IAPP Privacy Security Risk 2015 · 2015-09-25

Marriott Proprietary & Confidential · IAPP Privacy Security Risk 2015 · Thursday, October 1st, 2015


Page 1

Marriott Proprietary & Confidential

IAPP Privacy Security Risk 2015

Thursday, October 1st, 2015

Page 2


A Tour de Force: How to Take Your Privacy and Security Program to the Next Level

Privacy determines what needs to be protected.

Security determines how best to protect it.

Speakers: Kathy Memenza, Senior VP, IT Security and Privacy, Marriott International; Dorene Stupski, CIPP/C, CIPP/US, Director of Information Protection and Privacy, Marriott International

This topic is about taking your program to the next level. We will discuss how privacy and security can join forces to build a privacy/security program and take it to the next level. Now that you have the basics in place, what do you do next, and how do you really operationalize your program?

What you’ll take away:

• Obtain examples of how to operationalize Privacy by Design and Security by Design
• Obtain real examples of privacy/security tools built in-house with low budgets
• Obtain examples of how to train and communicate to all levels of associates

Page 3


Why are Cyber Threats Growing?

The Internet has become so integral to life:

• 2015: 3 Billion Devices
• 2020: 13 Billion Devices

Supply chains are increasingly interconnected:

• Avg. Global Company: 900 Service Providers
• Marriott: 750 Service Providers

Cyber Black Market is more profitable than the illegal drug trade ($3 Trillion)

Hackers can earn $10 - $20k per hour

People can be the weakest link:

• 90% of breaches are caused by employee mistakes
• “Phishing” attacks are on the rise

Sample of Breaches 2014/2015:

• 110 Million Records (Credit Cards and Customer PII)
• 350,000 Records (Credit Cards and Debit Cards)
• 800,000 Records (Account IDs, Phone Numbers)
• 310,000 Records (SSN, DOB)
• 12 Million Records (Bank Account, Employment Details)
• 3 Million Records (Credit Cards, Expiration Dates)
• 310,000 Records (SSN, DOB, Billing, Diagnosis)
• 145 Million Records (Pswds, Addresses, DOB, Phone Numbers)
• 4.5 Million Records (SSNs, DOB, Address, Phone #s)
• 868,000 Records (Names, Credit Cards)
• 350,000 Records (Credit and Debit Cards)
• 80 Million Records (SSNs, DOB, Address, Phone #s)
• 145 Million Records (SSNs, DOB, Insurance, Diagnosis)
• 21.5 Million Records (Names, SSNs, DOB, Address, Phone #s)
• 6 Million Records (Addresses, Phone, Email)

Page 4


The Scale of Cyber Threats

• $400B: Annual economic breach impact
• $12.69M: Average cost per breach
• 50% of the time, users click links in phishing emails within the first hour
• 60%: Attackers compromise an organization within minutes
• 23% of breaches are attributable to third party vendors
• 650% ▲ Malware (390k new malicious programs/day)
• 66% ▲ Detected security incidents per year

Chart: Malware Growth 2006-2015

Page 5


Don’t get stuck in old ways of thinking…


Page 6


Inherent Tensions between Privacy & Security

Right to Privacy vs. Importance of Surveillance

Privacy and Security are in the same foxhole – we need to work as a team in order to overcome formidable obstacles.

• Most facets of our work intersect
• Requires a workable equilibrium
• Can provide both privacy & security by partnering
• Added-on privacy or security creates conflicts

Security and Privacy Joining Forces! Why is this Important?

Diagram: overlapping circles labeled Privacy and Security

Page 7


Step 1: Create a Successful Partnership:

• Start by creating a shared vision & mission
• Make sure each partner's needs and expectations are addressed
• Identify and utilize the strengths of each partner
• Create a common language and common understanding
• Handle disagreements, disappointments and frustrations early
• Leave your ego at the door

TRUST is paramount!

How to Take Your Privacy and Security Program to the Next Level

Page 8


Where do Marriott’s Privacy and Security teams Partner and How Do our Processes Intersect?

Answer: Everywhere. More Risk = More Engagement

Where we Partner: PROJECT Framework, 3RD PARTY Assessments, CLOUD Framework, INCIDENT Response, RISK Assessment, Mergers & Acquisitions

Intersections:

• All Projects: Sales & Marketing, Digital, HR, Operations, IT
• Regulatory & PCI Compliance: In Country Registrations, Safe Harbor
• Mergers & Acquisitions: Data transfers and Cyber controls
• Business and Property Processes
• Fully Integrated Project Lifecycle & Stage Gates
• Data collection, transfers and handling: Applications, Social media, Cookies, Websites
• Training & Awareness

Page 9


Working to Simplify Engagement

Combining multiple engagement channels into a single engagement process

Request Center Forms:

• Third party hosting assessment
• Business continuity request
• Policy exception request(s)
• Risk management request
• Lost or stolen device notice
• High risk data access requests

Phone & Email:

• Privacy consulting
• Security consulting
• Investigations request

Our Work in Progress

Page 10


Privacy/Security Training & Communication

Training:

• Region Specific Training
• Role Based Training
• Computer Based Training
• Instructor Led Training
• Discipline Specific Training
• On Site Training
• Cross Discipline Training
• Mediapro Training

Webinars:

• Franchises & Owner Webinars
• PCI Webinars
• Discipline/Role Specific Webinars

Awareness Programs:

• Privacy & Security Day
• Posters
• Privacy & Security Brochures
• Privacy & Security Booths at Company Sponsored Events

Privacy & Security Staff: 51 combined Certifications

Governance Committees:

• Audit Committee
• Information Security & Privacy Governance Committee
• Corporate & Continental Legal & Ethical Compliance Committee
• Information Protection & Privacy Committee
• Privacy/Security Account Managers

Page 11


Risk Assessment/Acceptance Methodology

Risk score matrix (rows: Business Impact; columns: Likelihood of Incident Scenario):

                     Likelihood of Incident Scenario
Business Impact      Very Low         Low          Medium       High       Very High
                     (Very Unlikely)  (Unlikely)   (Possible)   (Likely)   (Frequent)
Very Low             0                1            2            3          4
Low                  1                2            3            4          5
Medium               2                3            4            5          6
High                 3                4            5            6          7
Very High            4                5            6            7          8

Risk log columns (as shown on the slide): Risk No | Challenge or Risk | Risk Level | Marriott Requirement | Abuse Cases | Comments | Suggestions

Risk categories: Security Risks, Privacy Risks, Legal Risks

Page 12


New Privacy and Security Framework

Ensures applications and systems meet regulatory expectations and industry best practices

Creates reusable patterns

Helps make projects easier and faster to implement

Demystifies requirements through pre-defined controls

Assesses providers and vendors against a common set of capabilities

Page 13


Privacy & Security Demystifying Requirements

Modularize Offerings:

• Privacy & Security Programs
• Safe Harbor Certification Program
• Hosted Service Providers
• MIP-34 Process
• PAMS (Privacy Account Managers)
• SAMS (Security Account Managers)
• Data Classification & Security Patterns
• Privacy & Security Decision Tree
• Privacy & Security Portal - SDLC

Page 14


Case Study:

50% of Marriott’s systems will be moved into the cloud in the next two years, and all new applications will be built in the cloud.

Page 15


We Built Our Framework on Regulatory Expectations and Best Practices

Inputs: Privacy/Security Laws, Cloud Security Alliance, NIST Framework, Regulations such as SOX and PCI, Int’l Standards Organization-27001, Marriott’s Policies and Standards

• Defined over 460 controls
• Evaluated each control against Service and Deployment Model and Solution Design
• Adopted a risk-based approach, assigning different levels of controls for different levels of risk

Multidimensional Framework: Data Classification (by Country) × Cloud Service and Deployment Model × Solution Design → Outcome

Data Classification:

• Credit Card Data → High Risk
• Restricted
• Non-Public
• Public

Service Model:

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

Deployment Model:

• MI Data Center
• Public
• Private
• Hybrid
• Community

Page 16


MARRIOTT’S DATA CLASSIFICATION

DIFFERENT “CLASSES” OF DATA = DIFFERENT CONTROLS

Page 17


Marriott Security and Privacy Framework Components

Data classes, ordered from More Risky to Less Risky:

• High Risk
• Restricted
• Non Public
• Public

PCI data is called out separately on the slide.

Security and Privacy Pattern: “What needs to be done”

Architectural Solution

Page 18


Decision Tree Portal

In order to support the Plan intake process, the Information Protection & Privacy and Enterprise Security teams are building a system that will provide privacy and security guidance to the project team.

This system will guide a user through a series of questions during the Business Modeling and Planning phase. Answers to those questions will determine a specific set of recommendations.

This system will use decision tree logic to produce a repeatable set of requirements based on the type and volume of data involved, the countries that the data is stored in, and the application architecture.
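The decision-tree intake described here and the likelihood × impact matrix from the Risk Assessment/Acceptance Methodology page can be sketched together as a small helper. This is an added example, not Marriott's portal code: the control names are taken from the deck, while the element-to-class mapping, the branch rules and the Intake fields are assumptions made for illustration.

```python
# Added example, not Marriott's code: an intake helper in the shape of the
# deck's risk matrix and decision-tree portal. Control names are taken from
# the deck; the element-to-class mapping and branch rules are assumptions.
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]   # both matrix axes
CLASSES = ["Public", "Non-Public", "Restricted", "High Risk"]  # ascending risk

# Constructed mapping: the deck only states that credit card data is High Risk.
ELEMENT_CLASS = {
    "email": "Non-Public", "phone": "Non-Public",
    "dob": "Restricted", "ssn": "Restricted",
    "credit card": "High Risk",
}


def risk_score(likelihood: str, impact: str) -> int:
    """Risk matrix: each axis is indexed 0..4 and the cell value is the sum (0..8)."""
    return LEVELS.index(likelihood) + LEVELS.index(impact)


@dataclass
class Intake:
    data_elements: list    # e.g. ["email", "credit card"]
    countries: list        # where the data will be stored
    deployment_model: str  # "MI Data Center", "Public", "Private", "Hybrid", "Community"
    service_model: str     # "IaaS", "PaaS", "SaaS"


def classify(elements) -> str:
    """The highest class among the data elements selects the pattern."""
    return max((ELEMENT_CLASS.get(e, "Public") for e in elements), key=CLASSES.index)


def requirements(intake: Intake) -> dict:
    """Walk the (assumed) decision tree: data class first, then hosting, then countries."""
    pattern = classify(intake.data_elements)
    controls = []
    if pattern == "High Risk":
        controls.append("PCI compliance")
    if intake.deployment_model != "MI Data Center":   # hosted outside Marriott
        controls.append("third party hosting assessment")
        if intake.service_model == "SaaS":            # provider runs the application too
            controls.append("assess provider against common capabilities")
    if len(intake.countries) > 1 and pattern != "Public":
        controls.append("cross-border data transfer review")
        controls.append("in-country registration check")
    return {"pattern": pattern, "controls": controls}
```

Because the matrix is additive, the same score can come from a frequent low-impact scenario or a rare high-impact one, so the Risk Level column still needs a human acceptance decision.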