Source Conference Boston

Nailing Down Security Regulations

W. David Snead
Attorney + Counselor

Roadmap

• Where is technology going?
• U.S. v. E.U.
• Case study
• Analytical framework
• Key contract clauses
• Framework questions

Comparison slide (two columns, as laid out on the slide):

• Issue based                  • Sectoral based
• Proactive                    • Reactive
• National implementation      • Generally state based
                               • Narrowly tailored




Legislative and Regulatory Targets

• Breach – both benign and malicious
• Breach notification
• Mitigation
• Security policies
• Contracting parties, third parties and vendors

• Data governance laws are here to stay
• Expectation that, in some form, data breach requirements will be extended to cover not just telecoms
• General data breach requirements in some EU Member States already
• Accountability and transparency principles
• Broad scope of definition of personal data
• Cloud and jurisdictional challenges
• The role of controllers and processors




MIS Training Institute © Page 1
Broad based:
• eprivacy directive
• data retention
• digital signatures
• encryption

Broad based:
• digital signatures
• spam

Sectoral / Country Specific:
• sectoral standards
• encryption
• implementation of EU directives

Sectoral:
• GLB
• HIPAA / HITECH
• CFAA
• ECPA




General Security
• Nevada
• Massachusetts

Security Breach

States without:
• Alabama
• Kentucky
• Mississippi
• New Mexico
• South Dakota

Case study: Sol Vidro is a company headquartered in Cologne. It seeks to outsource email, office applications, payroll and backbone to two cloud providers in the U.S. and U.K. who must act in a federated manner.




Security

• Define “breach”
• Determine when a breach happens
• Assume there will be data breach laws
• Review any laws that may currently exist
• Understand who will be responsible for security
• Create enforceable contract terms
• Remember post-termination issues
• Understand that you may not be made whole

Sample clause: Vendor has provided Sol Vidro with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to this Agreement. Vendor represents and warrants that this security policy represents best of breed security procedures in its industry. Vendor shall give Sol Vidro no less than sixty days prior written notice of any changes in the Policy that impact the services provided to Sol Vidro. Should Sol Vidro determine that these changes materially impact the security of the services, Sol Vidro shall have the right to terminate this Agreement. In such a case, Vendor shall provide reasonable assistance to Sol Vidro to transition its services to another provider.




Data Transfer

• How is the data transmitted?
• Understand concepts like: controller, processor, transfer and aggregation.
• Limit uses
• Require flow down and flow up contract terms
• Evaluate whether “Safe Harbor” is appropriate
• Create methods to address data leakage

Sample clause: Sol Vidro is providing payroll data to Vendor solely for the purpose of processing the data as set out in Exhibit A to this Agreement. Vendor may only provide access to this data to third parties upon written notice and receipt of Sol Vidro’s express consent. Sol Vidro’s consent may be withheld.




Disposition of data upon termination

• Review data retention laws
• Specify terms for deletion / transfer
• Set out obligations for security post termination

Sample clause: Upon termination or expiration of this Agreement, Vendor shall delete all data and provide Sol Vidro with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion.

The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of Sol Vidro’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.




Access to data

• Understand how transmission is outsourced / subcontracted
• Review your obligations to provide access to police
• Review your provider’s obligations to provide access
• Research your laws about third party police access
• Set out notification and consent provisions

Sample clause: Vendor shall provide Sol Vidro with no less than ten days prior written notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law enforcement or similar entity. Should Vendor be prohibited by law from providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and the written document upon which disclosure is based. Under no circumstances shall Vendor provide access without a written request of disclosure which cites the law requiring such disclosure. Vendor shall require this provision, or one similarly protective of Sol Vidro’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.




Do you know where sensitive information resides and how to protect it?

Can you lower costs AND improve your security posture by rationalizing your security?

Do you understand termination, survival and deletion issues?

Can you control who has access to your information?

Do you know how the services will be used?

How does termination affect you?

Have you researched breach notification?

Have you researched high risk regulatory areas?




W. David Snead
Attorney + Counselor

david.snead@dsnead.com
wdsneadpc / Twitter
thewhir.com / Blog




Everything you should already know about MS-SQL post-exploitationSource Conference
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best PracticesSource Conference
 

More from Source Conference (20)

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 
Keynote
KeynoteKeynote
Keynote
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best Practices
 

David Snead - Nailing Down Security Regulations

1. Nailing Down Security Regulations
Source Conference Boston
W. David Snead, Attorney + Counselor

Roadmap
• Where is technology going?
• U.S. v. E.U.
• Case study
• Analytical framework
• Key contract clauses
• Framework questions

Two regulatory models compared:
• Issue based • Proactive • National implementation
versus
• Sectoral based • Reactive • Generally state based • Narrowly tailored

Legislative and Regulatory Targets
• Breach – both benign and malicious
• Breach notification
• Mitigation
• Security policies
• Contracting parties, third parties and vendors
• The role of controllers and processors

• Data governance laws are here to stay
• Expectation that in some format data breach will be extended to cover not just telecoms
• General data breach requirements in some EU Member States already
• Accountability and transparency principles
• Broad scope of definition of personal data
• Cloud and jurisdictional challenges

MIS Training Institute ©
2. Regulatory map: broad based, sectoral / country specific
• eprivacy directive
• data retention
• digital signatures
• spam
• encryption
• implementation directives (EU)
• sectoral standards
• GLB
• HIPAA / HITECH
• CFAA
• ECPA
General Security: • Nevada • Massachusetts
Security Breach – States without: • Alabama • Kentucky • Mississippi • New Mexico • South Dakota

Case study
Sol Vidro is a company headquartered in Cologne. It seeks to outsource email, office applications, payroll and backbone to two cloud providers in the U.S. and U.K. who must act in a federated manner.

Security
• Define “breach”
• Determine when a breach happens
• Assume there will be data breach laws
• Review any laws that may currently exist
• Understand who will be responsible for security
• Create enforceable contract terms
• Remember post termination issues
• Understand that you may not be made whole

Sample clause:
Vendor has provided Sol Vidro with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to this Agreement. Vendor represents and warrants that this security policy represents best of breed security procedures in its industry. Vendor shall give Sol Vidro no less than sixty days prior written notice of any changes in the Policy that impact the services provided to Sol Vidro. Should Sol Vidro determine that these changes materially impact the security of the services, Sol Vidro shall have the right to terminate this Agreement. In such a case, Vendor shall provide reasonable assistance to Sol Vidro to transition its services to another provider.
3. Data Transfer
• How is the data transmitted?
• Understand concepts like: controller, processor, transfer and aggregation
• Limit uses
• Require flow down and flow up contract terms
• Evaluate whether “Safe Harbor” is appropriate
• Create methods to address data leakage

Sample clause:
Sol Vidro is providing payroll data to Vendor solely for the purpose of processing the data as set out in Exhibit A to this Agreement. Vendor may only provide access to this data to third parties upon written notice and receipt of Sol Vidro’s express consent. Sol Vidro’s consent may be withheld.

Disposition of data upon termination
• Review data retention laws
• Specify terms for deletion / transfer
• Set out obligations for security post termination

Sample clause:
Upon termination or expiration of this Agreement, Vendor shall delete all data and provide Sol Vidro with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of Sol Vidro’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.

Access to data
• Understand how transmission is outsourced / subcontracted
• Review your obligations to provide access to police
• Review your provider’s obligations to provide access
• Research your laws about third party police access
• Set out notification and consent provisions

Sample clause:
Vendor shall provide Sol Vidro with no less than ten days prior written notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law enforcement or similar entity. Should Vendor be prohibited by law from providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and the written document upon which disclosure is based. Under no circumstances shall Vendor provide access without a written request of disclosure which cites the law requiring such disclosure. Vendor shall require this provision, or one similarly protective of Sol Vidro’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
4. Framework questions
• Do you know where sensitive information resides and how to protect it?
• Can you lower costs AND improve your security posture by rationalizing your security?
• Do you understand termination, survival and deletion issues?
• Can you control who has access to your information?
• Do you know how the services will be used?
• How does termination affect you?
• Have you researched breach notification?
• Have you researched high risk regulatory areas?

W. David Snead, Attorney + Counselor
david.snead@dsnead.com
wdsneadpc / Twitter
thewhir.com / Blog