10/21/2015. Jacqueline Harris, CPM, CCIM Director of Training & Administration Digital Realty

Transcription

1 Friday, October 23, 2015 Jacqueline Harris, CPM, CCIM Director of Training & Administration Digital Realty Kevin Bodell Systems and Infrastructure Manager City Creek Reserve, Inc. Smart Chick Megan Orser Smart Apartment Solutions Prevent What is the risk? What is your exposure? Prepare What can you do to prepare for the inevitable? What practical approaches can you take to minimize exposure? Respond How do you minimize the impact to business as usual when it does happen? How do you mitigate risk once it s happened? 1

2 Mitigation, Prevention, and Planning Identify Information Assets Examples would be computers, phones, servers, fax machines, paper, flash drives/removable media, etc. A good rule of thumb is that if it contains client or business proprietary data, then it should be considered an information asset Mitigation, Prevention, and Planning Classify Information Assets Data Classification, and Policy around Use. Assets that contain client information or proprietary company information would obviously have the highest level of importance while assets that contain company marketing information might be given a low classification. Data Classification Level 1 Level 2 Level 3 Level 4 Data that may be freely disclosed with the public. Example: Contact information, price lists Internal data that is not meant for public disclosure. Example: Sales contest rules, organizational charts Sensitive internal data that if disclosed could negatively affect operations. Highly sensitive corporate and customer data that if disclosed could put the organization at financial or legal risk. Example: Contracts Example: Employee social with third-party security numbers, suppliers, employee customer credit card reviews numbers 2

3 Risk of Information Assets Determine the level of risk you are willing to accept. Apply controls to manage the risks. Network, Computer, and Access Controls Require employees to use unique, non shared accounts with strong passwords to access their computers, the corporate network, and and mobile devices. Computer passwords to expire every 90 days. Ensure data governance policy are applied appropriately, and where possible use dynamic access control. Clear desk clear screen policy - When employees leave their work computer, they should lock, or sign off their account to prevent an unauthorized user from accessing. You can setup a password protected screensaver that will activate after 10 minutes in case the employee forgets to sign out. In addition ensure that employees do not leave sensitive printed information on their desks unattended. Mobile computing Password protect all mobile devices and ensure remote wipe is enables for employee mobile phones if the phones are used for company data, or . Physical Access Controls If you keep network servers on your company premises, then ensure they are encrypted and kept behind locked doors at a minimum. Limit employee access to servers. The type of corporate data you store on your company premises will have a direct impact on the type of physical access controls required. If the data is sensitive, then consider enhanced access security such as biometric, video cameras, third party security monitoring, etc. Many of these controls can be put in place rather inexpensively. If you host your corporate networks at a remote third party facility, keep it local if possible, and tour the remote facilities to ensure they have the proper physical and environmental protections. 3

4 Review of Access Controls Review access controls on a monthly basis. Review both who has access and who has access it in the past thirty days. Step 3 Network and Personal Computer Security Controls Encryption Encrypt your corporate server, work computers, laptops, flash drives, etc., and even if they are stolen, the data will still be safe(r) from intrusion, and misuse. Anti-Virus/Anti-Spyware Make sure you have anti-virus software on all of your work computers, and keep them updated. Firewall and Internet Connection Your firewall should do more than just block ports. Quarterly or biannually external third-party scans of your vulnerabilities and fix any issues. Third party network security checks Consider having a externa Step 4 General security controls Visitor Policy Keep it simple but make sure it happens, and its understood by all employees. Social Engineering Employees always want to be helpful, but teach them when its not a good thing. Third party network security checks Consider having a external company perform a penetration test at least annualy on all computer/ data systems. Network and Computer Backups No matter what type of backup you are doing, get in the habit of doing it on a regular schedule either daily, weekly, or a combo of both. 4

5 What is covered or NOT covered? Paper files in additional to electronic files? Claims brought by government or regulators? Is encryption a requirement of the insured under the policy? How is the premium determined? Number of records maintained Level of protections/security in place on current systems What s in place to ward off breaches Policies/Procedures in place for access Respond CONSIDER THE NUMBERS Average Organizational Cost of a Data Breach $5.9 million Estimated Cost of a General Data Breach $201 per compromised record Identify source & stabilize Notify impacted parties Be detailed, consistent & diligent with your reporting Review business loss insurance Develop plan to protect the company brand Commence Customer Loyalty activities Implement protocols to prevent future breaches Be ready to adjust & adapt quickly as new threats arise Are You Sitting on a Cyber Security Bombshell?, Joseph Dobrian, JPM Sept/Oct 2015 Before and After Disaster Strikes: Developing An Emergency Procedures Manual, 4th Edition, 2012 IREM What You Should Know About Cybersecurity Insurance, IREM Blog October 15,