data Security Standard (PCI DSS) is also on the rise. While the PCI standard has been widely implemented and enforced in the United States, so far compliance in Europe and Asia has been relatively weak. Visa and MasterCard have stepped up enforcement and are imposing compliance deadlines for European and Asian organizations. The card companies have set global 2010 deadlines for all Level-1 and Level-2 merchants worldwide, including annual on-site audits by Qualified Security Assessors (QSAs) and increased fees for non-compliance.14 Recently the PCI Security Standards Council appointed a European director specifically to increase awareness and help encourage European companies to adopt the PCI standard.15

Global Spread of Data Breach Notification Laws

Regulators are not only tightening up existing laws, they are introducing new laws aimed at forcing more transparency. Breach disclosure is becoming a global principle in jurisdictions worldwide and a part of data protection law

TO UNDERSTAND the impact of breach disclosure you have to understand what breach disclosure is about in a philosophical sense. It's about changing the power relationship between the regulator and the regulated. The classic failure of regulation is that the regulator doesn't know as much about the regulated entity as the entity itself. Breach disclosure is a transparency mechanism that equips the regulator with information and therefore empowers the regulator.
Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP


TABLE 5: PRESCRIPTIVE REGULATION

EXAMPLES | REQUIREMENTS

Nevada's updated privacy law |
• Adds expanded encryption requirements for data in transmission and on portable devices
• Makes PCI compliance the law for all businesses that accept credit cards

Massachusetts' new privacy law | Encompasses a lengthy list of security requirements such as:
• Written information security program
• Physical and logical access controls
• Monitoring for unauthorized access
• Service provider oversight
• Encryption of data in transmission and on portable devices (minimum 128-bit)
• Includes penalties and injunctive relief (i.e., a court order can be issued to stop violations)

TABLE 6: MASSACHUSETTS PRIVACY LAW'S REQUIREMENTS REGARDING THIRD PARTIES

• Select and retain third-party service providers that are capable of maintaining appropriate security measures to protect information consistent with the regulation
• Contractually oblige third-party service providers to implement and maintain appropriate security measures.

    i edi eieide. A lbleepie debie i e U.S.will liel be ceed

    b ee eli.Te ce

    lw p f mef e m cmpe-eie ifmieci eqiemee be imped biee b leile. Awell, Ned d cee w f e idici ie wld mde ecpif pell ideible ifm-i II.

    Tee ew e pic lweec wi cce mAmeic e leil bcied le-cle d bec-e d e eli idei e.I i widel belieed eeme pecipie e lw ebie f i cme. Tee f i ledfllwed Ned led i m-i I lw.27 Sice ee i ill eci fedel ifm-i peci leili i e

    U.S., e ce lw cldiece e e d, lie

    e e bec icilw eced b lifi, e iwide ec. Aled ee f New Jee eleedi e-pl f imileli.28

Growing Requirements Regarding Business Partners

Existing regulations and standards call for organizations to ensure third parties handling protected data employ adequate security measures. A recent wave of regulatory activity is establishing legal requirements for enterprises as well as their business partners to ensure the security of information.

New obligations

The new state privacy laws set up more substantial obligations, including pre-contractual vetting and ongoing monitoring of the security practices of third parties, than existing legislation in the U.S. and elsewhere29 (see Table 6).

Recent modifications to HIPAA, the HITECH Act, mean many more organizations are now covered by HIPAA: the definition of business associate has been broadened to explicitly include sub-contractors, providers of data and transmission services, and vendors of personal health records.30 As well, business associates now have direct responsibility and liability for breaches, including incident remediation, and are subject to the Act's civil and criminal penalties.

In a regulated environment, you essentially have to vouch for the fact that you've partnered with organizations which can handle the information in a secure fashion, consistent with regulation.
David Kent, Vice President, Global Risk and Business Resources, Genzyme


TABLE 7: GERMAN DPA GUIDELINES ON CLOUD SERVICE PROVIDER ASSURANCE

Ensure regular control over the cloud vendor's technical and organizational measures used to protect the data.

Two ways to exert regular control were suggested:
• Obtain expert opinion in the form of audit certificates indicating the service provider is meeting the legal restrictions.
• Obtain a binding declaration in which the service provider makes a comprehensive commitment to meet the obligations imposed by the law.

Enforcement actions

This concept that a company is ultimately responsible for the actions of its third parties is reinforced by recent FTC enforcement actions against mortgage lender Premier Capital Lending. In this case, the FTC brought action for, among other things, violating the Safeguards Rule by engaging with business partners that did not employ reasonable and appropriate security to safeguard sensitive data, namely access to consumer credit reports through Premier's system.31

Guidance on cloud service providers

In July 2010, the Data Protection Authority (DPA) in Germany issued a statement about legal issues regarding cloud computing service providers.32 According to the guidelines, companies must ensure regular control over whether cloud computing service providers are meeting the restrictions of the federal privacy law in Germany (see Table 7). This statement from a regulator provides an indication that organizations will be held legally accountable for ensuring their cloud computing service providers have adequate security.

THE REGULATORS in general seem to be heading towards more prescriptive regulations. When standards get too prescriptive they can be a hindrance. They start to impose things that may not be relevant to an organization's risk management. The organization may do things in a different way, yet manage risk well. But that wouldn't be acceptable to the prescriptive regulator.
Professor Paul Dorey, Founder and Director, CSO Confidential, and Former Chief Information Security Officer, BP


3 Business Impact: Only the Strongest May Survive

SINCE INFORMATION PROTECTION REGULATIONS appeared a decade ago, compliance has affected enterprise IT and business strategies. The new era of compliance will add to the already formidable challenges and force a renewed focus on compliance.

Get Management Attention

A major impact of compliance is it gets the attention of executive management. The new measures in the regulatory regime may help get management attention in organizations which are not taking security seriously yet.

In many organizations, compliance has elevated information security to become a strategic and board-level issue. Compliance has enabled the necessary investment in the resources and people required to protect information. It creates willingness to change business processes and helps drive cultural change. Ten years ago, most information security organizations did not have the mindshare, funding, technology or staff. Recent research indicates 64 percent of IT and security executives surveyed believe regulatory compliance has increased the effectiveness of information security.33

Whether compliance helps improve security depends on an organization's approach. If management simply meets the requirements of the regulations and standards at a minimum, information security will not necessarily improve.

Compliance is the best and worst thing that ever happened to security. It's a combination. It gives you awareness. It gives you real-life justification for good security practices. But at the same time, especially when regulations get prescriptive, it can make it more difficult to have a truly risk-based program where your highest risk items always get your financial investment.
Denise Wood, Chief Information Security Officer and Corporate Vice President, FedEx Corporation

Heightened scrutiny of other people and by other people is going to cost you. Besides regulators, customers or partners who are working with you are going to demand more of you. That's going to add cost.
Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP


    Ifmi eci c be eed ed e. I i i pce mepd ci eime.

Increase Costs

In the new era of compliance, costs are set to rise. In a recent survey, 55 percent of IT and security executives indicated regulatory compliance has accounted for a moderate to significant increase in their overall information security costs.34 As the compliance landscape gets more complex, demonstrating compliance gets more time consuming and costly. Enterprises must constantly update their compliance programs to account for new requirements. For global enterprises, the main challenge is dealing with international laws that call for conflicting requirements. One country tells you to do this, while the other tells you to do that. It makes it difficult to have a global model for compliance. Organizations end up having duplicate functions across their various subsidiaries to comply, adding costs.

Another cost that adds up is the number of requests to demonstrate compliance; this steadily increases, not only as requests come from regulators and auditors, but also from customers and partners. Organizations currently rely on many manual hours and reams of paper for data collection and reporting, which consume a significant amount of resources.

Increased responsibility for information security across the extended enterprise also significantly impacts organizations. For example, organizations must devote more resources to evaluating their service providers' security practices. At the same time, service providers must invest in developing assessment processes that can give customers the required assurance.

Generally, if regulations call for a risk-based approach, organizations are investing in security controls based on analysis of their risks weighed against their appetite for risk. Their investments address their business needs to protect information. It is when regulations get more prescriptive that compliance creates additional costs for security controls. Organizations are pushed to budget dollars implementing technology prescribed by regulatory requirements rather than technology which helps manage risk.

Create Greater Consequences for Data Breaches

The consequences of a data breach will be much higher for the organizations involved. Even diligent organizations may experience breaches. If a breach occurs and the data involved is covered by law, there could be regulatory actions and fines. With breach notification now a requirement in more and more jurisdictions, it is increasingly likely organizations will also have to disclose the breach to authorities and/or those affected.

Generally, it is not the regulatory actions that are the most dreaded consequence of a breach; what puts many companies out of business is the resulting damage to public image. The most significant fallout stems from a disclosed incident and can include:

• Direct costs of notification, damage control activities and breach investigation and clean-up;
• Damaged reputation caused by negative media;
• Loss of customers, business partners and investors;
• Legal costs of litigation;
• Decline in shareholder value;
• Loss of business;
• Heightened scrutiny by business partners and customers making more detailed assessments; and
• Higher costs of meeting future contract requirements.

    Sme f e e ce ili d bece

TABLE 8: DATA SECURITY BREACH LITIGATION*

TYPE OF LITIGATION | EXAMPLES FROM 2009-2010

Investor lawsuit | A retailer settled a lawsuit brought by an employee pension plan alleging the retailer failed to protect customer personal data, resulting in a breach.

Class action lawsuits | Five financial institutions filed a class action suit alleging an acquiring bank should be included as a defendant and share responsibility for damages caused by a data breach which impacted millions of credit and debit cards. Two class actions were filed against various defendants, including a payment processor, arising from unauthorized intrusions into the processor's computer system. A bank settled a lawsuit which alleged it failed to limit access to and/or adequately safeguard private customer information, agreeing to pay identity theft services and free credit monitoring reimbursement for millions of customers.

B2B lawsuits | A lawsuit filed by a manufacturing company alleged a bank exposed the manufacturer's customers to phishing attacks by sending e-mails inviting customers to click a link to update the bank's security settings. A lawsuit filed by a restaurant chain is seeking compensation from a point-of-sale system vendor and reseller, alleging problems with the system and installation led to a security breach.

*Lawsuits caused by a breach of information protected under privacy legislation or PCI


    e mi ei w e U.S. c em(s taB ). clim f cmpei d me i i e pblic elm biee iedce ele f c. e bec iled pceed b m izi l le

    ci, ee will be dipe b w i blme.I fc, wi me bec ici lw d e-qieme f bie pe, e clime i ipef cmmecil liii.

    mel epeed ifmi ecifile m cll e dw cmp. F e-mple, dSem, pme pce, eed cpic d bec we 40 milli cedicd ecd wee le i 2005.35 Te cedi cdcmpie widew ei bie d dS-em eell ceed pee. I e fe, epe f cmpie ee i f file m bee ce cld cmpi eice pid-

    e dle eled d, e cclblii pec i, b limel d edeqe fed.

    Te l em eec d, wicled e c f d bece i e U.S., fd 42 pece f ll icide died iled id-p izi d ee wee e m clde ddiil ieii d cli fee.Te d l fd c i eel cie ie. Te ee c pe icide i e U.S. w$6.75 milli US, wi eli c i

TODAY IF a company suffers a significant data breach, it's going to go viral and stay viral. And once it gets on the web, it doesn't go away.
Bill Boni, Corporate Information Security Officer, VP Enterprise Information Security, T-Mobile USA

BEFORE, SECURITY was almost like a pet peeve of the security department. Compliance makes it everyone's responsibility, which makes a huge difference. Now it's easier to go about embedding security into the business.
Dr. Claudia Natanson, Chief Information Security Officer, Diageo

    fm $750,000 $31 milli. Oizi e lpedi me lel defee c i pei- e.36

    I fllw- d cmpi c f dbece ieill, i w fd e e-

    e c pe icide wldwide w $3.43 milliUS. Te c e ie f izi e d bec i cie wi icilw cmped icide cc i ciewi. F emple, i e U.S., c eled lecd wee 43 pece ie i ciewi ici lw.37 Gi fwd, c m p i e cie e idici ddici eqieme.

    Ulimel, i d elelel cmpeiielbl meplce, e dme fe m cldbe e c f pblic pii. I Jl 2010, led-i mfce d icide ili e

    diibi f mebd ifeced wi mlwe,wic w eped i e pe. Hwee e medmi cee w e il ciicl ediili e blpee. I l-ceced cie,peple w e e me w w i i cmpie d bdc ei pii b i e wld.

Give Rise to More Third-party Risk

The sheer volume of external service providers that enterprises must oversee is on the rise and the number continues to grow. One of the main reasons enterprises are increasing their use of third parties is because it helps reduce costs. For example, even with the economy slowly turning around, enterprises are still aiming to reduce costs. The findings of the October 2010 report by the International Association of Outsourcing Professionals (IAOP) showed upward trends, with 70 percent of companies planning on expanding their outsourcing programs.38

Unfortunately, the increasing use of third parties is on a collision course with the increasing demands for compliance. Nowadays, enterprises are responsible for the whole value chain wherever their data goes. With more and more service providers and vendors in the chain, there is increased concern that one of them will fail, resulting in non-compliance and/or a data breach.

This creates challenges for both sides. For enterprises contracting service providers, it means developing effective vetting mechanisms. Also, companies in heavily regulated sectors such as financial services must get accustomed to multi-level contracts for their suppliers, a burden that is new for many of them. For service providers who are not up to the standards required of the regulated environment, it will be more and more difficult to do business with large enterprises and government agencies. For some, coming up to speed on compliance will be a matter of survival. Increasingly, organizations are walking away from service providers that cannot meet standards.

A further challenge may be that smaller service providers cannot afford high levels of security controls and/or the processes necessary for customer assessments. To reduce the cost of verifying compliance, large enterprises may look to large providers that can supply multiple services.

Compliance and the Move to the Cloud

When it comes to third-party risk, one of the biggest business issues affected by compliance is the use of cloud service providers. Cloud computing is moving from marketing buzz to prime time, as many organizations actively explore options. A recent survey of some 140 global IT decision makers revealed 18 percent are already in discussions with cloud service providers, and an additional 45 percent plan to do so within the next 6 months.39 Several Fortune 500 companies have already moved their e-mail systems to the cloud, and according to analysts, many more will move to cloud e-mail.40

Finding the necessary level of assurance in a cloud environment will be difficult. Even large cloud service providers could have trouble meeting compliance requirements. For example, Google signed a landmark deal to provide e-mail and other applications, such as document creation and spreadsheets, to the city of Los Angeles. Originally the contract imposed a deadline of June 30, 2010 to have the migration to the cloud completed. Google is having more difficulty meeting the stringent security requirements set by the state Justice Department and the Los Angeles police. Therefore the deadline has been extended.41 It is not surprising compliance is placing hurdles on the road to the cloud.

For many jurisdictions, compliance issues threaten the core of the cloud service provider business model, in which data processing moves to the physical location where the lowest-cost capacity is available. The EU Directive places limitations on where data can be located and moved, i.e., it must be within the borders of the European Union member states, or strict contractual agreements are required to move data outside of the EU. Meeting these requirements may mean the cost savings need to be recalculated.

The deficit reduction plan in Europe and the States is going to mean loads of outsourcing. But if you're an outsourced service provider you have no hope of getting government contracts, no hope whatsoever, unless you're able to demonstrate very good systems and operations for security.
Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP


4 Recommendations: Best practices go to the next level

OVER THE PAST DECADE, many organizations' compliance programs have been evolving through stages of maturity (see Table 9). Where they are on the maturity curve depends on company size, vertical industry, and level of management attention. Today a confluence of factors is forcing all compliance programs to the next level. This set of recommendations helps organizations align their programs to the heightened demands of today's compliance landscape and prepare for tomorrow.

1 | Embrace risk-based compliance

A risk-based compliance program is an operating model with three main components:

• A governance process
• An information risk management competency
• A data collection and reporting capability

In the past decade, regulations have provided the impetus for organizations to put these elements in place. Regulations specifically call for a risk-based approach. However, these elements are not exclusively for compliance; they address business needs to manage risk and ensure the protection of an organization's information assets.

A governance process establishes oversight, formalizes decision-making and creates organizational lines of approval. Information risk management identifies and measures the risks to information and ensures the security controls implemented keep the risks at an acceptable level to protect and enable the business.42 An acceptable level of risk is determined by an organization's appetite for risk. In the compliance context, an acceptable level of risk must ensure all regulatory requirements are met and the controls put in place can be defended as commercially reasonable and appropriate. As a fundamental, the expectation of most regulations is that organizations implement reasonable and appropriate measures to protect information. Except for the most prescriptive, most regulations do not specify controls. A risk-based approach is the basis for determining what is adequate.

A data collection and reporting capability is required to demonstrate compliance with internal information security policies as well as external regulations and standards. For most large global enterprises, this is ultimately where the burden of compliance is found; it is not in putting controls in place. At present, most large global enterprises have already put controls in place. The issue is constantly testing and providing evidence of the controls across the whole organization.

Often it is the interpretation of on-site auditors that determines whether an organization is compliant or not, but an effective compliance program is not audit-driven. Decisions regarding the implementation of security controls should be focused on risk management, not audits. This requires organizations to engage with the auditors, explaining the controls so that he/she can make the link between

Security practitioners must link the compliance program to the strategy of the organization. Doing compliance for compliance's sake is just using up your resources. Ensure that whatever you're doing for compliance actually derives value for your organization and is not just something which pleases a regulator.
Vishal Salvi, Chief Information Security Officer and Senior Vice President, HDFC Bank Limited

As you move up the maturity curve, integrating compliance to become part of business processes is towards the top. The ability to measure it, track it, and report on it outside the context of security alone and making it part of board-level reporting is another obvious sign of maturity.
Roland Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.


regulatory requirements and the organization's risk decisions. Auditors should not dictate what to do, but validate that expectations are being met. As an organization's program matures, auditors will expect continuous improvement.

Holding meetings between IT audit and the security team can help frame discussions with auditors, including: what is the measurement of control effectiveness, what is the residual risk and what is the level of risk the business has accepted? Such meetings with IT audit can also help the audit focus on examining the most critical controls and adopt risk-based scoping. Auditors are important allies; working collaboratively with security ensures compliance gets traction inside the business.

In general, effective compliance programs require the right caliber of personnel: for example, security professionals who understand the core of legal requirements and the business/risk environment, and lawyers who are able to understand and articulate technical security risk. You need people who are comfortable with such a diverse domain.

Compliance also requires agile and adaptive personnel as new regulations come up and new issues emerge. One approach is ensuring the security team builds risk skills into career development and supports certification in risk disciplines. This helps build the team's know-how to re-engineer processes and threat models to the changing environment.

Successfully building a risk-based compliance program requires executive management that is willing to make the necessary investments in people, process and technology. It also requires a commitment to achieving a higher level of maturity and under-

TABLE 9: COMPLIANCE PROGRAM STAGES OF MATURITY

First stages
• Focus is on building awareness
• Investing in developing competencies, processes, and security controls
• Piecemeal approach to each regulation and standard
• Compliance is viewed as a project and is assessment-oriented
• Audit-driven and reactive: preparing for and responding to audits
• Ad-hoc checklist processes
• Informal management by risk silos, including information security

More mature stages
• Focus is on building ownership across the business
• Streamlining processes and controls, looking for ways to create efficiencies
• Framework approach to multiple regulations
• Risk management-driven and proactive: evaluate risks and determine level of controls based on risk appetite
• Compliance is viewed as a process and is reporting-oriented
• Formalized processes
• Implementing automation of data collection and reporting for select categories of controls
• Governance by a cross-functional information risk/compliance council
• Vendor/partner assurance program

Advanced stages (adds to more mature stages)
• Focus is on building personal responsibility with all stakeholders across the enterprise
• Integrating compliance with business processes
• Implementing automation of compliance processes system-wide
• Achieving continuous-control monitoring
• Integrating with Enterprise Risk Management and Compliance programs


    di f e cllee ee e. El , e mifc i cei wee fe eed pec ifmid w pec i. Oe ime

    e fc ele ei ebie d elde e weip f cmplice.A e ep i mi fm i-fml meme f cmpli-ce iled ciiie fml meme b c-fcil em picll eepie i cmplice cmmiee.

    Ifmi peci eli e l mll be f eepie l eleime. eide eli ei ifmipeci, izi m dee qli

    dd, lb le, fe cde d eime-l leili, ec. T eeciel li wi bi-e e, cmplice pm ddeeifmi peci eli m ieewi e ece, i meme d epie e p i plce dde ll eli.A eecie eepie pm pide eee ie ci fm idiidl bie pce we e bd f diec wi ll f e mli-fc-eed ifmi eeded me i decii. Aeecie eepie pm pide eee i eci fm idiidl bie pce we e bd f diec wi ll f e mli-fceed

    ifmi eeded me i decii.

    2 | Establish an enterprise control framework

    Most organatons toDay aC MutPeli edi ifmi peci. I iiecie d ible me cmpliceb miii epe li f eqieme fee eli. Ied, deelp e ell li fifmi eci cl ie ll f ei eli d ddee bie eqie-me. Te ed el ld be mc me

    li b eepie cl fmew, ecmpe e izi mdel f ec-i cl. I i picll mi wi clmpped e i eli d bieeed c peci f iellecl ppe. I ceed eci eime, i m iclde l ifmi eci cl b l cleled picl eci, pdc qli, dieece d bie cii, ec.

    A e ie leel, e fmew e bd cl c Aeici, wi b-cl pidi me deil c Keep -eici mecim eecie. I m l e

    pcice c , wdld be ced eliel.

    As a basis for developing a customized control framework, most organizations start with:

    • Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association (ISACA);
    • ISO 27001/2 Information Security Management Systems and Code of Practice Standards from the International Standards Organization; and
    • The Standard of Good Practice for Information Security from the Information Security Forum (ISF).

    Developing a control framework creates a concise set of controls that the entire enterprise can be measured against. It is a cross-organizational, cross-functional effort that is driven by the information security team with oversight by the enterprise risk compliance committee. Once an initial framework is established, this committee keeps track of changes to regulatory and business requirements and determines necessary modifications to the control framework.

    Using this method, many large enterprises are able to track pending legislation and upcoming requirements and have them implemented ahead of regulatory mandates, achieving compliance pre-regulation. The most mature compliance programs require only minor modifications to their existing controls when new laws come about because they have already implemented the relevant security measures based on their risk analysis and business requirements.

    3 | Set/adjust your threshold for controls

    IN A RISK-BASED COMPLIANCE PROGRAM, CONTROLS are applied to a particular class of information asset based on an assessment of risk. Different classes of risk might include internal information, confidential data, customer records. How does an organization determine what level of security control is appropriate for a particular level of risk? For example, what is the right level of authentication when a call center employee is accessing customer records on the local network? Or a contractor is accessing corporate data from his home? Or a service provider is accessing credit card data over the Virtual Private Network? Is the right level a password? A smart card? A biometric? What is the right level of encryption to apply? Encrypt all data transmissions?

    RECOMMENDATIONS

    1. Embrace risk-based compliance
    2. Establish an enterprise controls framework
    3. Set/adjust your threshold for controls
    4. Streamline and automate compliance processes
    5. Fortify third-party risk management
    6. Unify the compliance and business agendas
    7. Educate and influence regulators and standards bodies


    Using 128-bit encryption? Should it be higher for some transmissions?

    Determining the right level of security controls to meet compliance requirements and business objectives is complex. Where does an organization set its threshold? Ultimately it is a judgment call considering security and legal risk. A critical aspect of these decisions is what would be deemed commercially reasonable and appropriate. The enterprise must ask itself what is the current industry standard. In other words, is there a prevailing standard of practice in the industry? Of course organizations can be expected to implement such a level of security controls as are at least commensurate with their industry.

    Te id dd i i be c-eiel lid i ml lced web

    ie. Seci ce d ifmi i mewill eed e ee f e peili ddb ewi wi pee fm e cmpie d w eee ele i di, well b dedi e ele ed. Oe ime epeci ie, e eld will eed be ee.Geell i ee id e belie f ecicl will liel cie p. Te eldi ped p bece f dce i ecl,impeme i e pcice f eci, ecl-i e d iceed d i wi id-pie.

    I me idici c Idi, cmpie

    e bee ie me pecic dieci ediw deemie e id dd. Te ITAmedme Ac, wic cme i eec i 200,cll f izi e eble ecipcice d pcede pec ifmi, d

    pecicll mei i wld be pecibed icli wi e cceed pfeil bdie cii, c e fedei f IdiId d e Seci cil f Idi.

    e e ceqece f eepi p wie id dd? A di m d c-l e cie, eli i e b el- cei dipe wi bie pe. Neepi p wi id dd l p eizi ee i f d bec. Sld d bec cc, i lee e izi wi le lell-defeible pii if e cmp iplled i c.

    Organizations need to set their threshold higher than the current regulatory level. Compliance does not equal security and being compliant does not eliminate risk. Doing the bare minimum to meet compliance requirements will be setting a threshold for security controls that is more likely to be behind-the-times.

    When dealing with multiple regulations, the approach is to set the threshold based on the strictest regulation. As long as the jurisdiction with the highest requirements is met, the organization will already be covered. For example, Massachusetts' new encryption requirement calls for 128-bit encryption when personal

    Implementing baseline controls around the systems that process credit card or customer-sensitive information to achieve compliance is not sufficient to achieve security. It's necessary but not sufficient. Compliance is typically a subset of the necessary controls. Legislation lags the state of technology and threats because the institutional and bureaucratic operations that codify the standards take so much time.

    Bill Boni, Corporate Information Security Officer, VP Enterprise Information Security, T-Mobile USA


    information regarding state residents is transmitted. Organizations are implementing these types of encryption controls not only for data pertaining to state residents, but also for residents of other states. Some organizations are setting their threshold globally. Other organizations make the same encryption controls available globally but leave it to be used at the discretion of business units. Where they set the organization's threshold depends on their risk assessment and business objectives.

    4 | Streamline and automate compliance processes

    ORGANIZATIONS ARE INCREASINGLY CALLED UPON to prove compliance to regulators, internal and external auditors as well as customers and business partners. How do organizations prove compliance? Essentially by showing that information security controls exist and that they are effective. This involves:

    • Documenting the compliance program, including policies and processes;
    • Assessing, measuring and testing the security controls;
    • Collecting all of the data on the controls; and
    • Generating reports on the controls with respect to the requirements of regulations and standards and in the context of the organization's risk decisions.

    Filling out self-assessment questionnaires is a common way to demonstrate compliance. Assisting the auditors who come on site to read documentation; actually look inside applications and networks; and possibly test the controls. Whatever the method, for most organizations today, even those with relatively mature compliance programs, it is a tedious, time-consuming and labor-intensive undertaking to document, collect the data and create the reports.

    And as continuous changes in the compliance landscape have made compliance more complex, organizations are being hit with a number of requests to prove compliance. Typically as compliance programs mature, organizations aim for creating efficiencies, streamlining processes and using more automated

    To provide evidence of compliance for all of the regulations, it's the same data pool. It's the same information about your controls; you just have to produce different reports for different regulators. It makes sense to combine your efforts for compliance, security and risk. Not only is that approach more efficient, the outputs will also be of higher quality due to cross pollination.

    Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN AMRO


    methods. At present most organizations still rely on manual methods. Using more automated methods can help to reduce costs, but also increase consistency in reporting.

    Automation involves multiple steps. It often begins by replacing disparate spreadsheets and the like used by various groups with a central management system. A central repository is created for:

    • Policies
    • Regulatory requirements
    • Enterprise control framework
    • Control testing processes
    • Inventory of assets with classification, mapped to organizational structure (i.e. asset owners, business process owners), possibly including third-party systems
    • Risk assessments
    • Self-assessment questionnaires
    • Audit results and remediation plans

    Te e e i ddi w w eie de-elp d mii e ce; icldi ppld ecli. Te becie i e ieediew f ll i ifmi c l dme ece, i meme dcmplice pm i liic w.

    This approach requires investment in initial data entry and quality. Staff members who are required to input information into the system should understand what is required for data quality. Careful planning is also necessary to keep the maintenance load to a minimum. Developing and deploying a technology solution will also take time and if it is to be successful, organizations need to look at all of the steps and processes involved in obtaining compliance data and develop a plan to streamline them. Understand what can be automated and what will still require manual intervention.

    One of the visions of the industry is automated data collection and report generation. The goal is to answer questions via automatic system queries to the applications where normally a person would input the information. For example, consider the question "Have access rights of terminated employees been removed from the systems?" In this case, a list of terminated employees would be checked against a database of access rights and a report automatically generated.
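    The terminated-employee check described above, scripted as an added example (not code from the report or from RSA): two constructed exports, an HR list and an application access list, are reconciled and an exception report is produced. The column layouts, the two-day deprovisioning grace period, and the severity names are assumptions.

```python
"""Automated evidence for one compliance question used as the report's example:
'Have access rights of terminated employees been removed from the systems?'

Added example, not code from the SBIC report. The HR and access exports are
constructed inline; column layout and the grace period are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR export: one row per person, termination_date empty while active.
HR_CSV = """employee_id,name,status,termination_date
E100,Alice Example,active,
E101,Bob Example,terminated,2010-09-01
E102,Carol Example,terminated,2010-10-20
E103,Dan Example,terminated,2010-10-28
"""

# Constructed access-rights export: one row per account per system.
ACCESS_CSV = """account,employee_id,system,enabled,last_login
alice,E100,billing,true,2010-10-29
bob,E101,billing,true,2010-10-15
bob,E101,vpn,false,2010-08-30
carol,E102,crm,true,
svc_batch,,billing,true,2010-10-29
dan,E103,crm,true,2010-10-27
"""


@dataclass(frozen=True)
class Finding:
    severity: str      # VIOLATION, ORPHAN or PENDING (assumed names)
    account: str
    system: str
    employee_id: str
    detail: str


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def reconcile(hr_csv, access_csv, as_of, grace_days=2):
    """Check every enabled account against the HR record of its owner.

    VIOLATION: owner terminated and the deadline (termination + grace) has passed.
    PENDING:   owner terminated but still inside the grace period (tracked, not failed).
    ORPHAN:    no HR record owns the account, so the control cannot be evaluated.
    """
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(access_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts carry no access rights; nothing to report
        owner = hr.get(acct["employee_id"])
        if owner is None:
            findings.append(Finding("ORPHAN", acct["account"], acct["system"],
                                    acct["employee_id"], "no HR record owns this enabled account"))
            continue
        if owner["status"] != "terminated":
            continue
        terminated = _parse_date(owner["termination_date"])
        deadline = terminated + timedelta(days=grace_days)
        last_login = _parse_date(acct["last_login"])
        used_after = last_login is not None and last_login > terminated
        if as_of > deadline:
            detail = "terminated %s, still enabled %d days later" % (terminated, (as_of - terminated).days)
            if used_after:  # evidence the stale right was actually exercised
                detail += "; account used after termination (last login %s)" % last_login
            findings.append(Finding("VIOLATION", acct["account"], acct["system"], owner["employee_id"], detail))
        else:
            findings.append(Finding("PENDING", acct["account"], acct["system"], owner["employee_id"],
                                    "deprovisioning due by %s" % deadline))
    return findings


def summarize(findings):
    """Count findings per severity: the metric a compliance dashboard would show."""
    counts = {"VIOLATION": 0, "ORPHAN": 0, "PENDING": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def render_report(findings):
    """Plain-text exception report, worst severity first, in a stable order for diffing."""
    order = {"VIOLATION": 0, "ORPHAN": 1, "PENDING": 2}
    fmt = "%-9s %-10s %-8s %-5s %s"
    lines = [fmt % ("SEVERITY", "ACCOUNT", "SYSTEM", "EMP", "DETAIL")]
    for f in sorted(findings, key=lambda f: (order[f.severity], f.system, f.account)):
        lines.append(fmt % (f.severity, f.account, f.system, f.employee_id or "-", f.detail))
    return "\n".join(lines)


def run_example(as_of_iso="2010-10-29", grace_days=2):
    """Reconcile the constructed exports as of the given ISO date."""
    return reconcile(HR_CSV, ACCESS_CSV, date.fromisoformat(as_of_iso), grace_days)


if __name__ == "__main__":
    found = run_example()
    print(render_report(found))
    print(summarize(found))
```

    Re-running with a later as-of date shows how a PENDING account turns into a VIOLATION once the grace period lapses, which is the kind of trend a continuous-monitoring dashboard would track.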

    Achieving a level of automation whereby all the necessary data is gathered via system queries to produce specific metrics that demonstrate compliance is a mining and integration, correlation and business intelligence problem. Ultimately the objective is continuous controls compliance: automatic monitoring of the effectiveness of controls and visibility into compliance exceptions. It is a multi-year project for this kind of automation of controls validation, and the majority of organizations have not achieved a high level yet. In a recent survey, only 36 percent of organizations had deployed solutions for continuous monitoring of security controls.43 Moving forward with automation, with the appropriate investment, will help reduce costs and improve compliance performance over the course of the long term.

    The approach to automation depends on the organization's needs. Some opt to build their own custom-designed solution while others use an off-the-shelf Enterprise Governance, Risk and Compliance (eGRC) platform. This platform integrates with enterprise applications and infrastructure, consolidating all of the information necessary to manage risk and compliance. For most organizations, the objective of an eGRC deployment is to have a basis for managing risk and compliance related to information protection. An eGRC platform can help integrate information from all of the risk areas and related domains to provide a complete picture of risk and compliance across the entire enterprise.

    By providing CISO dashboards and consistent reports to business units in terms of security, eGRC platforms can deliver the kind of visibility into compliance that is needed for the business to take ownership. Ideally, implementing eGRC technology can help provide a common methodology, process and language for all compliance stakeholders.

    One of the challenges of automated data collection will be interoperability across different applications and platforms. This data feeds in from a number of systems and types of systems in all data formats. All the data formats from all of the systems feeding it have to be readable by the eGRC platform and consumed and presented in a useful form. Open standards might help solve some of these issues.

    Implementing an eGRC platform, either a custom-built or off-the-shelf solution, will need to be done in multiple steps. Given the number of systems that need to feed into an eGRC platform, it is typically not feasible to integrate every individual data source. Standard middleware is often required which allows feeds from a whole variety of systems like security management, configuration management, privilege management and access control systems, etc.

    For a single information asset, there may be 20 controls; organizations can begin by monitoring a few of them and then add more over time. Another approach is to look at the common set of requirements across all regulations and business needs, such as identity and access management. Implement automation for that set of requirements and go from there.

    Today there is still no plug-and-play eGRC technology; solutions must be customized and tailored to an organization's business processes. However, commercial solutions are available that provide out-of-the-box policies and workflows mapped to specific regulations that organizations can use from the start. Over time eGRC technology will continue to evolve, possibly making integration easier and reducing complexity. One area where the technology may evolve is vertical industry-based solutions which build in functionality for the specific business processes of a particular sector. Another is appliances which cover multiple functions in one device such as appliances for unified threat management. It should be noted that however the technology evolves, compliance will never be completely automated simply because people will always be involved at some level of decision-making.

    5 | Fortify third-party risk management

    WITH REGULATIONS AROUND THE WORLD EXTENDING responsibility for the security of data to the entities that control it, organizations need to develop a solid third-party strategy for mitigating risk in the extended enterprise. A common approach has been to develop boilerplate security requirements for service provider contracts and leave it at that. Given the increased risk, enterprises can no longer rely on legal agreements and contracts and must be more active in verifying their partners' capabilities to uphold the required standards.

    A comprehensive third-party strategy would include the following components:

    Diversification

    • Using multiple service providers to handle different aspects of a business process
    • Not giving all the data to one service provider or process

    YOU NEED a whole process set up for evaluating vendors. In every organization, business units are contracting out data processing to service providers all of the time. So it's very hard to keep track of it all. You have to work with your purchasing department and put a system in place to ensure that you know which vendors are getting customer information.

    Dave Cullinane, Chief Information Security Officer and Vice President, eBay

    Due Diligence

    • Taking potential partners through an extensive review, with on-site audits and a long list of questions regarding security policy, architecture and controls
    • Possibly having the on-site audit done by an expert third-party assessor
    • Possibly requiring certifications like ISO 27001/2 or SAS 70

    Thorough contractual agreement

    • Detailed requirements for meeting regulatory compliance and security standards with respect to security controls
    • Reporting requirements
    • Contract containing a right-to-audit clause
    • Clear indemnification liabilities if there is a data breach

    D ec ici eqieme d pceD Icide meme pcede

    Consequence management

    • Extending disciplinary processes to the partner organization

    Governance including regular reviews and surprise audits

    • Service providers should be regularly audited; how often and how deep into the infrastructure the customer's examination will go should be discussed during contract negotiations

    Si ifmi eci wi biepe i pm ccefl eliip.O e e d, eice pide e elc eel deiled ifmi b ei eci pli-cie d pcede bece i ifmi m bemied. O e e d, d we c el impecie decipi f eci mee fmeice pide. Aciei pppie blcei ccil.

    I i imp f eepie i b pii d we d/ eice pide d ef-fecie w ee ei ccl eli-ip if e eqied eli. F mi

    eice pide, izi ld cidecei cmmi f pciie, wi lf cei cie pcice c e wleeeded eepie. F pefmi eme, leie i e eei f epble idepededi lze eice pide eci pcic-e. A e mbe f eice pide cie climb f m eepie, cei pi i iel em d ll f e eqied emem le be ible.

    A cllee fced b m izi i eice pide e e cced ide f edd pci pce f emple bi-


    e i ed emplee d HR c-i cmp wi i e ddpce. i e epded el eqiemef eice pide, eci ce will w ee dded wei f cmplice elp cee me

    wee d ei cpbili f e em wee peil ced wippe ifmi eci eme. Ti mlimel edce i.

    Managing cloud service providers

    Adpi f cld eice be, lbei iiillpimil f -eled d pcei. Hw-ee, cld cmpi e cie bied peil ppii f cmpie pcele lme f d, icldi eled d. cmpie e imi e cld eiceee f d bec cmplice blii.

    A ew membe f e pfli f id-ppide, izi eed p cld pide e me i de diliece d di-i eie decibed be. I ddii, e willeed decc e ciece d wepible f d, miece, cce, piileede, ec. deemie w m le wic cdc de diliece.

    On their end, cloud providers will need to establish processes and controls to ensure legal data protection and compliance. Ideally they need a certification process so that users have confidence in what is in place. The Trusted Cloud Initiative within the Cloud Security Alliance is creating a reference architecture to enable cloud vendors to understand the state of their controls, similar to a SAS 70 type of certification for cloud service providers.

    Other initiatives are aimed at solving the cloud assurance problem. A6, which stands for Automated Audit, Assertion, Assessment, and Assurance API, also known as CloudAudit, is led by Cisco. The Common Assurance Maturity Model (CAMM) is a 24-member consortium of mostly vendors which also includes the European Network and Information Security Agency (ENISA). The Federal Risk and Authorization Management Program (FedRAMP) is being coordinated by NIST. It is intended to provide joint authorizations and continuous security monitoring of shared IT services for federal departments and agencies that contract with outside providers. 44

    The lack of assurance on how to assess IT service providers has been a problem for at least a decade. The cloud may force the whole industry to solve this problem. As more and more companies make common use of cloud service providers, vendor accreditation will be a big requirement.

    Tee e ieei pibiliie f ppci cmpli cld. Oe pible mdel, bed me ccepce, will ee cld pide pc-iel ie i e bili le lme fd wi pecic cl d ce mee picl eli. Ti mdel i led eme-i, wi cld c e ece idci fGle FISA cmpli cld f e fedel -eme.45 Oe c cld, lie HIAA cld,

    ec, m fllw.Ae deelpi mdel i bid

    mli-ze eime, i wic eiie dwill eide wii e cme picl pemie de ccl cl i ed epedcee, wile -ciicl d will eide weeee i e lwe-c cpci. Ae e m izi e i i i piecld mdel wic ie cl e wee e dwill el wii e eepie dcee.

    Security organizations need to work closely with their cloud providers and adopt a cloud model that matches the organization's risk profile. They need to incorporate cloud providers in their third-party management strategy to minimize the risk of the extended enterprise.

    6 | Unify the compliance and business agendas

    IN THE PAST, COMPLIANCE WAS OFTEN SEEN AS the security and compliance teams' responsibility and was treated as an isolated function. Now a fundamental shift is taking place in most organizations. Compliance is increasingly recognized as an essential component of doing business.

    e d me, cmplice em e bei i-ied e ble e f pec. mplice

    We need an open-standards way for cloud computing providers to measure their controls. The idea is for the providers to measure how well they are complying against certain requirements and then display the results publicly on their websites. This could eventually reduce the need to measure those particular controls.

    Petri Kuivala, Chief Information Security Officer, Nokia


    i me e ieed i bie iipcee el , f emple we bie be-i &A de diliece. ie pce wee ecizi cmplice ld be del wii e me w e bie i; p f d e 11 , i de ee ppe e-me, pli d fdi.

    Organizationally, having a compliance function within each business unit is crucial to linking compliance to the business. The responsibility for compliance should not rest solely within the information security and compliance departments; it should be shared with the business-line and division managers. In this way there is a check and balance structure, where the corporate compliance group establishes the standards, while the business units, which have P&L responsibility, implement the standards. This way trade-offs can be made between the business needs and the enterprise's legal risk.

    A central feature of relatively mature compliance programs is a corporate risk compliance committee made up of the Head of Compliance, the General Counsel, Chief Security Officer or Risk Officer, Chief Auditor, and the Controller's Office. This group often reports to the Head of Finance or the Chief Administrative Officer. This committee manages risk and compliance issues across the enterprise in the context of business objectives.

    eide e i izil ce, embed cmplice i e bie l eedeee i e eepie ee leel fm e-

    ecie membe d cc fllded ei le i cmplice. Te clleei e pic f cmplice i e; ee e m eli d i cmple ldcpe. Ii feible e eee ed d dedll e lw. Fid w ee peple w f-cie m. Te fc cei pcee fem fllw e cmplice bil-i. mpli-ce ld be p b-pdc f peple fllw-i pcede, ci i pfeil me ddi ei b ppel. F emple, HR m-

    e ld ded e imp lei cmplice b ccieil eepi e HRdbe p de.

    Although compliance creates challenges, many organizations have found it can also provide benefits. The goal of compliance initiatives is improved information practices; but the end result can actually deliver improved IT operations and business processes. For example, without the rise of regulations, many organizations would not have adopted better systems for identity and access management or patch management. Now organizations can reap the benefits of effective on-boarding and off-boarding of employees and contractors, and more reliable IT systems.

    7 | Educate and influence regulators and standards bodies

    t s WDy rCognD that athough rgul f e m p e bei iei e deelp d e e e le, e dded e el wld eime d ecmplei f implemei. Ae decde fepeiece cmpli wi ifmi pecieli, izi e wel f wl-

    ede f w w d w i eecie. I iciicl eci lede e p f e ce-i wle f ew leili ediidei e, pic d ciicl ifce ieei e cee (s taB ).

    Security and business leaders need to develop credible ways to educate legislators and constructively affect regulation. Internally they need to work closely with the Government Affairs function and coordinate their efforts with them. Externally they need to participate in groups like TechAmerica's information security council, which gives companies the opportunity to provide input into legislation.

    COMPLIANCE REQUIRES an organization to establish a cultural change. People themselves should be able to distinguish compliant behavior and incompliant behavior. Compliance will always be there. There will always be regulation. It's not an incident that you can just react to and then it's gone. Compliance should be considered part of doing business-as-usual.

    Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN Amro

    TABLE : EXAMPLES OF CURRENT LEGISLATIVE INITIATIVES

    • National Strategy for Trusted Identities in Cyberspace 2010
    • Cybersecurity Act of 2010
    • Data Security and Breach Notification Act of 2010
    • Protecting Cyberspace as a National Asset Act of 2010
    • 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act
    • 2010 European Union Reference Network for Critical Infrastructure Protection (ERN-CIP)
    • 2010 European Union Digital Single Market Initiative
    • 2010 European Union Solvency II Directive


    Get it right and reap the rewards

    5 Conclusion

    A successful compliance program in a large global enterprise today takes a holistic approach to meeting the requirements of multiple regulations. A successful program embeds compliance in business processes. It uses automation as much as possible; and has the risk management competency to make defensible decisions about materiality of risk. Leveraging continuous compliance monitoring technologies will allow organizations to reduce the amount they spend demonstrating compliance. This will enable organizations to reduce their overall security investment and/or focus it on more value-added information security services.

    Compliance does not have to be a hindrance to business innovation. If it is done right, it won't be a drag on resources. If organizations focus compliance efforts on building core risk management strength, compliance can actually enable innovation. The key is to have a risk-based compliance program that puts fewer resources towards non-productive compliance activities and leaves more for an organization to invest in business innovation.

    ON BALANCE I don't think compliance hinders innovation. Compliance just changes the game a bit. It offers an opportunity to innovate in a new more compliant space. It offers new challenges to do what we do more securely.

    Denise Wood, Chief Information Security Officer and Corporate Vice President, FedEx Corporation

    IN A WAY, because regulations mandate organizations to mitigate risks, regulators are actually providing opportunities for innovation. When you build core strength in risk management, it enables you to, for example, be first movers in an industry with a new business line. You're already prepared to manage any new risks.

    Felix Mohan, Senior Vice President, CISO & Chief Architect, Bharti Airtel Ltd.


    About the Security for Business Innovation Initiative

    6 Appendices

    BUSINESS INNOVATION has reached the top of the agenda at most enterprises, as the C-suite strives to harness the power of globalization and technology to create new value and efficiencies. Yet there is still a missing link. Though business innovation is powered by information, protecting information is typically not considered strategic; even as enterprises face mounting regulatory pressures and escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or even not addressed at all. But without the right security strategy, business innovation could easily be stifled or put the organization at great risk.

    At RSA, we believe that if security teams are true partners in the business innovation process, they can help their organizations achieve unprecedented results. The time is ripe for a new approach; security must graduate from a technical specialty to a business strategy. While most security teams have recognized the need to better align security with business, many still struggle to translate this understanding into concrete plans of action. They know where they need to go, but are unsure how to get there. This is why RSA is working with some of the top security leaders in the world to drive an industry conversation to identify a way forward.

    RSA has convened a group of highly successful security executives from Global 1000 enterprises in a variety of industries which we call the Security for Business Innovation Council. We are conducting a series of in-depth interviews with the Council, publishing their ideas in a series of reports and sponsoring independent research that explores this topic. RSA invites you to join the conversation. Go to www.rsa.com/securityforinnovation/ to view the reports or access the research. Provide comments on the reports and contribute your own ideas. Together we can accelerate this critical industry transformation.

    BUSINESS INNOVATION DEFINED

    Enterprise strategies to enter new markets, launch new products or services, create new business models, establish new channels or partnerships, or transform operations


    Security for Business Innovation Report Series

    Go to www.rsa.com/securityforinnovation

    The Time is Now: Making Information Security Strategic to Business Innovation
    Recommendations from Global Executives

    Mastering the Risk/Reward Equation: Optimizing Information Risk to Maximize Business Innovation Rewards
    Recommendations from Global Executives

    Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy
    Recommendations from Global Executives

    Charting the Path: Enabling the Hyper-Extended Enterprise in the Face of Unprecedented Risk
    Recommendations from Global Executives

    Bridging the CISO-CEO Divide
    Recommendations from Global Executives

    The Rise of User-driven IT: Re-calibrating Information Security for Choice Computing
    Recommendations from Global Executives


    Contributors

    Top information security leaders from Global 1000 enterprises

    ANISH BHIMANI, CISSP, Chief Information Risk Officer, JPMorgan Chase

    ANISH HAS global responsibility for ensuring the security and resiliency of JPMorgan Chase's IT infrastructure and supports the firm's Corporate Risk Management program. Previously, he held senior roles at Booz Allen Hamilton and Global Integrity Corporation and Predictive Systems. Anish was selected Information Security Executive of the Year for  by the Executive Alliance and named to Bank Technology News' Top Innovators of  list. He authored Internet Security for Business and is a graduate of Brown and Carnegie-Mellon Universities.

    BILL BONI, CISM, CPP, CISA, Corporate Information Security Officer, VP Enterprise Information Security, T-Mobile USA

    AN INFORMATION protection specialist for  years, Bill joined T-Mobile in . Previously he was Corporate Security Officer of Motorola Asset Protection Services. Throughout his career Bill has helped organizations design and implement cost-effective programs to protect both tangible and intangible assets. He pioneered the application of computer forensics and intrusion detection to deal with incidents directed against electronic business systems. Bill was awarded CSO Magazine's Compass Award and Information Security Executive of the Year Central in 7.

    ROLAND CLOUTIER, Vice President, Chief Security Officer, Automatic Data Processing, Inc.

    ROLAND HAS functional and operational responsibility for ADP's information, risk and crisis management; and investigative security operations worldwide. Previously, he was CSO at EMC and held executive positions with consulting and managed services firms. He has significant experience in government and law enforcement, having served in the U.S. Air Force during the Gulf War and later in federal law enforcement agencies. Roland is a member of High Tech Crime Investigations Association, State Department Partnership for Critical Infrastructure Security and Infragard.

    DAVE CULLINANE, Chief Information Security Officer and Vice President, eBay

    DAVE HAS more than  years of security experience. Prior to joining eBay, Dave was the CISO for Washington Mutual and held leadership positions in security at nCipher, Sun Life and Digital Equipment Corporation. Dave is involved with many industry associations including as current Past International President of ISSA. He has numerous awards including SC Magazine's Global Award as CSO of the Year for  and CSO Magazine's  Compass Award as a Visionary Leader of the Security Profession.

    DAVE MARTIN, CISSP, Chief Security Officer, EMC

    DAVE IS responsible for managing EMC's industry-leading Global Security Organization (GSO) focused on protecting the company's multibillion dollar assets and revenue. Previously, he led EMC's Office of Information Security, responsible for protecting the global digital enterprise. Prior to joining EMC in , Dave built and led security consulting organizations focused on critical infrastructure, technology, banking and healthcare verticals. He holds a B.S. in Manufacturing Systems Engineering from the University of Hertfordshire in the U.K.

    DR. CLAUDIA NATANSON, Chief Information Security Officer, Diageo

    CLAUDIA SETS the strategy, policy and processes for information security across Diageo's global and divergent markets. Previously, she was Head of Secure Business Service at British Telecom, where she founded the UK's first commercial globally accredited Computer Emergency Response Team. Claudia is Chair of the Corporate Executive Programme of the World Forum of Incident Response and Security Teams. She holds an MSc. in Computer Science and a Ph.D. in Computers and Education.

    PETRI KUIVALA, Chief Information Security Officer, Nokia

    PETRI HAS been CISO at Nokia since . Previously he led Corporate Security operations globally and prior to that in China. Since joining Nokia in , he has also worked for Nokia's IT Application Development organization and on the Nokia Siemens Networks merger project. Before Nokia, Petri worked with the Helsinki Police department beginning in  and was a founding member of the Helsinki Criminal Police IT-investigation department. He holds a degree in Masters of Law.

    FELIX MOHAN, Senior Vice President, CISO & Chief Architect, Bharti Airtel

    AT AIRTEL, Felix ensures information security and IT aligns with changes to the risk environment and business needs. Previously he was CEO at a security consulting firm, an advisor with a Big- consulting firm, and head of IT and security in the Indian Navy. He was a member of India's National Task Force on Information Security, Co-chair of the Indo-US Cybersecurity Forum, and awarded the Vishisht Seva Medal by the President of India for innovative work in Information Security.


    PROFESSOR PAUL DOREY, Founder and Director, CSO Confidential; Former Chief Information Security Officer, BP

    PAUL IS engaged in consultancy, training and research to help vendors, end-user companies and governments in developing their security strategies. Before founding CSO Confidential, Paul was responsible for IT Security and Information and Records Management at BP. Previously, he ran security and risk management at Morgan Grenfell and Barclays Bank. Paul was a founder of the Jericho Forum, is Chairman of the Institute of Information Security Professionals and a Visiting Professor at Royal Holloway College, University of London.

    RENEE GUTTMANN, Vice President, Information Security & Privacy Officer, Time Warner

    RENEE IS responsible for establishing an information risk management program that advances Time Warner's business strategies for data protection. She has been an information security practitioner since . Previously, she led the Information Security Team at Time Inc., was a security analyst for Gartner and worked in information security at Capital One and Glaxo Wellcome. Renee received the  Compass Award from CSO Magazine and in 7 was named a Woman of Influence by the Executive Women's Forum.

    DAVID KENT, Vice President, Global Risk and Business Resources, Genzyme

    DAVID IS responsible for the design and management of Genzyme's business-aligned global security program, which provides Physical, Information, IT and Product Security along with Business Continuity and Crisis Management. Previously, he was with Bolt Beranek and Newman Inc. David has  years of experience aligning security with business goals. He received CSO Magazine's  Compass Award for visionary leadership in the Security Field. David holds a Master's degree in Management and a Bachelor of Science in Criminal Justice.

    VISHAL SALVI, CISM, Chief Information Security Officer and Senior Vice President, HDFC Bank

    VISHAL IS responsible for driving the Information Security strategy and its implementation across HDFC Bank and its subsidiaries. Prior to HDFC he headed Global Operational Information Security for Standard Chartered Bank (SCB) where he also worked in IT Service Delivery, Governance & Risk Management. Previously, Vishal worked at Crompton Greaves, Development Credit Bank and Global Trust Bank. He holds a Bachelor's of Engineering degree in Computers and a Master's in Business Administration in Finance from NMIMS University.

    CRAIG SHUMARD, Chief Information Security Officer, CIGNA

    CRAIG IS responsible for corporatewide information protection at CIGNA. He received the  Information Security Executive of the Year Tri-State Award and under his leadership CIGNA was ranked first in IT Security in the  InformationWeek . A recognized thought leader, he has been featured in The Wall Street Journal and InformationWeek. Previously, Craig held many positions at CIGNA including Assistant VP of International Systems and Year  Audit Director. He is a graduate of Bethany College.

    DENISE WOOD, Chief Information Security Officer and Corporate Vice President, FedEx

    DENISE IS responsible for security and business continuity strategies, processes and technologies that secure FedEx as a trusted business partner. Since joining in  she has held several Information Technology officer positions supporting key corporate initiatives, including development of fedex.com; and was the first Chief Information Officer for FedEx Asia Pacific in . Prior to FedEx, Denise worked for Bell South, AT&T and U.S. West. Denise was a recipient of Computerworld's Premier  IT Leaders for 7 award.

    GUEST CONTRIBUTOR

    STEWART ROOM, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP

    WITH 19 years' experience as a litigator and advocate, Stewart is a recognized expert in data protection; ranked at the forefront of this field by the legal directories Chambers UK and Legal . He is also President of the National Association of Data Protection Officers and a Director of Cyber Security Challenge UK. Stewart was Financial Times Legal Innovator of the Year  and is the author of several books including his latest Data Security Law and Practice.

    DR. MARTIJN DEKKER, Senior Vice President, Chief Information Security Officer, ABN AMRO

    MARTIJN WAS appointed Chief Information Security Officer of ABN Amro in early . Previously he held several positions in information security and IT including Head of Information Security and Head of Technology Risk Management in the Netherlands. Other positions included IT Architect, Program/Portfolio Manager, and IT Outsourcing/Offshoring Specialist. Martijn joined ABN Amro in 7 after completing his Ph.D. in Mathematics at the University of Amsterdam and a Master's of Mathematics at the University of Utrecht.



RSA invites you to join the conversation. Go to www.rsa.com/securityforinnovation

Quotable Highlights from the ongoing conversation

Bill Boni, Corporate Information Security Officer, VP Enterprise Information Security, T-Mobile USA

WE HAVE a legal and regulatory system that is accustomed to things like physical presence and visible control. For cloud-based solutions, developing equivalent levels of confidence within legal and regulatory bodies is going to be challenging. The providers of new cloud solutions have to embrace the level of rigor required by regulation and need to better understand what auditors are asking them in order to demonstrate compliance.

Dave Cullinane, Chief Information Security Officer and Vice President, eBay

YOU NEED a broad perspective of all of the various legislation in the US and elsewhere. Legislators and people in Congress don't often understand the nuances of things like identity theft. They might pass all sorts of legislation that's actually not going to reduce identity theft but just create a whole bunch of requirements. It's important for security officers to be participating in that conversation and provide insight into draft legislation.

Professor Paul Dorey, Founder and Director, CSO Confidential and Former Chief Information Security Officer, BP

THE FACT that the compliance issues extend along the supply chain means that people are becoming very sensitized to the compliance implications of using third parties. It actually restricts certain third parties from being suppliers, because they can't reach the high compliance threshold required of the end-customer company.

YOU NEED a process that substantiates your decisions to the auditor. You need complete and defensible clarity about the risk decisions you've taken. A good compliance team is therefore able to fully articulate the issues to create a defensible position.

Petri Kuivala, Chief Information Security Officer, Nokia

IF YOU have implemented your security procedures by following, for example, the ISF Standard of Good Practice or some other common methodology, whenever there is a question with regards to whatever new law, you can answer that question based on your current approach.

Dave Martin, Chief Security Officer, EMC Corporation

CONTINUOUS CONTROL monitoring is going to become vital in cloud-based datacenters. It'll be essential for putting regulated data in the cloud. Stuff's going to be moving around. You're going to need the ability to constantly make sure that your regulated data is in the right place with the right controls.

YOU DEVELOP effective controls by working with the business, understanding the details of the process and building in compliance instead of bolting it on. But the process owners have to have a willingness to improve their process to ensure compliance. Make sure they've got some skin in the game.

Felix Mohan, Senior Vice President, CISO & Chief Architect, Bharti Airtel Ltd.

THERE ARE many regulations and internal policies; and these will keep increasing. If you look at them closely, they are all basically addressing a similar set of risks. Put in place a framework based on best practices like ISO 7/ to address the risks and you can map your framework to any new regulation that comes along.

Dr. Claudia Natanson, Chief Information Security Officer, Diageo

AN ORGANIZATION will never, ever achieve compliance unless the I is part of it. So every person in the organization must know the part they must play to be able to achieve true compliance.

Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP

THERE WILL be commercial contracting consequences that flow from you being named, shamed and outed for bad data handling. Organizations might seek tighter indemnities from you or they might refuse to work with you.

Vishal Salvi, Chief Information Security Officer and Senior Vice President, HDFC Bank Limited

REGULATION HAS been a primary driver for the implementation of information risk management and it has made a significant impact. For example if you look at the various sectors that are highly regulated like financial services or telcos their security practices are more mature than those in general industry.

Craig Shumard, Chief Information Security Officer, CIGNA Corporation

THE IMPACT of HITECH is just beginning to be felt. For example outsourcers have really gotten a wake-up call in the last year. They've started to realize the impact the extension of the business associate in HIPAA is going to have on their business.

FROM A business standpoint for example, protecting our customers' identities is important to us. Protecting our business pricing information is important to us. There are a lot of corporate objectives that are also met with the security controls that get put in place to satisfy the regulations.


Successfully building a risk-based compliance program requires that executive management is willing to make the necessary investments in people, process and technology.

IT'S NOT enough to hold people responsible for compliance; you need to make them truly accountable. To do this you need visibility into the controls through real-time monitoring. You need to go from asking people to show you that their systems are compliant at a point in time to proactive alerting of compliance gaps in real time.
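The contrast drawn above between point-in-time attestation and real-time alerting (and Dave Martin's point about constantly confirming that regulated data is in the right place with the right controls) as an added Python example; it is not code from the report or from any council member's organization, and the assets, control names and evidence timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Evidence:
    asset: str          # system holding regulated data
    control: str        # automated check, e.g. "region-residency"
    passed: bool        # result of that check
    observed: datetime  # when the check ran

# Constructed sample stream (not real data): the CRM database passes on the audit day,
# drifts out of its approved region on day 3, is back by day 5; HR files have only old evidence.
T0 = datetime(2010, 7, 1, 9, 0)
DAY7 = T0 + timedelta(days=7)
SAMPLE = [
    Evidence("crm-db", "encryption-at-rest", True, T0),
    Evidence("crm-db", "region-residency", True, T0),
    Evidence("crm-db", "region-residency", False, T0 + timedelta(days=3)),
    Evidence("crm-db", "region-residency", True, T0 + timedelta(days=5)),
    Evidence("hr-files", "encryption-at-rest", True, T0 - timedelta(days=40)),
]

def latest_per_control(evidence, at):
    """Most recent observation of each (asset, control) made at or before `at`."""
    latest = {}
    for e in sorted(evidence, key=lambda e: e.observed):
        if e.observed <= at:
            latest[(e.asset, e.control)] = e
    return latest

def point_in_time_compliant(evidence, at):
    """The audit-day question: does every control pass as of `at`?"""
    return all(e.passed for e in latest_per_control(evidence, at).values())

def continuous_gaps(evidence, now, max_age=timedelta(days=30)):
    """Alert on every failed check up to `now`, and on any control whose latest
    evidence is older than `max_age` (no proof the control still holds)."""
    gaps = [(e.asset, e.control, "failed", e.observed)
            for e in evidence if e.observed <= now and not e.passed]
    for (asset, control), e in latest_per_control(evidence, now).items():
        if now - e.observed > max_age:
            gaps.append((asset, control, "stale evidence", e.observed))
    return sorted(gaps, key=lambda g: g[3])

if __name__ == "__main__":
    # Both audit snapshots say "compliant"; the continuous view raises two alerts.
    print(point_in_time_compliant(SAMPLE, T0), point_in_time_compliant(SAMPLE, DAY7))
    for gap in continuous_gaps(SAMPLE, DAY7):
        print("ALERT", gap)
```

Two snapshots a week apart both report "compliant", while the continuous view surfaces the day-3 residency failure between them and flags the HR share whose last evidence is too old to count.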