Public Private Partnerships and National Input to International Cyber Security

Size: px
Start display at page:

Download "Public Private Partnerships and National Input to International Cyber Security"

Transcription

1 Public Private Partnerships and National Input to International Cyber Security 10 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia. U.S.A.

2 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

3 Sample* Areas of Law Security Regulations by Industry / Sector Information Sharing (Open Government, Privacy) Antitrust / Competition Criminal Law Tort Law Private Ordering (Contracts) National Security & Defense Law International Agreements / Law

4 Legal Complexities (?) in Cyber Military support to civil authorities (e.g., Estonia, U.S.) Agency? Clarity re: when business may be acting as agent of the state all parties understand when that happens and the ramifications (business expectations). Primers?

5 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

6 Organization Private Sector networks Government hierarchical Decisive leadership and vision Organization whom to go to to get things done Expertise Speed of solution Authorities for coordination Appropriations / Funding CERT MOD, Civilian

7 Organization Threat Mitigation (all state powers of coercion, private sector, users) State Defense (military, intelligence, interior / homeland) private sector when?

8 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

9 Strategy / Policy Strategy led, not tool led (mitigation, offense, defense) Strategy incorporates law & policy (permissible & preferable)

10 Strategy / Policy Examples re: CIP Cyber conflict between countries X & Y. Effects on CI in country A. Strategy for interference (harm to life, vs economy) Effects on CI in countries A, B, C. Coordinated strategies for interference? What if potential effects are worse in country B (size of economy, type of information society / vulnerabilities), and needs assistance in interference from country A (politically sensitive?) Risk Management (methodologies)

11 Methodologies Respondents identified 124 unique methodologies or techniques for security risk analysis. The top five accounted for only 28% of all responses. Top 5 Methodologies CARVER 14 RAM-x (C, D, W) 14 ARM/CRM 12 MSRAM 6 OPSEC 6 Some other answers: SHIRA, TRAM, RAMCAP, HLS-CAM

12 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

13 Measures for Security

14 Measures for Security

15 Measures for Security (flexibility? Coordination?)

16 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

17 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

18 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

19 TECH-LAW-POLICY RELATIONSHIP LAW the Permissible* TECHNOLOGY the Possible* POLICY the Preferable*

20 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics war crimes terrorist crimes critical information infrastructure protection jus ad bellum jus in bello neutrality

21 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics jus ad bellum war crimes terrorist crimes critical information infrastructure protection jus in bello neutrality

22 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics jus ad bellum war crimes terrorist crimes critical information infrastructure protection jus in bello neutrality

23 Breakout Sessions Laws and procedures are different per country (not necessarily endorsing consensus) Different threats Different vulnerabilities Different social groundworks International Heli: minimum standards, NATO Practical Effects (e.g., rapid response teams)

24 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions QUESTIONS?

25 Critical Information Infrastructure Protection Law CCD COE Training 8 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia. U.S.A.

26 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP

27 Defining CI 2007 Survey Netherlands France New Zealand Germany [A] sector was deemed critical if its breakdown or serious disruption could lead to damage on a national scale. All infrastructures that are vital to the maintenance of primary social and economic processes are considered critical sectors.... infrastructure necessary to provide critical services. Critical services are those whose interruption would have a serious adverse effect on New Zealand as a whole or on a large proportion of the population, and which would require immediate reinstatement. Critical infrastructures (CI) are organisations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order or other dramatic consequences.

28 Defining CIP 2007 Survey Australia Canada U.K.... those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well being of the nation, or affect Australia s ability to conduct national defence and ensure national security.... those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well being of Canadians or the effective functioning of governments in Canada.... those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could: cause large scale loss of life have a serious impact on the national economy have other grave social consequences for the community be of immediate concern to the national government.

29 Defining CIP 2007 Survey Belgium Finland... identifies three types of critical infrastructure: vital points, i.e. facilities that require protection because of their socio economic importance, e.g. nuclear plants, bridges, ports, etc.; sensitive points, i.e. facilities that require protection because of their importance for the national or allied defence potential; critical points, i.e. persons, public authorities, communities, buildings, facilities, places and goods which face a real or potential threat of political or criminal nature. Critical Infrastructure to Be Secured: Technological infrastructure of society Transportation, logistics and distribution systems Food supply Energy supply Social and health care arrangements Industry and systems related to national defence

30 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP

31 Sample* Areas of Law Security Regulations by Industry / Sector Information Sharing (Open Government, Privacy) Antitrust / Competition Criminal Law Tort Law Private Ordering (Contracts) National Security & Defense Law International Agreements / Law

32 Security Regulations by Industry Industry / Sector Specific Limited? Interconnections? Operations vs. safety vs. security Comprehensive? Culture / Policy Accountability

33 Information Sharing Required vs. Voluntary Public vs. Private Vulnerabilities AND Threats Third Party Access to Information Proprietary Info / Market Strength Increased Regulation Private lawsuits Privacy / Open Government Laws Within / Between Governments

34 Antitrust / Competition Law Private Sector Collaboration & Cooperation Information Sharing Relationship with Regulators Structures for Exemptions / Approvals Timely? Costly?

35 Criminal Law Wrongful Activity: Alteration / Deletion of Content Degradation / Damage to System Unauthorized Access Traditional Crimes (theft, insider trading, etc.) Intent (act vs. consequential harm) Damage Requirements Aggregation Timing Corporate Accountability Investigation & Enforcement (international)

36 Tort Law ISPs = Publisher or Distributor Slander / Defamation (waiver / immunity) Contributory Infringement (copyright) Negligence vs. Negligent Enablement E.g., Breach Notifications (legislative) Consequential Harm Evolution of Foreseeable (reasonableness) Likelihood of Bad Activity Likelihood of Harm (> intervening criminal act) Least Cost Avoider Contractual Relationship (definition of legal duty )

37 Private Ordering (Contracts) Private Re distribution of Risk Waivers / Immunities (e.g., software) User s Negligence Trumps (e.g., U.K. banking) Risk Assessment based on Knowledge Unequal Knowledge of Risks? Private Risk = Based on Business Practice Risk to Business Profitability Risk of Damage to Assets Risks when Government = Customer Awareness of Threat Levels Costs for Mitigation of Risks (e.g., Estonia vs. U.S.)

38 National Security & Defense Balance of Government Interests Security / Defense Intelligence Law Enforcement Emergency Powers Resource Allocation Control of Systems Prioritization of Restoration War Powers Use of the Military to Support Civil Authorities State Secrets Foreign Ownership (access & control)

39 International Agreements / Law Humanitarian Law NATO Mutual Cooperation Agreements (law enforcement)

40 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP

41 Policy Considerations for CIIP Access & Availability Identification, authentication, access controls, and auditing. Intrusion detection, firewalls, antivirus software. Network resilience, redundancy. Data storage, integrity, encryption. Protecting CII Human Factors Training / certification for technological capabilities. Organizational security programs, training, and oversight. End user education. Organizational Responsiveness To law enforcement and intelligence: technical requirements, information demands, etc. To regulators: Informational auditing, security plans, licensing requirements, etc. Proactive Abilities Awareness and monitoring of interdependencies. Threat identification and prediction.

42 Policy Considerations for CIIP Threats Threats to CII, and threats via CII (disruption & weaponization) WHO? HOW? WHY? Natural disaster. Insider. Associate (contractor / vendor). External (competitor / enemy). Human error (development or operations). Failure of awareness (human error at policy & management level). Deliberate act. Accident. To hurt the infrastructure operator. To hurt an entity reliant upon the infrastructure. Theft / Extortion. To hurt an economy.

43 Policy Considerations for CIIP CIIP Needs Credible monitoring of activity in the Internet and the network backbone. Early warning system. Incident tracking. Response protocols to escalation of incidents. Clearly defined frameworks for response and reconstitution. Trusted processes that enable intelligence transfer between public and private sectors. Alignment of physical CIP and cyber CIP. Establishment of common definitions, taxonomy, and standards. Dedication to the next generation (education & training). Decisive leadership & vision.

44 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP QUESTIONS?

45 SPECTRUM OF CYBER CONFLICT not patching the software breach of internal policy or regulations illegal interception crime armed attack cyber warfare breach of a legal obligation ISPs not reporting illegal activity terrorist activity + purpose to force the government or interfere with social structure of the state

46 LAW OF CYBER CONFLICT information society law not patching the software breach of internal policy or regulations criminal law illegal interception crime law of armed conflict armed attack cyber warfare breach of a legal obligation terrorist activity ISPs not reporting illegal activity + purpose to force the government or interfere with social structure of the state

47 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics war crimes terrorist crimes critical information infrastructure protection jus ad bellum jus in bello neutrality

48 INTERNATIONAL ORGANISATIONS NATO ICANN OECD COUNCIL OF EUROPE EUROPEAN UNION UN OSCE INTERNATIONAL TELECOMMUNICATIONS UNION UNESCO UNCITRAL

49 LEVELS OF CYBER INCIDENT MANAGEMENT INTERNATIONAL STATE ORGANISATION USER

50 LEVELS AND SOURCES OF LAW international treaties bilateral agreements customary law national constitution statutes regulations case law organisation contracts internal regulations soft standards best practices

51 AREAS OF CYBER INCIDENT MANAGEMENT DIPLOMACY INTELLIGENCE MILITARY POLICY LAW ECONOMICS

52 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

53 THE BOX

54 LEGAL AUTOMATION

Legal Issues / Estonia Cyber Incident

Legal Issues / Estonia Cyber Incident Control System Cyber Security Conference 22 October 2009 Legal Issues / Estonia Cyber Incident Maeve Dion Center for Infrastructure Protection George Mason University School of Law Legal Issues / Estonia

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U//FOUO) The United States lacks a comprehensive strategic international policy framework and coordinated engagement

More information

On the European experience in critical infrastructure protection

On the European experience in critical infrastructure protection DCAF a centre for security, development and the rule of law On the European experience in critical infrastructure protection Valeri R. RATCHEV ratchevv@yahoo.com @ratchevv DCAF/CSDM 1 This presentation

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015 Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015 Today s Agenda What are we talking about today? What is Risk Evolution of risk management Understand the importance of Risk

More information

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA JOÃO MANUEL ASSIS BARBAS Coronel de Artilharia. Assessor de Estudos do IDN INTRODUCTION Globalization and information and communication technologies

More information

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28),

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28), Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28), General appreciation of the issues of information security Information

More information

PROTECTION OF CRITICAL INFRASTRUCTURE AND THE ROLE OF INVESTMENT POLICIES RELATING TO NATIONAL SECURITY. May 2008

PROTECTION OF CRITICAL INFRASTRUCTURE AND THE ROLE OF INVESTMENT POLICIES RELATING TO NATIONAL SECURITY. May 2008 PROTECTION OF CRITICAL INFRASTRUCTURE AND THE ROLE OF INVESTMENT POLICIES RELATING TO NATIONAL SECURITY May 2008 This report is published under the OECD Secretariat's responsibility and was prepared by

More information

Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills

Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills April 4, 2012 Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills The chart below compares on civil liberties grounds four bills that seek to promote

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

CYBER SECURITY GUIDANCE

CYBER SECURITY GUIDANCE CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires

More information

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 Table of Contents Executive Summary 1 Introduction 2 Our Strategic Goals 2 Our Strategic Approach 3 The Path Forward 5 Conclusion 6 Executive

More information

ISO? ISO? ISO? LTD ISO?

ISO? ISO? ISO? LTD ISO? Property NetProtect 360 SM and NetProtect Essential SM Which one is right for your client? Do your clients Use e-mail? Rely on networks, computers and electronic data to conduct business? Browse the Internet

More information

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative Final Draft/Pre-Decisional/Do Not Cite Forging a Common Understanding for Critical Infrastructure Shared Narrative March 2014 1 Forging a Common Understanding for Critical Infrastructure The following

More information

Rogers Insurance Client Presentation

Rogers Insurance Client Presentation Rogers Insurance Client Presentation Network Security and Privacy Breach Insurance Presented by Matthew Davies Director Professional, Media & Cyber Liability Chubb Insurance Company of Canada mdavies@chubb.com

More information

Critical Infrastructure Security and Resilience

Critical Infrastructure Security and Resilience U.S. Department of Homeland Security in partnership with the National Coordination Office for Space-Based Positioning, Navigation and Timing Critical Infrastructure Security and Resilience International

More information

Harmful Interference into Satellite Telecommunications by Cyber Attack

Harmful Interference into Satellite Telecommunications by Cyber Attack Kobe and QM Symposium on International Law "Diversity of Transnational Criminal Justice" Harmful Interference into Satellite Telecommunications by Cyber Attack 10 April 2015 Yuri Takaya Research Fellow/Lecturer,

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

2 Gabi Siboni, 1 Senior Research Fellow and Director,

2 Gabi Siboni, 1 Senior Research Fellow and Director, Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,

More information

CYBER SECURITY INFORMATION SHARING & COLLABORATION

CYBER SECURITY INFORMATION SHARING & COLLABORATION Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Cyber intelligence exchange in business environment : a battle for trust and data

Cyber intelligence exchange in business environment : a battle for trust and data Cyber intelligence exchange in business environment : a battle for trust and data Experiences of a cyber threat information exchange research project and the need for public private collaboration Building

More information

Lessons from Defending Cyberspace

Lessons from Defending Cyberspace Lessons from Defending Cyberspace The Challenge of Addressing National Cyber Risk Andy Purdy Workshop on Cyber Security Center for American Studies, Christopher Newport College 10 28-2009 Cyber Threat

More information

Cyber Security Strategy for Germany

Cyber Security Strategy for Germany Cyber Security Strategy for Germany Contents Introduction 2 IT threat assessment 3 Framework conditions 4 Basic principles of the Cyber Security Strategy 4 Strategic objectives and measures 6 Sustainable

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Information Security Management System Policy

Information Security Management System Policy Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the

More information

The Comprehensive National Cybersecurity Initiative

The Comprehensive National Cybersecurity Initiative The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we

More information

2374-19. Joint ICTP-IAEA School of Nuclear Energy Management. 5-23 November 2012. Nuclear Security Fundamentals Module 9 topic 2

2374-19. Joint ICTP-IAEA School of Nuclear Energy Management. 5-23 November 2012. Nuclear Security Fundamentals Module 9 topic 2 2374-19 Joint ICTP-IAEA School of Nuclear Energy Management 5-23 November 2012 Nuclear Security Fundamentals Module 9 topic 2 EVANS Rhonda, IAEA Department of Nuclear Safety and Security Office of Nuclear

More information

Business-Facilitati on Steering Group APEC CYBERSECURITY STRATEGY

Business-Facilitati on Steering Group APEC CYBERSECURITY STRATEGY B APEC CYBERSECURITY STRATEGY Doc no: telwg26/ BFSG/22 Agenda item: Business-Facilitati on Steering Group Submitted by: USA delegation APEC CYBERSECURITY STRATEGY Contact: Joseph Richardson Email: richardsonjp@state.gov

More information

Cybersecurity y Managing g the Risks

Cybersecurity y Managing g the Risks Cybersecurity y Managing g the Risks Presented by: Steven L. Caponi Jennifer Daniels Gregory F. Linsin 99 Cybersecurity The Risks Are Real Perpetrators are as varied as their goals Organized Crime: seeking

More information

Business Continuity & Disaster Recovery

Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery Safety First Quality Every Time 1 Business Continuity & Disaster Recovery Planning Who here has a formal Business Continuity & Disaster Recovery plan? The purpose

More information

Navigating the Waters of Incident Response and Recovery

Navigating the Waters of Incident Response and Recovery Navigating the Waters of Incident Response and Recovery Lee Kim, Esq. Tucker Arensberg, P.C. CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 2013 Lee Kim

More information

Information Security Policy

Information Security Policy Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current

More information

Government Decision No. 1139/2013 (21 March) on the National Cyber Security Strategy of Hungary

Government Decision No. 1139/2013 (21 March) on the National Cyber Security Strategy of Hungary Government Decision No. 1139/2013 (21 March) on the National Cyber Security Strategy of Hungary 1. The Government hereby approves the National Cyber Security Strategy of Hungary laid down in Annex No.

More information

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you

More information

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies

More information

Information Security Management System Information Security Policy

Information Security Management System Information Security Policy Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Network security policy issues. Ilias Chantzos, Director EMEA & APJ NIS Summer School 2008, Crete, Greece

Network security policy issues. Ilias Chantzos, Director EMEA & APJ NIS Summer School 2008, Crete, Greece Network security policy issues Ilias Chantzos, Director EMEA & APJ NIS Summer School 2008, Crete, Greece 1 Sample Agenda Slide 1 The current threat landscape 2 IT security and policy leadership 3 The EU

More information

CYBER SECURITY STRATEGY OF THE CZECH REPUBLIC FOR THE 2011 2015 PERIOD

CYBER SECURITY STRATEGY OF THE CZECH REPUBLIC FOR THE 2011 2015 PERIOD CYBER SECURITY STRATEGY OF THE CZECH REPUBLIC FOR THE 2011 2015 PERIOD The 2011 2015 Cyber Security Strategy of the Czech Republic is linked to the Security Strategy of the Czech Republic and reflects

More information

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act In a flurry of activity, the U.S. House of Representatives last week passed two cybersecurity information sharing bills. Both the House Intelligence Committee and the House Homeland Security Committee

More information

Information Assurance. and Critical Infrastructure Protection

Information Assurance. and Critical Infrastructure Protection Information Assurance and Critical Infrastructure Protection A Federal Perspective Information Assurance Presented by the Government Electronics and Information Technology Association 2001 Executive Summary

More information

MynxNet Broadband Terms and Conditions

MynxNet Broadband Terms and Conditions MynxNet Broadband Terms and Conditions Updated 10/12/15 Introduction These terms form the basis of the services provided by MynxNet (referred to as Mynx, Mynxnet, we, us, or our ) to yourself and your

More information

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015 Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas

More information

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ APIP - Cyber Liability Insurance Coverages, Limits, and FAQ The state of Washington purchases property insurance from Alliant Insurance Services through the Alliant Property Insurance Program (APIP). APIP

More information

Law & Ethics, Policies & Guidelines, and Security Awareness

Law & Ethics, Policies & Guidelines, and Security Awareness Law & Ethics, Policies & Guidelines, and Security Awareness Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of

More information

1 Cyberspace and Security

1 Cyberspace and Security 1 Cyberspace and Security 1 Paper by Deputy Secretary of Defense William J. Lynn, Defending a New Domain: The Pentagon s Cyber Strategy, Foreign Affairs (Sep Oct 2010). In addition, an annual report by

More information

CYBER RISK SECURITY, NETWORK & PRIVACY

CYBER RISK SECURITY, NETWORK & PRIVACY CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection Page 1 of 5 Cyber Liability Insurance Data Security, Privacy and Multimedia Protection What is a Cyber Risk? Technology is advancing at such an alarming rate and business is more and more reliant on IT

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. BAG15121 Discussion Draft S.L.C. 114TH CONGRESS 1ST SESSION S. XXXX To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

More information

APPROPRIATE USE OF INFORMATION POLICY 3511 TECHNOLOGY RESOURCES ADOPTED: 06/17/08 PAGE 1 of 5

APPROPRIATE USE OF INFORMATION POLICY 3511 TECHNOLOGY RESOURCES ADOPTED: 06/17/08 PAGE 1 of 5 PAGE 1 of 5 PURPOSE Triton College s computer and information network is a continually growing and changing resource supporting thousands of users and systems. These resources are vital for the fulfillment

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION. H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

www.bonddickinson.com Cyber Risks October 2014 2

www.bonddickinson.com Cyber Risks October 2014 2 www.bonddickinson.com Cyber Risks October 2014 2 Why this emerging sector matters Justin Tivey Legal Director T: +44(0)845 415 8128 E: justin.tivey The government estimates that the current cost of cyber-crime

More information

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, 2013. February 12, 2013

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, 2013. February 12, 2013 THE WHITE HOUSE Office of the Press Secretary For Immediate Release February 12, 2013 February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical Infrastructure Security and Resilience The

More information

Information security due diligence

Information security due diligence web applications and websites W A T S O N H A L L Watson Hall Ltd London 020 7183 3710 Edinburgh 0131 510 2001 info@watsonhall.com www.watsonhall.com Identifying information security risk for web applications

More information

DATA BREACH COVERAGE

DATA BREACH COVERAGE THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000

More information

No. 33 February 19, 2013. The President

No. 33 February 19, 2013. The President Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Cyber Security Strategy

Cyber Security Strategy NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use

More information

Information Security Law: Control of Digital Assets.

Information Security Law: Control of Digital Assets. Brochure More information from http://www.researchandmarkets.com/reports/2128523/ Information Security Law: Control of Digital Assets. Description: For most organizations, an effective information security

More information

Cyber and data Policy wording

Cyber and data Policy wording Please read the schedule to see whether Breach costs, Cyber business interruption, Hacker damage, Cyber extortion, Privacy protection or Media liability are covered by this section. The General terms and

More information

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor Cyber Risks Management Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor 1 Contents Corporate Assets Data Breach Costs Time from Earliest Evidence of Compromise to Discovery of Compromise The Data Protection

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

A Community Position paper on. Law of CyberWar. Paul Shaw. 12 October 2013. Author note

A Community Position paper on. Law of CyberWar. Paul Shaw. 12 October 2013. Author note A Community Position paper on Law of CyberWar Paul Shaw 12 October 2013 Author note This law and cyberwar paper / quasi-treatise was originally written for a course in a CISO certification curriculum,

More information

Cybercrimes: A Multidisciplinary Analysis

Cybercrimes: A Multidisciplinary Analysis Sumit Ghosh Elliot Turrini Editors Cybercrimes: A Multidisciplinary Analysis fyj Springer Part I Introducing Cybercrimes 1 A Pragmatic, Experiential Definition of Computer Crimes 3 1.1 Introducing Computer

More information

Industry. Cyber Security. Information Sharing at the Technical Level. Guidelines

Industry. Cyber Security. Information Sharing at the Technical Level. Guidelines NATO Communications and Information Agency (NCI Agency) - Industry Cyber Security Information Sharing at the Technical Level Guidelines Effective date: 28 March 2014 Revision No: Rev 1 Change History Revision

More information

Coverage is subject to a Deductible

Coverage is subject to a Deductible Frank Cowan Company Limited 75 Main Street North, Princeton, ON N0J 1V0 Phone: 519-458-4331 Fax: 519-458-4366 Toll Free: 1-800-265-4000 www.frankcowan.com CYBER RISK INSURANCE DETAILED APPLICATION Notes:

More information

Legislative Language

Legislative Language Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking

More information

Cyber/ Network Security. FINEX Global

Cyber/ Network Security. FINEX Global Cyber/ Network Security FINEX Global ABOUT US >> We are one of the largest insurance brokers in the world >> We have over 180 years of history and experience in insurance; we currently operate in over

More information

DIVISION N CYBERSECURITY ACT OF 2015

DIVISION N CYBERSECURITY ACT OF 2015 H. R. 2029 694 DIVISION N CYBERSECURITY ACT OF 2015 SEC. 1. SHORT TITLE; TABLE OF CONTENTS. (a) SHORT TITLE. This division may be cited as the Cybersecurity Act of 2015. (b) TABLE OF CONTENTS. The table

More information

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Internet Safety and Security: Strategies for Building an Internet Safety Wall Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet

More information

Actions and Recommendations (A/R) Summary

Actions and Recommendations (A/R) Summary Actions and Recommendations (A/R) Summary Priority I: A National Cyberspace Security Response System A/R 1-1: DHS will create a single point-ofcontact for the federal government s interaction with industry

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

U. S. Attorney Office Northern District of Texas March 2013

U. S. Attorney Office Northern District of Texas March 2013 U. S. Attorney Office Northern District of Texas March 2013 What Is Cybercrime? Hacking DDOS attacks Domain name hijacking Malware Other computer related offenses, i.e. computer and internet used to facilitate

More information

London LAWN Terms of Service

London LAWN Terms of Service London LAWN Terms of Service 1. GENERAL This WiFi Service is an Internet access service provided by Downtown London in partnership with Turnstyle Solutions which provides you with access to the Internet

More information

Remote Deposit Service Terms and Conditions Personal and Business Accounts

Remote Deposit Service Terms and Conditions Personal and Business Accounts Remote Deposit Service Terms and Conditions Personal and Business Accounts In this Agreement, the words you and your mean the member who enrolls or uses the services described in this Agreement. The words

More information

Cyber Exposure for Credit Unions

Cyber Exposure for Credit Unions Cyber Exposure for Credit Unions What it is and how to protect yourself L O C K T O N 2 0 1 2 www.lockton.com Add Cyber Title Exposure Here Overview #1 financial risk for Credit Unions Average cost of

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Certification for Information System Security Professional (CISSP)

Certification for Information System Security Professional (CISSP) Certification for Information System Security Professional (CISSP) The Art of Service Copyright Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by

More information

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002 Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...

More information

BSA GLOBAL CYBERSECURITY FRAMEWORK

BSA GLOBAL CYBERSECURITY FRAMEWORK 2010 BSA GLOBAL CYBERSECURITY FRAMEWORK BSA GLOBAL CYBERSECURITY FRAMEWORK Over the last 20 years, consumers, businesses and governments 1 around the world have moved online to conduct business, and access

More information

Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY

Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY December 2013 Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND

More information

working group on foreign policy and grand strategy

working group on foreign policy and grand strategy A GRAND STRATEGY ESSAY Managing the Cyber Security Threat by Abraham Sofaer Working Group on Foreign Policy and Grand Strategy www.hoover.org/taskforces/foreign-policy Cyber insecurity is now well established

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460.

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460. Subject: Authoritative Policy: Procedure Number: Distribution: Purpose: Acceptable Use of Information Technology (former Ad Guide 1460.00) Standard Number 1340.00 Information Technology Information Security

More information

What Data? I m A Trucking Company!

What Data? I m A Trucking Company! What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West

More information

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA) Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA) MYTH: The cyber threat is being exaggerated. FACT: Cyber attacks are a huge threat to American lives, national security,

More information