Today's Speakers
Dr Larry Ponemon, Chairman & Founder, Ponemon Institute
Joanne Furtsch, Director of Product Policy, TRUSTe
Mary Westberg, Senior Compliance Paralegal, SanDisk Corporation
Sample response
                                 Freq     Pct%
Sampling frame                 14,639   100.0%
Total returns                     615     4.2%
Rejected or screened surveys       48     0.3%
Final sample                      567     3.9%
August 13, 2015
More companies have data breach response plans and teams in place.
[Chart residue, slides 8 and 9: bar charts with agreement-scale responses; only the response labels Unsure, Disagree and Strongly disagree are recoverable, and the percentages cannot be matched to labels.]
[Chart residue, slide 10: ratings on the scale Very effective / Effective / Somewhat effective / Not effective / Unsure; the percentages cannot be reliably matched to labels.]
[Chart residue, slide 11: frequency chart; the only recoverable response label is Each quarter; the values 3%, 5%, 14%, 41% and 37% sum to 100% but cannot be matched to labels.]
[Chart residue, slide 12: multiple-response chart; recoverable values 50%, 45%, 36%, 18% and Other 2%; labels other than Other were lost in extraction.]
[Chart residue, slide 13: Yes / No / Unsure responses to the two items below; the percentages cannot be matched to labels.]
Privacy/data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information
Customer service personnel trained on how to respond to questions about a data breach incident
[Chart residue, slide 14: which function is responsible; recoverable labels Compliance Officer, General Counsel and Human Resources; the percentages cannot be reliably matched to labels.]
[Chart residue, slide 16: the only recoverable label is Lack of expertise; recoverable values 56%, 43%, 23%, 21%, 15% and 2% cannot be matched to labels.]
[Chart residue, slide 17: the only recoverable label is Anti-virus, immediately followed by 89% in the extraction; the remaining values 54%, 34%, 31%, 25% and 5% have no recoverable labels.]
[Chart residue, slide 18: frequency on the scale Continuous monitoring / Daily / Weekly / Monthly / Quarterly / Annually / Never / Unsure; the eight values that are not axis ticks are, in extraction order, 28%, 20%, 21%, 16%, 8%, 4%, 2% and 1% (they sum to 100%), but their pairing with the labels is inferred from extraction order only.]
[Chart residue, slide 20: multiple-response chart; recoverable values 77%, 70%, 69%, 63%, 45% and Other 2%; labels other than Other were lost in extraction.]
[Chart residue, slide 21: the only recoverable label is Gift cards; the values 45%, 17%, 13%, 13%, 9% and 3% sum to 100% but cannot be matched to labels.]
Conclusion
Incident response plans should undergo frequent reviews and reflect the current security risks facing the company.
The board of directors, CEO and chairman should play an active role in helping their companies prepare for and respond to a data breach. This includes briefings on the company's security posture and a review of the incident response plan.
Employee Training
Collection Limitation
Data Privacy Office
Vendor Management
Policy Management
Collection Limitation
Limit information collection to what is necessary to fulfill business purposes.
Understand what information your organization has: conduct a data inventory, and assess where the information goes, who has access to it, and how long it is retained.
Data classification: classify information based on its level of sensitivity and the business impact if that data is breached.
Employee training
Most breaches are caused by insiders.
Building employee awareness is key to breach prevention.
Key Take-Aways
Mary Westberg, Senior Compliance Paralegal, SanDisk
2. Identify Stakeholders
3. Know Your Data and Systems
5. Communicate & Train
Create awareness.
Layer approaches to reach those who need to know.
General audience training or instruction, integrated with other trainings.
Specialized training for responders and incident response team members.
Data Minimization
Vendor Management
Layered Internal Processes
Questions?
Contacts
Dr Larry Ponemon: research@ponemon.org
Joanne Furtsch: jfurtsch@truste.com
Mary Westberg: Mary.Westberg@sandisk.com
Thank You!
Don't miss the next webinar in the series, "What Does the Proposed EU Regulation Mean for Business", on September 16th.
See http://www.truste.com/insightseries for details of future webinars and recordings.
Privacy Insight Series