Five Steps to Managing Business Associate (BA) Risk. James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO
|
|
- Kristin Malone
- 7 years ago
- Views:
Transcription
1 Five Steps to Managing Business Associate (BA) Risk James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO
2 Conflict of Interest James Christiansen, BS, MBA Has no real or apparent conflicts of interest to report.
3 Five Steps to Managing Business Associate (BA) Risk Welcome We are using a polling session today. Please answer the following question using your HIMSS application or SMS message as instructed below Are you enjoying HIMSS so far? 1) Yes 2) No 3
4 Agenda The Risk of Business Associates Reducing the Inherent Risk of BAs Understanding Business Associate Risk Defining the Types of Risk of BAs Managing Business Associate Risk Matching Security Assessment Level to Risk Changing the Paradigm Standardized and Automation of Assessments by Type of Service Key Points: Begin due diligence on critical business associates immediately Evaluate your risk inventory and assign risk tiers based on best practices Start slow Get quick wins Create a tiered program to evaluate risk based on inherent risk Manage a remediation plan to address deficient controls Provide a robust reporting program for executive team and regulators THINK DIFFERENTLY! 4
5 Learning Objectives Define the different types of business associate risk Discuss the process for managing business associate risk Identify inherent risk in the business Appraise the inherent risk with the required regulatory controls Apply business associate audits matching the level of due-diligence to the inherent risk 5
6 Realizing the Value of Health IT Electronic Secure Data Healthcare information is under attack. It has more value and longer shelf life than credit card data Business Associates are often the weak link in the healthcare ecosystem and targeted by attackers 6
7 Did we do a recent security review? Do we have insurance to cover the costs? The Beginning of a Bad Day Do we outsource to this Business Associate? Have we contacted our regulators? Have we been contacted by the media? CEO reads in the news that a major Business Associate provider had a security breach Are we prepared to respond to the media, our customers and the board of directors? HIMSS 2016
8 Common Industry Challenge Growing Problem Sheer Volume Costly Due-Diligence Global Regulatory Requirements Data and Privacy Security Breaches Fiduciary Board - Top of Mind Current Practice Costly Manual On-Site Audits Duplication of Efforts No Standard of Due Care No Trusted Assessor 8
9 Business Associate Targeted Attacks Trusted Insider Outsourcer Supplier with Trusted Access Business Associate Attacks Your Business Service Provider Target of Opportunity Breach a major supplier and you gain access to multiple companies data Global Problem A supplier anywhere in the world can be the cause of, or suffer from a security breach Economic Conditions Increased outsourcing and financial stress on business associate can lower defenses HIMSS
10 Exploiting the Trusted Business Associate Business Associate or INSIDER Capture Login Credentials Non-critical Servers THE ATTACKER S TARGET Sensitive Servers Use Credentials to Gain Access Escalate Privileges Lateral Movement ACTORS and METHODS: = Hacktivists Criminal Orgs State Sponsored HIMSS
11 Business Associate Breaches The Cost of a Breach at an External Party is Higher than an Internal Breach (2) Responding is more complex and time consuming 51 % of All Breaches Come from external parties (1) You are not in control of the response or communications (1) Source: Key findings from The Global State of Information Security Survey 2014, PWC, CSO Magazine (2) 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May
12 Understanding the Risks
13 Planning, Managing and Reporting Planning Steps to take to understand the inherent risk in the Business Associate relationship Managing How to effectively manage the residual risk of your Business Associate Reporting Reporting on Business Associate risk management process 13
14 Business Associate Risk Management Maturity Development of high-level scope and inventory (program adoption) Assessments on new relationships that leverage generic controls framework Assessments tailored to risk tier Managed remediation process Assessment depth/breadth appropriate for due-diligence required Validation and tracking of remediation Scope focused on full spectrum of BAs Predictive intelligence Manage to SLAs and future viability Source: Optiv Third-Party Program Blueprint 14
15 BA Cyber Risk Monitoring Level 1 Information From External BA Sites Use web information as indicator on level of control maturity Threat Intelligence Financial Data Level 2 Direct Interaction with BA People Process Technology Maturity of security program; people, process and technology Risk Reports Level 3 Direct Interaction with Technology Use technology to scan system configuration and controls Social Data Economic Data 15
16 Business Associate Contracts Restrictions on Outsourcing Security Safeguards Security Service Level Agreement Right to Audit Breach Notification Exit Strategy Indemnification, Cyber Insurance, etc. HIMSS 2016
17 Business Associate Risk Process Regulatory or Contract Exposure - Data Exposure - Business Process Exposure - Financial Strength - Geopolitical / Country Risk - Breach History or Indication - Standardized - Service Type, Size and Complexity 3 - HIPAA/STAR 1 Monitoring and Reporting Relationship Risk What Are They Doing for Us? 2 Business Profile Risk Who Are They? - Electronic Validation - Onsite Validation 4 - Control Evidence 5 - Changes in Relationship - Changes in Business - Changes in Controls 5 Control Validation 4 How Are They Protecting the Information? 3
18 Relationship Exposure Inventory The First Question: What data of ours was breached? Relationship Exposure Inventory Risk Registry Maintain a relationship list (type and quantity) Relationship Creep Due diligence is performed during the first contract Relationship grows over time Increased liability without updating the risk exposure metrics 18
19 Business Profile Risk Purpose: Who is The Business Associate? Understand the Risk of Doing Business With Business Associate Financial Strength/Credit Risk Regulatory Oversight Geopolitical/Economic Risk Business Risk Breach History, Crime, Legal Suit Most often performed outside of Information Security 19
20 Mapping Risk Tiers Tier 1 Tier 2 Tier 3 Relationship Risk Strategic Risk Reputational Risk Transaction Risk Compliance Risk Data Privacy Risk Business Profile Risk Credit Risk Country Risk Other Risks High Medium Low High Medium Low $$$$ $$$$ $$$ High Medium Low High Medium Low $$$$$ $$$$ $$$ High Medium Low High Medium Low 20
21 Risk Tiers Based on Inherent Risk Inherent Risk is a Function of Relationship and Profile Risk Match the Level of Due Diligence to Inherent Risk Tier 1 Strategic accounts (high revenue dependence) Regulatory/contract requirements High reputation risk Trusted relationships Tier 2 Lower volume with no or minimal sensitive data Lower revenue risk Business operations risk Some business profile risk Tier 3 No sensitive data Minimal reputation risk Minimal or no revenue dependence Trusted relationship with low-level access HIMSS
22 Business Associate Risk Current Situation HIPPA Final Rule - Omnibus Perform a HIPPA Risk Assessment to determine risks to PHI and identify additional security measures that should be implemented to better protect PHI Business Associates are directly liable for compliance with HIPPA Security Rule Subcontractors must be included Average Enterprise Has 1000s of Business Associates 1.5% - 2% 6% - 8% 90% - 95% Tier 1 Tier 2 Tier 3 22 HIMSS
23 Control Assessments Standardized Assessments Match Due-Diligence to Risk and Type of Service Full Assessment - Large Full Assessment - Light Cloud Computing Application Development Call Center Small Office Single Person Office No Ambiguity How You Ask Questions is as Important as What You Ask 23
24 Validating IT Controls Onsite Business Associate Validation Costly and Time Prohibitive SSAE16 SOC 2 A SSAE16 SOC 2 provides information pertaining to the IT controls that has been certified by an accredited firm Tip: Make sure the scope match the services being provided. Business Associate Breach Intelligence Service that monitors for bad traffic on the internet 24
25 Polling Question Is a SSAE16 SOC 2 Type 2 good enough? 1) Yes 2) No 3) For BA s with minimal risk 25
26 Tier 1 Due Diligence Tier 1 Assessments Self Attest of Controls Validate (not a complete list) Security policies Fully Validated Incident response plan and procedures Detection & Monitoring Systems (e.g. SIEM, SOC) Business continuity/disaster recovery plan and test results Vulnerability management procedures and sample reports Security awareness, training and completion log Last independent security assessment - status of high risks Physical security Tip: Multiple sites and outsourcing by Business Associate significantly increases level of effort 26
27 Tier 2 and 3 Assessments Tier 2 Assessments Partially Validated Self Attest of Controls Electronic Validation Policies Threat Management Access Management Penetration Tests Vulnerability Management Endpoint Management Tier 3 Assessments Self Attest of Controls Review Responses Random Audit 27
28 Remediation Plan Business Associate Not Meeting Required Standards Does control deficiency impact services? Provide Business Associate list of required improvements and dates Business Associate will: Commit Require additional time Reject Remediation plan agreed upon improvements Trigger follow-up 28
29 Business Associate Due Diligence Process Review Risk Inventory Ensure Proper Changes Implemented Determine the Appropriate Risk Tier Review Results and Negotiate Remediation Plan Have Business Associate Complete Self-Attest Control Validation Dependent on Tier Level 29
30 Changing the Paradigm Inefficient, Cost Prohibitive and Sheer Volume Performing assessments - Often only small percentage assessed Responding to 100 s of risk assessments are disruptive takes incredible resources Time For a Change! A standard set standard set of criteria that serves 90% of the needs Gather the information once and share many Automate the process of audits and remediation 30
31 Polling Question Would you be willing to use a service that provides validated assessments using a standard criteria if it meant significantly less cost, move coverage and higher quality? 1) Yes 2) No 31
32 Realizing the Value of Health IT Within Three Months, You Should: Begin due diligence on critical business associates Evaluate your risk inventory and assign risk tier 90 Days Start slow Get quick wins Beyond Three Months, Establish: + 90 Days A tiered program to A remediation plan evaluate risk to address deficient Reporting program controls 32
33 Questions?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationDodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare
Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationThe Role of Security Monitoring & SIEM in Risk Management
The Role of Security Monitoring & SIEM in Risk Management Jeff Kopec, MS, CISSP Cyber Security Architect Oakwood Healthcare Jeff Bell, CISSP, GSLC, CPHIMS, ACHE Director, IT Security & Risk Services CareTech
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationReducing Cyber Risk in Your Organization
Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationIdentifying and Managing Third Party Data Security Risk
Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:
More informationPast vs. Present: Third Party Risk
Past vs. Present: Third Party Risk Kevin O Sullivan and Hicham Chahine 3 rd Party Risk, Crowe Horwath LLP April 30th, 2015 Agenda Drivers pushing Third Party Risk Past vs. Present Events and Trends Vendor
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationThird-Party Cybersecurity and Data Loss Prevention
Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationVendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire
Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control
More informationRogers Insurance Client Presentation
Rogers Insurance Client Presentation Network Security and Privacy Breach Insurance Presented by Matthew Davies Director Professional, Media & Cyber Liability Chubb Insurance Company of Canada mdavies@chubb.com
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationRisky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
More informationOctober 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches
October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationWhite Paper September 2013 By Peer1 and CompliancePoint www.peer1.com. PCI DSS Compliance Clarity Out of Complexity
White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com PCI DSS Compliance Clarity Out of Complexity Table of Contents Introduction 1 Businesses are losing customer data 1 Customers are learning
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More information3 rd -party Security Risk Assessment
3 rd -party Security Risk Assessment Understanding Supplier Chain Risks. Presented by: Nasser Fattah CISSP, CISM, CISA, CGEIT Email: nasser.fattah@gmail.com Linkedin: www.linkedin.com/in/nasserfattah April
More informationwww.pwc.co.uk Cyber security Building confidence in your digital future
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationBOARD OF GOVERNORS MEETING JUNE 25, 2014
CYBER RISK UPDATE BOARD OF GOVERNORS MEETING JUNE 25, 2014 EXECUTIVE SUMMARY Cyber risk has become a major threat to organizations around the world, as highlighted in several well-publicized data breaches
More informationSecurityMetrics Business Associate HIPAA compliance program
SecurityMetrics Business Associate HIPAA compliance program IS YOUR PHI SAFE? Business associates help your business succeed, but are they a liability? When your BAs are not HIPAA compliant, your business
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationCyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks
Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks July 2014 Cyber Threat Intelligence and Incident Coordination Center: Protecting
More informationCYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationAccenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges
Accenture Intelligent Security for the Digital Enterprise Archer s important role in solving today's pressing security challenges The opportunity to improve cyber security has never been greater 229 2,287
More informationServices. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure
Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationTO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel
AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,
More informationCORL Dodging Breaches from Dodgy Vendors
CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology
More informationCYBER SECURITY SERVICES PWNED
CYBER SECURITY SERVICES PWNED Jens Thonke Capital Market Day 16 Sept 2015 1 AGENDA Cyber Security Services in brief Market overview and key trends Offering and channels Competition Enabling growth Performance
More informationAdopting a Cybersecurity Framework for Governance and Risk Management
The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Adopting a Cybersecurity Framework for Governance and Risk Management Jim Giordano Vice Chairman & Chair of Finance
More informationIntroduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec
Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing
More informationWhat can HITRUST do for me?
What can HITRUST do for me? Dr. Bryan Cline CISO & VP, CSF Development & Implementation Bryan.Cline@HITRUSTalliance.net Jason Taule Chief Security & Privacy Officer Jason.Taule@FEIsystems.com Introduction
More informationAnatomy of a Cloud Computing Data Breach
Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationI D C A N A L Y S T C O N N E C T I O N
I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)
More informationState Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4
State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes
More informationPenetration Testing. I.T. Security Specialists. Penetration Testing 1
Penetration I.T. Security Specialists ing 1 about us At Caretower, we help businesses to identify vulnerabilities within their security systems and provide an action plan to help prevent security breaches
More informationNine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More informationFEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.
More informationOverview of Topics Covered
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationVendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Peter Davey, AAP VP & Director, Enterprise Payments, CapitalOne Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay
More informationManaging Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal
Managing Cyber Threats Risk Management & Insurance Solutions Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal Overview Recent Trends and Loss Exposures Risk Management Strategies
More informationPassword Management Evaluation Guide for Businesses
Password Management Evaluation Guide for Businesses White Paper 2016 Executive Summary Passwords and the need for effective password management are at the heart of the rise in costly data breaches. Various
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationCyber security: Are consumer companies up to the challenge?
Cyber security: Are consumer companies up to the challenge? 1 Cyber security: Are consumer companies up to the challenge? A survey of webcast participants kpmg.com 1 Cyber security: Are consumer companies
More informationKLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT
1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President of KLC Consulting, Inc. Over 20 years in IT and Security Security
More informationSecuring Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use
Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013 Table of Contents Abstract... 3 The Carrot and the Stick: Incentives and Penalties for Securing
More informationSecurity Overview. BlackBerry Corporate Infrastructure
Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationIT AUDIT WHO WE ARE. Current Trends and Top Risks of 2015 10/9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski
IT AUDIT Current Trends and Top Risks of 2015 2 02 Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti 317.510.4661 eric.vyverberg@protiviti.com Managing
More informationIs Your Company Ready for a Big Data Breach?
Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationKeeping watch over your best business interests.
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
More informationCORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
More informationCyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP
Cyber Security Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program Raj Patel, Partner, Plante & Moran, PLLC
More information2 0 1 4 F G F O A A N N U A L C O N F E R E N C E
I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationAre You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives
Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationManaging cyber risks with insurance
www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive
More informationAddress C-level Cybersecurity issues to enable and secure Digital transformation
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
More informationData Security: Fight Insider Threats & Protect Your Sensitive Data
Data Security: Fight Insider Threats & Protect Your Sensitive Data Marco Ercolani Agenda Data is challenging to secure A look at security incidents Cost of a Data Breach Data Governance and Security Understand
More informationReady for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP
Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received
More informationCybersecurity Strategic Consulting
Home Overview Challenges Global Resource Growth Impacting Industries Why Capgemini Capgemini & Sogeti Cybersecurity Strategic Consulting Enabling business ambitions, resilience and cost efficiency with
More informationMitigating and managing cyber risk: ten issues to consider
Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed
More informationSymantec Residency and Managed Services
Symantec Residency and Managed Services Flexible options for staff augmentation and IT out-tasking Symantec Global Services Confidence in a connected world. Symantec Residency and Managed Services provide
More informationSecurity Metrics to Manage Change: Which Matter, Which Can Be Measured?
Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:
More informationHIPAA in the Cloud How to Effectively Collaborate with Cloud Providers
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationIMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle
More information115 th Annual Convention
115 th Annual Convention Date: Saturday, October 12, 2013 Time: 11:00 am 12:00 pm Location: The Walt Disney World Swan and Dolphin Resort, Southern Hemisphere Salon 4-5 Title: Activity Type: Speaker: Data
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationIndustrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk
Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Industrial Cyber Security Risk Industrial Attacks Continue to Increase in Frequency & Sophistication Today, industrial organizations
More informationData Breach and Senior Living Communities May 29, 2015
Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs
More informationWhite Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management
White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES By James Christiansen, VP, Information Risk Management Executive Summary Security breaches in the retail sector are becoming more
More informationIDENTIFYING VENDOR RISK THE CRITICAL FIRST STEP IN CREATING AN EFFECTIVE VENDOR RISK MANAGEMENT PROGRAM
IDENTIFYING VENDOR RISK THE CRITICAL FIRST STEP IN CREATING AN EFFECTIVE VENDOR RISK MANAGEMENT PROGRAM HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 THE CRITICAL FIRST STEP IN
More informationPrivacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol
Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol 1 Learning Objectives Understand Privacy and Security Requirements Understand the new OCR audit protocol Learn how to prepare
More informationXerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk
Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just
More informationVirginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101
Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationVendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.
More informationINFORMATION SECURITY TESTING
INFORMATION SECURITY TESTING SERVICE DESCRIPTION Penetration testing identifies potential weaknesses in a technical infrastructure and provides a level of assurance in the security of that infrastructure.
More informationCredit Union Liability with Third-Party Processors
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
More informationSeven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
More informationCYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison
CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison Gary Solway* Bennett Jones LLP The August release of the purported names and other details of over 35 million customers
More information