The turnout was great, somewhere between 40 and 50 people, I didn't get an exact count. There were two sessions for the evening:
- A talk by Tom Stracener of Cenzic on XSS
- A panel discussion on Privacy with a pretty broad group of security folks and some people in adjacent areas such as Law and Privacy proper. The panel worked through four questions:
  - What is Privacy?
  - What are a company's obligations to protect Privacy? Legal, ethical, moral, good business sense, etc.
  - How do companies, especially large ones that operate in multiple states or are multinationals, deal with all of the different privacy regulations?
  - How do we integrate Privacy concerns into security operations, secure development, etc.?
The best discussion of the night in my mind came on point #3: how do large companies manage diverse privacy regulations and policies across jurisdictions?
All of the panelists in this area made two points:
- Set a baseline policy that encompasses the vast majority of your requirements and implement it across the board. This way you don't have to continuously manage to each specific privacy regulation, because you've already embodied them in your general policy.
- Setting the privacy policies and controls around it is an exercise in risk management. People don't often look at writing policies as managing risk, but that is exactly what policies do.
If nothing else was achieved last Thursday, we had great turnout for the local OWASP event, better than I've seen so far. We also got to try out part of the space that will be used for the fall conference. I think it went well, but I guess we'll have to get the other folks present to weigh in with their thoughts since I'm obviously a little biased.