NIST Cybersecurity Framework: Impacting Your Company?
April 24, 2014
Presented by: Sheila FitzPatrick, NetApp; Jeff Greene, Symantec; Andy Serwin, MoFo
©2014 Morrison & Foerster LLP | All Rights Reserved | mofo.com

Sheila FitzPatrick
Worldwide Legal Data Governance Counsel
Worldwide Data Privacy Counsel
NetApp, Inc.
(408) 822-1487
[email protected]
Sheila currently works with NetApp as their global Data Governance Counsel and Chief Privacy Officer. She is responsible for NetApp’s worldwide data privacy compliance program, which includes responsibility for compliance with global laws related to data protection, cybersecurity, data breach notification, cloud computing and records management. She is currently the Vice-Chair of TechAmerica’s Privacy and Cybersecurity Committees and is actively involved in their Big Data and Cloud Computing Subcommittees. Sheila also sits on the European Union Data Protection Advisory Council and the Asia Pacific Data Protection Framework Advisory Board. Sheila is recognized as one of the world’s leading experts in data protection compliance.

Jeff Greene
Senior Policy Counsel, Cybersecurity and Identity
Symantec Corporation
[email protected]
Jeff Greene serves as a Senior Policy Counsel at Symantec, where he focuses on issues including cybersecurity, identity management, and privacy. In this role, he monitors executive and legislative branch activity, and works extensively with industry and government organizations. Prior to joining Symantec, he was Senior Counsel with the U.S. Senate Homeland Security and Governmental Affairs Committee, where he focused on cybersecurity and Homeland Defense issues. Jeff has also worked in the House of Representatives, where he was Staff Director of the Management, Investigations and Oversight Subcommittee of the House Committee on Homeland Security.

Andy Serwin
Partner
Morrison & Foerster
(858) 720-5134
[email protected]
Andrew B. Serwin is a partner in the Global Privacy and Data Security Practice Group at Morrison & Foerster’s San Diego and Washington, D.C. offices. Mr. Serwin is internationally recognized as one of the leading consumer protection and privacy lawyers, as well as a thought leader regarding information and its role in society and the economy. Mr. Serwin also serves as the CEO and Executive Director of the Lares Institute, a think tank focused on information management issues, and is also a member of the advisory team of the Naval Postgraduate School’s Center for Asymmetric Warfare.

Understanding the Cyber Threat
• The cyber threat presents unique issues that are difficult to solve.

Cybersecurity
• Cyber-terrorism;
• Organized crime;
• Hacktivists; and
• Industrial espionage.

Examples of Information
• Your company creates, gathers, and processes a significant amount of information:
  • Financial information;
  • Information regarding individuals (employees, customers, or both);
  • Proprietary/confidential information:
    • Undisclosed M&A activity;
    • Business and marketing plans; and
    • Pricing;
  • IP;
  • Information regarding business processes, including process improvements;
  • Information regarding business trends;
  • Social data/user-generated content;
  • Machine data; and
  • Many other forms of information.

Executive Order
• Executive Order 13636—Improving Critical Infrastructure Cybersecurity.
• The Framework is supposed to provide a “prioritized, flexible, repeatable, performance-based, and cost effective approach” to cybersecurity risk for critical infrastructure.

Framework Version 1.0—February 12, 2014
• Document Overview:
  • Section 2 describes the Framework components.
  • Section 3 gives examples of how the Framework can be used.
  • Appendix A presents the Framework Core in tabular form.

Framework Version 1.0—February 12, 2014
• It is identified by NIST as a “risk-based approach” to managing cybersecurity risk.
• According to NIST, this permits organizations to prioritize cyber activities.
• Overview of the Framework:
  • Framework Core:
    • Functions;
    • Categories;
    • Subcategories; and
    • Informative References.
  • Framework Implementation Tiers; and
  • A Framework Profile.

NIST Cybersecurity Framework – Impacting Your Company?
Sheila M. FitzPatrick
Global Data Privacy Counsel
Chief Privacy Officer
NetApp Confidential - Limited Use Only

NetApp at a glance
Computer storage and data management company headquartered in Sunnyvale, CA.
Fortune 500 Company
– 6+ billion in FY13 revenue
– 13,000+ employees
– 150 offices worldwide
Leading data storage provider to the U.S. Government
#33 on FORTUNE’s “100 Best Companies to Work For” in 2014.

Why the NIST framework matters to our legal team and our business
Monitoring and implementing the framework practices aligns with the NetApp legal team mission statement:
– “Guard the business, guide the company”
Cybersecurity risk can impact our bottom line
– Financial and reputational risk (avoid the “Target” effect)
The framework has imparted new obligations on our senior leaders
– Cybersecurity strategy must come from the top of the enterprise
Absent a codified regulatory scheme, the Framework “best practices” may become the de facto “reasonableness” standard
The framework aligns with the “common sense” approach we have already adopted

Legal team supporting the adoption of the Framework Core to our business processes
Framework Core functions: Identify, Protect, Detect, Respond, Recover
Legal team activities mapped to those functions:
• Dedicated CS-focused roles across relevant business units
• Critical review of supply chain and updated policies
• Established policies to balance CS with privacy concerns
• Proactive C-level involvement
• Participation in industry leadership forums
• Updated data retention and destruction policies
• Implemented intrusion detection capabilities
• Implemented a cross-functional Incident Response Team
• Well-defined data breach notification program
• Legal is the first point of breach contact
• Legal engages the Incident Response Team
• Legal drives the forensic investigation, determines the risk mitigation and communicates with regulatory authorities and impacted individuals

NetApp legal is responsible for finding a balance between privacy & cybersecurity
[Diagram: Cybersecurity and Privacy, with NetApp legal balancing the two]

Intersection of Trust & Technology
[Diagram: Privacy, Legal Obligations and IT Security, with the following labels]
• Report breaches without revealing personal data
• Monitor network traffic, not personal data
• Develop a data-protection-savvy program, including consents & notifications related to cyber attacks

Symantec & the CSF
• Participated in the development of the CSF dating back to the development of the EO – so we knew it well.
• Began to use the CSF before it was even final:
  – CISO used core functions to brief the Audit Committee;
  – CISO’s office used it to examine our security program.
• Proved to be a useful lens to examine what we’re doing and to challenge our assumptions.
• Mapping our internal security efforts to the core functions.
• Using it in two ways:
  – For our own internal security; and
  – To help customers examine their security needs.

Questions