Nathan Johns
Senior Audit Manager,
Crowe Chizek
Introductions
Nathan Johns
Executive
Over 15 years of experience in conducting IT audits and examinations
Former FDIC regulator – oversaw the IT Examination program for the FDIC
Certifications include CISA and commissioned bank examiner
Agenda
The Goal
Current Data Privacy Landscape
Data Privacy Roadmap
Develop a Program Charter
Conduct a Risk Assessment
Develop a Data Safeguarding Program
Develop and execute ongoing processes
Questions
The Goal: Prevent Disclosure
Understand Legislation, Regulations, Pending Legislation and Best Practices related to Data Privacy
Assemble a data protection/safeguarding program that is practical, yet effective
Conduct an assessment to understand risks
Identification and Inventory of Data
Systems
Files/Forms
Magnetic Media
Classification of Data
What is and is not Personally Identifiable Information?
Educate staff on privacy and information security
Implement controls that are reasonable
Mitigate reputation, regulatory, litigation, and financial risks
Current Landscape: Numerous
Breaches
TJMaxx – Wireless Network Hacked
Lost 45.7 million consumer credit and debit card numbers to an intrusion believed to be linked to weaknesses in its wireless network.
Expenses estimated at $500 million to $1 billion
Settlement with VISA USA: $40.9 million to fund an alternative recovery payments program
At least 19 lawsuits have been filed, investigations underway by
the FTC and 37 state Attorneys General.
Bank of America – Backup Tape lost
Shipping vendor lost computer data tapes containing personal information on up to 1.2 million federal employees, including some members of the U.S. Senate.
Veterans Administration – Laptop stolen
A laptop containing sensitive data was stolen from a VA employee's home.
For more stories like this go to:
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Current Landscape: Laws for Customer Notification
From Ponemon Institute, 2007 Annual Study: U.S. Cost of a Data Breach
Understanding Financial Impact, Customer Turnover, and Preventative Solutions
Data Privacy Roadmap: The long term plan
When you’re done with your detailed data privacy risk assessment, you will have a large volume of information on the risks your company takes as it relates to data
In order to close the loop…consider the “so what” factor
We can do this by assembling our results in the form of a threat assessment
This step is also required under the Gramm-Leach-Bliley Act.
The basic goal
Identify the types of incidents that could happen
Determine the likelihood of occurrence
Determine the potential damage
Determine the sufficiency of controls to prevent this type of incident
Leverage what you’ve just done to add validity to your threat assessment
You know exactly where, what, why and how data is stored
Complete with a group
Effective as a workshop for your key data protection team
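The four-step threat assessment above (incident types, likelihood, damage, control sufficiency), worked as a small risk register. This is an added example, not part of the presentation; the 1-5 likelihood/damage scales, the 0.0-1.0 control-sufficiency score and the sample incidents (modelled on the breach stories earlier in the deck) are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    """One row of the threat assessment, tied back to the data inventory."""
    name: str
    data_store: str           # where the data lives (from the inventory step)
    likelihood: int           # assumed scale: 1 (rare) to 5 (expected)
    damage: int               # assumed scale: 1 (minor) to 5 (severe)
    control_sufficiency: float  # assumed: 0.0 (no controls) to 1.0 (fully mitigated)

    def inherent_risk(self) -> int:
        # Likelihood x damage before any controls are credited.
        return self.likelihood * self.damage

    def residual_risk(self) -> float:
        # Credit existing controls: only the unmitigated share remains.
        return round(self.inherent_risk() * (1 - self.control_sufficiency), 2)


def rank_threats(incidents):
    """Highest residual risk first, so the workshop works the worst item first."""
    return sorted(incidents, key=lambda i: i.residual_risk(), reverse=True)


def needs_attention(incidents, threshold=10.0):
    """Names of incidents whose residual risk is at or above the threshold."""
    return [i.name for i in incidents if i.residual_risk() >= threshold]


# Constructed sample register (hypothetical values, not from the deck).
SAMPLE_THREATS = [
    Incident("Backup tape lost in transit", "Offsite tape rotation", 3, 5, 0.2),
    Incident("Laptop with customer data stolen", "Employee laptops", 4, 4, 0.75),
    Incident("Wireless network intrusion", "Store POS WLAN", 2, 5, 0.9),
    Incident("Misdirected paper statement", "Mailroom", 4, 2, 0.5),
]

if __name__ == "__main__":
    for inc in rank_threats(SAMPLE_THREATS):
        print(f"{inc.residual_risk():5.1f}  {inc.name} ({inc.data_store})")
    print("Needs attention:", needs_attention(SAMPLE_THREATS))
```

Here the unencrypted offsite tape ranks first even though the laptop theft is more likely, because the laptop controls (e.g. full-disk encryption) are already credited as mostly sufficient.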
A successful data safeguarding program…