INNOVATIVE APPROACHES TO MANAGING NETWORK RISK AND THREATS TO INFORMATION


Safe House

Provisioning network security today amidst the ever-present if not mounting threat to information is both a challenge and a conundrum. Given the business-critical personality of corporate data and the plethora of threats to it, the challenge is obvious. The conundrum arises from the fact that if adequate money is spent on a well-planned, end-to-end security solution, nothing happens. There are no security breaches, no denials of service, and no unwelcome visitors prowling around data stores.

While security is strategic and essential, it is not a core competence in many organizations. Given their druthers, corporate executives would rather see valuable IT staff talent directed at building and enriching systems that contribute directly to the business, increasing revenues, or enabling new ventures.

"Many, if not most, organizations have not budgeted accurately for security," notes Christopher T. Baumrucker, principal architect with Callisma Inc., an SBC company, and provider of SBC PremierSERV(SM) Consulting Services. "Security spending is viewed widely as a cost, period. And often unless there is a clear track record of problems, it is hard to get money for security staff and other security spending needs."

Meeting and Beating the Network Security Threat

Deployable Solutions
- Security requirements factor the needs of business units, regulations & best practices
- Network design is driven by the demands of the business; it must be adaptable & secure
- Holistic security is integral to the network, not bolted on

Network Security Challenges

Security Management
- Users demand a consistent authentication experience
- Security expertise is scarce & expensive
- Security & network personnel are not always in sync

Prevention/Protection
- You cannot protect apps & data without securing the network
- Patchwork security creates vulnerabilities that are difficult to identify
- Full cycle security is required: assess, detect, respond & prevent

SITUATION ANALYSIS: As CIO, it is your responsibility to articulate to senior management the true business value of investing in an end-to-end information security strategy. After all, you, more than anyone else, are best positioned to appraise the value of the information you need to protect, information that could prove extremely costly if it gets into the wrong hands. But as CIO, you are also acutely aware of today's IT budgetary realities. And those realities mean that very few companies today can meet the information security challenge on their own. Fortunately, there is plenty of help, as this special white paper will show.

Part of the challenge of getting senior management to spend adequately on security lies in the nature of information itself. As security experts attest, information is perhaps the only corporate asset that has two values: one when you have it and another when someone else, like a hacker, has it.

"All too often managers don't pay enough attention to security needs until after some damage is done," says Dustin Dykes, a senior analyst at Callisma. "Organizations have got to get out of reactionary mode and into a more proactive state where managed security services come into play. You have to take a good look at the security services providers. They have tremendous knowledge of discrete security challenges. And they have great information on how you can get back up and running when there is a problem."

Looking sharp at Astaris

Astute, forward-thinking companies seeking to secure vital data while directing valuable IT resources toward strategic projects are heeding the advice of Dykes and others. At St. Louis-based Astaris LLC, a leading supplier of phosphorus chemicals, the mission of the IT organization is to be an integral if not strategic part of the organization, not simply perceived as a cost center.

"We strive to enable our business efforts by giving managers exactly the data they need, and to help connect with our partners and customers in the most meaningful ways," says Charles Mitchell, IT director of operations and support. "So our staff has to know the business processes as well as anyone."

To accomplish such a lofty goal, Mitchell's team needs to be free from the shackles of IT routine in order to focus on strategic projects. That means outsourcing the parts of IT operations that, while vital, are not considered integral to the company's core businesses.

Outsource This

Q&A WITH SECURITY EVANGELIST BRENT HUSTON

Brent Huston is CEO and security evangelist of Microsolved Inc.
The Columbus, Ohio-based company provides security consulting to organizations that own and operate some of the largest networks in the world, as well as networks with some of the most sensitive data online.

Q: What are the important changes/trends in intrusion detection systems (IDS) that have taken place recently?

The move to consolidate information such as alerts and trends and filtering that data through software is certainly big. This has led to IDS implementations that have begun to produce action item data instead of the many false positives that plagued IDS for so long. Many organizations are now correlating their IDS alerts with vulnerability assessment data and are able to create prioritization of the output! That makes for a much more usable set of data from the IDS and helps keep security teams focused on the real issues, while minimizing the time and resources they spend chasing ghosts. I believe that such timely and accurate information is the only way that IDS tools achieve any kind of ROI. Their history, as a family of tools, has certainly been shady at best when looked at through the lens of ROI.

Q: What are the pros and cons of outsourcing IDS services?

This is probably the most common question I get asked about IDS and the answer is pretty complex. IDS outsourcing done properly makes for a wonderfully useful security tool, but on the other hand, IDS outsourcing done wrong can be a painful, costly, frustrating, and maybe even dangerous undertaking. The best advice is to first choose the right vendor. Do the hard work in this regard by checking references, and search the Internet for customer experiences. Then, use good contracts. Make sure the SLA [service-level agreement] establishes the parameters of your expected performance and that the agreement outlines penalties for noncompliance with those terms.
The positive aspects of outsourcing IDS include the following:
- Organizations don't have to build expertise in-house for the management and operation of the IDS deployment
- Hopefully, the provider is doing the filtering and turning the output into action item data (this is the really hard part of managing IDS)
- Organizations don't have to maintain monitoring staff to watch the IDS consoles

But the downside of outsourcing IDS can be:
- Many vendors are not doing IDS right or even well
- Many vendors miss alerts that may be important to the organization
- Alerting must be clearly defined, or it often fails to work as desired

Q: When might it make sense to outsource firewall management?

The best answer is when an organization does not want to build and maintain the expertise to manage the firewall(s) in-house. The other time it makes sense is when firewall management would fall under the same person who manages the network. This specific issue is often viewed as an audit finding waiting to happen. Many auditors want to see firewall and security tool management separated from the network management folks, kind of a "someone is watching the watchers" approach. Firewall monitoring and management has come a long way in the last couple of years. It has stabilized and is becoming more affordable and producing better deliverables for customers. Just like IDS, though, you have to carefully research the vendors involved and use good, clear contracts that establish your expectations and provide penalties for noncompliance.

Q: Given the importance of looking at security holistically or as an end-to-end solution rather than a series of spot solutions, how does a selective outsourcing strategy fit in?

Outsourcing just makes sense. No one can be good at everything. It makes sense to outsource the time- and resource-heavy pieces to companies that can leverage the same process and expertise across many organizations. Ultimately, the ROI for these outsourcing arrangements is that you don't have to carry the staff and maintain their currency with attack trends and such, a very expensive undertaking for a medium-sized staff.

Q: With all the changes that have impacted telecom security services providers in recent years, what characteristics should users seek in a vendor when considering a partner to whom they may outsource security services?

The most important and compelling thing to remember is that the right vendors are out there. Don't be afraid to ask for sanitized deliverables as examples. Vendors should be able to provide you with detailed methodologies for how they handle security incidents and how their notification processes work. You should also ask them how they have their networks audited and tested for security issues. If a company is storing some of your most sensitive data, they should have a response and detailed explanation of the steps they take to safeguard your information from attackers. So the bottom line is, ask questions, listen to their answers, and verify what they say to be true by talking to their clients as provided by them and by asking online about client experiences. You may just find a great partner, or save yourself from a nightmare.

Astaris turned to SBC companies for a variety of security and network services, including network security and firewall support, as well as other data services. Cost, as well as the ability to group several services with one provider, were the chief drivers for going with the SBC family of companies.

Value greater than pure cost

"But cost will only go so far in this world," notes Mitchell. "What's the value of a low price on network security if you get hacked? We have found SBC companies to be very reliable, very dependable. We are treated like a company 20 times our size. We get our problems resolved very quickly, and by highly qualified individuals."

But perhaps the biggest benefit of these managed services is the ability of Mitchell and his staff to focus their resources directly on improving the business of Astaris, cementing the idea that IT at Astaris is truly strategic. "We're not focused on fire fighting," concludes Mitchell. "We're providing real value to the business."

According to Callisma's Dykes, companies such as Astaris have discovered that managed security services can and do provide an improved security posture at a reduced total cost of ownership.

The advantages offered by security service providers include:
- Round-the-clock monitoring, which is often beyond the means of all but the largest of enterprises
- A holistic view of the client's needs with respect to global security trends
- A built-in workaround to the fiefdoms and internal politics that can get in the way of adequate security provisioning
- Economies of scale
- Invaluable experience gained by working with multiple clients across a variety of business types and vertical markets
- Freeing up internal IT staff to focus on strategic projects
- A time- and experience-tested set of security best practices

Losses by Type of Computer Security Incident
Total losses for 2004: $141,496,560
Sabotage: $871,000
System penetration: $901,500
Web site defacement: $958,100
Misuse of public Web application: $2,747,000
Telecom fraud: $3,997,500
Unauthorized access: $4,278,205
Laptop theft: $6,734,500
Financial fraud: $7,670,500
Abuse of wireless network: $10,159,250
Insider Net abuse: $10,601,055
Theft of proprietary info: $11,460,000
Denial of service: $26,064,050
Virus: $55,053,900
The actual losses sustained are higher, possibly twice as high, because the CSI/FBI survey also found that nearly 50% of security breaches went unreported, largely out of fear of public reaction.
Source: CSI/FBI 2004 Computer Crime and Security Survey, Computer Security Institute. 2004: 494 respondents.

Security service providers have also proven to be a wellspring of innovation. For example, in the area of intrusion detection systems (IDS), some providers are making significant strides not only to detect intrusions but to actually prevent them before they happen. "Let's face it, once the bad guys are in, they can do a lot of damage even before they are detected," says Baumrucker.

First Victoria National Bank

Three years ago one innovative and venerable bank put its faith and trust in the hands of a service provider, and has never looked back. True to the independent spirit that characterizes Texas, the Victoria-based First Victoria National Bank (FVNB) first opened its doors in 1867, and still operates as an independent bank. With 10 branches in the state, the $825 million bank has essentially the same data security needs as do its big city cousins. What the bank doesn't have is a city-sized IT staff. One key piece of FVNB's security strategy is its IDS to keep the bad guys away from vital bank data.
The bank's lone network engineer could not focus solely on security because his duties also included overall network administration and monitoring, as well as building out the network to accommodate growth. And with growth being a key element of FVNB's efforts, the bank couldn't afford to overlook important security elements, such as its IDS.

"We looked outside for help and found we had plenty of choices for security assistance," says Steve Tarro, senior vice president/data services manager and the person ultimately responsible for virtually any IT matter at the bank. "We had a preexisting relationship with SBC companies, including provisioning our data lines and phone lines. We really liked what they proposed for our IDS."

For one thing, SBC companies operated throughout all areas where Victoria Bank is likely to expand. For another, Tarro really liked what he saw about the security staff at the SBC family of companies. "It's just a very strong staff, and it includes a lot of former military folks with significant experience securing sensitive systems," Tarro recalls. "They were all high-level professionals that deal exclusively with the intrusion detection issue."

How well has the SBC companies' IDS worked out for the bank since its installation? For one thing, the system completely thwarted the intentional intrusion efforts of a vendor the bank hired to try to penetrate the IDS. "The IDS shut them down hard," says Tarro.

In addition to keeping the data thugs at bay, the SBC companies' IDS services also free up Tarro's lean-and-mean IT staff to focus on more strategic work. "The staff doesn't have to bother with IDS logs. Instead, they view simple reports on an exception basis, responding to those security items that require action, but not the small stuff," says Tarro. The bank also outsources its firewall services to the SBC family of companies, which the firm got up and running within weeks of being selected for the job, he adds.

[Figure: Americas and Worldwide Security Service Spending Forecast ($M), with CAGR (%): Americas 20.2. Source: IDC, 2004]

Convergence ups the ante

For user organizations like Victoria National Bank and others, one of today's realities is the impact of convergence on the network. After being talked about for years, convergence, or the melding of voice and data networks into a cohesive entity, is fast becoming reality. As a result, companies have to scrutinize security strategies more closely than ever because a network failure caused by a major security breach would impact operations to a catastrophic degree, given the pervasiveness of the network.

"If a worm or hacker takes down the data network, it can take down a lot more, such as the network that controls building operations, for example," notes Callisma's Dykes. "This can create real safety issues initially, and possibly significant liability issues down the road. Non-IT executives need to see security in this kind of light today."

But before committing to any comprehensive security plan, it is mission-essential to first come to some agreement and understanding internally about the value of the data and information an organization is trying to protect. "You've got to arrive at a way of estimating the full value of information assets, then spend accordingly to protect them," advises Baumrucker.

One problem, however, is that internal politics and fiefdoms can sometimes cloud this process. For that reason, some companies have begun working with security services providers to assist in this value appraisal process. "You need some checks and balances in virtually all aspects of security-related work," says Dykes. "Managed service providers don't come in with any political agendas. They just want to get the job done and keep the customer happy."
A changed regulatory environment

If there is one factor in today's business environment that is forcing business executives to take a closer look at information security, it is the changes in the regulatory climate. Federal information and privacy mandates such as the Patriot Act, Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and others demand that information resources meet certain minimum standards both to protect personal information and to keep businesses fully accountable to the public and to regulators.

"These kinds of regulations have pushed security into the boardroom," notes Baumrucker. "Few organizations have much breadth of experience in dealing with the complexity of these requirements. But service providers have been dealing with them a lot, and their experience can be brought to bear on developing the most cost-efficient means of dealing with these regulations while not imposing heavily on internal IT staff."

Ultimately, each organization must set its own security course in what is arguably the most dynamic business environment ever. If nothing else, service providers such as SBC companies can knock off as much as one-third of the cost users would pay if they handled all security matters internally, given the costs of buying hardware, maintaining software, and training and supporting a security staff. But beyond pure expense, users such as Victoria Bank and Astaris have found a silver lining to outsourcing security, and that has been the freeing up of vital staff to focus on advancing the business securely.

This document is the property of SBC Communications and/or its affiliates, is confidential, and is intended solely for internal use. Any other use of this document, including retention, dissemination, forwarding, printing, or copying, is strictly prohibited.


More information

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS 5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS 1 Introduction As small and mid-sized companies rely more heavily on their computer networks to

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Cisco SAFE: A Security Reference Architecture

Cisco SAFE: A Security Reference Architecture Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed

More information

Managing the Unpredictable Human Element of Cybersecurity

Managing the Unpredictable Human Element of Cybersecurity CONTINUOUS MONITORING Managing the Unpredictable Human Element of Cybersecurity A WHITE PAPER PRESENTED BY: May 2014 PREPARED BY MARKET CONNECTIONS, INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA 20151

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com Whitepaper Best Practices for Securing Your Backup Data BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com DATA PROTECTION CHALLENGE Encryption, the process of scrambling information

More information

Everything You Always Wanted to Know About Log Management But Were Afraid to Ask. August 21, 2013

Everything You Always Wanted to Know About Log Management But Were Afraid to Ask. August 21, 2013 Everything You Always Wanted to Know About Log Management But Were Afraid to Ask August 21, 2013 Logging and Log Management Logging and Log Management The authoritative Guide to Understanding the Concepts

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Security Information Lifecycle

Security Information Lifecycle Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4

More information

HIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates

HIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates HIPAA Myths WEDI Member Town Hall Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

Why You Need to Test All Your Cloud, Mobile and Web Applications

Why You Need to Test All Your Cloud, Mobile and Web Applications Why You Need to Test All Your Cloud, Introduction In a recent survey of security executives, more than 70 percent of respondents acknowledged that they are performing vulnerability tests on fewer than

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

MANAGED SECURITY SERVICES (MSS)

MANAGED SECURITY SERVICES (MSS) MANAGED SECURITY SERVICES (MSS) The Cyber Security Initiative. Cybercrime is becoming an important factor for CIOs and IT professionals, but also for CFOs, compliance officers and business owners. The

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

AB 1149 Compliance: Data Security Best Practices

AB 1149 Compliance: Data Security Best Practices AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California

More information

The Business Value of Managed Security Services

The Business Value of Managed Security Services The Business Value of Managed Security Services SilverSky 440 Wheelers Farm Road Suite 202 Milford CT 06461 silversky.com 2013 SilverSky P.2 The Business Value of Managed Security Services Contents Abstract...

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

Managed Security Services

Managed Security Services Managed Security Services 1 Table of Contents Possible Security Threats 3 ZSL s Security Services Model 4 Managed Security 4 Monitored Security 5 Self- Service Security 5 Professional Services 5 ZSL s

More information

TOP 3. Reasons to Give Insiders a Unified Identity

TOP 3. Reasons to Give Insiders a Unified Identity TOP 3 Reasons to Give Insiders a Unified Identity Although much publicity around computer security points to hackers and other outside attacks, insider threats can be particularly insidious and dangerous,

More information

WHITE PAPER BREACH, PRIVACY, AND CYBER COVERAGES: FACT AND FICTION CYBER COVERAGES

WHITE PAPER BREACH, PRIVACY, AND CYBER COVERAGES: FACT AND FICTION CYBER COVERAGES BREACH, PRIVACY, AND CYBER COVERAGES: FACT AND FICTION IDT911 1 DEFINITIONS 1. Cyber Programs - Focuses on services and systems related to technology and their use in business. Risks addressed include

More information

Three Attributes of Every Successful Merchant Services Program-20140604 1602-1

Three Attributes of Every Successful Merchant Services Program-20140604 1602-1 Three Attributes of Every Successful Merchant Services Program-20140604 1602-1 [Start of recorded material] [Starts Mid Sentence] thank everyone that s joined the call today. I know everybody is busy with

More information

It All Starts with Log Management:

It All Starts with Log Management: : Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll

More information

MANAGED SECURITY SERVICES (MSS)

MANAGED SECURITY SERVICES (MSS) MANAGED SECURITY SERVICES (MSS) THE CYBER SECURITY INITIATIVE. Cybercrime is becoming an important factor for CIOs and IT professionals, but also for CFOs, compliance officers and business owners. The

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Neoscope www.neoscopeit.com 888.810.9077

Neoscope www.neoscopeit.com 888.810.9077 Your law firm depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine your practice without IT. Today,

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

Business Opportunity Enablement through Information Security Compliance

Business Opportunity Enablement through Information Security Compliance Level 3, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 Business Opportunity Enablement through Information Security Compliance Page No.1 Business Opportunity Enablement

More information

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES September, 2015 Derek E. Brink, CISSP, Vice President and Research Fellow IT Security and IT GRC Report Highlights p2 p4 p6 p7 SMBs need to adopt a strategy

More information

CONNECTED HEALTHCARE. Trends, Challenges & Solutions

CONNECTED HEALTHCARE. Trends, Challenges & Solutions CONNECTED HEALTHCARE Trends, Challenges & Solutions Trend > Remote monitoring and telemedicine are growing Digital technology for healthcare is accelerating. Changes are being driven by the digitization

More information

Assessing the strength of your security operating model

Assessing the strength of your security operating model www.pwc.com Assessing the strength of your security operating model May 2014 Assessing the strength of your security operating model Retail stores, software companies, the U.S. Federal Reserve it seems

More information

Cloud Computing; the GOOD, the BAD and the BEAUTIFUL

Cloud Computing; the GOOD, the BAD and the BEAUTIFUL Cloud Computing; the GOOD, the BAD and the BEAUTIFUL The quest for increased cost savings and reduced capital expenditures with comprehensive cloud solutions Executive summary Asking the hard dollar questions.

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Chapter 3 HIPAA Cost Considerations

Chapter 3 HIPAA Cost Considerations AU1953_C03.fm Page 23 Saturday, October 11, 2003 10:22 AM Chapter 3 HIPAA Cost Considerations Background Actual costs for HIPAA compliance will vary among covered entities (CEs) because of various factors

More information

How to navigate the world of managed services and outsourcing

How to navigate the world of managed services and outsourcing - How to navigate the world of managed services and outsourcing A publication of : Introduction 3-5 The State of the Cloud 6-10 Navigating the In-between 11-17 The Managed Services Edge 18-23 Getting your

More information

About MicroSolved, Inc. Company Profile, Experience, Capabilities and Differentiators

About MicroSolved, Inc. Company Profile, Experience, Capabilities and Differentiators About MicroSolved, Inc. Company Profile, Experience, Capabilities and Differentiators Profile MicroSolved, Inc. is an Ohio corporation with a Dun and Bradstreet number of 022904119. Since 1992, MSI has

More information

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE TECHNICAL PROPOSAL DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE A White Paper Sandy Bacik, CISSP, CISM, ISSMP, CGEIT July 2011 7/8/2011 II355868IRK ii Study of the Integration Cost of Wind and Solar

More information

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril. Cyber Security Personal and commercial information is the new commodity of choice for the virtual thief, argues Adrian Leppard, Commissioner for City of London Police, as he sets out the challenges facing

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

To Outsource or not to Outsource: That is the Network Security Question

To Outsource or not to Outsource: That is the Network Security Question To Outsource or not to Outsource: That is the Network Security Question SilverSky 440 Wheelers Farm Road Suite 202 Milford CT 06461 silversky.com 2013 SilverSky Contents The Network Security Challenge...

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps

More information

HP and netforensics Security Information Management solutions. Business blueprint

HP and netforensics Security Information Management solutions. Business blueprint HP and netforensics Security Information Management solutions Business blueprint Executive Summary Every day there are new destructive cyber-threats and vulnerabilities that may limit your organization

More information

TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT

TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT Would you rather know the presumed status of the henhouse or have in-the-moment snapshots of the fox? If you prefer to use a traditional

More information

Webinar Transcript: Key Components of the Health Insurance Rating Process.

Webinar Transcript: Key Components of the Health Insurance Rating Process. Webinar Transcript: Key Components of the Health Insurance Rating Process. Ken Frino Group Vice President, JOHN WEBER: I m John Weber with the A.M. Best Company. Welcome to our webinar, Key Components

More information

BEST PRACTICES IN WEB CONFERENCING SECURITY. A Spire Research Report April 2003. By Pete Lindstrom, Research Director. Sponsored By: www.cisco.

BEST PRACTICES IN WEB CONFERENCING SECURITY. A Spire Research Report April 2003. By Pete Lindstrom, Research Director. Sponsored By: www.cisco. BEST PRACTICES IN WEB CONFERENCING SECURITY A Spire Research Report April 2003 By Pete Lindstrom, Research Director Sponsored By: www.cisco.com BEST PRACTICES IN WEB CONFERENCING SECURITY A Spire Research

More information

CSIS Security Research and Intelligence Research paper: Threats when using Online Social Networks - 5 month later Date: 19 th October 2007

CSIS Security Research and Intelligence Research paper: Threats when using Online Social Networks - 5 month later Date: 19 th October 2007 CSIS Security Research and Intelligence Research paper: Threats when using Online Social Networks - 5 month later Date: 19 th October 2007 Written by Dennis Rand rand@csis.dk http://www.csis.dk Table of

More information

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division

More information

Developing and Implementing a Strategy for Technology Deployment

Developing and Implementing a Strategy for Technology Deployment TechTrends Developing and Implementing a Strategy for Technology Deployment Successfully deploying information technology requires executive-level support, a structured decision-making process, and a strategy

More information

Product white paper. ROI and SIEM. How the RSA envision platform delivers an Industry-leading ROI

Product white paper. ROI and SIEM. How the RSA envision platform delivers an Industry-leading ROI Product white paper ROI and SIEM How the RSA envision platform delivers an Industry-leading ROI This paper examines the Return on Investment (ROI) that a quality security information & event management

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

Roger s Cyber Security and Compliance Mini-Guide

Roger s Cyber Security and Compliance Mini-Guide Roger s Cyber Security and Compliance Mini-Guide A Mini Guide for Small and Medium Business and not for profit organisations. By Roger Smith Managed Service Provider and Cyber Security Coach R & I ICT

More information

White Paper. 1 800 FASTFILE / www.ironmountain.ca Page 1

White Paper. 1 800 FASTFILE / www.ironmountain.ca Page 1 White Paper LIVEVAULT Top 10 Reasons for Using Online Server Backup and Recovery Introduction Backup of vital company information is critical to a company s survival, no matter what size the company. Recent

More information

Datacenter Hosting. Scalable Technology and Insurance for Your Business. nsacom.com

Datacenter Hosting. Scalable Technology and Insurance for Your Business. nsacom.com Datacenter Hosting Scalable Technology and Insurance for Your Business nsacom.com Datacenter Hosting Scalable Technology and Insurance for Your Business Datacenter Hosting Gives You the Best of Both Worlds

More information

CSI/FBI 2000 COMPUTER CRIME AND SECURITY SURVEY

CSI/FBI 2000 COMPUTER CRIME AND SECURITY SURVEY CSI/FBI 00 COMPUTER CRIME AND SECURITY SURVEY Statement of intent This survey was conducted by the Computer Security Institute (CSI) in association with the San Francisco Computer Crime Squad of the Federal

More information