
www.iapp.org

Welcome & Introductions
Host: Dave Cohen, CIPP/US, CIPP/E, Knowledge Manager, IAPP
Speakers: Mahmood Sher-Jan, CHPC, CEO & Founder, RadarFirst; Holly Amorosana, CIPP/US, JD, Chief Privacy Officer, Apple Bank

Agenda
- Things to consider before assessing an incident
- Operational phases of the incident response lifecycle
- Incident risk assessment scenarios
- Elements of an effective incident response program
- Benchmarking highlights
- Q&A

Incident response lifecycle
Identify & Investigate: The incident is detected by infosec or reported by an internal or external source. The clock is ticking for the IR team to investigate, involve key stakeholders, and capture the information needed to drive a risk assessment.
Risk Assess & Decide: Using the information gathered, the IR team must accurately determine whether notification to regulators and/or individuals is required based on all applicable regulations in different nations and states.
Breach Notification: If notification is required, the IR team must notify regulators and individuals of the breach in time to meet all regulatory deadlines. The notification must contain the information required in each jurisdiction, and delivery must be tracked and documented.
Reporting & Trend Analysis

Risk Assess & Decide: Things to consider ahead of time
- Who is responsible for the incident risk assessment and notification decision?
- A defined and documented incident assessment process, including ensuring consistency, objectivity and defensibility
- What processes and tools the team uses to operationalize the incident assessment and decision-making process
- How the response team communicates and makes final decisions

Effective Risk Assessment is Essential for Organizational Risk Mitigation
A mature multi-factor risk assessment is the foundation for effective and timely decision-making and for ensuring compliance in a complex and changing regulatory landscape.
Consistent: The same incident scenario with varying and inconsistent notification decisions creates risk and draws attention to a program that is ad hoc and lacking the necessary maturity.
Objective: The notification decision should be objective, based on a documented multi-factor risk assessment that is compliant with applicable regulations.
Timely: Your team needs to arrive at the right notification decision in time to meet compliance deadlines for all applicable regulation.
Defensible: Demonstrating the consistency and objectivity of the incident risk assessment and notification decisions is key to establishing defensibility.

Incident lifecycle time periods

Electronic vs. Paper vs. Verbal/Visual

Let's dive into scenarios!

Scenario #1 - Identify & Investigate
You've just been informed that an employee from an internal business unit mistakenly emailed a file containing customer data to an incorrect person outside the organization. The employee was attempting to email the file to a coworker; however, they made a typo in the email address and ended up sending the file of customer data to some unknown person.

Scenario #1 - Identify & Investigate
Data elements exposed:
- Names
- Mailing address, including city, state and zip
- Phone numbers
- Email address (which also functions as the online username for account access)

Scenario #1 - Risk Assessment
Risk factors:
- Recipient of the data: were they authorized, not authorized, or generally authorized?
- Nature of the incident
- Data protection measures
- Risk mitigation measures
The email was mistakenly sent to a random person outside the organization who is not authorized to see the data.

Scenario #1 - Notification Decision
Would your organization notify the impacted individuals?

Scenario #1 - Your Decision
Guidance message: Does not meet New Jersey's or Connecticut's definition of sensitive customer or personal information. Notification is not expected in either state under the law.

Scenario #1 - But, what if...
What if you looked at the file again and noticed that passwords were also included in the emailed file, just in a hidden field?

Scenario #1 - Identify & Investigate
Data elements exposed:
- Names
- Mailing address, including city, state and zip
- Phone numbers
- Email address (which functions as the online username for account access)
- Password, PIN, or other code for online account access

Scenario #1 - Decide
Does your notification decision change based on the newly discovered information?

Scenario #1 - Decide
Notification is required in the state of New Jersey due to the inclusion of the email address (which can be used as a username) and password data elements, which are defined as personal information.

Scenario #1 - Decide
The data elements still do not meet Connecticut's definition of sensitive customer or personal information. Notification is not expected.

Scenario #2 - Identify & Investigate
At an organization in the Netherlands, a file containing names along with national ID numbers was accidentally shared with an unauthorized processor. We assume we'll receive sufficient mitigation since they are a processor with a regulatory obligation to protect personal data; however, we have requested but not yet received a written assurance from the processor.

Scenario #2 - Identify & Investigate
Data elements exposed:
- Names
- National ID number

Scenario #2 - Risk Assess
Region: European Union

Scenario #2 - Decide
Would your organization notify the impacted individuals?

Scenario #2 - Decide
Notification is required to the Ireland Data Protection Commissioner, but not to the affected individuals.

Scenario #2 - But, what if...
As the investigation continued, the processor became non-responsive and we no longer believe we'll be able to confirm sufficient risk mitigation.

Scenario #2 - Risk Assessment
Region: European Union

Scenario #2 - Decide
Does your notification decision change based on the revised information?

Scenario #2 - Risk Assess
Notification is required to both the Data Protection Commissioner and the affected individuals.
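Both scenarios above run the same multi-factor procedure: enumerate the exposed data elements, record who received them and whether mitigation has been confirmed, then apply each jurisdiction's definition to reach a notification decision. The Python below is an added example, not code from the presentation, from the IAPP or from RadarFirst; it encodes that procedure as a deterministic decision function that also records its rationale, which is what makes the outcome consistent, objective and defensible rather than a judgement call. The element labels, jurisdiction codes and trigger combinations are assumptions chosen only to reproduce the outcomes the slides state for Scenario 1 (New Jersey and Connecticut, before and after the hidden password field) and Scenario 2 (EU, with and without confirmed mitigation); they are not a statement of any statute, and a real engine would carry the full element definitions and deadlines for every jurisdiction.

```python
"""Illustrative multi-factor breach notification decision engine.

Added example; not code from the IAPP/RadarFirst presentation. The rules
below are assumptions that reproduce only the outcomes stated in the two
slide scenarios. They are not a statement of any statute.
"""
from dataclasses import dataclass, field

# Data element labels (assumed names chosen for this example).
NAME = "name"
MAILING_ADDRESS = "mailing_address"
PHONE = "phone"
EMAIL_AS_USERNAME = "email_as_username"      # email that doubles as the account username
PASSWORD = "password_or_access_code"         # password, PIN, or other account access code
NATIONAL_ID = "national_id"


@dataclass(frozen=True)
class Incident:
    """The factors captured during Identify & Investigate."""
    jurisdiction: str            # assumed codes: "US-NJ", "US-CT", "EU"
    data_elements: frozenset     # labels above
    recipient_authorized: bool   # was the recipient permitted to see the data?
    mitigation_confirmed: bool   # written assurance of containment obtained?


@dataclass
class Decision:
    notify_regulator: bool = False
    notify_individuals: bool = False
    rationale: list = field(default_factory=list)   # audit trail for defensibility


# Assumed trigger table for the US states in Scenario 1: a state is triggered
# when the exposed elements contain every element of at least one combination.
# Only the combination the slides discuss is listed; nothing shown triggers CT.
STATE_TRIGGERS = {
    "US-NJ": [frozenset({EMAIL_AS_USERNAME, PASSWORD})],
    "US-CT": [],
}


def assess(incident):
    """Deterministically map the recorded factors to a notification decision."""
    d = Decision()
    d.rationale.append(f"jurisdiction={incident.jurisdiction}")
    d.rationale.append("elements=" + ",".join(sorted(incident.data_elements)))

    if incident.recipient_authorized:
        d.rationale.append("recipient authorized: no unauthorized disclosure")
        return d

    if incident.jurisdiction == "EU":
        # Scenario 2 logic: the supervisory authority is notified once personal
        # data reached an unauthorized processor; individuals only when risk
        # mitigation cannot be confirmed.
        d.notify_regulator = True
        d.rationale.append("EU: unauthorized disclosure -> notify supervisory authority")
        if incident.mitigation_confirmed:
            d.rationale.append("EU: mitigation confirmed -> individuals not notified")
        else:
            d.notify_individuals = True
            d.rationale.append("EU: mitigation unconfirmed -> notify individuals")
        return d

    # Scenario 1 logic for US states: notify individuals when a triggering
    # combination is present. State regulator notice is not modelled here.
    for combo in STATE_TRIGGERS.get(incident.jurisdiction, []):
        if combo <= incident.data_elements:
            d.notify_individuals = True
            d.rationale.append(
                f"{incident.jurisdiction}: {sorted(combo)} meet the definition of personal information")
            return d
    d.rationale.append(f"{incident.jurisdiction}: elements do not meet the definition; no notification")
    return d


def assess_across(jurisdictions, data_elements, recipient_authorized, mitigation_confirmed):
    """Run the same factors against every jurisdiction the affected individuals live in."""
    return {
        j: assess(Incident(j, frozenset(data_elements), recipient_authorized, mitigation_confirmed))
        for j in jurisdictions
    }


if __name__ == "__main__":
    # Scenario 1, before and after the hidden password field is noticed.
    base = {NAME, MAILING_ADDRESS, PHONE, EMAIL_AS_USERNAME}
    for elements in (base, base | {PASSWORD}):
        for state, d in assess_across(["US-NJ", "US-CT"], elements, False, False).items():
            print(state, "notify individuals:", d.notify_individuals, "|", "; ".join(d.rationale))
    # Scenario 2, with and without confirmed mitigation from the processor.
    for confirmed in (True, False):
        d = assess(Incident("EU", frozenset({NAME, NATIONAL_ID}), False, confirmed))
        print("EU", "regulator:", d.notify_regulator, "individuals:", d.notify_individuals)
```

Because the decision is a pure function of the recorded factors, re-running it on the same incident record always yields the same result, and the rationale list is the audit trail you would hand to a regulator. A changed factor (the hidden password field in Scenario 1, the unresponsive processor in Scenario 2) changes the decision through the rule table rather than through individual judgement, and the rule table itself is the artifact to review when a jurisdiction's definition changes.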

What is an optimal notification rate?

Risks of over- or under-reporting
Risks of over-reporting:
- Brand and reputational damage
- Erosion of confidence from your customers
- Greater regulatory scrutiny from authorities and auditors
- Increased operational costs
Risks of under-reporting:
- Fines and penalties
- Diminishing consumer confidence, which in turn impacts the bottom line
- M&A implications

Simplify compliance with automation

Is it a breach? Automation in Incident Response
See firsthand how the Radar Breach Guidance Engine cuts incident response efforts in half, ensuring consistent, om/

Stay Current with Changing Breach Laws
Enables organizations to:
- Access up-to-date overviews of global breach notification laws (including CCPA and GDPR)
- Remain informed of US federal and state incident risk assessment and reporting requirements for data breaches
- Keep up with the requirements to achieve regulatory compliance and the penalties for non-compliance
radarfirst.com/breach-law

Questions & Answers
Host: Dave Cohen, CIPP/US, CIPP/E, Knowledge Manager, IAPP
Speakers: Mahmood Sher-Jan, CHPC, CEO & Founder, RADAR; Holly Amorosana, CIPP/US, JD, Chief Privacy Officer, Apple Bank

THANK YOU! To our speakers, our sponsor, and to all of you in the virtual audience.
Marketing Preferences
This web conference is being provided to you free of charge thanks to the generous support of our sponsor. In exchange for this support, we provide the sponsor with registrant contact information under strict guidelines. If you would like to opt out of being contacted by our sponsor, you may express your preferences here: RadarFirst's privacy policy.

Web Conference Participant Feedback Survey
Please take this quick (2 minute) survey to let us know how satisfied you were with this program and to provide us with suggestions for future improvement.
Click here: https://www.questionpro.com/t/AOhP6ZgIgP
Thank you in advance!
For more information: www.iapp.org

Attention IAPP Certified Privacy Professionals:
This IAPP web conference may be applied toward the continuing privacy education (CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM credential, worth 1.0 credit hours. IAPP-certified professionals who are the named participant of the registration will automatically receive credit. If another certified professional has participated in the program but is not the named participant, then the individual may submit for credit by submitting the continuing education application form here: CPE credit application.
Continuing Legal Education Credits:
The IAPP provides certificates of attendance to web conference attendees. Certificates must be self-submitted to the appropriate jurisdiction for continuing education credits. Please consult your specific governing body's rules and regulations to confirm if a web conference is an eligible format for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of programming.

For questions on this or other IAPP Web Conferences or recordings, or to obtain a copy of the slide presentation, please contact:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager
International Association of Privacy Professionals (IAPP)
dave@iapp.org
603.427.9221
