How to get from laws to technical requirements
|
|
- Prosper Greene
- 8 years ago
- Views:
Transcription
1 How to get from laws to technical requirements And how the OPM hack relates technology, policy, and law June 30, 2015 Isaac Potoczny-Jones
2 Galois, Inc. Overview Outline! OPM Breach What s it all about How cybersecurity policy becomes technical requirements Recent cybersecurity bills that came through congress What are the challenges for all these laws Page 2
3 OPM Hack Page 3
4 Galois, Inc. Overview OPM Breach What happened! March 2014: Chinese hackers attack OPM but it was Thwarted November 2014: OIG says, as they ve said before, that OPM is insecure and doesn t use multi-factor authentication December 2014: Discovery of Chinese hackers breach of KeyPoint Passwords to OPM network stolen December 2014: Chinese hackers breach OPM At some point: OPM updates its security and monitoring tools April 2015: OPM discover the December breaches June 2015: FBI Director Corney says 18 million people are affected Page 4
5 Galois, Inc. Overview OPM Breach What was disclosed! Job title and sensitivity Social security numbers of the applicant and their family members Current and prior names, addresses, and phone numbers Physical description and possibly fingerprints School history and graduation information Employment history and employer contact information List of friends, relatives, and associates with their contact information Details on current and former spouses and marital status Details on children and their addresses Mental health diagnosis and treatment history Police and court records Drug and alcohol habits Details on bankruptcy, debt delinquencies, and liens Page 5
6 Galois, Inc. Overview OPM Breach What s the impact! This was the most significant breach of federal networks in U.S. history Rep. Michael McCaul, Chairman - House Homeland Security Committee Targeting people who have access to sensitive information Blackmail Stealing credentials Identity theft Punishment of foreign contacts Page 6
7 Galois, Inc. Overview OPM Breach Predictability! The OPM Office of Inspector General analyzed their security in major systems are not considered secure enough to exist No agency-wide configuration management No comprehensive inventory of servers, databases, network devices No vulnerability scanning program Known vulnerabilities are not fixed Multi-factor authentication not in place No consequences for these failures Also, for other reports: Agency had no IT security staff until 2013 Data not encrypted 20 year old COBOL systems Page 7
8 How a law becomes a technical requirement Page 8
9 Galois, Inc. Overview FISMA! How a law becomes a technical requirement! 2002 The Federal Information Security Management Act (FISMA) FISMA Says: OMB gets to provide oversight Each federal agency must implement cybersecurity standards NIST gets to set the technical security standard that defines the law Page 9
10 Galois, Inc. Overview So NIST Creates the RMF! The Risk Management Framework Often known as NIST Page 10
11 Galois, Inc. Overview NIST RMF Summary! Page 11
12 Galois, Inc. How Overview NIST RMF Works An Example! Let s say you have a very sensitive database of personal information STEP 1: Determine how sensitive it is There s a doc for that: FIPS 199 Low, Moderate, or High Page 12
13 Galois, Inc. Overview How much impact to loss of C.I.A.?! Low = Limited Degraded mission Minor damage Minor financial loss Minor harm to ppl Moderate = Serious Significant mission impact Significant damage Significant financial loss Significant harm to ppl But not loss of life High = Severe or Catastrophic Can t perform mission Major damage Major financial loss Severe harm to ppl Loss of life or life threatening injuries Page 13
14 Galois, Inc. Overview Impact: What does OIG say?! High = Severe or Catastrophic Can t perform mission Major damage Major financial loss Severe harm to ppl Loss of life or life threatening injuries Page 14
15 Galois, Select Inc. Overview Security Controls NIST ! A huge and impressive collection of security mitigations Ranked by Low, Moderate, High. Page 15
16 Galois, Inc. Overview Example Control Selection! Multi-Factor Authentication! IA-2 Identification and Authentication The system uniquely identifies and authenticates users Enhancements: (1) MFA for network access for privileged accounts (2) MFA for network access for non-privilege accounts (3) MFA for local access to privileged accounts (4) MFA for local access to non-privileged accounts Page 16
17 Galois, Security Inc. Overview Controls: What does OIG say?! OIG Audit: Multi-factor authentication is not required to access OPM systems Washington Post: "The breach of OPM s network occurred through the theft of login and password data for an employee of KeyPoint Government Solutions, an OPM contractor, sometime before last October, officials said." Page 17
18 Galois, Inc. Overview Authorization to Operate! If the authorizing official, after reviewing the authorization package deems that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable, an authorization to operate is issued for the information system Page 18
19 Galois, Inc. Overview Authorization: What does OIG say?! OIG Audit: Eleven major OPM information systems are operating without a valid Authorization. This represents a material weakness in the internal control structure of OPM s IT security program. Page 19
20 Galois, Inc. Overview OPM Hack - Summary! OPM holds the most personal imaginable information About millions of people With access to the most sensitive information in the world The law says that OPM should implement technical standards Including multi-factor authentication (MFA) OIG said in 2014 that they are insecure and didn t have MFA They knew their contractor credentials were breached in Dec They realized in March 2015 that their own networks were breached 18 million peoples security clearance data is stolen by a foreign nation Page 20
21 Cybersecurity Legislation Page 21
22 Galois, Cybersecurity Inc. Overview Bills: Types of legislation! Requirements to secure critical infrastructure Optional cyber threat information sharing Government -> Companies Companies -> Government Immunity for companies sharing information Limiting surveillance / hacking tools (CFAA, Wassenaar) Surveillance laws PATRIOT Act Requirements to inform customers of attacks Mandatory backdoors in consumer products Increased penalties for hacking Increased anti-piracy / intellectual property laws Page 22
23 Galois, Inc. Overview Recent Cybersecurity Bills! COICA (2010) - Combating Online Infringement and Counterfeits Act PIPA ( ) - PROTECT IP Act SECURE-IT (2012) - Strengthening and Enhancing Cybersecurity SOPA ( ) - Stop Online Piracy Act The one w/ big protests CISPA ( ) - Cyber Intelligence Sharing and Protection Act CISA (2014) - Cybersecurity Information Sharing Act Page 23
24 Galois, Inc. What s Overview the problem with these bills?! No laws proposed that require organizations to be secure Threat information sharing with the government is a privacy risk Any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name - Senator Wyden Intellectual property shouldn t be considered a cybersecurity issue Page 24
25 Galois, Inc. Overview Cybersecurity Bills: Crystal Ball! Increased requirements to secure critical infrastructure Why? An administration priority; it s already required for contractors Optional cyber threat information sharing with limited immunity Why? Congress has been trying to pass this for years Limiting export and sale of 0-Days and Intrusion Software Why? Draft rules already passed PATRIOT Act bulk data collection expired May 31 But some provisions still in place Page 25
26 Users Protected from cyber attack, terrorists and illegal surveillance Access to legal security technology Industry held accountable Protect users from attackers Protect national security Legal framework for intercept Reelection Government Free sites, apps, content Personal info kept confidential Limited financial risk Personal info: Marketing Mediocre security: Costs Limit liability: Risk Hide attacks: Brand Protect users with crypto Resist regulation: Costs Maintain access to PII Industry Tension: Privacy vs. Profit Tension: Security vs. Surveillance Tension: Regulation vs. Growth Protect industry with law (e.g. CFAA, CISA) Protect users with regulation (e.g. HIPAA) Encryption challenges Backdoors for lawful intercept Protect national security interests User PII Botnets Intellectual property Identity theft Financial theft Other nations interests Espionage Cyber war Attackers
27 Galois, Inc. Overview Conclusions! The OPM hack is an enormous failure of policy, law, and technology Current cybersecurity laws are focused only on threat sharing It s not clear to me that real cybersecurity laws will help anyway We need to find a way to break the logjam of competing interests Page 27
28 Galois, Inc. Overview Thank you!! Isaac Potoczny-Jones Page 28
Thank You To Our Sponsors
Thank You To Our Sponsors Thank You To Our Sponsors Thank You To Our Sponsors Cybersecurity Panel Managing Risk in the Aerospace and Defense Industry Peter S. Chiou Principal Strategist and Business Development
More informationChairman Johnson, Ranking Member Carper, and Members of the committee:
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT STATEMENT OF THE HONORABLE KATHERINE ARCHULETA DIRECTOR U.S. OFFICE OF PERSONNEL MANAGEMENT before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
More informationPOSTAL REGULATORY COMMISSION
POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1
More informationMyths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)
Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA) MYTH: The cyber threat is being exaggerated. FACT: Cyber attacks are a huge threat to American lives, national security,
More informationU.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems
U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
More informationOffice of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits
Office of the Inspector General United States Office of Personnel Management Statement of Michael R. Esser Assistant Inspector General for Audits before the Committee on Appropriations United States Senate
More informationUS Cyber Marathon. David Ambrose, Chief Security Officer and Chief Privacy Officer Bureau of the Fiscal Service U.S. Department of the Treasury
US Cyber Marathon David Ambrose, Chief Security Officer and Chief Privacy Officer Bureau of the Fiscal Service U.S. Department of the Treasury Context: US Government Scope/Scale 320M US citizens 4.1M Government
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION
More informationStatement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education
Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Before the U.S. House Oversight and Government Reform Committee Hearing on Agency Compliance with the Federal Information
More informationGAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement
GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,
More informationCybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues
Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues Todd Bertoson Daniel Gibb Erin Sheppard Principal Senior Managing Associate Counsel todd.bertoson@dentons.com
More informationReducing Cyber Risk in Your Organization
Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationVirginia Joint Commission on Technology and Science. Cybersecurity Legislation
Virginia Joint Commission on Technology and Science Cybersecurity Legislation Pending Legislation Widespread agreement of need for legislation Three approaches CISPA Cybersecurity Act of 2012 SECURE IT
More informationSECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE
FOR OFFICIAL USE ONLY SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE Department of Transportation Report No. FI-2013-123 Date Issued: September 10,
More informationI ve been breached! Now what?
I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have
More informationI. U.S. Government Privacy Laws
I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management
More informationINADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK
MARCH 28, 2011 AUDIT REPORT OFFICE OF AUDITS INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration REPORT NO. IG-11-017
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationJOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
More informationFinal Audit Report -- CAUTION --
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management
More informationClients Legal Needs in HIPAA Security Compliance
Clients Legal Needs in HIPAA Security Compliance Robyn A. Meinhardt, JD, RN FOLEY & LARDNER LLP 2004 Preserving Attorney-Client Privilege and Work Product Protections 1 Relevance to Security Compliance
More informationCompliance Risk Management IT Governance Assurance
Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department
More informationOFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106
More informationFERPA: Data & Transport Security Best Practices
FERPA: Data & Transport Security Best Practices April 2013 Mike Tassey Privacy Technical Assistance Center FERPA and Data Security Unlike HIPAA and other similar federal regulations, FERPA does not require
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of
More informationCloud Assessments. Federal Computer Security Managers Forum. John Connor, IT Security Specialist, OISM, NIST. Meeting.
Cloud Assessments SaaS Email Working Group John Connor, IT Security Specialist, OISM, NIST Meeting August, 2015 Background Photo - JILA strontium atomic clock (a joint institute of NIST and the University
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationEvaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12
Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General
More informationSCAC Annual Conference. Cybersecurity Demystified
SCAC Annual Conference Cybersecurity Demystified Me Thomas Scott SC Deputy Chief Information Security Officer PMP, CISSP, CISA, GSLC, FEMA COOP Practitioner Tscott@admin.sc.gov 803-896-6395 What is Cyber
More informationCybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response
Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary
More informationWhat are you trying to secure against Cyber Attack?
Cybersecurity Legal Landscape Bonnie Harrington Executive Counsel EHS and Product Safety & Cybersecurity GE Energy Management Imagination at work. What are you trying to secure against Cyber Attack? Personally
More informationAudit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013
Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,
More informationMiddle Class Economics: Cybersecurity Updated August 7, 2015
Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
More informationOffice of Inspector General
Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases
More informationSummary of the State of Security
Summary of the State of Security Tram Jewett, CISA CliftonLarsonAllen LLP Virginia GFOA Annual Spring Conference, 2016 1 1 Summary of the State of Security Tram Jewett, MS., CISA, 11 years IT audit and
More informationData Breaches in the Government Sector. A Rapid7 Research Report
Data Breaches in the Government Sector A Rapid7 Research Report Summary of Report Across all industries, data breaches and the protection of business-critical data remain a top concern. While the government
More informationIBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security
IBM Internet Security Systems October 2007 FISMA Compliance A Holistic Approach to FISMA and Information Security Page 1 Contents 1 Executive Summary 1 FISMA Overview 3 Agency Challenges 4 The IBM ISS
More informationProtecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11
Protecting What Matters Most Terry Ray Chief Product Strategist Trending Technologies Session 11 Cyber attacks are bad and getting Significant economic Stock price fell by 14% Impacted profits by 46% Total
More informationEric Hess, CEO, KeyPoint Government Solutions OPM Data Breach: Part II House Committee on Oversight and Government Reform June 24, 2015
Eric Hess, CEO, KeyPoint Government Solutions OPM Data Breach: Part II House Committee on Oversight and Government Reform June 24, 2015 Chairman Chaffetz, Ranking Member Cummings, and Members of the Committee,
More informationFiscal Year 2007 Federal Information Security Management Act Report
OFFICE OF INSPECTOR GENERAL Special Report Catalyst for Improving the Environment Fiscal Year 2007 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report No.
More informationGAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network
GAO United States Government Accountability Office Report to the Honorable F. James Sensenbrenner Jr., House of Representatives April 2007 INFORMATION SECURITY FBI Needs to Address Weaknesses in Critical
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationMission Assurance and Security Services
Mission Assurance and Security Services Dan Galik, Chief Federation of Tax Administrators Computer Security Officer Conference March 2007 Security, privacy and emergency preparedness issues are front page
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationU.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management
More informationTHE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY
THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY DISCLAIMER Views expressed in this presentation are not necessarily those of our respective Departments Any answers to questions are our own opinions
More informationTestimony of. Before the United States House of Representatives Committee on Oversight and Government Reform And the Committee on Homeland Security
Testimony of Dr. Phyllis Schneck Deputy Under Secretary for Cybersecurity and Communications National Protection and Programs Directorate United States Department of Homeland Security Before the United
More informationHealth Insurance Exchange/Marketplace Privacy and Security Issues
Health Insurance Exchange/Marketplace Privacy and Security Issues Twenty-Second National HIPAA Summit Elizabeth A. Ferrell McKenna Long & Aldridge LLP February 6, 2014 mckennalong.com ACA Exchange System
More information10 Smart Ideas for. Keeping Data Safe. From Hackers
0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000
More informationCybercrime: risks, penalties and prevention
Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,
More informationInformation Security and Risk Management
Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management
More informationHow To Audit The National Security System
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Federal Information Security Modernization Act Audit FY 2015 Report Number 4A-CI-00-15-011 November
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationHow To Write A National Cybersecurity Act
ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 March 17, 2010 BACKGROUND & WHY THIS LEGISLATION IS IMPORTANT: Our nation is at risk. The networks that American families and businesses
More informationStandards for Security Categorization of Federal Information and Information Systems
FIPS PUB 199 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Standards for Security Categorization of Federal Information and Information Systems Computer Security Division Information Technology
More informationVA Office of Inspector General
VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND
More informationFiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program Report.
More informationCybersecurity Primer
Cybersecurity Primer August 15, 2014 National Journal Presentation Credits Producer: David Stauffer Director: Jessica Guzik Cybersecurity: Key Terms Cybersecurity Information security applied to computers
More informationCybersecurity Executive Order
Cybersecurity Executive Order February 14, 2013 Michael DuBose, Kroll Advisory Solutions Gerald J. Ferguson, BakerHostetler Jason Straight, Kroll Advisory Solutions Theodore J. Kobus III, BakerHostetler
More informationCybersecurity: Protecting Your Business. March 11, 2015
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
More informationFinal Audit Report. Report No. 4A-CI-OO-12-014
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationINFORMATION SECURITY Department of Education and Other Federal Agencies Need to Better Implement Controls
United States Government Accountability Office Testimony Before the Committee on Oversight and Government Reform, House of Representatives For Release on Delivery Expected at 10:00 a.m. ET Tuesday, November
More informationCYBER SECURITY A L E G A L P E R S P E C T I V E
A L E G A L P E R S P E C T I V E T H O M A S G. S C H R O E T E R A S S O C I A T E G E N E R A L C O U N S E L P O R T O F H O U S T O N A U T H O R I T Y DISCLAIMER! This presentation: does not include
More informationPresentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy
Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes
More informationSECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.
SECTION-BY-SECTION Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012. Section 2. Definitions. Section 2 defines terms including commercial information technology product,
More informationCybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015
Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas
More informationINTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program
INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationInformation Security Policy
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
More informationAB 1149 Compliance: Data Security Best Practices
AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationHow-To Guide: Cyber Security. Content Provided by
How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses
More informationThe Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.
The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. 1 Calling All CEOs Are You Ready to Defend the Battlefield of the 21st Century? It is not the norm for corporations to be
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. ELECTION ASSISTANCE COMMISSION EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT
More informationPublic Law 113 283 113th Congress An Act
PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationSmithsonian Enterprises
Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement
More informationAddressing Cyber Threats Multi-Factor Authentication for Privileged User Accounts
Addressing Cyber Threats Multi-Factor Authentication for Privileged User Accounts Contents 3 Introduction 4 Multi-factor authentication for privileged users 7 What other measures should agencies consider?
More informationSMITHSONIAN INSTITUTION
SMITHSONIAN INSTITUTION FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012 INDEPENDENT EVALUATION REPORT TABLE OF CONTENTS PURPOSE 1 BACKGROUND 1 OBJECTIVES, SCOPE, AND METHODOLOGY 2 SUMMARY OF RESULTS
More informationHow To Check If Nasa Can Protect Itself From Hackers
SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration
More informationAudit of the Board s Information Security Program
Board of Governors of the Federal Reserve System Audit of the Board s Information Security Program Office of Inspector General November 2011 November 14, 2011 Board of Governors of the Federal Reserve
More informationUnderstanding the Business Risk
AAPA Cybersecurity Seminar Andaz Savannah Hotel March 11, 2015 10:30 am Noon Understanding the Business Risk Presenter: Joshua Gold, Esq. (212) 278-1886 jgold@andersonkill.com Disclaimer The views expressed
More informationReport of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.
OFFICE OF INSPECTOR GENERAL Report of Evaluation OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s Evaluation of the Farm Compliance Credit Administration s with the Federal Information
More informationIT Compliance Volume II
The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Addressing Web-Based Access and Authentication Challenges by Rebecca Herold, CISSP, CISM, CISA, FLMI February 2007 Incidents
More informationCYBER-SURVEILLANCE BILL SET TO MOVE TO SENATE FLOOR
CYBER-SURVEILLANCE BILL SET TO MOVE TO SENATE FLOOR July 28, 2015 The Senate is expected to consider the Cybersecurity Information Sharing Act (CISA, S. 754 1 ) on the Senate floor soon. The bill was marked
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationChapter 1: Information Security Fundamentals. Security+ Guide to Network Security Fundamentals Second Edition
Chapter 1: Information Security Fundamentals Fundamentals Second Edition Objectives Identify the challenges for information security Define information security Explain the importance of information security
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationCYBERSECURITY Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies
United States Government Accountability Office Testimony before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives
More informationAUDIT TAX SYSTEMS ADVISORY
AUDIT TAX SYSTEMS ADVISORY Presented by: Jim Rumph Introduction JIM RUMPH, CISA Systems Manager Jim is a graduate of the University of Georgia with a Bachelor of Business Administration in Accounting and
More information