Effectively Partnering Information Security and Privacy For Business Success
Christopher Grillo, CISM, CISA, CPA, ITIL
Director, Information Security
Medica
Christopher Grillo, CISA, CISM, CPA, ITIL, has over 15 years of diverse experience in the areas of information security, IT auditing, operational auditing, financial auditing and IT consulting in various industries. Chris is currently the Director of Information Security for an upper Midwest health plan organization, where he created the Information Security department while implementing HIPAA Security Rule compliance requirements by the April 2005 deadline. Chris also held senior information security management positions at highly diverse and regulated companies with international business operations in energy, auto, finance, publishing, education, software development and government interfaces, as well as serving as Sr. Principal Consultant for Verisign, Inc. (formerly Guardent), and a Sr. Consultant for Canaudit, Inc.
Through these experiences, Chris gained extensive experience and knowledge in building comprehensive information security programs. Chris has also served as a senior advisor for the management and operations of enterprise security and compliance programs. Chris is the author of several seminars such as "Control and Security of Windows Server, Enterprise Security Management," "Security Awareness," "Acquiring Info Security Tools," and "Auditing System Development."
He has published several articles and has been quoted in popular magazines and security-related books such as COMPUTER WORLD, Tangled Web, and the newly released Managing an Information Security and Privacy Awareness and Training Program. Chris is an active member of various Information Security and Audit Associations and is past chairperson of the Computer Security Institute (CSI) Advisory Council.
Presentation Overview:
Establishing effective privacy and information security strategies has moved to the top of the list for companies maintaining customer and employee information. However, there are often gaps in communication and coordination between Privacy and Information Security activities, creating risks for incidents, along with contractual and regulatory noncompliance. Successful efforts require the two strategies to be complementary and integrated throughout all of the enterprise—within every business process stage and at every level within the organization. This workshop will provide insight into Privacy and Information Security practitioners' roles and responsibilities within the organization and offer guidance and discussion for how to effectively work together.
Through presentation, discussion, and case-studies, attendees will obtain a better understanding of the challenges faced by both groups, and be able to create a workable framework for integrating efforts. Participants will take away a roadmap for building synergy between the two groups, as well as tools and methodologies they can start using right away to result in positive organizational impact.
Time-Based Objectives:
Day One
Key Objectives:
- Instill understanding of privacy and information security issues and governance methodologies for best business impact
- Instill understanding of how to use existing governance frameworks, such as ITIL, COBIT, ISO 17799 and OECD, to successfully integrate privacy and information security throughout the entire organization
- Instill understanding of the major privacy and information security common areas and how to establish partnerships to most successfully address all the accompanying issues
- Learn the legal ramifications and the key compliance activities necessary to demonstrate regulatory and legal due diligence and establish a standard of due care that supports business success
- Learn to create an actionable roadmap for coordinating privacy and information security activities within the organization and incorporating into the SDLC
- Instill understanding of the importance of planning for incidents and the key components of effective plans
You Will Leave With:
- A valuable set of course materials that you will be able to use as a reference on an ongoing basis immediately upon your return to the office
- A ready-to-use information security and privacy program planning toolkit and sample framework that participants can customize to fit their organizational needs
- Sample IT controls for privacy and information security for regulatory compliance
- A usable information security and privacy posture worksheet with roadmap generator
- Sample website privacy policy
- Privacy impact assessment worksheet
- A ready-to-use business partner and vendor security and privacy program assessment and due diligence questionnaire
- A security and privacy contract clause considerations checklist
- A comprehensive listing of useful security and privacy references and resources
Privacy and Information Security Trends. We will discuss the evolution of privacy and security activities within businesses, and highlight fourteen important trends of which businesses must be aware. We will define and discuss the Privacy and Security roles, responsibilities, and organizational challenges, as well as the business processes that are most affected by Privacy and Security processes and initiatives.

Privacy Strategy. We will discuss effective privacy strategies and the business impact of privacy, including common regulatory and compliance issues. We will describe key privacy issues to address within any type of organization.

Information Security Strategy. We will discuss effective Security strategies and the business impact of security, such as those relating to risk management and regulatory compliance. We will provide a practical method of incorporating industry best practices (ISO 17799, COBIT, ITIL, OECD) into any organization, and provide a toolset for creating Security and Privacy Roadmaps. We will provide case studies and exercises throughout the day to support and demonstrate how this information can be used within business.
Day Two
We will discuss at length the five overlapping privacy and information security areas that have the most impact on businesses. For the first common area we will discuss how privacy and information security policies and procedures must be in sync, and the issues involved in making them effective. The second common area will demonstrate the need for and value of privacy impact assessments and information security risk assessments, and how the two types of activities should be coordinated to realize the greatest business value. The third common area will address the critical need for business partner and vendor privacy and security program reviews and what to include within the associated contracts. Common area four will provide details about the systems development life cycle (SDLC) and how to effectively address privacy and security issues within every phase of an SDLC. Common area five will provide important information all organizations must know about incident response for both privacy and information security, in addition to providing the key components of an effective response plan. We will provide case studies and exercises throughout the day to support and demonstrate how these common areas impact business, and the ways in which privacy and information security must partner.