© 2014 Morrison & Foerster LLP | All Rights Reserved | mofo.com
NIST Cybersecurity Framework
Impacting Your Company?
April 24, 2014
Presented By
Sheila FitzPatrick, NetApp
Jeff Greene, Symantec
Andy Serwin, MoFo
Sheila FitzPatrick
Sheila currently works with NetApp as their global Data Governance Counsel and Chief Privacy Officer. She is responsible for NetApp’s worldwide data privacy compliance program that includes responsibility for compliance with global laws related to data protection, cybersecurity, data breach notification, cloud computing and records management. She is currently the Vice-Chair of TechAmerica’s Privacy and Cybersecurity Committees and is actively involved in their Big Data and Cloud Computing Subcommittees. Sheila also sits on the European Union Data Protection Advisory Council and the Asia Pacific Data Protection Framework Advisory Board. Sheila is recognized as one of the world’s leading experts in data protection compliance.
Sheila FitzPatrick
Worldwide Legal Data Governance Counsel
Worldwide Data Privacy Counsel
NetApp, Inc.
(408) 822-1487
Jeff Greene
Jeff Greene serves as a Senior Policy Counsel at Symantec, where he focuses on issues including cybersecurity, identity management, and privacy. In this role, he monitors executive and legislative branch activity, and works extensively with industry and government organizations. Prior to joining Symantec, he was Senior Counsel with the U.S. Senate Homeland Security and Governmental Affairs Committee, where he focused on cybersecurity and Homeland Defense issues. Jeff has also worked in the House of Representatives, where he was Staff Director of the Management, Investigations and Oversight Subcommittee on the House Committee on Homeland Security.
Jeff Greene
Senior Policy Counsel, Cybersecurity and Identity
Symantec Corporation
Andy Serwin
Andrew B. Serwin is a partner in the Global Privacy and Data Security Practice Group at Morrison & Foerster’s San Diego and Washington, D.C. offices. Mr. Serwin is internationally recognized as one of the leading consumer protection and privacy lawyers, as well as a thought leader regarding information, and its role in society and the economy. Mr. Serwin also serves as the CEO and Executive Director of the Lares Institute, a think tank focused on information management issues, and is also a member of the advisory team of the Naval Postgraduate School’s Center for Asymmetric Warfare.
Andy Serwin
Partner
Morrison & Foerster
(858) 720-5134
Understanding the Cyber Threat
• The cyber threat presents unique issues that are difficult to solve.
Examples of Information
• Your company creates, gathers, and processes a significant amount of information:
  • Financial information;
  • Information regarding individuals (employees, customers, or both);
  • Proprietary/confidential information:
    • Undisclosed M&A activity;
    • Business and marketing plans; and
    • Pricing;
  • IP;
  • Information regarding business processes, including process improvements;
  • Information regarding business trends;
  • Social data/user generated content;
  • Machine data; and
  • Many other forms of information.
Executive Order
• Executive Order 13636—Improving Critical Infrastructure Cybersecurity.
• The Framework is supposed to provide a “prioritized, flexible, repeatable, performance-based, and cost effective approach” for cybersecurity risk for critical infrastructure.
Framework Version 1.0—February 12, 2014
• Document Overview:
  • Section 2 describes the Framework components.
  • Section 3 gives examples of how the Framework can be used.
  • Appendix A presents the Framework Core in tabular form.
Framework Version 1.0—February 12, 2014
• It is identified by NIST as a “risk-based approach” to managing cybersecurity risk.
  • According to NIST, this permits organizations to prioritize cyber activities.
• Overview of the Framework:
  • Framework Core;
    • Functions;
    • Categories;
    • Subcategories; and
    • Informative References.
  • Framework Implementation Tiers; and
  • A Framework Profile.
NIST Cybersecurity Framework –
Impacting Your Company?
Sheila M. FitzPatrick
Global Data Privacy Counsel
Chief Privacy Officer
NetApp Confidential - Limited Use Only
NetApp at a glance
• Computer storage and data management company headquartered in Sunnyvale, CA.
• Fortune 500 Company
  – 6+ Billion in FY13 revenue
  – 13,000+ employees
  – 150 offices worldwide
• Leading data storage provider to the U.S. Government
• #33 on the FORTUNE “100 Best Companies to Work For” list in 2014.
Why the NIST framework matters to our legal team and our business
• Monitoring and implementing the framework practices aligns with the NetApp legal team mission statement:
  – “Guard the business, guide the company”
• Cybersecurity risk can impact our bottom line
  – Financial and reputational risk (avoid the “Target” effect)
• The framework has imparted new obligations on our senior leaders
  – Cybersecurity strategy must come from the top of the enterprise
• Absent a codified regulatory scheme, the Framework “best practices” may become the de facto “reasonableness” standard
• The framework aligns to the “common sense” approach we have already adopted
Legal team supporting the adoption of the Framework Core to our business processes
Framework Core functions: Identify, Protect, Detect, Respond, Recover
• Dedicated CS focused roles across relevant business units
• Critical review of supply chain and updated policies
• Established policies to balance CS with privacy concerns
• Proactive C-Level involvement
• Participation in industry leadership forums
• Updated data retention and destruction policies
• Implemented intrusion detection capabilities
• Implemented a cross functional Incident Response Team
• Well-defined data breach notification program
• Legal is the first point of breach contact
• Legal engages the Incident Response Team
• Legal drives the forensic investigation, determines the risk mitigation and communicates with regulatory authorities and impacted individuals
NetApp legal is responsible for finding a balance between privacy & cybersecurity
(Figure: a balance between Cybersecurity and Privacy)
Intersection of Trust & Technology
(Figure: IT, Privacy, Legal and Security intersecting around Legal Obligations)
• Develop Data Protection Savvy Program including consents & notifications related to cyber attacks
• Monitor network traffic not personal data
• Report breaches without revealing personal data
Symantec & the CSF
• Participated in the development of the CSF dating back to the development of the EO, so we knew it well.
• Began to use the CSF before it was even final:
  – CISO used core functions to brief the Audit Committee;
  – CISO’s office used it to examine our security program.
• Proved to be a useful lens to examine what we’re doing and to challenge our assumptions.
• Mapping our internal security efforts to the core functions.
• Using it in two ways:
  – For our own internal security; and
  – To help customers examine their security needs.