State of South Carolina Policy Guidance and Training
|
|
- Alexander Booker
- 2 years ago
- Views:
Transcription
1 State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Human Resource (HR) and Security Awareness July 2014
2 Agenda Questions & Follow-Up Open Questions Policy Workshop Overview & Timeline Policy Overview: HR and Security Awareness Policy Risk Assessment Framework & HR and Security Awareness Policy Next Steps 2
3 Questions & Follow-Up 3
4 Policy Workshop Q&As The following questions were raised during the Mobile Security policy workshop for All Agencies: Question #1: Based on the requirements from the mobile security policy, does DIS have a recommendation for whether agencies can use a BYOD (Bring Your Own Device) approach? Answer #1: Policy does not explicitly prohibit BYOD. Each agency should make a determination whether it can adequately protect business data on user devices through a combination of policy, awareness, and technical means. Question #2: Building off the previous question, does DIS have a recommendation for whether agencies can use web mail, especially on personal devices? Answer #2: Policy does not explicitly prohibit BYOD. Each agency should make a determination whether it can adequately protect business data on user devices through a combination of policy, awareness, and technical means. 4
5 Policy Workshop Q&As The following questions were raised during the Mobile Security policy workshop for All Agencies: Question #3: Can we (as an agency) have separate policies for mobile devices and removable media? Answer #3: Agencies should apply security controls for removable electronic media (e.g. flash drives) similar to their controls for all magnetic or optical media (e.g. tapes, recorded CDs). Mobile devices will require additional protections due to their data processing and transmission capabilities. Protections for all of these types of devices may be documented together or separately, as the agency prefers. 5
6 Open Questions? 6
7 Policy Workshops Overview & Timeline 7
8 Activities Agencies TO DOs Policy Workshop: Timeline January DRAFT For Discussion Purposes Only Objective: Conduct bi-weekly policy workshops with selected agencies to review information security policies, address implementation challenges, risks and assist on gap analysis and action plans with the Agency-designated policy champions. March April May June July August April Policy: Policies: Policies: Policies: Policies: Policy: Asset Management Data Protection & Privacy Access Control Information System Acquisition, Development, Maintenance Threat and Vulnerability Management Business Continuity Management IT Risk Strategy Mobile Security HR & Security Awareness Physical & Environmental Security Facilitate bi-weekly Agency group workshops Review statewide policies Address key policy implementation challenges Conduct mini-gap analysis Discuss policy implementation plans Review Statewide policies and conduct mini-gap analysis Actively participate in breakout groups to discuss gaps and implementation challenges Identify remediation strategies and policy implementation plans 8
9 Policy Overview: HR and Security Awareness Policy 9
10 HR and Security Awareness: Key Requirements Human Resource Compliance Personnel Security Policy, Personnel Screening and Third-Party Personnel Security Agency shall define security roles and responsibilities for employees, contractors, and third party users. Agency shall conduct background verification checks on all candidates for employment, including contractors and third party users. Personnel Termination and Transfer All agency documents, property and materials in a terminated or transferred employee s possession or control shall be returned to the agency. 10
11 HR and Security Awareness: Key Requirements Security Awareness Training Role-Based Security Training All updates in organizational policies and procedures shall be accompanied by appropriate awareness training for all employees, contractors and third party users related to their job function. Training shall be accompanied by an assessment procedure to determine comprehension of key cyber security concepts and procedures. User access to information assets and systems will only be authorized to those who have passed their cyber security awareness training and are up to date with all subsequent learnings. 11
12 HR and Security Awareness: Key Requirements Security Awareness Training Testing, Training, and Monitoring Agency shall appoint a cyber-security awareness training coordinator, responsible for managing training content, schedules and user training completion status. The training coordinator, along with the Agency CISO/security manager role shall review training content on an annual basis such that it aligns with the State of South Carolina policies. 12
13 Risk Assessment Framework & HR and Security Awareness Policy 13
14 Risk Assessment Framework The Risk Assessment Framework, based on the National Institute of Standards and Technology (NIST ), was used as the basis to assess risk across the State Agencies using the fifteen (15) security domains (noted below): 14
15 HR and Security Awareness Policy: Risks & Remediation Strategies Risk assessments conducted with State Agencies uncovered a number of risks in environments with inadequately implemented Access Control Policy and procedures. Remediation strategies were created to help Agencies address gaps and implement necessary safeguards. Examples Overall Risks Identified Gaps Remediation Strategies 15 Lack of information security training Inappropriate access to information systems for terminated employees An ongoing information security awareness and training program does not exist within many agencies to train employees on the proper methods to protect sensitive data. Agencies do not provide risk designation for the positions/ designations. Many agencies do not have a defined process for terminations of contractors/ third parties. Many agencies have not established a formalized security training curriculum. Expand scope and frequency of the existing information security awareness and training program. Provide focused security training for employees based on role/ responsibility. Expand scope and measurement of the existing information security awareness and training program Develop a streamlined procedure to ensure contractors/ third party terminations occur in a timely manner. Develop a formalized information security training program for users which includes courses on information security and privacy.
16 HR and Security Awareness Policy: Challenges & Remediation Strategies for All Agencies DRAFT For Discussion Purposes Only Sample Challenges Examples Potential Solutions Role based security training Changing the security culture Generic and Role Specific Trainings: Provide generic security training to all employees (like SANS trainings etc.) Provide on-the-job trainings and role-specific trainings to the employees based on the role of the employee during recruitment, promotion or transfer. Certification requirements based on the level or designation of the employee (like CISSP for ISO, CCNA for Network Managers etc.,) Provide generic security awareness training to all employees, security seminars and conferences to change the security culture. Develop multiple methods used to drive the same security topic (e.g. trainings, posters, slogans, newsletters, , etc.) Provide tangible examples for employees to relate new security requirements to daily tasks (e.g. hard-paper with PII/FTI data). 16
17 Next Steps 17
18 Next Steps 1. Develop or update Agency s InfoSec policies to align with published State policies 2. Conduct Policy Gap Analysis 3. Develop Policy Implementation Plan of Action 4. Develop processes to enable the implementation of InfoSec Policies 5. Promote Agency-wide InfoSec policies awareness 6. Coordinate with DIS on training and guidance 18
State of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop All Agency Mobile Security July 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy Overview: Mobile Security
State of South Carolina Policy Guidance and Training
DRAFT For Discussion Purposes Only State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Information Systems (IS) Acquisitions, Development, and Maintenance Policy April/May
State of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop Small Agency Threat and Vulnerability Management Policy May 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy
State of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Business Continuity Management Policy June 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy
State of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop All Agency IT Risk Strategy June 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy Overview: IT Risk Strategy
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013 Revision History Update this table every time a new edition of the
State of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop All Agency Access Control Policy April 2014 Agenda Questions & Follow-Up Policy Overview: Access Control Policy Risk Assessment Framework
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored
DIVISION OF INFORMATION SECURITY (DIS)
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new
An Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
Logging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
Enhancing NASA Cyber Security Awareness From the C-Suite to the End-User
Enhancing NASA Cyber Security Awareness From the C-Suite to the End-User Valarie Burks Deputy Chief Information Officer, IT Security Division National Aeronautics and Space Administration (NASA) Agenda
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions
2015 Information Security Awareness Catalogue
Contents 2015 Catalogue Wolfpack Engagement Model 4 Campaign Drivers 6 Offerings 8 Approach 9 Engaging Content 10 Stakeholder Change Management 12 Bundles 13 Content 14 Grey Wolf -Track compliance with
INFORMATION PROCEDURE
INFORMATION PROCEDURE Information Security Awareness and Training Procedures Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY AWARENESS AND
Looking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
Technology Standard. Personnel Security Security Awareness and Training
Technology Standard Personnel Security Security Awareness and Training Version 2.0 Status: Updated 7/29/09 12/29/12 4/28/13 Contact: Coordinator of IT Network Security of LFCC PURPOSE Lord Fairfax Community
OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON
OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON PERIODIC INFORMATION SECURITY AND PENETRATION AUDITS OF THE EXECUTIVE BRANCH INFORMATION TECHNOLOGY SYSTEMS JULY 2016 SUBMITTED TO THE TWENTY-EIGHTH
Performing a Comprehensive Security Risk Assessment. Kate Borten, CISSP President, The Marblehead Group
Performing a Comprehensive Security Risk Assessment Kate Borten, CISSP President, The Marblehead Agenda Definitions Two Methodologies Self-Assessment Comprehensive Risk Assessment Practical Pointers Definitions
Cybersecurity@RTD Program Overview and 2015 Outlook
Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration
Compliance Services CONSULTING. Gap Analysis. Internal Audit
Compliance Services Gap Analysis The gap analysis is a fast track assessment to establish understanding on an organization s current capabilities. The purpose of this step is to evaluate the current capabilities
EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
Information Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza
Information Security Management System (ISMS) Overview Arhnel Klyde S. Terroza May 12, 2015 1 Arhnel Klyde S. Terroza CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor Internal Auditor at Clarien Bank
State of South Carolina Initial Security Assessment
State of South Carolina Initial Security Assessment Deloitte & Touche LLP Date: May 1, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is issued
NIST Cybersecurity Framework Overview
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
Building Security In:
#CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me
The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
Application for CISM Certification
Application for CISM Certification 4/2015 Requirements to Become a Certified Information Security Manager become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade
Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council
Voluntary Cybersecurity Initiatives in Critical Infrastructure Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org 2014 Utilities Telecom Council Utility cybersecurity environment is full of collaborations
Network Security: Policies and Guidelines for Effective Network Management
Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com
PREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY
BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA Application of SOUTHERN CALIFORNIA GAS COMPANY (U 0 G) for Review of its Safety Model Assessment Proceeding Pursuant to Decision 1-1-0.
Example Memorandum of Understanding
I. Purpose As part of the Community Building and Neighborhood Planning Program, a Memorandum (MOU) must be executed between the City of San Antonio Planning Department and the authorized representative
Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
Preparation for ISO 45001 OH&S Management Systems
Preparation for ISO 45001 OH&S Management Systems HEALTH & SAFETY MANAGEMENT QUALITY MANAGEMENT ACCESSIBILITY ENVIRONMENTAL MANAGEMENT ENERGY MANAGEMENT ISO 45001 TIMELINE ISO project committee ISO PC
Certified Identity and Access Manager (CIAM) Overview & Curriculum
Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management
COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction
Contents Acknowledgments Introduction 1. Governance Overview How Do We Do It? What Do We 1 Get Out of It? 1.1 What Is It? 1 1.2 Back to Basics 2 1.3 Origins of Governance 3 1.4 Governance Definition 5
Healthcare Privacy and Security: Workforce Competency. #privacysummit. Sean Murphy CISSP, ISSMP, HCISPP March 7, 2014
Healthcare Privacy and Security: Workforce Competency Sean Murphy CISSP, ISSMP, HCISPP March 7, 2014 Agenda: State of healthcare information protection Current solutions and impact Special environment
Audit of the Department of State Information Security Program
UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
ISO IEC GAP ANALYSIS TOOL 7. ISMS MANAGEMENT REVIEW GAP ANALYSIS QUESTIONNAIRE
7.1 PERFORM MANAGEMENT REVIEWS 1 Do you carry out management reviews of your ISMS? 2 Does your management carry out management reviews of your ISMS at planned intervals? 3 Does your management carry out
JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
Vendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link
CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com Background CASRO and Standards CASRO takes
The Changing IT Risk Landscape Understanding and managing existing and emerging risks
The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015
FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
State Governments at Risk: Time to Move Forward
State Governments at Risk: Time to Move Forward National Conference of State Legislatures Executive Committee Meeting Minneapolis, Minnesota May 21, 2016 About NASCIO National association representing
Privacy Engineering Objectives and Risk Model - Discussion Deck. Objective-Based Design for Improving Privacy in Information Systems
Privacy Engineering Objectives and Risk Model - Discussion Deck Objective-Based Design for Improving Privacy in Information Systems Purpose and Scope This discussion deck describes initial draft components
Cybersecurity in the States 2012: Priorities, Issues and Trends
Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State
Cyber-Security White Paper Final 1Q2013 Version. to HIT Commission Feb. 21, 2013
Cyber-Security White Paper Final 1Q2013 Version Recommended Priorities to HIT Commission Feb. 21, 2013 Background White Paper Origins June 2012 White paper development & security workshop Broad stakeholder
The Next Generation of Security Leaders
The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish
NASA OFFICE OF INSPECTOR GENERAL
NASA OFFICE OF INSPECTOR GENERAL OFFICE OF AUDITS SUITE 8U71, 300 E ST SW WASHINGTON, D.C. 20546-0001 April 14, 2016 TO: SUBJECT: Renee P. Wynn Chief Information Officer Final Memorandum, Review of NASA
IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES
NIST Cybersecurity Framework. ARC World Industry Forum 2014
NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy
Introduction to NICE Cybersecurity Workforce Framework
Introduction to NICE Cybersecurity Workforce Framework Jane Homeyer, Ph.D., Deputy ADNI/HC for Skills and Human Capital Data, ODNI Margaret Maxson, Director, National Cybersecurity Education Strategy,
Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013
Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy s gas and electric utilities collaborate with industry leaders and a wide range of
Personal Security Practices of the CAO
Personal Security Practices of the CAO 1. Do you forward your government email to your personal email account? 2. When is the last time you changed your Enterprise password? Within the last 60 days Within
Cybersecurity: The Legal, Legislative and Regulatory Outlook
Cybersecurity: The Legal, Legislative and Regulatory Outlook Jamie Barnett Rear Admiral USN (Retired) Co-Chair, Telecommunications Partner in Cybersecurity Practice Cybersecurity Impact and Costs Direct
Information Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
Briefing Report: Improvements Needed in EPA s Information Security Program
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Briefing Report: Improvements Needed in EPA s Information Security Program Report No. 13-P-0257 May 13, 2013 Scan this mobile code to learn
Publication Number: Third Draft Special Publication 800 16 Revision 1. A Role Based Model for Federal Information Technology / Cyber Security Training
This (Second) DRAFT of Special Publication 800 16 Revision 1 document has been superceded by the following draft publication: Publication Number: Third Draft Special Publication 800 16 Revision 1 Title:
EPA Classification No.: CIO-2150.3-P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015
Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY INTERIM AWARENESS AND TRAINING PROCEDURES V3.1 JULY 18, 2012 1. PURPOSE The purpose of this
Business Associates and HIPAA
Business Associates and HIPAA What BAs need to know to comply with HIPAA privacy and security rules by Dom Nicastro White paper The lax days of complying with privacy and security laws are over for business
SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS
1 SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS Synopsis SPSP Project Overview Phase I Summary Phase
INFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things
Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things aisa.org.a u aisa.org.a u Rebecca Herold, CEO The Privacy Professor 1 rebeccaherold@rebeccaherold.com Agenda Technology
Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
HOW TO IMPLEMENT ISO 9001
HOW TO IMPLEMENT ISO 9001 CHECKLISTS 2015 Page 1 Overview of - Quality management systems What needs to be in place? Before you start your quality journey or your organization has decided to review what
Certified Information Security Manager (CISM)
Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security
Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment
Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment Retail establishments have always been a favorite target of thieves and shoplifters, but today s worst criminals
IA Metrics Why And How To Measure Goodness Of Information Assurance
IA Metrics Why And How To Measure Goodness Of Information Assurance Nadya I. Bartol PSM Users Group Conference July 2005 Agenda! IA Metrics Overview! ISO/IEC 21827 (SSE-CMM) Overview! Applying IA metrics
U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems
U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)
Pathways to Empowered Security Leadership
Pathways to Empowered Security Leadership Meet BusinessX Major Retailer BusinessX doesn t have a CISO They just experienced a massive breach that cost millions and put the company in the public eye for
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION
How to use the National Cybersecurity Workforce Framework. Your Implementation Guide
How to use the National Cybersecurity Workforce Framework Your Implementation Guide A NATIONAL PROBLEM The Nation needs greater cybersecurity awareness. The US workforce lacks cybersecurity experts. Many
State of the States: IT Trends, Priorities and Issues
State of the States: IT Trends, Priorities and Issues OSC Financial Conference 2012 Doug Robinson, Executive Director National Association of State Chief Information Officers Fiscal recovery: budgets are
National Initiative for Cyber Security Education
2014/PPWE/SEM2/007 Agenda Item: 5 National Initiative for Cyber Security Education Submitted by: United States Women Business and Smart Technology Seminar Beijing, China 23 May 2014 NICE OVERVIEW Women
2014 Audit of the Board s Information Security Program
O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL
State Governments at Risk: The Data Breach Reality
State Governments at Risk: The Data Breach Reality NCSL Legislative Summit August 5, 2015 Doug Robinson, Executive Director National Association of State Chief Information Officers (NASCIO) About NASCIO
Cybersecurity Risk Management Activities Instructions Fiscal Year 2015
Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 An effective risk management program and compliance with the Federal Information Security Management Act (FISMA) requires the U.S.
RHODE ISLAND DEPARTMENT OF ENVIRONMENTAL MANAGEMENT. Office of Human Resources. 2000-2001 Program Work Plan Draft - August 1999
RHODE ISLAND DEPARTMENT OF ENVIRONMENTAL MANAGEMENT Office of Human Resources 2000-2001 Program Work Plan Draft - August 1999 I. Program Description: The Office of Human Resources performs all support
NIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
Top 10 Baseline Cybersecurity Controls Banks Aren't Doing
Top 10 Baseline Cybersecurity Controls Banks Aren't Doing SECURE BANKING SOLUTIONS 1 Contact Information Chad Knutson President, SBS Institute Senior Information Security Consultant Masters in Information
Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015
Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from
State of Information Security
State of Information Security Second Annual Assessment Study 2013 Table of Contents: Synopsis and Methodology _ page 2 A Snapshot of Participants _ page 2 Survey Findings _ page 5 Final Thoughts _ page
An Accelerated Pathway to Careers in Cybersecurity for Transitioning Veterans. NICE Annual Conference November 2015
An Accelerated Pathway to Careers in Cybersecurity for Transitioning Veterans NICE Annual Conference November 2015 Panelists David Brown, Director of CyberTalent at the SANS Institute, a new business unit
Privacy & Security Requirements: from EHRs to PHRs
Privacy & Security Requirements: from EHRs to PHRs Oct 28, 2010 Presented by André Carrington, P.Eng, CISSP, CISM, CISA, CIPP/C Director, Implementation, Privacy & Security, SPS Purpose As suggested by
Information Security @ Blue Valley Schools FEBRUARY 2015
Information Security @ Blue Valley Schools FEBRUARY 2015 Student Data Privacy & Security Blue Valley is committed to providing an education beyond expectations to each of our students. To support that
Vermont Information Technology Leaders
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:
Missouri Student Information System Data Governance
Nicole R. Galloway, CPA Missouri State Auditor ELEMENTARY AND SECONDARY EDUCATION Missouri Student Information System Data Governance October 2015 http://auditor.mo.gov Report No. 2015-093 Nicole R. Galloway,
SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT
SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT Through CGIAR Financial Guideline No 3 Auditing Guidelines Manual the CGIAR has adopted the IIA Definition of internal auditing
The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.
The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The Executive Order calls for the development of a voluntary risk based Cybersecurity Framework
Applying Framework to Mobile & BYOD
Applying Framework to Mobile & BYOD Framework for Improving Critical Infrastructure Cybersecurity National Association of Attorneys General Southern Region Meeting 13 March 2015 cyberframework@nist.gov
Guide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
FREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
Privacy Engineering & Assurance. The Emerging Engineering Discipline for implementing Privacy by Design
Privacy Engineering & Assurance The Emerging Engineering Discipline for implementing Privacy by Design 2014-09-08 Position Paper - 1 / 10 Nokia 2014 Contents 1 Introduction... 3 2 The Discipline... 4 3
Pennsylvania s Alignment & Implementation of the Call to Action
Pennsylvania s Alignment & Implementation of the Call to Action Erik Avakian, CISSP, CISA, CISM Chief Information Security Officer Commonwealth of Pennsylvania eavakian@pa.gov 1. Establish a Governance