Building Best Practices for Effective Monitoring of a Third Party s Incident Event Management Program. A Shared Assessments Briefing Paper

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Building Best Practices for Effective Monitoring of a Third Party s Incident Event Management Program. A Shared Assessments Briefing Paper"

Transcription

1 Building Best Practices for Effective Monitoring of a Third Party s Incident Event Management Program A Shared Assessments Briefing Paper

2 Abstract Just 43% of incident management professionals report their organization has a formalized incident management plan and only 9% deem their program to be very effective. 1 In addition, coordinated and active vendor involvement is generally not part of an outsourcing organization s program, even when a plan is in place. As vendors account for a significant portion of breached data, incident costs, and reputational damage, they must begin to play an active role in response planning, preparation, execution, and remediation. This paper outlines a best practices model of incident event management program creation that directly involves third party providers. Shared Assessments has examined and outlined best practice processes for outsourcing companies. The result is a robust reference tool and practical third party risk assessment and monitoring recommendations for each phase of incident event management (pre, during, and post incident). A methodology and step-by-step guideline for third party incident event management planning, policies, and procedures are presented, which can be tailored to each relationship depending on vendor type. The supplemental assessment guide published here will help organizations to: 1. Be better prepared against the now-inevitable possibility of an incident. 2. Have a coherent, coordinated plan for managing third party incident control, reporting, and remediation. Issue Landscape There is an increasing mandate for organizations to know their vendors and apply industry standards for operational, financial, and information security related risks to all outsourced vendors and their sub-vendors. The SANS Institute reports a myriad of issues that negatively affect incident event management professionals in their efforts to establish an effective program. A primary barrier identified is the lack of time to review and practice hands-on walkthroughs and mock exercises that test incident response procedures. Other significant issues include: Definitions of the term incident are often too broad and vary by service type, which places strain on incident management teams. 2 Term use spans the gamut: network breaches; malicious software; unauthorized access/ removal of sensitive data from both internal and external sources; loss of intellectual property through misuse, theft, or loss; possible compromise of insecure or fourth party data repositories; and interruption of services through network disruption due to software issues all of which can have catastrophic ramifications. Most organizations report that they lack formal collection techniques and analysis surrounding threat intelligence just 31% attempt to perform attacker attribution as part of organizational incident analysis. This prevents identification of the root cause (control lapse or newly evolved breach path) and proactive information sharing, further thwarting capacity building efforts both within the organization and within the incident response field. In response, these professionals are seeking to improve organizational analysis and reporting capacity by focusing on use of Security Information and Event Management (SIEM) tools. Scoping and remediation are the calibration points most targeted by the 68% of SANS respondents who report their main focus to be SIEM tool improvements. 3 Risk Management Approach Recommendations: Implications for Practice Effective third party due diligence demands a higher level of review than is presently being performed. It requires a more proactive approach and a thorough review of the risks involved in outsourcing each type of service to a vendor, as well as the possible disruption of service that could result from an incident. 1 Incident Response: How to Fight Back: A SANS Survey Torres, A. SANS Institute InfoSec Reading Room. August Sponsored by AccessData, AlienVault, Arbor Networks, Bit9 + Carbon Black, HP, and McAfee/Intel Security. 2 NIST defines an event as any observable occurrence in a system or network and a computer security incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Computer Security Incident Handling Guide NIST SP r2. August, Incident Response: How to Fight Back: A SANS Survey Torres, A. SANS Institute InfoSec Reading Room. August Sponsored by AccessData, AlienVault, Arbor Networks, Bit9 + Carbon Black, HP, and McAfee/Intel Security Shared Assessments Program. All rights reserved. 2

3 To be effective, organizations must begin to determine and address the key questions for establishing best practices, which include designating the area within the corporate structure responsible for building a coherent pre-incident plan and the area responsible for understanding root causes when they do occur. The latter is particularly important, since trust can be compromised during the incident. Determining best use of staff involves considering and validating at both the internal and vendor levels: 1. The need for an incident response team. 2. The types of expertise that team carries. 3. The documentation of each team member s roles and responsibilities. Organizations should set the goal of validating three interrelated segments of incident event management: 1. Pre-incident preparation (planning and testing). 2. Incident response that executes the plan and holds to its integrity. 3. An active response to lessons learned and retention. The following graphic shows a comprehensive overview of an incident process lifecycle that includes process repeatability. The preliminary best practices guide below was designed during this project. It leverages each of the phases and interrelated segments identified above. This outline can be utilized by organizations as a quick how to guide for effective third party incident event management. Pre Incident Framework Processes - Preparation Related Concerns for Best Practice Define Incident Types 1. Identify incident types by severity (e.g., loss of control of hard copy records vs. cyber breach). 2. Weight incident type by severity. 3. Define and weight incident handling priorities by type: Protect (human life and information). Collect (analysis of event). Prevent (damage to systems, restore). 4. Declare what response should be used based on severity rating. Does data loss require notification? 2015 Shared Assessments Program. All rights reserved. 3

4 Pre Incident Framework Processes - Preparation Related Concerns for Best Practice Planning Contract Development Evaluate Framework Controls Incident Policies and Procedures Incident Response Team Definition 1. Determine industry best practices. 2. Determine what controls are in place. 3. Be proactive on both vendor and outsourcing organization sides re: forensics investigations. 4. Develop standard of who/when/ how soon to notify, including backup protocol and information required. 5. Determine what scribe/tool rules will be used. 6. Establish an investigation playbook. 1. Set guidelines based on requirements. 2. Ensure contract includes: Service oriented architecture(s). 24x7 service level agreement(s) (SLAs). Legal representation. Cybersecurity insurance. Vendors MUST notify by incident type; specify time frame. No-fault/no-fear clause. Business continuity plan. Clearly defined escalation processes. Annual assessment allowance. Define limits of data access. 1. Define types of data and relative risk (e.g., regulated/unregulated, physical data, etc.). 2. Define potential root causes. 1. Evaluate whether third party has the people, process and technology in place to fulfill scoped requirements. 2. Determine if type of vendor insurance is appropriate to outsourcing need. 3. Meet with vendors often (monthly). 1. Define roles and responsibilities. 2. Identify incident coordinator/ quarterback and backup coordinator protocol. 3. Identify POC for data owner: IT/ legal/communications. 4. Outsourcing company should be notifying party. What is the plan? Documented/undocumented? How mature is the plan? Is it being tested and how (e.g., simulated forensics investigations)? Lessons learned from testing? How often is the plan updated? Is data shared appropriate to need? Identify prior breaches/handling by vendor? Escalation processes should be tied to industry standards. Understand vendor s standard contract needs. How to promote information sharing? How will execution be evaluated? Where can data owner step in during incident? What are consequences of failure to perform (including penalties/ termination)? Are there monitoring, control logs, evidence? Pen testing - are they performed regularly internally and externally; at what intervals; are they performed by credentialed pen testers? Which party is responsible for cybersecurity insurance and/or costs associated with investigation and/or damages? Can a repeatable incident response process be demonstrated? Structured/unstructured? Ad hoc/best practice? What is the plan? What should it include? When was last simulated incident response test? Select team by inventory and role. Regulatory requirements may determine notification channel/ medium Shared Assessments Program. All rights reserved. 4

5 Pre Incident Framework Processes - Preparation Related Concerns for Best Practice Crisis Management Planning 1. Identify stakeholders/escalation points: Internal (board of directors/it security/risk teams/hr/public relations/privacy/legal). Third party. 24x7 SLAs responding to data owner. Regulatory notification POC. Law enforcement. Customers. Internet/social media threat detection. Cyber insurance. Notification and credit monitoring. Investigation/ client protections. Is there a board of director s risk committee? Does the primary have contracts with the third party to ensure notification? During Incident Identification Containment Notification (if applicable) Framework Processes Identification/ Containment Eradication Recovery 1. Run pre-established plan: incident identification, escalation, investigation, and classification. 2. Determine under what classification the incident falls (use PHI/PII definition from Shared Assessments SIG). 3. Document/store incident information once scenario becomes critical (as defined based on pre-incident weighted severity by type). 1. Monitor tasks with third party. 2. Reduce impact. 3. Receive vendor containment reports. 4. Revise as necessary. 5. Suspend information sharing, if needed. 1. Reporting based on incident categories. 2. If appropriate, contact local, state, or federal law enforcement. Maintain internal/external communications. Related Concerns for Best Practice Follow pre-determined workflows by incident type based on predetermined severity of event by type. What detective controls are used to identify an incident and reduce its impact? What does each stage of the incident lifecycle process reveal? Is information collected and preserved that facilitates event forensic analysis? Was system damage prevented? Acquire, preserve, secure and document evidence, as appropriate. How do you make decisions if the vendor has deviated from their plan? What/when do you need to report to the CEO? Consider connection implications (direct/indirect). When should an incident be reported? What type of notification channels are used? How can you best maintain information sharing with external stakeholders? B2B or B2C? 2015 Shared Assessments Program. All rights reserved. 5

6 During Incident Eradication and Recovery Framework Processes Identification/ Containment Eradication Recovery 1. Remove the cause. 2. Acquire, preserve, secure and document evidence as appropriate for incident type and severity (for litigation, prosecution, regulatory review. 3. Monitoring. 4. Continue documenting due dilligence. Related Concerns for Best Practice Ensure systems/processes were recovered. Validate that the recovery action implemented by third party remains in place. Post-Incident Business Resumption Remediation Management Post-Incident Contract Response Framework Processes Lessons Learned 1. Follow plan definitions for return to normal ops. 2. Confirm normal function. Vendor and outsourcing company s response: 1. Document lessons learned and apply them. 2. Update policies and procedures per identified gaps. 3. Update incident response processes to reflect findings. 4. Recording and trending analysis of incidents and outcomes in the vendor population. 5. Review viability issues surrounding the vendor. 6. Update relevant contract language and/or terminate contract. 7. Update roles and responsibilities to involve the correct people in the process(es). 8. Include media reported incidents in future testing. 9. Education of consumers and retraining of staff. 10. Ensure continued dialogue with vendor. 1. Perform analysis to determine the root cause of incident. 2. Wind down, off boarding. 3. Rebuild trust. 4. Contract termination (if appropriate). Related Concerns for Best Practice How do we know we are not sending good data into a still-broken process? Hold and document a lessonslearned meeting. How was the incident recognized? Were the correct people involved in each process? Did communications channels work as designed? Was the vendor correctly rated as a critical vendor? When gaps are identified with a provider s plan, what corrective actionable measures are established to remediate these issues? How is this monitored? Do we need to add additional resources? Was the vendor properly scoped/ tiered? Was an unknown fourth party involved? What controls failed to protect sensitive information and systems? Did the data breach impact organizational trust to the point of requiring contract exit? Determine if vendor diversity is warranted to add resiliency to process(es) Shared Assessments Program. All rights reserved. 6

7 Post-Incident Post-Incident Evaluation Framework Processes Lessons Learned 1. Data ownership, destruction, and return. 2. Ongoing monitoring. 3. Post-incident client support. 4. In case of identity theft, provide credit monitoring, as per contract. 5. Financial evaluation of incident cost. 6. Recover breach costs (insurance, third party, legal). 7. Determine any cost gaps for future coverage. 8. Meet with vendors often (monthly). Related Concerns for Best Practice Ensure systems/processes were recovered. Validate third party recovery action remains in place. How are we communicating to clients impacted? Is this communication a shared responsibility? Do outsourcing company contracts require revisions? Return on Investment/Benefits of Best Practice Use This risk management guide provides a clean, consistent methodology for the assessment of incident preparedness, incident management, and post incident recovery. The assessment best practices guidance tool can be utilized: 1. To create a robust assessment process of third party vendors. 2. To build an effective third party incident event management program. Benefits that organizations may expect from using the guide as a tool include: Improved maturity in an organization s program. A defined means for protecting data, consumers, and the outsourcing relationship. Improved outcomes through a higher level of preparation. Raised awareness through development of best practices issues on this topic. Defined effective mechanisms for incident resolution and/or remediation. Conclusion This project has provided a guide organizations can use to understand and evaluate the best approach to assessing third party incident event management programs and using the information garnered through the preparation, assessment, management, and mitigation processes. When conducting due diligence around a third party s plan, it is critical to ensure that: A mature response process is intact. Key internal/external stakeholders are recognized. Points of escalation and notification are established and set well in advance of a potential incident or cyberattack. It is also important to ensure that the program is running as intended, remediation is performed in a timely fashion to close control gaps, and lessons are integrated into the program at the conclusion of the incident. The Shared Assessments Program will continue to enhance guidance in the area to better interpret what controls constitute sufficiency for data being accessed and transmitted and to inform use of a maturity driven model as a possible option in the 2016 Standardized Information Gathering (SIG) questionnaire ( bundle/). Other items under consideration during that process will include the feasibility and use of vendor diversity and ongoing monitoring as a best practice to add resiliency to incident response processes. This work will serve to bring a higher level of agreement on best practices among top-level management and inform the evolution of each industry s standards surrounding incident response and management across enterprises Shared Assessments Program. All rights reserved. 7

8 About the Shared Assessments Program The Shared Assessments Program is the trusted source in third-party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle; creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines, and the current threat environment; adopted globally across a broad range of industries both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Shared Assessments Agreed Upon Procedures (AUP), Standardized Information Gathering (SIG) questionnaire, and Vendor Risk Management Maturity Model (VRMMM)), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group ( a strategic consulting company based in Santa Fe, New Mexico. Thank You to Our Contributors We d like to thank the Shared Assessments SIG Committee for being champions for our ongoing work in the Shared Assessments Program. Their assistance and expertise is invaluable and serves all of our members, and their respective industries. Our SIG Committee members and Shared Assessments contributors are: Jonathan E. Dambrot, CEO, Prevalent, Inc., Shared Assessments Steering Committee Chair 2015, Shared Assessments SIG Committee Chair Brenda Ferraro, Director of Global Security, Aetna, Shared Assessments Steering Committee member. Rocco Grillo, Managing Director & Global Incident Response & Forensics Investigations, Protiviti, Shared Assessments Steering Committee member. Andrew Hout, 3rd Party Risk & Compliance, Prevalent, Inc. Ted Julian, Vice President, Product Management & Co-Founder, Resilient Systems. Dina Letteri, Corporate Information Security Senior Associate, New York Life Insurance Company. Tanya Montrose, Risk Manager, PCI Compliance, FIS, Shared Assessments Steering Committee member. Shared Assessments staff contributors: Angela Dogan, Senior Project Manager, The Santa Fe Group and Shared Assessments Program. Sarah Perry, Senior Marketing Manager, The Santa Fe Group and Shared Assessments Program. Marya Roddis, Senior Consultant, The Santa Fe Group and Shared Assessments Program Shared Assessments Program. All rights reserved. 8

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Chapter 4 Information Security Incident Management Exam Relevance Ensure that the CISM candidate Establish an effective

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

Navigating the Waters of Incident Response and Recovery

Navigating the Waters of Incident Response and Recovery Navigating the Waters of Incident Response and Recovery Lee Kim, Esq. Tucker Arensberg, P.C. CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 2013 Lee Kim

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Cyber Incident Response

Cyber Incident Response State Capitol P.O. Box 2062 Albany, NY 12220-0062 www.its.ny.gov New York State Information Technology Standard IT Standard: Cyber Incident Response No: NYS-S13-005 Updated: 03/20/2015 Issued By: NYS ITS

More information

2014 Vendor Risk Management Benchmark Study

2014 Vendor Risk Management Benchmark Study 2014 Vendor Risk Management Benchmark Study Introduction/Executive Summary You can have all the security in the world inside your company s four walls, but all it takes is a compromise at one third-party

More information

GEARS Cyber-Security Services

GEARS Cyber-Security Services Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments

More information

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification

More information

Third-Party Cybersecurity and Data Loss Prevention

Third-Party Cybersecurity and Data Loss Prevention Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

Shared Assessments Program Case Study

Shared Assessments Program Case Study Shared Assessments Program Case Study A Collaborative Approach to Onsite Assessments Using the Shared Assessments AUP, the Standardized Testing Procedures for Onsite Assessments April 2015 Background About

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework & A Tale of Two Criticalities NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented

More information

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

IT Security Incident Management Policies and Practices

IT Security Incident Management Policies and Practices IT Security Incident Management Policies and Practices Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Feb 6, 2015 i Document Control Document

More information

ITL BULLETIN FOR SEPTEMBER 2012 REVISED GUIDE HELPS ORGANIZATIONS HANDLE SECURITY-RELATED INCIDENTS

ITL BULLETIN FOR SEPTEMBER 2012 REVISED GUIDE HELPS ORGANIZATIONS HANDLE SECURITY-RELATED INCIDENTS ITL BULLETIN FOR SEPTEMBER 2012 REVISED GUIDE HELPS ORGANIZATIONS HANDLE SECURITY-RELATED INCIDENTS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned

More information

Security. Security consulting and Integration: Definition and Deliverables. Introduction

Security. Security consulting and Integration: Definition and Deliverables. Introduction Security Security Introduction Businesses today need to defend themselves against an evolving set of threats, from malicious software to other vulnerabilities introduced by newly converged voice and data

More information

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1 CRR Supplemental Resource Guide Volume 5 Incident Management Version 1.1 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 Agenda Key Definitions Risks Business Continuity Management Program BCM Capability Assessment Process BCM Value Proposition

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

Best Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP

Best Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP Best Practices in Incident Response SF ISACA April 1 st 2009 Kieran Norton, Senior Manager Deloitte & Touch LLP Current Landscape What Large scale breaches and losses involving credit card data and PII

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

Applying IBM Security solutions to the NIST Cybersecurity Framework

Applying IBM Security solutions to the NIST Cybersecurity Framework IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements

More information

2015 Vendor Risk Management Benchmark Study. The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management

2015 Vendor Risk Management Benchmark Study. The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management 2015 Vendor Risk Management Benchmark Study The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management INTRODUCTION/EXECUTIVE SUMMARY MANY ORGANIZATIONS ARE NOT PREPARED

More information

CONTENTS. Introduction Page 2. Scope.Page 2. Policy Statements Pages 2-3. Major IT Security Incidents Defined... Page 3

CONTENTS. Introduction Page 2. Scope.Page 2. Policy Statements Pages 2-3. Major IT Security Incidents Defined... Page 3 POLICY TITLE: Policy POLICY #: CIO-ITSecurity 09.1 Initial Draft By - Position / Date: D. D. Badger - Dir. PMO /March-2010 Initial Draft reviewed by ITSC/June 12-2010 Approved By / Date: Final Draft reviewed

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK Federal Financial Institutions Examination Council FFIEC Business Continuity Planning BCP FEBRUARY 2015 IT EXAMINATION H ANDBOOK Table of Contents Introduction 1 Board and Senior Management Responsibilities

More information

Rogers Insurance Client Presentation

Rogers Insurance Client Presentation Rogers Insurance Client Presentation Network Security and Privacy Breach Insurance Presented by Matthew Davies Director Professional, Media & Cyber Liability Chubb Insurance Company of Canada mdavies@chubb.com

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response workflow guide. This guide has been created especially for you for use in within your security

More information

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

COMPUTER SECURITY INCIDENT RESPONSE POLICY

COMPUTER SECURITY INCIDENT RESPONSE POLICY COMPUTER SECURITY INCIDENT RESPONSE POLICY 1 Overview The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish computer security incident response capabilities.

More information

Business Continuity and Disaster Recovery Planning

Business Continuity and Disaster Recovery Planning Business Continuity and Disaster Recovery Planning Jennifer Brandt, CISA A p r i l 16, 2015 HISTORY OF STINNETT & ASSOCIATES Stinnett & Associates (Stinnett) is a professional advisory firm offering services

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Information Technology Policy

Information Technology Policy ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose

More information

www.sharedassessments.org 2015 The Shared Assessments Program - All Rights Reserved 2

www.sharedassessments.org 2015 The Shared Assessments Program - All Rights Reserved 2 The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution April 2015 Abstract As regulators increase pressure

More information

Cybersecurity Issues for Community Banks

Cybersecurity Issues for Community Banks Eastern Massachusetts Compliance Network Cybersecurity Issues for Community Banks Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L Gates LLP State Street

More information

NIST Cybersecurity Framework Overview

NIST Cybersecurity Framework Overview NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal Managing Cyber Threats Risk Management & Insurance Solutions Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal Overview Recent Trends and Loss Exposures Risk Management Strategies

More information

IT AUDIT WHO WE ARE. Current Trends and Top Risks of 2015 10/9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

IT AUDIT WHO WE ARE. Current Trends and Top Risks of 2015 10/9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski IT AUDIT Current Trends and Top Risks of 2015 2 02 Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti 317.510.4661 eric.vyverberg@protiviti.com Managing

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

Considerations for Outsourcing Records Storage to the Cloud

Considerations for Outsourcing Records Storage to the Cloud Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning 4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business

More information

Customer-Facing Information Security Policy

Customer-Facing Information Security Policy Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation Table of Contents Compliance Framework... 1 High-Level Information Security

More information

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015 Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from

More information

Cybercrime and Regulatory Priorities for Cybersecurity

Cybercrime and Regulatory Priorities for Cybersecurity NRS Technology and Communication Compliance Forum Cybercrime and Regulatory Priorities for Cybersecurity Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L

More information

Business Continuity Planning for Risk Reduction

Business Continuity Planning for Risk Reduction Business Continuity Planning for Risk Reduction Ion PLUMB ionplumb@yahoo.com Andreea ZAMFIR zamfir_andreea_ileana@yahoo.com Delia TUDOR tudordelia@yahoo.com Faculty of Management Academy of Economic Studies

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Cyber and Data Risk What Keeps You Up at Night?

Cyber and Data Risk What Keeps You Up at Night? Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

Information Security Incident Management Guidelines

Information Security Incident Management Guidelines Information Security Incident Management Guidelines INFORMATION TECHNOLOGY SECURITY SERVICES http://safecomputing.umich.edu Version #1.0, June 21, 2006 Copyright 2006 by The Regents of The University of

More information

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP 2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing

More information

DUUS Information Technology (IT) Incident Management Standard

DUUS Information Technology (IT) Incident Management Standard DUUS Information Technology (IT) Incident Management Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-E 1.0 Purpose and Objectives Computer systems

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

DATA BREACH RESPONSE READINESS Is Your Organization Prepared?

DATA BREACH RESPONSE READINESS Is Your Organization Prepared? March 30, 2015 DATA BREACH RESPONSE READINESS Is Your Organization Prepared? Peter Sloan Pete Enko Jeff Jensen Deborah Juhnke The data security imperatives of Prevention, Detection, and Response do not

More information

Implementing a Framework

Implementing a Framework Implementing a Framework 44th Tennessee Higher Education Information Technology Symposium 2015 Greg Jackson Cyber Security Analyst Dynetics Inc. Information Systems Assessment Services (ISAS) www.dynetics.com

More information

Bridging the data gap in the insurance industry. Cyber crisis management: Readiness, response, and recovery

Bridging the data gap in the insurance industry. Cyber crisis management: Readiness, response, and recovery Bridging the data gap in the insurance industry Cyber crisis management: Readiness, response, and recovery Readiness, response, and recovery Hacked devices, crashed websites, breached networks, denials

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

Address C-level Cybersecurity issues to enable and secure Digital transformation

Address C-level Cybersecurity issues to enable and secure Digital transformation Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,

More information

BUSINESS CONTINUITY PLANNING

BUSINESS CONTINUITY PLANNING Policy 8.3.2 Business Responsible Party: President s Office BUSINESS CONTINUITY PLANNING Overview The UT Health Science Center at San Antonio (Health Science Center) is committed to its employees, students,

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

Business Continuity and Disaster Planning

Business Continuity and Disaster Planning WHITE PAPER Business Continuity and Disaster Planning A guide to preparing for the unexpected Robert Drewniak Director, Strategic & Advisory Services Disasters are not always the result of high winds and

More information

Protecting against cyber threats and security breaches

Protecting against cyber threats and security breaches Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez abenaventem@es.ibm.com IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So

More information

CYBERSECURITY: Is Your Business Ready?

CYBERSECURITY: Is Your Business Ready? CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring

More information

Department of Management Services. Request for Information

Department of Management Services. Request for Information Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION Federal Financial Institutions Examination Council FFIEC Business Continuity Planning MARCH 2003 MARCH 2008 BCP IT EXAMINATION H ANDBOOK TABLE OF CONTENTS INTRODUCTION... 1 BOARD AND SENIOR MANAGEMENT

More information

Business Continuity Planning 101. +1 610 768-4120 (800) 634-2016 www.strohlsystems.com info@strohlsystems.com

Business Continuity Planning 101. +1 610 768-4120 (800) 634-2016 www.strohlsystems.com info@strohlsystems.com Business Continuity Planning 101 Presentation Overview What is business continuity planning Plan Development Plan Testing Plan Maintenance Future advancements in BCP Question & Answer What is a Disaster?

More information

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

CYBER & PRIVACY LIABILITY INSURANCE GUIDE CYBER & PRIVACY LIABILITY INSURANCE GUIDE 01110000 01110010 011010010111011001100001 01100 01110000 01110010 011010010111011001100001 0110 Author Gamelah Palagonia, Founder CIPM, CIPT, CIPP/US, CIPP/G,

More information