©2014 Morrison & Foerster LLP | All Rights Reserved | mofo.com NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo


NIST Cybersecurity Framework

Impacting Your Company?

April 24, 2014

Presented By

Sheila FitzPatrick, NetApp

Jeff Greene, Symantec

Andy Serwin, MoFo


Sheila FitzPatrick

Sheila currently works with NetApp as their global Data Governance Counsel and Chief Privacy Officer. She is responsible for NetApp’s worldwide data privacy compliance program that includes responsibility for compliance with global laws related to data protection, cybersecurity, data breach notification, cloud computing and records management. She is currently the Vice-Chair of TechAmerica’s Privacy and Cybersecurity Committees and is actively involved in their Big Data and Cloud Computing Subcommittees. Sheila also sits on the European Union Data Protection Advisory Council and the Asia Pacific Data Protection Framework Advisory Board. Sheila is recognized as one of the world’s leading experts in data protection compliance.

Sheila FitzPatrick

Worldwide Legal Data Governance Counsel

Worldwide Data Privacy Counsel

NetApp, Inc.

(408) 822-1487

[email protected]


Jeff Greene

Jeff Greene serves as a Senior Policy Counsel at Symantec, where he focuses on issues including cybersecurity, identity management, and privacy. In this role, he monitors executive and legislative branch activity, and works extensively with industry and government organizations. Prior to joining Symantec, he was Senior Counsel with the U.S. Senate Homeland Security and Governmental Affairs Committee, where he focused on cybersecurity and Homeland Defense issues. Jeff has also worked in the House of Representatives, where he was Staff Director of the Management, Investigations and Oversight Subcommittee on the House Committee on Homeland Security.

Jeff Greene

Senior Policy Counsel, Cybersecurity and Identity

Symantec Corporation

[email protected]


Andy Serwin

Andrew B. Serwin is a partner in the Global Privacy and Data Security Practice Group at Morrison & Foerster’s San Diego and Washington, D.C. offices. Mr. Serwin is internationally recognized as one of the leading consumer protection and privacy lawyers, as well as a thought leader regarding information, and its role in society and the economy. Mr. Serwin also serves as the CEO and Executive Director of the Lares Institute, a think tank focused on information management issues, and is also a member of the advisory team of the Naval Postgraduate School’s Center for Asymmetric Warfare.

Andy Serwin

Partner

Morrison & Foerster

(858) 720-5134

[email protected]


Understanding the Cyber Threat

• The cyber threat presents unique issues that are difficult to solve.


Cybersecurity

• Cyber-terrorism;

• Organized crime;

• Hacktivists; and

• Industrial espionage.


Examples of Information

• Your company creates, gathers, and processes a significant amount of information:

  • Financial information;

  • Information regarding individuals (employees, customers, or both);

  • Proprietary/confidential information:

    • Undisclosed M&A activity;

    • Business and marketing plans; and

    • Pricing;

  • IP;

  • Information regarding business processes, including process improvements;

  • Information regarding business trends;

  • Social data/user generated content;

  • Machine data; and

  • Many other forms of information.


Executive Order

• Executive Order 13636—Improving Critical Infrastructure Cybersecurity.

• The Framework is supposed to provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk for critical infrastructure.


Framework Version 1.0—February 12, 2014

• Document Overview:

• Section 2 describes the Framework components.

• Section 3 gives examples of how the Framework can be used.

• Appendix A presents the Framework Core in a tabular format.


Framework Version 1.0—February 12, 2014

• It is identified by NIST as a “risk-based approach” to managing cybersecurity risk.

• According to NIST, this permits organizations to prioritize cyber activities.

• Overview of the Framework:

  • Framework Core, consisting of:

    • Functions;

    • Categories;

    • Subcategories; and

    • Informative References.

  • Framework Implementation Tiers; and

  • A Framework Profile.

NIST Cybersecurity Framework – Impacting Your Company?

Sheila M. FitzPatrick

Global Data Privacy Counsel

Chief Privacy Officer

NetApp Confidential - Limited Use Only

NetApp at a glance…

Computer storage and data management company headquartered in Sunnyvale, CA.

Fortune 500 Company

– 6+ billion in FY13 revenue

– 13,000+ employees

– 150 offices worldwide

Leading data storage provider to the U.S. Government

#33 on FORTUNE “100 Best Companies to Work For” in 2014.


Why the NIST framework matters to our legal team and our business…

Monitoring and implementing the framework practices aligns with the NetApp legal team mission statement:

– “Guard the business, guide the company”

Cybersecurity risk can impact our bottom line

– Financial and reputational risk (avoid the “Target” effect)

The framework has imparted new obligations on our senior leaders

– Cybersecurity strategy must come from the top of the enterprise

Absent a codified regulatory scheme, the Framework “best practices” may become the de facto “reasonableness” standard

The framework aligns to the “common sense” approach we have already adopted


Legal team supporting the adoption of the Framework Core to our business processes

Framework Core functions:

Identify

Protect

Detect

Respond

Recover

• Dedicated CS-focused roles across relevant business units

• Critical review of supply chain and updated policies

• Established policies to balance CS with privacy concerns

• Proactive C-level involvement

• Participation in industry leadership forums

• Updated data retention and destruction policies

• Implemented intrusion detection capabilities

• Implemented a cross-functional Incident Response Team

• Well-defined data breach notification program

• Legal is the first point of breach contact

• Legal engages the Incident Response Team

• Legal drives the forensic investigation, determines the risk mitigation and communicates with regulatory authorities and impacted individuals


NetApp legal is responsible for finding a balance between privacy & cybersecurity

[Figure: balance between Cybersecurity and Privacy]


Intersection of Trust & Technology

[Figure: intersection of IT, Privacy, Legal, Security and Legal Obligations]

• Develop a data-protection-savvy program, including consents & notifications related to cyber attacks

• Monitor network traffic, not personal data

• Report breaches without revealing personal data


Symantec & the CSF

• Participated in the development of the CSF dating back to the development of the EO – so we knew it well.

• Began to use the CSF before it was even final –

– CISO used core functions to brief Audit Committee;

– CISO’s office used it to examine our security program.

• Proved to be a useful lens to examine what we’re doing and to challenge our assumptions.

• Mapping our internal security efforts to the core functions.

• Using it in two ways:

– For our own internal security; and

– To help customers examine their security needs.


Questions