|
Sun Shines on SB 1386
Case Study #1/SB 1386
A California law requiring firms to inform individuals if their personal information is compromised.
As she wrote the job description, Michelle Dennedy knew exactly the type of person Sun Microsystems needed as a chief privacy officer: someone who was sharp, flexible and could "hold hands with the CIO and CSO." Sun knew too: Dennedy.
Moving into the chief privacy officer role from that of senior counsel, she had her work cut out for her. Dennedy mapped out 100 countries' privacy laws with which Sun needed to comply--including the then-draft form of SB 1386--and met with Sun's privacy council, which draws people from human resources, IT and other departments for guidance. Dennedy and her team then worked with trade groups such as TechNet to shape the wording of SB 1386.
The end result: a comprehensive privacy policy that is enmeshed in Sun's corporate culture. Today, 75 people are on Sun's privacy council, which meets regularly, and SB 1386 is one of the topics covered in Sun's mandatory "fiduciary boot camp" for all employees. Each employee goes through periodic security-awareness training, and an intranet page is devoted to helping staffers understand the law and its ramifications. All e-mail coming into Sun goes through multiple levels of antispam and virus filters, and intrusion detection and identity management systems.
This three-pronged approach--"people, process and technology"--is necessary for Sun to adhere to SB 1386's requirements, Dennedy says.
SB 1386 covers a fairly narrow chunk of personal data, which Dennedy cites as a positive. "It's very important [that the information affected be well delineated] for the legislati...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
on to be effective, so you know when it is time to act," she says. "That awareness of data segmentation and mapping is the biggest lesson being learned out of all these [privacy] laws."
To bolster its networks against unauthorized access, Sun uses technology it helped develop via the Liberty Alliance: specifications that define open standards for Web services and federation technology to secure personal information. Companies--from product vendors to corporations--that adhere to Liberty Alliance specs in their applications may reduce the number of times users log in to networks and the number of passwords users must remember.
The focus of federation, Dennedy adds, is "sharing as little information as you have to with your partners. It's like booking travel: The car company doesn't care that you like an aisle seat, and the airline doesn't care that you need an economy car. Federation shares exactly what you need, without excess data [being transmitted]."
To help people understand what constitutes a breach that could trigger SB 1386's mandated processes, Dennedy tries to "talk to people all the time," she says.
"If an administrative assistant has her boss's password and she goes into his computer to check something, trying to be proactive, is that a breach?" According to Dennedy, the answer lies in a dialogue. Employees should talk to her about any privacy-related issue such as "a weird e-mail or a gating function in an application that doesn't seem to work. The important thing is that they tell me.
"You don't have to have 100 full-time [people] dedicated to data protection, but you do have that many people owning data, so everyone's input helps," she says.
--Amy Rogers Nazarov
|
 |
|
