Cyber Security From The Front Lines
1 Cyber Security From The Front Lines
Glenn A Siriano
October 2015

2 Agenda
Setting the Context
Business Considerations
The Path Forward
Q&A
3 Cyber Security Context
4 Cyber Has Become a Boardroom Conversation

June 2011: Electronic transaction processing company target of cyber attack. Global Payments reported that its servers housing personal information collected from merchants were attacked, impacting between 1.5 million and 7 million customers. The company confirmed that expenses associated with the breach totaled more than $92 million, including professional services fees, credit monitoring, identity protection insurance, fraud charges, and fines. (Source: Bank Info Security)

July 2013: Hackers use malware over a several-year period to steal more than 160 million credit card numbers. Cyber attackers from Russia and Ukraine collaborated in a scheme to target major corporate networks, including NASDAQ, Dow Jones, and Heartland Payment Systems, and were able to steal more than 160 million credit card numbers between 2005 and
In total, the separate and devious operations spanned the globe, resulting in at least $300 million in losses to companies and individuals. (Source: NY Daily News)

January 2015: Anthem breach thought to impact between million customer records. The second-largest health insurer reported that hackers compromised its network using a stolen password to access a database containing personal information from current and former customers. Initial estimates indicate the breach could result in more than $100 million in financial consequences. (Source: C-Net)
5 Cyber Risk Perfect Storm

Growing Threat Level: Bad actors have evolved. Retail is the 5th worst sector, and 75% of data loss incidents in retail are hacking related (2012).*

Changing Technology Landscape: Consumerization of IT, cloud, and an eroding perimeter.

Compliance Pressure: Compliant does not necessarily mean sustainably (cyber) resilient.

* KPMG's 2012 Data Loss Barometer; a global insight into lost and stolen information.
6 Major market forces for Cyber in 2015 and Beyond

Every day increasingly sophisticated and intelligent attackers are targeting the crown jewel information assets of organizations. Business impacts include lost revenues, operational disruption, remediation costs, claims and fines.

TOP CYBER RISKS IN 2015

EVOLVING THREAT ACTORS: Smarter attackers with more resources, better tooling, and advanced goals.

HEIGHTENED MEDIA COVERAGE: Drumbeat of fear, uncertainty, and doubt, especially about embedded systems / industrial control systems.

INCREDIBLE VENDOR CLAIMS: Total information security spending is expected to reach $76.9bn in 2015 (source: Gartner). Marketing departments have taken note.

CHANGING IT DELIVERY MODELS: New IT capabilities, from BYOD to cloud to big data, have serious impact on the security controls we need and can use.

Our top security risk: misallocation of scarce resources, both time and money.
7 2015 Cyber by the Numbers: Audit Committee Research and KPMG

AC Focus Area: 55% of Audit Committee respondents feel that they should devote more time or significantly more time on Cyber for their agenda.

Cyber Oversight: 50% of Boards have assigned Cyber oversight responsibilities to the Full Board or Audit Committee. Organizations with structured leadership and strategy reduce the average per-record cost of a breach by $6.59 per record lost.

Brand Damage: Loss of customer data can result in reputational risk and organizational brand damage (companies average $3.32 million in brand damage per breach).

Training & Awareness: Organizations must invest in Cyber training and awareness for all employees, including C-Level Executives. It only takes one employee opening an attachment to open the door for cyber criminals.
8 Improving Oversight of Cyber is No Longer Leading Practice, It's Required

Over recent years many global organizations have been victims of cybercrime. Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.

Potential impacts and possible implications for the board:

Intellectual property losses, including patented and trademarked material, client lists and commercially sensitive data
Reputational losses causing your market value to decline; loss of goodwill and confidence by customers and suppliers
Penalties, which may be legal or regulatory fines (e.g., for data privacy breaches) and customer and contractual compensation for delays
Property losses of stock or information leading to delays or failure to deliver
Time lost due to investigating the losses, keeping shareholders advised and supporting regulatory authorities (financial, fiscal, and legal)
Administrative resource to correct the impact, such as restoring client confidence, communications to authorities, replacing property, and restoring the organization's business to its previous levels
9 Typical Key Drivers of Cyber

Mergers and acquisitions
Launch of new services
Complex regulatory requirements
Big Data
Technology automation
Consumer trust and brand protection
Third party management
10 Confusion in the Market

[Word cloud of cyber-related terms, e.g., Cyber Defined, Board-Level Issue, Information Risk, Business Resilience, Breach, Data Loss, Privacy, Compliance, Threat Intelligence, Evolving, Dynamic, Complexity]

KPMG Cyber Services

Strategic Cyber Security and Information Protection Services: Risk-based protection of information in alignment with its value to the organization. Information that is available to the business in the right way, at the right time, and to the right people.

Breach Response & Investigation Services

A streamlined approach to accessible, protected information.
11 Business Considerations
12 Top Industry Issues/Challenges

Market trends
Continued increase in regulations and regulatory enforcement (with greater global cooperation) across all industries.
Increased expectations of technology and offshore resources to increase the efficiency and effectiveness of delivery.
Cost pressures coupled with regulatory pressure to standardize technology and processes across disparate parts of the organization.
The rising external threat is demanding a proactive, intelligence-based approach to anticipating and reacting to the external threat.
Regulator focus and recent media attention on insider-based incidents have increased attention on insider threat.
Regulators and Boards have demanded accountability across all lines of defense, with the need for centralized ownership of Cyber within the second line of defense.

Market trends
The explosion of data across the organization, especially in unstructured data stores, has demanded a refined approach to identification and protection of critical data across the enterprise.
Managing identity across the enterprise continues to be a common regulatory and audit finding.
Risk is increased with the influx of temporary and contingent workforce, some with elevated or privileged levels of access.
13 Emerging Cyber Risks

Insider Threats: Data loss caused by negligent or malicious actions of authorized internal users. Data security incidents can be caused by employees or contingent workers with data access as a result of negligent behavior or malicious acts. Additionally, given the transient nature of the contingent workforce, it also presents challenges to help ensure the data stays within the organization upon an individual's departure.

Data Proliferation: An expanding data footprint increases the risk of data loss or disclosure. As we have seen in most financial services institutions, unstructured data represents a large percentage of the total data within the environment. Because of the heavy business reliance on data analytics and the mobilization of data across various devices and platforms, multiple copies of data are being generated. Since there are limited options to control unstructured data access, unstructured data represents serious risks to data confidentiality, integrity, and availability.

New & Emerging Technology: Adopting new technology introduces potential vulnerabilities. As more business is conducted online to improve customer experience, and IT plans to leverage cloud services, mobile technologies and technology outsourcing to provide services that offer flexibility, scalability, and achieve cost savings, these initiatives can lead to new risks to the organization's overall information security posture.

Cyber Attacks & Malware: Business operations and connectivity open infrastructure to risks. As the business seeks to provide customers with more timely and accurate data, expanded offerings and programs, more interfaces, and more opportunities for access to information, perimeter and access control standards should be in line with the level of data criticality and confidentiality.
14 Regulatory Developments and Priorities

Payment Card Industry (PCI) Standard Updates: In April 2015, the PCI Security Standards Council released v3.1 of its Data Security Standard (DSS) in response to several high-profile vulnerabilities related to the Secure Sockets Layer (SSL) protocol (i.e., POODLE, Heartbleed, BERserk, FREAK, Logjam, RC4, etc.). As a result, SSL and early versions of the Transport Layer Security (TLS) protocol are no longer considered to be strong cryptography and cannot be used as a security control after June 30,

Increasing Supervision by the Office of the Comptroller of the Currency (OCC): Comptroller of the Currency Thomas J. Curry recently referred to cyber threats as the foremost risk facing banks today and one of the major, if not the major, risk facing businesses of all sorts.[1] In the OCC's 2015 Semiannual Risk Perspective, cyber threats and operational risk (i.e., information security, data protection, and third-party risk management) were listed as top supervisory priorities for community and midsize banks over the next 12 months.

Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment: In the summer of 2014, the FFIEC piloted a cybersecurity examination work program that focused on cybersecurity inherent risk and preparedness and emphasized the need for information sharing. Drawing on the results of this pilot, the FFIEC released a Cybersecurity Assessment Tool in June 2015 to help banks evaluate their cybersecurity inherent risk profile and determine their level of cybersecurity maturity.

[1] Remarks by Thomas J. Curry, Comptroller of the Currency, Before the New England Council, Boston, Massachusetts, July 24, 2015
15 Regulatory Focus Areas and Industry Activities

Regulatory Focus Areas
Evaluation of Cybersecurity Inherent Risk
Enterprise Risk Management and Oversight
Threat Intelligence and Collaboration
External Dependency and Vendor Risk Management
Cyber Incident Management and Resilience (BCP/DR)
Data and Network Protection Practices
Payment System and Data Hardening
Information Sharing
Cloud Security
Social Engineering and Insider Threats
Application Security
Data Loss Prevention (DLP)
Privileged Access Management
Infrastructure Obsolescence Management
Change Management

Industry Activities
Top-Down Enterprise Risk Assessments
Cybersecurity Assessments and Benchmarking
Refresh Information Governance Model
Data Classification and Risk-Based Controls
Revamp Identity Management and Access Control
Review Impact of Emerging Technology (Cloud, Social Media, etc.) and Products
Enhance Application Security/SDLC Integration
Enhance Data & Information Protection
Improve Security Monitoring and Incident Management
Participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
Develop and Revise Policy & Standards
Maintain an Effective End-User Awareness Program
Improve Third-Party Vendor Security Assessment Program
16 The Path Forward
17 Cyber as Cost-Efficient Risk Management

At the heart of KPMG's approach to Cyber Security is the objective of helping clients maximize the value of their cyber security investment. Information Risk becomes Business Advantage.

Security as an IT Cost
Technology platform centric
Bottom-line focused
Driven by IT
Automation focused
Success measured by timely deployment of technology
Technology is always the answer
Poor ROI from many programs
Starts with data (report on what I have, not what I need)

Security as a Business Investment
Target operating model centric
Strategically aligned with business objectives
Business led
Process focused
Value added service delivery
Success measured by achieving business value
Technology is one enabler of transformation
Considers the security needs within the larger technology portfolio
Analytics enabled
Reduce time to value
18 Comprehensive View to Cyber Maturity: Six Key Aspects of Cyber

Cyber maturity addresses the following key domain layers:

Leadership and Governance Layer: Describes how Boards and Executive Management demonstrate due diligence, ownership, and effective management of risk.

People Layer: Describes the level and integration of a security culture that empowers and helps ensure the right people, skills, culture, and knowledge.

Business Continuity Layer: Describes preparations for a security event and ability to prevent or lessen the impact through successful crisis and stakeholder management.

Operations and Technology Layer: The level of control measures implemented to address identified risks and reduce the impact of compromise.

Information Risk Management Layer: Details the approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners.

Legal and Compliance Layer: Meeting regulatory and compliance obligations as relevant.
19 The Result: End-to-End Cyber Protection

PREVENT, DETECT, RESPOND, IMPROVE

The approach is designed to be simple and effective, and most importantly, aligned with business needs. KPMG has aligned how we deliver our core cyber services accordingly:

PREVENT (STRATEGY AND GOVERNANCE): Helps the company understand how to align their cyber agenda with their dynamic business and compliance priorities.
Attributes (Prevention): Comprehensive in breadth (Target Operating Model); Benefits driven from strategy through execution; Information driven approach

DETECT (CYBER DEFENSE): Helps the business maintain their cyber agenda as business and technology programs evolve, providing greater visibility and understanding of changing risks.
Attributes (Detection): End-to-end configuration; Security Operations and Monitoring; Security analytics

RESPOND (DIGITAL RESPONSE SERVICES): Helps the company effectively and efficiently respond to cyber incidents and conduct forensic analysis and detailed investigations.
Attributes (Response): Digital evidence preservation and cyber investigations services; Post-breach analysis and mitigation; Aligned with business priorities and compliance needs

IMPROVE (TRANSFORMATION): Helps the company build and improve their programs and processes, supported by the right organization and technology, to improve their cyber agenda.
Attributes (Improvement): Informed by technology strategy; Long-term engagement delivery; Business outcome focused
20 High-level board oversight questions

Based on our board outreach and education programs, these are the three most common questions at the executive management and board levels today:

1. What are the new cybersecurity threats and risks and how do they affect our organization?
2. Is our organization's cybersecurity program ready to meet the challenges of today's (and tomorrow's) cyber threat landscape?
3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?

[Diagram: KPMG's Global Cyber Maturity Framework Domains, with Board Engagement & Oversight at the center]

We designed a Global Cyber Maturity Framework specifically to assist organizations in addressing these critical questions by combining the most relevant aspects of international cybersecurity frameworks (e.g., NIST, ISO, AU35, ANSI, SANS, etc.).
21 Cyber risk management: A framework for exercising oversight responsibility

Board Engagement & Oversight (center), surrounded by six domains:

LEADERSHIP AND GOVERNANCE: Management demonstrating due diligence, ownership, and effective management of risk

HUMAN FACTORS: The level and integration of a security culture that empowers and helps to ensure the right people, skills, culture, and knowledge

INFORMATION RISK MANAGEMENT: The approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners

BUSINESS CONTINUITY AND CRISIS MANAGEMENT: Preparations for a security event and ability to prevent or reduce the impact through successful crisis and stakeholder management

OPERATIONS AND TECHNOLOGY: The level of control measures implemented to address identified risks and reduce the impact of compromise

LEGAL AND COMPLIANCE: Regulatory and international certification standards as relevant
22 Board oversight and engagement summary: Leadership and Governance, Human Factors, Information Risk Mgmt

Leadership and Governance
How Should the Board Engage?
Understand governance structure and meet team
Review output of capability assessment
Review and approve strategy and funding
Participate in general board education
Request periodic updates of program
How Does the Board Gain Comfort? (Key Performance Indicators)
Security spend as a percent of overall IT budget
Capability maturity review output
Certifications within key leadership positions
Number of board education sessions (frequency)

Human Factors
How Should the Board Engage?
Set the tone for the culture
Review patterns/trends of personnel issues
Understand training & awareness protocols
How Does the Board Gain Comfort? (Key Performance Indicators)
Percentage of employee/contractors attending training
Trends related to cyber from whistleblower or ethics

Information Risk Mgmt
How Should the Board Engage?
Understand risk management approach and risk
Review and approve risk tolerance
Understand third-party supplier program
Review and question program metrics
How Does the Board Gain Comfort? (Key Performance Indicators)
Risk Assessment output / linkage to ERM program
Risk tolerance measures and metrics
Number of high risk third-party suppliers and review
Review metric output (see other sections)
23 Board oversight and engagement summary: Business Continuity, Operations & Technology, Legal & Compliance

Business Continuity
How Should the Board Engage?
Understand current response capability
Review status of overall plan maturity
Meet with communications personnel
Participate in table-top exercises
How Does the Board Gain Comfort? (Key Performance Indicators)
Number of mission critical business processes with
Number of table top exercises (frequency) and results

Operations & Technology
How Should the Board Engage?
Understand current maturity of control
Review relevancy of selected control
Review relevant incident trend metrics
Meet with CIO or equivalent to understand and information technology trends
How Does the Board Gain Comfort? (Key Performance Indicators)
Percentage of crown-jewel assets included in
Risk rating of security vulnerabilities (considering asset
Cyber incident trends metrics

Legal & Compliance
How Should the Board Engage?
Understand regulatory landscape impacting
Clarify audit committee requirements for
Review litigation inventory trends
Review and approve cyber insurance
How Does the Board Gain Comfort? (Key Performance Indicators)
Open regulatory and/or litigation matters
Cyber insurance policy benchmarking with peer
24 Thank you
Presentation by Glenn Siriano, KPMG LLP

25 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationOctober 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches
October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationStrategies for assessing cloud security
IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary
More informationCYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationDefining the Gap: The Cybersecurity Governance Study
Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationCyber Security - What Would a Breach Really Mean for your Business?
Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber
More informationTHE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
More informationExecutive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3
GLOBAL ADVANCED THREAT LANDSCAPE SURVEY 2014 TABLE OF CONTENTS Executive Summary 3 Snowden and Retail Breaches Influencing Security Strategies 3 Attackers are on the Inside Protect Your Privileges 3 Third-Party
More informationCompliance Management, made easy
Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one
More informationCYBER SECURITY, A GROWING CIO PRIORITY
www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------
More informationAnswering your cybersecurity questions The need for continued action
www.pwc.com/cybersecurity Answering your cybersecurity questions The need for continued action January 2014 Boards and executives keeping a sustained focus on cybersecurity do more than protect the business:
More informationCIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016
CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 My name is Jacob Olcott and I am pleased to share some observations on
More informationOCIE Technology Controls Program
OCIE Technology Controls Program Cybersecurity Update Chris Hetner Cybersecurity Lead, OCIE/TCP 212-336-5546 Introduction (Role, Disclaimer, Background and Speech Topics) SEC Cybersecurity Program Overview
More informationCyber Security: Confronting the Threat
09 Cyber Security: Confronting the Threat Cyber Security: Confronting the Threat 09 In Short Cyber Threat Awareness and Preparedness Active Testing Likelihood of Attack Privacy Breaches 9% 67% Only 9%
More informationKeynote Speech. Beth Dugan Deputy Comptroller for Operational Risk. The Clearing House s First Operational Risk Colloquium
Keynote Speech by Beth Dugan Deputy Comptroller for Operational Risk at The Clearing House s First Operational Risk Colloquium February 11, 2015 Washington, D.C. Thank you. It s an honor to be invited
More informationCGI Cyber Risk Advisory and Management Services for Insurers
CGI Cyber Risk Advisory and Management Services for Insurers Minimizing Cyber Risks cgi.com 3 As organizations seek to create value in today s highly interconnected world, they inherently increase their
More informationCybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org
Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationCybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015
Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key
More informationTime Is Not On Our Side!
An audit sets the baseline. Restricting The next steps Authenticating help prevent, Tracking detect, and User Access? respond. It is rare for a few days to pass without news of a security breach affecting
More informationWhite Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA
White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting
More informationRisk Considerations for Internal Audit
Risk Considerations for Internal Audit Cecile Galvez, Deloitte & Touche LLP Enterprise Risk Services Director Traci Mizoguchi, Deloitte & Touche LLP Enterprise Risk Services Senior Manager February 2013
More informationAddressing Cyber Risk Building robust cyber governance
Addressing Cyber Risk Building robust cyber governance Mike Maddison Partner Head of Cyber Risk Services The future of security The business environment is changing The IT environment is changing The cyber
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationWhere insights lead Cybersecurity and the role of internal audit: An urgent call to action
Where insights lead Cybersecurity and the role of internal audit: An urgent call to action The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could
More informationRisky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
More informationThe NIST Cybersecurity Framework
View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the
More informationCyber Security and the Board of Directors
Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Cyber Security and the Board of Directors An essential responsibility in financial services About Delta Risk is a
More informationCybersecurity and the Threat to Your Company
Why is BIG Data Important? March 2012 1 Cybersecurity and the Threat to Your Company A Navint Partners White Paper September 2014 www.navint.com Cyber Security and the threat to your company September
More informationAddress C-level Cybersecurity issues to enable and secure Digital transformation
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
More informationCompliance Risk Management Survey A Point of View
FINANCIAL SERVICES Compliance Risk Management Survey A Point of View July 2014 kpmg.com Compliance Risk Management Survey A Point of View 3 Introduction As the financial crisis unfolded, regulators looked
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationIT Risk Management: Guide to Software Risk Assessments and Audits
IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5
More informationCyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationFostering Incident Response and Digital Forensics Research
Fostering Incident Response and Digital Forensics Research Bruce J. Nikkel bruce.nikkel@ubs.com September 8, 2014 Abstract This article highlights different incident response topics with a focus on digital
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationTESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the
For Release Upon Delivery 10:00 a.m., December 10, 2014 TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY Before the COMMITTEE ON BANKING, HOUSING,
More informationJOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
More informationINFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE
promontory.com INFOCUS JUNE 3, 2015 BY EARL CRANE Five Questions to Guide Cybersecurity Risk Management The quick transformation of cybersecurity risk management from obscure specialty to top-of-thehouse
More informationImplement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives.
Security solutions To support your business objectives Implement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives. For an On Demand Business, security
More informationRetail Security: Enabling Retail Business Innovation with Threat-Centric Security.
Retail Security: Enabling Retail Business Innovation with Threat-Centric Security. 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco public information. (1110R) 1 In the past
More informationCybersecurity Workshop
Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153
More information