|Security and Privacy: Trends, Tools & Techniques (2-Day Training)
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI
Christopher Grillo, CISM, CISA, CPA, CIPP, ITIL
Handling complex and difficult Privacy and Information Security risks and compliance requirements has moved to the top of
the list for companies maintaining customer and employee information. However, there are often gaps in communication
and coordination between Privacy and Information Security activities. These gaps create more complexity and bigger
challenges for companies to handle as well as putting the organization at greater risk for incidents, along with contractual
and regulatory noncompliance. Successful programs require the two strategies to be complementary and integrated
throughout all of the enterprise—within every business process stage and at every level within the organization. This
workshop will provide practical knowledge and tools to address complex privacy and information security issues within
your organization as well as learn how other organizations are handling these Privacy and Information Security
Through discussing key trends, legal requirements and frameworks that are common to both areas, attendees will learn
how privacy and security teams can effectively work together. Participants will take away several resources and tools
they can start using right away to help successfully meet these complex and difficult challenges.
Privacy and Information
Security Trends. We will discuss
security activities within 20
important convergence trends for
which businesses must be aware.
We will define and discuss the
Privacy and Security roles,
well as business processes that
are most impacted by Privacy and
Security processes and initiatives.
Privacy Laws and Strategy. We
will provide an overview of the
many laws and regulations that
organizations must be aware of
and address, including those most
current. We will also discuss
effective privacy strategies and the
business impact of privacy,
including common regulatory and
Information Security Strategy.
We will discuss effective security
strategies and the business impact
of security, such as those relating
to risk management and
regulatory compliance. We will
provide a practical method of
incorporating industry best
practices into any organization
within every phase of the systems
methodologies for best business impact
- Instill understanding of privacy and information security issues and governance
how to establish partnerships to most successfully address all the accompanying issues
- Instill understanding of how to use existing governance frameworks to successfully integrate
privacy and information security throughout the entire organization
- Instill understanding of the major privacy and information security common challenges and
incident planning, implementation, and execution.
- Learn the legal ramifications and necessary key compliance activities necessary to
demonstrate regulatory and legal due diligence and establish a standard of due care that
supports business success
- Learn to create an actionable roadmap for coordinating privacy and information security
activities within the organization
- Learn key security and privacy metrics for evaluating effectiveness and demonstrating value
- Instill understanding of the importance of partnering information security and privacy in
Attendees Will Leave With:
and due diligence toolkit
- A valuable set of course materials attendees will be able to use as a reference on an ongoing
basis immediately upon returning to the office
- A ready-to-use information security and privacy program planning toolkit and sample
framework that participants can customize to fit their organizational needs
- Sample IT controls for privacy and information security for regulatory compliance
- A usable information security and privacy posture assessment and metrics tools and along
with a visual roadmap generator
- Privacy impact assessment worksheet and project plan
- An excerpt from a business partner and vendor security and privacy program assessment
- A security and privacy contract clause considerations checklist
- A comprehensive listing of useful security and privacy references and resources
measuring the security and privacy strategy.
We will discuss at length the five most common overlapping privacy and information security areas that have the most impact to businesses.
For the first common area we will discuss how privacy and information security policies and procedures must be in sync, and the issues
involved with making them effective. The second common area will demonstrate the needs and values for privacy impact assessments
(PIAs) and information security risk assessments, and how the two types of activities should be coordinated to realize greatest business
value. Participants will perform at least one PIA case study, using a provided PIA worksheet and project plan. The third common area will
address the critical need for business partner and vendor privacy and security program reviews and what to include within the associated
contracts. Common area four will provide details about the systems development life cycle (SDLC) and how to effectively address and
incorporate privacy and security controls within every phase of an SDLC. Common area five will provide important information all
organizations must know about incident response for both privacy and information security, in addition to providing the key components of
an effective response plan. We will provide case studies and exercises throughout the day to support and demonstrate how these common
areas impact business, and the ways in which privacy and information security must partner.
Rebecca Herold Bio
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, “The Privacy Professor”® is an information privacy, security and regulatory compliance
consultant, author and instructor with her own company, Rebecca Herold & Associates, LLC, since mid-2004. Rebecca has over two
decades of information privacy, security and regulatory compliance security experience, has created and implemented corporate strategies
and programs and provided numerous security and privacy services to organizations in a wide range of industries throughout the world.
Rebecca was named one of the “Best Privacy Advisers” in two of three categories by Computerworld magazine in 2007 and 2008. In 2008
Rebecca’s blog was named one of the “Top 50 Internet Security Blogs” by the Daily Netizen. Rebecca was also named one of the "Top 59
Influencers in IT Security" for 2007 by IT Security magazine. The information security program Rebecca created for Principal Financial
Group, where she worked for 12 years, received the 1998 CSI Information Security Program of the Year Award.
Rebecca has authored many books and is currently authoring her 14th and 15th. Some of them include The Privacy Papers (Auerbach)
in 2001, co-authored The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach) in 2003, Managing an Information
Security and Privacy Awareness and Training Program (Auerbach) in 2005 with the 2nd edition being published in 2010, the Privacy
Management Toolkit (Information Shield) in 2006 and co-authored Say What You Do in 2007. Rebecca is the editor and primary
contributing author for the “Protecting Information” quarterly subscription security and privacy awareness multi-media publication
(Information Shield). Rebecca also provides effective training products, such as “The Privacy Professor’s Security Search #1.” Rebecca
has authored chapters for dozens of books along with over two hundred other published articles. She has been writing a monthly
information privacy column for the CSI Alert newsletter since 2001 and regularly contributes articles to other publications. Rebecca has a
B.S. in Math and Computer Science and an M.A. in Computer Science and Education.
Rebecca is also an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program, and has been
a frequent and requested speaker at organizations, conferences and seminars for the past several years. You can contact Rebecca here
or on twitter using PrivacyProf.
Christopher Grillo Bio
Christopher Grillo, CPA(inactive), CISM, CISA, CIPP, ITIL is the Director of Information Security for Medica Health Plans. Chris is a
business focused and technically adept leader with over 15 years of experience in information security, privacy, risk management, audit,
and IT consulting in various industries. Chris has a proven track record of implementing and maintaining effective Information Security programs
in various industries.
Prior to joining Medica, Chris was the Director of Information Security at Pearson Education where he led the global Information Security
Program. Chris also held Information Security management positions at highly diverse and regulated companies with business operations
in energy, auto, finance, and software development. In addition, Chris served as Sr. Principal Consultant at Guardent and Canaudit, where
he led comprehensive information security and privacy engagements.
Chris is the author of several seminars such as: Handling Complex and Difficult Privacy and Information Security Issues, Enterprise Security
Management, Security Awareness, Acquiring Information Security Tools, and Auditing System Development. He has published several
articles and has been quoted in popular magazines such as InformationWeek, Computerworld and the CSI Alert.
Chris is an active member in various Information Security and Audit Associations, Privacy groups, and has served as chairperson of the
Computer Security Institute (CSI) Advisory Council. Chris can be reached at firstname.lastname@example.org.