Proactive Log Management in Banking: Why it is important and what inhibits it By Van Symons, President, Clear Technologies, Inc.
Executive Summary

With annual industry expenditures for technology topping an estimated $30 billion, the banking industry clearly relies on technology to better serve customers. This dependence has continued to grow since the Internet and e-commerce exploded in the 1990s. The unintended consequence of this reliance on computers is exposure to data breaches.

Why breaches occur. In speaking with customers and reviewing existing research, a majority of breaches in banking occur for three reasons:
1. Outsourced data
2. Hacking is a lucrative business
3. Employee retribution

Why should the banking industry care? The banking industry should be particularly interested in mitigating data breaches because of:
1. It costs a lot to fix
2. Brand blemish
3. Intellectual property
4. Regulations/Laws
5. Mandates
6. Standards/Controls

Attenuate breach impacts. Because it typically takes attackers days to get into a company's network and steal data, a recent Verizon RISK and U.S. Secret Service Data Breach Investigations Report recommended that IT should constantly monitor server activity and red-flag any suspicious activity. The best method to vigilantly monitor devices and applications is to monitor their logs. Since the banking industry relies so heavily on technology to serve customers, monitoring log data (log management) for devices, servers, and applications is too important a task to be overlooked.

The causes of log management lapses. Despite log management being a great first line of defense against a data breach, log analysis is seldom performed adequately. To ensure adherence to laws and limit the ramifications of a breach, banking IT executives must first understand the human factors that inhibit this important task:
1. Most people dislike tedious work.
2. No time to ensure uptime; no time to prevent downtime.
3. NAH: Not Affected Here.

The Real Solution. Log data management is too important a task to be overlooked. A great way to counteract these three behavioral issues is to provide your IT staff with the right solution to their problem in order to resolve your problem.
With annual industry expenditures for technology topping an estimated $30 billion, the banking industry clearly relies on technology to better serve customers. This dependence has continued to grow since the Internet and e-commerce exploded in the 1990s. Exposure to computer system vulnerabilities has also grown at an alarming rate as attackers strive to identify and make the most of those vulnerabilities. Consequently, computers are attacked and compromised on a daily basis. A recent Verizon RISK and U.S. Secret Service Data Breach Investigations Report stated that servers and applications comprise 50% of all breached assets. These attacks steal personal identities, bring down entire networks, disable the online presence of businesses, or destroy sensitive information that is critical for personal or business purposes. One security survey noted that in 1997, 37% of respondents reported a breach. A 2009 report by the Ponemon Institute, a privacy management research firm, put the figure at 85%.

Banks are especially susceptible. Over the past several years, Virginia's DHS system, TJX, Heartland Payment Systems, Google, and T-Mobile have been adversely affected by breaches. The Heartland Payment Systems breach had a ripple effect that exposed customer credit card details at over 675 regional banks. Interestingly, since the breach, six of those banks have failed, according to the FDIC (1st Pacific Bank of California, Columbia River Bank, Prosperan Bank, Rainier Pacific Bank, Sun West Bank, and TierOne Bank).

Why Breaches Occur

In speaking with customers and reviewing existing research, a majority of breaches in banking occur for three reasons: the increase in outsourced data, hacking is a lucrative business, and employee retribution.

Outsourced data. Increasingly, cost-conscious companies in the banking industry are outsourcing work to achieve economies of scale. The unintended consequence, as stated by the 2010 Ponemon study, is that 42% of all breach cases involved third-party mistakes. Data breaches involving data outsourced to third parties, especially when the third party is offshore, are the most costly. The per capita cost of a data breach involving third parties is $217 versus $194, more than a $21 difference, according to Ponemon. The per capita cost of a data breach involving a negligent insider or a systems glitch averages $154 and $166, respectively.

Hacking is a lucrative business. In November 2008, the Atlanta-based U.S. payment processing division for Royal Bank of Scotland, the RBS WorldPay network, was infiltrated by hackers. The hackers obtained unauthorized access and were then able to reverse-engineer personal identification numbers from a data feed and defeat the credit card processing system's encryption. In half a day, the hackers stole over $9 million. Hackers use multiple methods to obtain sensitive information, including stealing computers, combing through lost sensitive documents, brute-force attacks, and viruses. According to the Internet Security Threat Report published by Symantec in April 2009, attackers released Trojan horses, viruses, and worms at a record pace in 2008, primarily targeting computer users' confidential information, in particular their online banking account credentials. Symantec documented a record 1.6 million instances of malicious code on the Web in 2008, about one million more than. Twenty-four percent of all cases in Ponemon's 2010 study involved a malicious or criminal attack that resulted in the loss or theft of personal information. Moreover, the two types of data most often compromised are credit card information (54% of all breaches) and bank account information (32% of all breaches), according to the Verizon RISK and U.S. Secret Service Data Breach Investigations Report.

Employee retribution. In 2008, the Bank of New York breach made national headlines. In the second quarter of 2010, the New York County District Attorney's Office stated that a computer technician formerly employed as a contractor at the headquarters of the Bank of New York was to blame. Over an eight-year period, the culprit stole the personal identifying information of 2,000 bank employees and organized thefts of more than $1.1 million from various organizations, including charities and nonprofit organizations. The Identity Theft Resource Center, a San Diego-based nonprofit, found that of the roughly 250 data breaches publicly reported in the United States between January 1 and June 12, 2008, victims blamed the largest share of incidents on theft by employees (18.4%). According to this year's 2010 Data Breach Investigations Report by Verizon RISK and the U.S. Secret Service, 48% of data breaches across all industries were caused by insiders.

Why Should I Care?

In recent years, banks have paid increasing attention to IT security. This is understandable given the sheer amount of information now in digital form. A recent InformationWeek Analytics survey revealed that 75% of its executive-level respondents (across all industries) stated that information security is among their highest priorities. The reasons include that a breach costs a lot to fix, dilutes the strength of a brand, places intellectual property at risk, and has prompted widespread regulation, mandates, and control standards.
It costs a lot to fix. Executives are focused on information security because of the liability costs that accompany the ever-increasing volume of corporate and personal information theft. In certain cases, these events result in costly lawsuits, with much of the fees being paid to litigation service firms to sift through inaccessible, unorganized volumes of data. According to the American Bankers Association, some of the biggest costs associated with a breach are those from reissuing credit and debit cards, covering fraudulent charges from stolen card numbers, and closing accounts placed at risk. In other cases, companies incur the expense of setting up credit monitoring services for customers affected by the breach. According to the latest Ponemon Institute study, the cost per compromised customer record is $204 and the average total cost of a data breach is $6.75 million, which is up by 44% since. The Internet Crime Complaint Center, a partnership of the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, reported that the number of complaints from victims of cyber crime rose by almost a third since. The total number reached 275,284, amounting to $265 million in money lost. Research shows that data breaches involving malicious or criminal acts are much more expensive than incidents resulting from negligence or a systems glitch ($154 and $166 per record, respectively). The per capita cost of a data breach involving a malicious or criminal act averages $215. Where a bank issued cards affected by a breach, these costs can mount quickly, and the bank ends up bearing all of them itself.

Brand blemish. Next, executives are focused on information security in order to preserve brand value. For years, BusinessWeek/Interbrand has published its yearly findings on the top 100 brands. Because stability is one of the factors for determining a brand's value, one can assume that customers will doubt the stability of a brand that cannot protect their information. John Watkins, the former SVP of online services at Wachovia (now Wells Fargo), echoes this sentiment: "Data breaches and any type of security concern in the online space affect customer confidence. We're concerned that customers will lose confidence if we can't provide them with a good feeling that they are safe online. It's about trust." Building trust is especially needed in the banking industry, which is already prone to negative publicity. For the second year in a row, banks experienced a significant increase in complaints, coinciding with 140 bank failures in 2009, said the Better Business Bureau (BBB). Trust in the financial sector is already extremely low, and the dramatic increase in BBB complaints against banks reflects the growing discord between consumers and the industry. As a result, the banking industry has been through what marketing experts call brand image turmoil in the aftermath of the financial meltdown.
Because the banking industry understands that consumer perceptions of trust are important, this year banks have increased their advertising budgets to offset the negative publicity and to rebuild consumer trust. One example is Citizens Bank's latest campaign, "Good Banking is Good Citizenship." Warren Zafrin, a partner with KPMG, sums it up best: "Over time, security will be a differentiator for banks. It's about trust. Security really goes beyond preventing data breaches to enhancing relationships."

Intellectual property. Because superior intellectual property leads to service differentiation, executives view it as a key asset that, in the midst of hard economic times, ensures revenue, market share, and long-term profitable growth. An intellectual property breach can include unauthorized access, copying, disclosure or use of client information, trade secrets, copyrighted materials, ongoing research, strategy, M&A plans, and other such information. Bradford Newman, the leader of the International Employee Mobility and Trade Secrets practice at the law firm Paul Hastings Janofsky & Walker LLP, states, "Most banks do have good data security practices. But to recover that data from the thousands of employees across the globe is a new risk. Companies first have to ask themselves what their trade secrets are, where the most at-risk secrets lie, and, in connection with the recent layoffs, how they can reduce the risk of disclosure and maximize the chance of recovering the data." As such, protecting intellectual property is essential for any organization.

Regulations/Laws. The current system for regulating and supervising financial institutions is complex. According to the FDIC, "This complicated regulatory structure came about because financial regulation has been responsive to several traditional themes in U.S. history. Among them are a distrust of concentrations of financial power, including a concentration of regulatory power; a preference for market competition; and a belief that certain sectors of the economy should be ensured access to credit, a belief that has led to a multiplicity of niche providers of credit. The nation's complex regulatory structure was designed to deal with all of these sometimes conflicting objectives." Although many of the newer laws have focused on consumer protection, a number of others have addressed issues of regulation and supervision related to concerns about safety and soundness. As such, banks in the United States are obligated to reduce operational risk (the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events) by monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems, under the following laws:
1. Section 216 of the Fair and Accurate Credit Transactions Act (2003) (FACT Act). Institutions must provide for the identification, detection, and response to patterns, practices, or specific activities, known as "red flags," that could indicate identity theft. Within banks, this requirement can only be sufficiently met through monitoring.
2. Section 501(b) of the Gramm-Leach-Bliley Act (1999) states that a bank should manage and control risk by "monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems," both internally and with service providers, and is the all-encompassing successor to the following:
   a. Section 39 of the Federal Deposit Insurance Act
   b. Code of Federal Regulations, Title 12 (Banks and Banking), Part 30, Appendix B
   c. Code of Federal Regulations, Title 12 (Banks and Banking), Part 208, Appendix D-2
   d. Code of Federal Regulations, Title 12 (Banks and Banking), Part 225, Subpart J, Appendix F
   e. Code of Federal Regulations, Title 12 (Banks and Banking), Part 263, Subpart I, Appendix D-1
   f. Code of Federal Regulations, Title 12 (Banks and Banking), Part 364, Appendix B
   g. Code of Federal Regulations, Title 12 (Banks and Banking), Part 570, Appendix
   h. Code of Federal Regulations, Title 12 (Banks and Banking)
3. USA PATRIOT Act (2001). Although this Act does not directly ask an organization to monitor, it increases the ability of law enforcement agencies to search telephone, communications, medical, financial, and other records. As a result, log management is necessary for compliance.
4. Sarbanes-Oxley Act (2002). The formal name of this act is the Public Company Accounting Reform and Investor Protection Act of. This act requires the boards, accounting firms, and management of publicly traded firms to adhere to a higher set of financial recording and reporting standards. The reporting requirements can only be sufficiently met through monitoring.
5. California Senate Bill 1386. California Senate Bill 1386 was introduced in July. The bill was the first attempt by a state legislature to address the problem of identity theft by introducing stiff disclosure requirements for businesses and government agencies that experience security breaches that might expose the personal information of California residents. Implied in the bill is that, in order to be able to assess compliance, an organization should monitor its devices and applications regularly to adhere to the following: "Notice must be given to any resident of California whose PI is or is reasonably believed to have been acquired by an unauthorized person." Notice must be given in the "most expedient time possible" and "without unreasonable delay," subject to certain provisions that define what reasonable is for your organization.

Mandates. Mandates by the Basel Committee on Banking Supervision (Basel II) and the Payment Card Industry Data Security Standard (PCI-DSS) all seek to manage risk.

Basel II. Basel II improved on Basel I, first enacted in the 1980s, by offering more complex models for calculating regulatory capital in order to make risky investments, such as the subprime mortgage market in which higher-risk assets are moved to unregulated parts of holding companies. In addition to safeguarding bank solvency while protecting the international financial system, Basel II also strives to reduce operational risks. However, the Basel Committee on Banking Supervision recognizes that operational risk is a term that has a variety of meanings and, therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided the minimum elements in the Committee's definition are included. Through compliance, banks are assured that they hold sufficient capital reserves for the risk they take on through their lending and investment practices.

PCI-DSS. The Payment Card Industry Data Security Standard (PCI DSS) requires that adequate activity logs are produced, that access to logs is restricted, and that logs are reviewed daily, all of which are covered by the following guidelines:
10.5 Secure audit trails so they cannot be altered.
   - Access to audit trails must be limited to read access.
   - If audit trails can be altered outside of the application, monitoring controls should be implemented via file-integrity monitoring tools as required in the DSS.
   - Alteration of audit trails should be investigated for propriety.
Review logs for all system components at least daily.
Log reviews must include those servers that perform security functions, such as IDS and VPN.

The American Bankers Association (ABA). The ABA is the largest banking trade association, representing all categories of banking institutions, including community, regional, and money center banks. Although it does not issue a mandate, the ABA supports data security legislation and regulatory policy that creates a uniform standard for data security across all types of businesses.

Standards/Controls. Standards like the Control Objectives for IT (COBIT), the ISO standard for security management, and the NIST standards all seek to manage risk.

COBIT. The Control Objectives for Information and related Technology (COBIT) is based on a plan-build-run-monitor framework and is a comprehensive set of IT management best practices managed by the IT Governance Institute (ITGI). The best practices are divided into four domains (Plan, Build, Run and Monitor) and 34 high-level processes. It relies on understanding the inter-relationships between technologies across the enterprise and on a real-time understanding of risks, impacts, and operational variables. Its goal is to instill vigilance through monitoring.

ISO27001/2. ISO27001/2 is based on a plan-do-check-act framework and is derived from ISO 17799. ISO 27001 and 27002 (together known as ISO27001/2) were renumbered in 2007 to conform to the ISO 27000 family numbering scheme. ISO27001/2 is a widely accepted international standard for information security that was established by the International Standards Organization; it offers a broad set of best practices for information security controls across organizations of any type and assists all organizations (commercial, governmental or nonprofit) in the process of managing information security. ISO 27001/2 is a standard that offers oversight over individual security controls. These controls call for the monitoring and analysis of data generated by all systems, including IT infrastructure, network appliances and security solutions throughout the enterprise. The framework comprises twelve security clauses that include 39 security categories with hundreds of control objectives overall. Its goal is to mitigate risk through active vigilance.

Mortgage Bankers Association (MBA). The MBA is a national association that represents the real estate finance industry and includes more than 3,000 mortgage companies, mortgage brokers, commercial banks, thrifts, life insurance companies, and others in the mortgage lending field. Its Board of Directors Technology Steering Committee (BoDTech) released a comprehensive approach to information assurance, which analyzes three critical areas of information assurance: legislative and regulatory, audit practices, and security standards and framework. The model was created specifically so that mortgage firms could establish a comprehensive set of processes that would cover the requirements of the many compliance programs. The goal of the model is to provide a way for the mortgage industry to assure that information, data, applications, and processes are in place to protect a firm, its operations and its customers. The policy and architecture step takes a deeper dive into a firm's operating environment. It addresses audit practices, including monitoring of devices and applications.

NIST Standards. The National Institute of Standards and Technology is a US federal technology agency that develops and promotes measurement, standards, and technology and relies on a functional-area framework of management, operational, and technical safeguards. Most banks have adopted this control framework. The specific log management control outlined in the NIST standards rests within the AU-6 Audit Monitoring, Analysis, and Reporting control. In a nutshell, the control states that an organization should report indications of inappropriate or unusual activity to an organizational official and be aware of changes in risk to organizational operations.
To distill the broad goals set forth by AU-6, the control enhancements category of NIST recommends:
1. An organization's information system must first integrate audit review, analysis, and reporting processes to support organizational processes for investigation of and response to suspicious activities.
2. An organization's auditable data needs to be integrated, centralized, and robust, and the organization must be able to thoroughly analyze data from multiple devices.
3. An organization should correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

Statement on Auditing Standards No. 70 (SAS 70). SAS 70 was developed by the American Institute of Certified Public Accountants to provide guidance to organizations that provide third-party services, and it defines the standards an auditor must employ in order to assess their internal controls. It is an internationally recognized standard that reviews all levels of technology service providers over a six-month period for business practices, communication, internal procedures and security. The SAS 70 report guidance articulates the requirements for assessing four items: the fair presentation of management's description of controls, the suitability of the design of management's controls, whether the controls are in place as of a specified date, and whether the controls operated with sufficient effectiveness to determine that management's control objectives were achieved. This standard applies to banks (usually publicly traded) that rely on hosted data centers and third-party processors to provide outsourcing services that affect the operation of the bank.

The Solution?

Attenuate breach impacts. A recent Verizon RISK and U.S. Secret Service Data Breach Investigations Report recommended that IT staff should constantly monitor server activity and red-flag any suspicious activity, because it typically takes criminals days to get into a company's network and steal data. The best method to vigilantly monitor each device and application is to monitor their logs. Therefore, monitoring log data (log management) for devices, servers, and applications is too important a task to be overlooked, because it acts as a great first line of defense against a data breach.

The Problem with the Solution: Why IT puts us at risk. At one of our recent customer visits, an IT executive was sharing his ongoing frustration with log management and analysis. To complicate matters, he stated that the laws, regulations, and mandates on companies of all sizes have made analyzing logs a necessity. He shared that although his company had both the human and technology assets to perform the analysis, his team could not do so in a repetitive and timely manner because of the difficulty of performing the task. Despite his frustration, we probed further to find out what drives this complexity. We were surprised to learn that three factors influence why log management and analysis is not performed: it is tedious, time-consuming, and too abstract to tend to.

No one likes tedious work. Most IT personnel are generally characterized as task-oriented rather than people-oriented. Even so, they do not like to perform mindless tasks. Log management falls into that category, as an IT person would have to pore through reams of data and somehow correlate and weight each security risk, which is a truly tedious task.

No time to ensure uptime; no time to prevent downtime. On any given day, IT staff are performing multiple tasks that stretch their skills to the limit. Already overworked, one IT administrator stated that he is responsible for maintaining a service level of 98% for his 900 users, and for maintaining and reviewing log data. But he is only rated on his service level performance. Consequently, he seldom manages and reviews his logs and hopes that an incident will not bring down his system.

NAH. We've all heard the phrase "NIH," not invented here. However, with IT staff, we constantly witness a belief system of "NAH," not affected here. Because of the limited time and multiple demands placed on an IT staff, many are forced to hope and believe for the best. One IT analyst confided to us that he hoped never to have a breach, since a breach would cost about $25,000 an hour in lost productivity and on-time delivery performance.

The real solution. Log data management is too important a task to be overlooked. In order to ensure adherence to laws and contain potential costs, IT executives must first understand, address, and resolve the human factors that inhibit this important task. A great way to counteract these three behavioral issues is to provide your IT staff with the right solution to their problem in order to resolve your problem.
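As an added example (not code from this white paper or from Clear Technologies), the following Python sketch shows the shape of the daily review that the PCI DSS 10.5/10.6 and NIST AU-6 passages above call for: a chained digest makes the retained audit trail tamper-evident, a threshold rule flags repeated failed logins, and a join against badge-reader records implements the AU-6 enhancement of correlating audit records with physical-access data. All hostnames, user names, log lines and badge records are constructed sample data.

```python
"""
Added example (not from the white paper): a minimal daily log review that
exercises two of the controls the paper cites.
  - PCI DSS 10.5 / 10.6: keep the audit trail tamper-evident and review it daily.
  - NIST AU-6 enhancement 3: correlate audit records with physical-access data.
All log lines and badge records below are constructed sample data.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log excerpt (syslog-like; hosts, users and addresses are fictional).
AUTH_LOG = """\
2010-06-14T08:02:11 core-sw01 sshd: Accepted password for jdoe from 10.1.4.22
2010-06-14T08:03:40 core-sw01 sshd: Failed password for admin from 10.1.4.90
2010-06-14T08:03:44 core-sw01 sshd: Failed password for admin from 10.1.4.90
2010-06-14T08:03:49 core-sw01 sshd: Failed password for admin from 10.1.4.90
2010-06-14T08:03:55 core-sw01 sshd: Failed password for admin from 10.1.4.90
2010-06-14T08:04:02 core-sw01 sshd: Failed password for admin from 10.1.4.90
2010-06-14T22:17:05 teller-db sshd: Accepted password for msmith from 10.1.4.31
"""

# Constructed badge-reader records: who was physically in the building, and when.
BADGE_LOG = """\
2010-06-14T07:55:30 IN  jdoe
2010-06-14T17:02:10 OUT jdoe
2010-06-14T08:30:00 IN  msmith
2010-06-14T18:45:12 OUT msmith
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")


def parse_auth(text):
    """Parse the auth log into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "outcome": outcome, "user": user, "src": src})
    return events


def parse_badge(text):
    """Return {user: [(in_time, out_time), ...]} presence intervals."""
    presence = defaultdict(list)
    open_in = {}
    for line in text.splitlines():
        ts, direction, user = line.split()
        t = datetime.fromisoformat(ts)
        if direction == "IN":
            open_in[user] = t
        elif user in open_in:
            presence[user].append((open_in.pop(user), t))
    return presence


def chain_digest(text, prev=""):
    """PCI 10.5-style tamper evidence: hash each line chained to the previous digest.
    A reviewer who retains yesterday's digest can detect any edited or dropped line."""
    d = prev
    for line in text.splitlines():
        d = hashlib.sha256((d + line).encode()).hexdigest()
    return d


def flag_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (host, user, src) tuples with >= threshold failures inside the window."""
    flagged = set()
    buckets = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            key = (e["host"], e["user"], e["src"])
            times = buckets[key]
            times.append(e["ts"])
            while times and e["ts"] - times[0] > window:   # slide the window
                times.pop(0)
            if len(times) >= threshold:
                flagged.add(key)
    return flagged


def flag_absent_logins(events, presence):
    """AU-6 enhancement 3: successful logins by users not badged into the building."""
    flagged = []
    for e in events:
        if e["outcome"] != "Accepted":
            continue
        inside = any(a <= e["ts"] <= b for a, b in presence.get(e["user"], []))
        if not inside:
            flagged.append((e["user"], e["host"], e["ts"].isoformat()))
    return flagged


def daily_review(auth_text, badge_text, expected_digest=None):
    """The daily review PCI 10.6 asks for: integrity check first, then detections."""
    digest = chain_digest(auth_text)
    events = parse_auth(auth_text)
    return {
        "integrity_ok": expected_digest is None or digest == expected_digest,
        "digest": digest,
        "brute_force": flag_brute_force(events),
        "absent_logins": flag_absent_logins(events, parse_badge(badge_text)),
    }


if __name__ == "__main__":
    for key, value in daily_review(AUTH_LOG, BADGE_LOG).items():
        print(key, value)
```

On the sample data the review flags the five-failure burst against admin on core-sw01 and the late-evening login by msmith, who had badged out hours earlier.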
More informationWhitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com
Whitepaper Best Practices for Securing Your Backup Data BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com DATA PROTECTION CHALLENGE Encryption, the process of scrambling information
More informationManaged Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?
Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security
More informationCyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationImpact of Data Breaches
Research Note Impact of Data Breaches By: Divya Yadav Copyright 2014, ASA Institute for Risk & Innovation Applicable Sectors: IT, Retail Keywords: Hacking, Cyber security, Data breach, Malware Abstract:
More informationSeamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.
Seamless Mobile Security for Network Operators Build a secure foundation for winning new wireless services revenue. New wireless services drive revenues. Faced with the dual challenges of increasing revenues
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationcyber invasions cyber risk insurance AFP Exchange
Cyber Risk With cyber invasions now a common place occurrence, insurance coverage isn t found in your liability policy. So many different types of computer invasions exist, but there is cyber risk insurance
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationHow To Protect Your Data From Theft
Understanding the Effectiveness of a Data Protection Program IIA: Almost Free Seminar 21 June 2011 Agenda Data protection overview Case studies Ernst & Young s point of view Understanding the effectiveness
More informationPrivacy Rights Clearing House
10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights
More informationACE Advantage PRIVACY & NETWORK SECURITY
ACE Advantage PRIVACY & NETWORK SECURITY SUPPLEMENTAL APPLICATION COMPLETE THIS APPLICATION ONLY IF REQUESTING COVERAGE FOR PRIVACY LIABILITY AND/OR NETWORK SECURITY LIABILITY COVERAGE. Please submit with
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Pam Townley, AVP / Eastern Zonal Manager AIG Professional Liability Division Jennifer Bolling, Account Executive Gallagher Management Liability Division
More informationWHITE PAPER. Preventing Wireless Data Breaches in Retail
WHITE PAPER Preventing Wireless Data Breaches in Retail Preventing Wireless Data Breaches in Retail The introduction of wireless technologies in retail has created a new avenue for data breaches, circumventing
More informationSecuring OS Legacy Systems Alexander Rau
Securing OS Legacy Systems Alexander Rau National Information Security Strategist Sample Agenda 1 Today s IT Challenges 2 Popular OS End of Support & Challenges for IT 3 How to protect Legacy OS systems
More informationDesign of Database Security Policy In Enterprise Systems
Design of Database Security Policy In Enterprise Systems by Krishna R Singitam Database Architect Page 1 of 10 Table of Contents 1. Abstract... 3 2. Introduction... 3 2.1. Understanding the Necessity of
More informationInformation Security and Risk Management
Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management
More informationAN INFORMATION GOVERNANCE BEST
SMALL BUSINESS ID THEFT AND FRAUD AN INFORMATION GOVERNANCE BEST PRACTICES GUIDE FOR SMALL BUSINESS IT IS NOT A MATTER OF IF BUT WHEN AN INTRUSION WILL BE ATTEMPTED ON YOUR BUSINESS COMPUTER SYSTEM IN
More informationAUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
More informationPrivacy and Data Breach Protection Modular application form
Instructions The Hiscox Technology, Privacy and Cyber Portfolio Policy may be purchased on an a-la-carte basis. Some organizations may require coverage for their technology errors and omissions, while
More informationIT SECURITY RISKS SURVEY 2014: A BUSINESS APPROACH TO MANAGING DATA SECURITY THREATS
IT SECURITY RISKS SURVEY 2014: A BUSINESS APPROACH TO MANAGING DATA SECURITY THREATS Contents Introduction... 2 Key figures... 3 Methodology... 4 Concerns and priorities of IT managers: data comes first...
More informationCybersecurity: Protecting Your Business. March 11, 2015
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
More informationTHE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
More informationApplying LT Auditor+ to Address Regulatory Compliance Issues
Applying LT Auditor+ to Address Regulatory Compliance Issues An Executive White Paper By BLUE LANCE, Inc. BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com In today s business environments,
More informationCase 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY
Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY Federal Trade Commission, Plaintiff, v. Wyndham Worldwide
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report
More informationNine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More informationAnatomy of a Hotel Breach
Page 1 of 6 Anatomy of a Hotel Breach Written by Sandy B. Garfinkel Monday, 09 June 2014 15:22 Like 0 Tweet 0 0 Data breach incidents have dominated the news in 2014, and they are only becoming more frequent
More informationFIGHTING FRAUD: IMPROVING INFORMATION SECURITY TESTIMONY OF JOHN J. BRADY VICE PRESIDENT, MERCHANT FRAUD CONTROL MASTERCARD INTERNATIONAL
FIGHTING FRAUD: IMPROVING INFORMATION SECURITY TESTIMONY OF JOHN J. BRADY VICE PRESIDENT, MERCHANT FRAUD CONTROL MASTERCARD INTERNATIONAL Before the Subcommittee on Financial Institutions and Consumer
More informationSecurity. Tiffany Trent-Abram VP, Global Product Management. November 6 th, 2015. One Connection - A World of Opportunities
One Connection - A World of Opportunities Security Tiffany Trent-Abram VP, Global Product Management November 6 th, 2015 2015 TNS Inc. All Rights Reserved. Bringing Global Credibility and History TNS Specializes
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
More informationThe Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016
The Future of Data Breach Risk Management Response and Recovery Increasing electronic product life and reliability The Cybersecurity Forum April 14, 2016 Today s Topics About Merchants Information Solutions,
More informationI ve been breached! Now what?
I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationTOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series
TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationGAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement
GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,
More informationWhite Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA
White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial
More informationHow to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors
How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors July 2014 Executive Summary Data breaches cost organizations millions and sometimes even billions of dollars in
More informationwww.bonddickinson.com Cyber Risks October 2014 2
www.bonddickinson.com Cyber Risks October 2014 2 Why this emerging sector matters Justin Tivey Legal Director T: +44(0)845 415 8128 E: justin.tivey The government estimates that the current cost of cyber-crime
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationPrepared testimony of W. Joseph Majka Head of Fraud Control and Investigations Visa Inc.
Prepared testimony of W. Joseph Majka Head of Fraud Control and Investigations Visa Inc. Before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Committee on
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationCyber Risks in Italian market
Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends
More informationGUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
More informationReal-Time Security for Active Directory
Real-Time Security for Active Directory Contents The Need to Monitor and Control Change... 3 Reducing Risk and Standardizing Controls... 3 Integrating Change Monitoring... 4 Policy Compliance... 4 The
More informationAchieving Regulatory Compliance through Security Information Management
www.netforensics.com NETFORENSICS WHITE PAPER Achieving Regulatory Compliance through Security Information Management Contents Executive Summary The Compliance Challenge Common Requirements of Regulations
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationCYBER RISK SECURITY, NETWORK & PRIVACY
CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More informationCyber/ Network Security. FINEX Global
Cyber/ Network Security FINEX Global ABOUT US >> We are one of the largest insurance brokers in the world >> We have over 180 years of history and experience in insurance; we currently operate in over
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationPCI Solution for Retail: Addressing Compliance and Security Best Practices
PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment
More informationMortgage Fraud at Financial Institutions: Prevention and Response. By: Travis P. Nelson 1
Mortgage Fraud at Financial Institutions: Prevention and Response By: Travis P. Nelson 1 Over the last year law enforcement and regulatory agencies have been inundated with reports of mortgage fraud, occurring
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationManaging Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: August 2013
More informationANATOMY of a DATA BREACH DISASTER. Avoiding a Cyber Catastrophe. June, 2011. Sponsored by:
ANATOMY of a DATA BREACH DISASTER Avoiding a Cyber Catastrophe June, 2011 Sponsored by: ANATOMY of a DATA BREACH DISASTER Avoiding a Cyber Catastrophe An Advisen Special Report Sponsored by Chartis Security
More informationLog Management How to Develop the Right Strategy for Business and Compliance. Log Management
Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps
More informationCybernetic Global Intelligence. Service Information Package
Cybernetic Global Intelligence Service Information Package / 2015 Content Who we are Our mission Message from the CEO Our services 01 02 02 03 Managed Security Services Penetration Testing Security Audit
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationQuestions and Answers About the Identity Theft Red Flag Requirements
Questions and Answers About the Identity Theft Red Flag Requirements 1. Who is covered by the new Identity Theft Regulations? The Identity Theft Regulations consist of three different sets of requirements,
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationRisky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationDEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
More informationSHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES
SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES 2 On June 3, 2009, Plante & Moran attended the Midwest Technology Leaders (MTL) Conference, an event that brings together
More informationNetwork Security: Policies and Guidelines for Effective Network Management
Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com
More informationCyber Risk: Global Warning? by Cinzia Altomare, Gen Re
Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationWhite Paper Achieving SOX Compliance through Security Information Management. White Paper / SOX
White Paper Achieving SOX Compliance through Security Information Management White Paper / SOX Contents Executive Summary... 1 Introduction: Brief Overview of SOX... 1 The SOX Challenge: Improving the
More informationPrivacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014
Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014 Nikos Georgopoulos Privacy Liability & Data Breach Management wwww.privacyrisksadvisors.com October 2014
More information