Ponemon Institute© Private & Confidential DocumentPage 1 Recent Research on Privacy, Trust and Data Protection The Privacy Symposium at Harvard University.
Presentation transcript:

Page 1: Recent Research on Privacy, Trust and Data Protection. The Privacy Symposium at Harvard University. Dr. Larry Ponemon, Chairman, Ponemon Institute LLC. August 22, 2007.

Page 2: Ponemon Institute LLC. The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government. The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations. Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board. The Institute has assembled more than 50 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households. The majority of active participants are privacy leaders (CPOs).

Page 3: Proposed Agenda
• What is privacy trust?
• What does recent research tell us?
  – Scott & Scott: business impact of a data breach
  – Redemtech: debut today of the newest study on off-network security
  – Ponemon: Is desktop search safe?
• Implications, privacy and the public’s trust
• Questions

Page 4: How the World Looks at Privacy. Based on over 100 studies conducted between 2003 and 2006, we compiled the following distribution for adult-aged individuals in 16 countries with respect to their preferences for privacy:
– About 12% of the public appear to be privacy-centric. Events that diminish their sense of privacy or the safety of their sensitive personal information will have a significant impact on their behavior.
– About 68% of the public appear to be privacy-sensitive. While they say that privacy is important to them, it will not change their behaviors or information sharing practices.
– About 21% of the public appear to be privacy-complacent. They really don’t care very much about the sharing or selling of their most sensitive personal information, such as a Social Security number or country ID.

Page 5: Distribution of the Public by Four Geographic Regions

Page 6: What is Privacy Trust?
• A process for engendering trust and confidence in how an organization’s leaders, employees, agents and contractors handle, manage, retain and secure private information about people and their families.
• Privacy trust requires an organization to ensure that its actual practices are aligned with the perceptions of key stakeholders such as customers, consumers and employees.
• The key components of privacy trust include: disclosure and notice, choice or consent, good security measures, reasonable access rights and data quality (accuracy).

Page 7: How Does Privacy Increase Corporate Value?
• Good privacy creates real value for organizations because it promotes the trust of stakeholders such as customers, employees and business partners.
• Beyond perception, privacy practices create real economic benefits in terms of:
  – Reducing operating inefficiencies
  – Improving information flows about people
  – Increasing brand or marketplace image
  – Decreasing the risk of regulatory action, fines and lawsuits
• Cost and ROI metrics can be developed that demonstrate the full value of good privacy practices in corporations and governmental entities.
• Starting point: we need to understand what the public (consumers) thinks, or what they care about.

Page 8: Business Impact of a Data Breach. Study released in May 2007. Sponsored by Scott & Scott, LLP.

Page 9: About the study. Sample of 702 IT and IT security practitioners in US companies. The key questions in our inaugural study were:
– Are organizations prepared to respond to a breach, and what do they consider the most important actions to take?
– Do they measure the cost of the breach to their organization?
– What causes data breach incidents?
– How has the breach affected an organization’s strategy for preventing a breach?
– What are the differences in approaches to the prevention and detection of a data breach between organizations that have experienced a breach and organizations that have not?

Page 10: 85% of respondents’ companies experienced a breach incident

Page 11: 42% of data breaches occurred because of missing devices such as laptop computers

Page 12: What technologies are not being deployed to remedy future breaches?

Page 13: 57% did not have an incident response plan in place when the breach happened

Page 14: Notification strategy: 37% over-report

Page 15: The majority of respondents do not believe that breach victims suffer monetary damages

Page 16: National Survey: The Insecurity of Off-Network Security. Study released today (August 2007). Sponsored by Redemtech.

Page 17: About the study. Sponsored by Redemtech, Ponemon Institute independently conducted this study to better understand how business and government organizations are securing confidential data on off-network electronic equipment. Our national survey queried 735 respondents who are employed in corporate information technology (IT) departments within U.S.-based business or governmental organizations. Our survey focused on the following four key issues:
– How important is it for an organization to control data on electronic devices that are off-network?
– What controls or procedures do organizations have in place to secure off-network data-bearing equipment or devices?
– How rigorous is the enforcement of policies and procedures to protect confidential off-network data?
– What are the primary causes for the theft or loss of data on electronic devices that are off-network?
– Is an organization’s confidential data as much at risk off-network as when it is on-network?

Page 18: About the study. Off-network electronic equipment includes all data-bearing devices that are disconnected from your organization’s system or network for various reasons, such as relocation, repair or disposition. Electronic equipment includes data-bearing servers, desktop and laptop computers, PDAs and other portable storage devices. Off-network also includes equipment that is idle (not actively in use, or in storage). The term applies as well to equipment being moved: in transition to another user, or being sent for repair, refurbishment, reconfiguration, redeployment, return on lease, or retirement (disposal).

Page 19: Sample of respondents

Page 20: Attitudes

Page 21: Data breach experience

Page 22: Off-network data loss

Page 23: Most likely causes

Page 24: Devices lost

Page 25: Security steps

Page 26: Is policy enforced?

Page 27: How long will it take to detect data loss?

Page 28: Is Desktop Search Safe? Study released in July 2007.

Page 29: Background. Security researcher Robert Hansen recently published details of a man-in-the-middle attack against Google Desktop, which places an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of the desktop or install other programs on it. According to Hansen, this drives home the point “that deep integration between the desktop and the Web is not a good idea.” A security research firm named Watchfire identified a cross-site scripting vulnerability that would allow an attacker to place malicious code on a Google Desktop user’s computer and possibly take full control of the computer. Google says that it fixed this particular flaw.

Page 30: Survey. Our Web-based study was conducted between June 8 and June 12. Our national sampling frame included adult-aged respondents (≥ 18 years) who work in corporate IT or IT security. In total, people who reside in the United States received an invitation to participate. This resulted in 1,268 individuals responding (approximately a 5.4% response rate). About 60% of respondents said they were aware of this controversy. Only this sub-sample was asked the remaining survey questions.

Page 31: Do you agree with Hansen?

Page 32: Is the problem resolved?

Page 33: Does antivirus software fix the problem?

Page 34: What should users do?

Page 35: What should users do?

Page 36: What can we learn from this jumble of findings?
• Privacy matters. Take steps to implement responsible information management practices across the enterprise for all data subjects.
• Technology makes a difference. Take stock of new enabling technologies that help protect personal information, such as data leak prevention and encryption solutions.
• The human factor is important. One of the top privacy risks concerns negligent or incompetent employees (a.k.a. the insider threat). Make sure employees, temporary employees and contractors understand good privacy and data protection practices. Also, take steps to vigorously monitor behaviors that push the limits of the company’s policies or SOPs.
• Understand the law. Privacy requirements vary by state, industry sector and nation. You need to understand how legal requirements affect the company’s information technology requirements. Responsible information management requires more than an adequate level of compliance.

Page 37: Questions? Dr. Larry Ponemon, Ponemon Institute LLC. Tel: Toll Free: New Michigan HQ: 2308 US 31 N., Traverse City, MI