1 Culture Clash: Law, Business and Technology
Mitch Dembin, Chief Security Advisor (US), Microsoft Corporation

2 How We Got Here
- Computer OS, apps and Internet protocols not designed for security
- Criminals, malicious hackers, corrupt insiders, virus/worm writers
- Publicity: primarily website defacements, identity theft

3 What We Did
- Panic: haphazard, frenzied reaction to security incidents
- Perimeter protection
- Pushed data security to IT departments without funding, training or understanding of the special skills required
- Allowed development of one-off security solutions throughout the enterprise

4 Results
- Silos, by acquisition, design or reaction to a security event
- Little attention to security architecture, writing secure code, strategic security planning
- Some progress in infrastructure protection, leading to attacks up the stack

5 Consequences
- Here come the lawyers: EEA, HIPAA, GLB, Sarbanes
- Common thread: reasonableness / appropriateness, interpreted by lawyers after the fact
- And, on their heels, come the dreaded auditors

6 Compliance – A Partial Landscape
- Sarbanes-Oxley: fiscal accountability for all public companies
- Basel II: capital assessment and reporting standards for global banking
- USA PATRIOT Act: customer documentation requirements in order to "know your customer"
- DoD 5015.2 and UK PRO: federal standards of records management
- Health Insurance Portability and Accountability Act (HIPAA): right to carry insurance between jobs; privacy of patient information
- NASD 3110: written policies and procedures for review of correspondence with the public
- SEC Rules 17a-3 & 17a-4: all records related to securities transactions to be maintained for 3 years
- Gramm-Leach-Bliley Act (GLBA): privacy of financial information
Source: Microsoft Compliance Summit, October 2003

7 The Players
- Business decision makers. Language = brand protection, competitive advantage, value and ROI
- IT security. Language = technology
- Lawyers. Language = reasonableness
- Auditors. Language = checklists

8 Guiding Principle No. 1
"It is really difficult to make predictions, especially about the future." (Y. Berra)

9 Problem 1: The Silo
Assumptions:
- Different data of relatively equal importance
- With different security solutions created, implemented and managed by different technology, people and processes
- Of demonstrably different effectiveness

10 Problem 1: Continued
Data in the less secure silo is compromised. How do you demonstrate to lawyers, auditors, regulators and shareholders that protection of that data was reasonable/adequate when better solutions were employed for equally important data elsewhere in the enterprise?

11 Problem 2: Emerging Technologies
- Multiple factor authentication
- Rights management
- Network segmentation

12 Where We Need To Go
- Enterprise-wide security plan
- Combat silos
- People, process & technology
- Dissemination of best practices
- Emergency and incident response
- Common language

13 Common Ground?
- Risk assessment
- Risk mitigation
- Risk management

14 Guiding Principle No. 2
"In theory, there is no difference between theory and practice. In practice, there is." (Y. Berra)

15 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
