NIST Cybersecurity Framework Impacting Your Company? April 24, 2014

Presented By
Sheila FitzPatrick, NetApp
Jeff Greene, Symantec
Andy Serwin, MoFo
©2014 Morrison & Foerster LLP | All Rights Reserved |
Sheila FitzPatrick
Worldwide Legal Data Governance Counsel
Worldwide Data Privacy Counsel
NetApp, Inc.
(408) 822-1487
Sheila currently works with NetApp as their global Data Governance Counsel and
Chief Privacy Officer. She is responsible for NetApp’s worldwide data privacy
compliance program that includes responsibility for compliance with global laws
related to data protection, cybersecurity, data breach notification, cloud computing
and records management. She is currently the Vice-Chair of TechAmerica’s Privacy
and Cybersecurity Committees and is actively involved in their Big Data and Cloud
Computing Subcommittees. Sheila also sits on the European Union Data Protection
Advisory Council and the Asia Pacific Data Protection Framework Advisory Board.
Sheila is recognized as one of the world’s leading experts in data protection
Jeff Greene
Senior Policy Counsel, Cybersecurity and Identity
Symantec Corporation
Jeff Greene serves as a Senior Policy Counsel at Symantec, where he focuses on
issues including cybersecurity, identity management, and privacy. In this role, he
monitors executive and legislative branch activity, and works extensively with
industry and government organizations. Prior to joining Symantec, he was Senior
Counsel with the U.S. Senate Homeland Security and Governmental Affairs
Committee, where he focused on cybersecurity and Homeland Defense issues. Jeff
has also worked in the House of Representatives, where he was Staff Director of the
Management, Investigations and Oversight Subcommittee on the House Committee
on Homeland Security.
Andy Serwin
Morrison & Foerster
(858) 720-5134
Andrew B. Serwin is a partner in the Global Privacy and Data Security Practice
Group at Morrison & Foerster’s San Diego and Washington, D.C. offices. Mr. Serwin
is internationally recognized as one of the leading consumer protection and privacy
lawyers, as well as a thought leader regarding information, and its role in society
and the economy. Mr. Serwin also serves as the CEO and Executive Director of the
Lares Institute, a think tank focused on information management issues, and is also
a member of the advisory team of the Naval Postgraduate School’s Center for
Asymmetric Warfare.
Understanding the Cyber Threat
• The cyber threat presents unique issues that are difficult to solve.
Organized crime;
Hacktivists; and
Industrial espionage.
Examples of Information
• Your company creates, gathers, and processes a significant amount
of information:
• Financial information;
• Information regarding individuals (employees, customers, or both);
• Proprietary/confidential information
• Undisclosed M&A activity;
• Business and marketing plans; and
• Pricing;
• IP;
• Information regarding business processes, including process improvements;
• Information regarding business trends;
• Social data/user generated content;
• Machine data; and
• Many other forms of information.
Executive Order
• Executive Order 13636—Improving Critical Infrastructure
• The Framework is supposed to provide a “prioritized, flexible,
repeatable, performance-based, and cost effective approach” for
cybersecurity risk for critical infrastructure.
Framework Version 1.0—February 12, 2014
• Document Overview:
• Section 2 describes the Framework components.
• Section 3 gives examples of how the Framework can be used.
• Appendix A puts the Framework Core in a tabular framework.
Framework Version 1.0—February 12, 2014
• It is identified by NIST as a “risk-based approach” to managing
cybersecurity risk.
• According to NIST, this permits organizations to prioritize cyber activities.
• Overview of the Framework:
• Framework Core;
• Functions;
• Categories;
• Subcategories; and
• Informative References.
• Framework Implementation Tiers; and
• A Framework Profile.
NIST Cybersecurity Framework – Impacting Your
Sheila M. FitzPatrick
Global Data Privacy Counsel
Chief Privacy Officer
NetApp Confidential - Limited Use Only
NetApp at a glance….
• Computer storage and data management
company headquartered in Sunnyvale, CA.
• Fortune 500 Company
– 6+ Billion in FY13 revenue
– 13,000+ employees
– 150 offices worldwide
• Leading data storage provider to the U.S.
• #33 FORTUNE “100 Best Companies to Work
For” in 2014.
Why the NIST framework matters to our
legal team and our business…
• Monitoring and implementing the framework practices
aligns with the NetApp legal team mission statement:
– “Guard the business, guide the company”
• Cybersecurity risk can impact our bottom line
– Financial and reputational risk (avoid the “Target” effect)
• The framework has imparted new obligations on our senior
– Cybersecurity strategy must come from the top of the
• Absent a codified regulatory scheme, the Framework “best
practices” may become the de facto “reasonableness”
• The framework aligns to the “common sense” approach we
have already adopted
Legal team supporting the adoption of the
Framework Core to our business processes
• Dedicated CS focused roles across relevant business units
• Critical review of supply chain and updated policies
• Established policies to balance CS with privacy concerns
• Proactive C-Level involvement
• Participation in industry leadership forums
• Updated data retention and destruction policies
• Implemented intrusion detection
• Implemented a cross functional Incident Response Team
• Well-defined data breach notification program
• Legal is the first point of breach
• Legal engages the Incident Response Team
• Legal drives the forensic investigation, determines the risk mitigation and communicates with regulatory authorities and impacted individuals
NetApp legal is responsible for finding a balance between privacy & cybersecurity
Intersection of Trust & Technology
• Report breaches without revealing personal data
• Monitor network traffic not personal data
• Develop Data Protection Savvy Program including consents & notifications related to cyber attacks
Symantec & the CSF
• Participated in the development of the CSF dating back to the
development of the EO – so we knew it well.
• Began to use the CSF before it was even final –
– CISO used core functions to brief Audit Committee;
– CISO’s office used it to examine our security program.
• Proved to be a useful lens to examine what we’re doing and to
challenge our assumptions.
• Mapping our internal security efforts to the core functions.
• Using in two ways:
– For our own internal security; and
– To help customers examine their security needs.