A Coherent Strategy for Data Security through Data Governance
Roland L. Trope, E. Michael Power, Vincent I. Polley, Bradford C. Morley
Presented by Barry Sebesta, Security Management, February 26, 2008
The role of boards of directors: a brief timeline
• Early 90’s – boards of directors tended to believe they weren’t personally liable if their company’s information security programs failed
• 1996 – the Caremark lawsuit quickly changed that outlook
  – Caremark was a provider of clinical care and pharmaceutical health care services
  – It violated federal and state laws applicable to health care providers
  – Stockholders sued the directors for breach of fiduciary duties, alleging “director inattention” – a liability theory under which a loss results from “unconsidered inaction”
  – The courts found that Caremark’s directors had failed “to attempt to assure a reasonable information and reporting system exists”
A hypothetical situation
• Proposed merger between InterCepht and PuntCode
  – InterCepht – aerospace and defense contractor for the US
  – PuntCode – publicly owned software company
• Has the scope of a board’s oversight duty changed to include an enterprise’s data security system?
• Has a board’s or individual director’s exposure to liability for failure to fulfill the oversight duty increased?
• Will elevating data security to a board’s concern and bringing it within the board’s “oversight” duty improve data security?
CISO presentation: four trends that pose security risks to InterCepht
• Data stored on weakly protected portable devices
• Deperimeterization undermines the reliability of perimeter-based defenses
• Decreasing reliability of user identification and password protection
• Introduction of new technologies
Legal counsel presentation
Legal requirements for data security
• Implicit requirements
• Coherent security strategy
• Deferred or unfocused due diligence
Perceived high risks to data security
• Market-sensitive information
• Review by the Committee on Foreign Investment in the US
• Parties targeted by trade sanctions regulations
A hypothetical decision: adopt early and benefit
• The InterCepht board realized that compliance challenges can become a competitive advantage
• Y2K compliance is an example of such a business response: money spent to upgrade systems to avoid potential legal liability resulted in significantly improved IT systems
• The InterCepht board decided it would be easier to implement comprehensive data security measures early in the merger
• Acting early results in reduced cost and greater benefits, without a need for “damage control”
Conclusion: an answer to our questions
• Has the scope of a board’s oversight duty changed to include an enterprise’s data security system?
• Has a board’s or individual director’s exposure to liability for failure to fulfill the oversight duty increased?
• Will elevating data security to a board’s concern and bringing it within the board’s “oversight” duty improve data security?
“YES” to all three
• Any company that fails to maintain and regularly audit a comprehensive data security program is at increased risk of failing to fulfill its fiduciary oversight duty
• At a minimum, a data security program should bring red-flag warnings to the immediate attention of senior officers, who should be required to relay to the board’s audit committee any reports that could seriously affect the company