Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Size: px
Start display at page:

Download "Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree"

Transcription

1 Cyber Security: Potential Threats Impacting Organizations January 10, 2015 Scott Petree Agenda 2 Data Security Trends Root Causes of Cyber Attacks How Can We Fix This? Secure Infrastructure User Awareness Client Assurance/Vendor Management Cloud Computing Mobile Devices 1

2 Web Site New Communications Verizon Data Breach Investigations Report 4 Verizon Data Breach Investigations Report 2

3 2014 Verizon Data Breach Investigations Report 5 Verizon Data Breach Investigations Report 2014 Verizon Data Breach Investigations Report 6 # of incidents by industry # of incidents with confirmed data loss Verizon Data Breach Investigations Report 3

4 2014 Verizon Data Breach Investigations Report 7 Verizon Data Breach Investigations Report Real-Life Examples 8 June 30, 2014 Butler University Indianapolis, Indiana Butler University in Indianapolis Indiana informed students, staff and alumni of a data breach to their system. Over 160,000 individuals may have been affected when hackers may have accessed their personal information. The school officials have discovered that the information exposed included birthdates, Social Security numbers and bank account information of approximately 163,000 students, faculty and staff, alumni, and prospective students who never enrolled in classes at Butler. In a letter sent to those affected, the university has said that "someone hacked the school's network sometime between November 2013 and May 2014" 4

5 Real-Life Examples 9 July 11, 2014 University of Illinois, Chicago Chicago, Illinois The University Illinois Chicago (UIC) notified former students of a data breach. "A website security breach made two College of Business Administration documents a roster from a Special Topics in Accounting course and an advising list for all junior and senior accounting majors". Personal information was exposed, including Social Security numbers. The university has not stated how many students were affected, and the breach is currently under investigation. Real-Life Examples 10 October 1, 2014 Provo City School District Provo, Utah The Provo City School District notified employees of a "phishing" attack Monday September 29, 2014 which allowed access to employees accounts. Some employee accounts contained files that may have had personally identifiable information. Currently the school district is investigating the breach and notifying those affected. 5

6 97% of Breaches Were Avoidable* 11 Most victims aren t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them. *Verizon Data Breach Investigations Report WHAT CAUSES A BREACH? Weak Infrastructure Weak design (firewalls, wireless routers) Weak user authentication (users, passwords) Encryption (VPN, secure portals) Out-dated (patch management/anti-virus) Lack of periodic testing User Ignorance/Poor Judgment Weak user passwords Social media Phishing attacks Not staying current with security trends Third-Party Vendors Weak due diligence Ongoing breach notification Annual breach confirmation Technology Advances Mobile devices Cloud computing/public portals 12 Secure Network Infrastructure Best Practices to Help Prevent a Breach 1. Data Classification Public and Confidential (Sensitive/Private) 2. Perimeter Security - Firewalls, IDS/IPS 3. Wireless Security SSID, Encryption, Default Password 4. Authentication Users & Passwords 5. Encryption - Connectivity & Storage 6. Anti-virus 7. Patch Management 8. Remote Access 9. Network Monitoring 10.Annual Testing External & Internal Penetration Testing 6

7 User Access Management 13 Full-time employees Part-time employees and contractors Consultants and vendors Customers Visitors Ad hoc vs. formal repeatable process Single sign-on User IDs/passwords Use of technology (tokens, firewalls, access points, encryption, etc.) Need to know basis/able to perform job responsibilities Segregation of duties Administrative access Super-user access Internet vs. corporate system access Only when an issue is noted User access logs Annual review of access Proactive review of user activity Real-time monitoring of unauthorized access or use of information systems User Security Awareness 14 Strong password practices Device security Accessing from public places Sharing data to outside parties Use of mobile technology Use of online portals Security awareness training I m flattered, really I am. But you probably shouldn t use my name as your password. Example: DATA BREACH 7

8 Security Awareness Training 15 Timing Content Information security policies/procedures Understanding passwords Detecting phishing s Recognizing unauthorized visitors Wireless hotspots Reporting Security Awareness Posters 16 8

9 Vendor Due Diligence 17 Due Diligence Existence and corporate history, strategy, and reputation References, qualifications, backgrounds, and reputations of company principals, including criminal background checks Financial status, including reviews of audited financial statements Technology and systems architecture Internal controls environment, security history, and audit coverage (SOC Reports) Policies vs. procedures Legal complaints, litigation, or regulatory actions Insurance coverage Ability to meet disaster recovery and business continuity requirements Breach Notification Contract language should include breach notification requirement (i.e. if there is a breach at the third-party, it needs to notify the organization within 48 hours) Annual confirmation of breaches by CEO or other C-level executive at the vendor Cloud Computing 18 Choosing a Cloud Vendor Internal controls at cloud provider Secure connections/encryption User account management Segregated rooms/storage Shared servers vs. dedicated servers Locations of your data Data ownership Cost of switch vendors Other third-parties involved Service Organization Controls (SOC) reports Independent network security/ penetration testing (ask for summary report) Web application testing (if applicable) Mobile Applications Network Infrastructure 9

10 Mobile Devices 19 Device Security Physical security of device Passwords not pins Enable auto lock Secure /calendar (including sync) Keep Bluetooth devices to nondiscoverable (will not impact authenticated connections) Remote wipe Failed attempts lock/wipe Secure backup data on mobile device Keep all system/applications patches up-to-date Keep apps version current Encryption Passwords enable native encryption Encrypted transmission Memory encryption Encrypted transmission Mobile Device Management Great way to manage company owned devices 20 Plante Moran s Information Security Framework Different organizations view information security differently. Some of the differences are related to varied risk and threat profiles impacting an organization based on factors such as industry, location, products/services, etc. Other differences are related to management s view of security based on its experience with prior security incidents. 10

11 Top 5 Take Aways 21 Breaches Occur Across all Industries Losses Financial and Non Financial (IP, Data Privacy, and Compliance) Security in Layers End User Security Awareness & Training Vendor Management Data Breaches Thank You! 22 SCOTT PETREE Manager Network Security Management Consulting Services Southfield, Michigan scott.petree@plantemoran.com 11

2 0 1 4 F G F O A A N N U A L C O N F E R E N C E

2 0 1 4 F G F O A A N N U A L C O N F E R E N C E I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,

More information

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices

More information

How To Protect Yourself From A Hacker Attack

How To Protect Yourself From A Hacker Attack Cybersecurity Demystified: Information Technology Security Trends Joe Oleksak, Plante Moran Agenda Data Security Trends Example Attacks Industry Examples An Answer 1 Who Are The Victims? Targets - victims

More information

Cyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP

Cyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Cyber Security Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program Raj Patel, Partner, Plante & Moran, PLLC

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe Agenda Who Is VendorSafe Technologies? It Won t Happen to Me! PCI DSS Overview The VendorSafe Solution Questions

More information

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014 Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014 Lisa D. Traina, CPA, CITP, CGMA Lisa Traina utilizes her 30+ years of experience as a CPA, CITP and CGMA

More information

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

Been in technology for 22 years Westinghouse Senior Manager at Clifton Gunderson-7th largest CPA and consulting firm in the U. S. Partner / Director

Been in technology for 22 years Westinghouse Senior Manager at Clifton Gunderson-7th largest CPA and consulting firm in the U. S. Partner / Director Been in technology for 22 years Westinghouse Senior Manager at Clifton Gunderson-7th largest CPA and consulting firm in the U. S. Partner / Director in Kenneally and Company s technology consulting practice

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

IIABSC 2015 - Spring Conference

IIABSC 2015 - Spring Conference IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber

More information

Small Business IT Risk Assessment

Small Business IT Risk Assessment Small Business IT Risk Assessment Company name: Completed by: Date: Where Do I Begin? A risk assessment is an important step in protecting your customers, employees, and your business, and well as complying

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord Building The Human Firewall Andy Sawyer, CISM, C CISO Director of Security Locke Lord Confidentiality, Integrity, Availability Benchmarks of Cybersecurity: Confidentiality Information is protected against

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

Information Security @ Blue Valley Schools FEBRUARY 2015

Information Security @ Blue Valley Schools FEBRUARY 2015 Information Security @ Blue Valley Schools FEBRUARY 2015 Student Data Privacy & Security Blue Valley is committed to providing an education beyond expectations to each of our students. To support that

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

The Evolution of Data Breaches

The Evolution of Data Breaches The Evolution of Data Breaches 2015 Data Privacy & Security Summit June 29, 2015 Mark Shelhart Incident Response & Forensics Retail Data Security recent victims The Largest Cyber Risks to your Organization

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com. PCI DSS Compliance Clarity Out of Complexity

White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com. PCI DSS Compliance Clarity Out of Complexity White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com PCI DSS Compliance Clarity Out of Complexity Table of Contents Introduction 1 Businesses are losing customer data 1 Customers are learning

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

Case Study: Security Implementation for a Non-Profit Hospital

Case Study: Security Implementation for a Non-Profit Hospital Case Study: Security Implementation for a Non-Profit Hospital The Story Security Challenges and Analysis The Case The Clone Solution The Results The Story About the hospital A private, not-for-profit hospital

More information

AUDIT TAX SYSTEMS ADVISORY

AUDIT TAX SYSTEMS ADVISORY AUDIT TAX SYSTEMS ADVISORY Presented by: Jim Rumph Introduction JIM RUMPH, CISA Systems Manager Jim is a graduate of the University of Georgia with a Bachelor of Business Administration in Accounting and

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

How to Practice Safely in an era of Cybercrime and Privacy Fears

How to Practice Safely in an era of Cybercrime and Privacy Fears How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,

More information

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports Building a Security Operation Center Agenda: Auditing Your Network Environment Selecting Effective Security

More information

Small Business Cybersecurity Dos and Don ts. Helping Businesses Grow and Succeed For Over 30 Years. September 25, 2015 Dover Downs

Small Business Cybersecurity Dos and Don ts. Helping Businesses Grow and Succeed For Over 30 Years. September 25, 2015 Dover Downs Small Business Cybersecurity Dos and Don ts September 25, 2015 Dover Downs Helping Businesses Grow and Succeed For Over 30 Years Statistics 2 Results from the Cybersecurity Readiness Survey 25% of Respondents

More information

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Security Threat Risk Assessment: the final key piece of the PIA puzzle Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

Work With Genesis Insurance Company

Work With Genesis Insurance Company IN F O R M AT ION TEC HNOLOGY (IT ) SECURIT Y AT GEN ES I S security peace of mind You re covered. Access Control Application Security Business Continuity and Disaster Recovery Planning Cryptography Information

More information

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Cyber Security An Executive Imperative for Business Owners SSE Network Services www.ssenetwork.com 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Pretecht SM by SSE predicts and remedies

More information

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Network/Cyber Security

Network/Cyber Security Network/Cyber Security SCAMPS Annual Meeting 2015 Joe Howland,VC3 Source: http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes Security

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Securely Yours LLC IT Hot Topics Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps [Image Info]

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

NATIONAL CYBER SECURITY AWARENESS MONTH

NATIONAL CYBER SECURITY AWARENESS MONTH NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall Mobile security and your EMR Presented by: Shawn Tester & Allen Cornwall Date: October 14, 2011 Overview General Security Challenges & best practices Mobile EMR interfaces - EMR Access - Today & Future

More information

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009 Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

HIPAA Compliance for Mobile Healthcare. Peter J. Haigh, FHIMSS Verizon peter.haigh@verizon.com

HIPAA Compliance for Mobile Healthcare. Peter J. Haigh, FHIMSS Verizon peter.haigh@verizon.com HIPAA Compliance for Mobile Healthcare Peter J. Haigh, FHIMSS Verizon peter.haigh@verizon.com Comply or Context - Privacy & Security under HIPAA Privacy is what you have already promised to do, since 4/14/2003

More information

Security & Compliance, Sikich LLP

Security & Compliance, Sikich LLP Mark Shelhart, CFI, CISSP, QSA Security & Compliance, Sikich LLP 1. Credit card breaches 2. Disgruntled IT, bad leaver 3. Personal records breach 4. Vendor network connections (and contracts) 5. Everything

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Name: Position held: Company Name: Is your organisation ISO27001 accredited: Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:

More information

New PCI Standards Enhance Security of Cardholder Data

New PCI Standards Enhance Security of Cardholder Data December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

Data Breaches and Cyber Risks

Data Breaches and Cyber Risks Data Breaches and Cyber Risks Carolinas Credit Union League Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary Reproduction,

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

OCR LEVEL 3 CAMBRIDGE TECHNICAL

OCR LEVEL 3 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Designing a security policy to protect your automation solution

Designing a security policy to protect your automation solution Designing a security policy to protect your automation solution September 2009 / White paper by Dan DesRuisseaux 1 Contents Executive Summary... p 3 Introduction... p 4 Security Guidelines... p 7 Conclusion...

More information

Impact of Data Breaches

Impact of Data Breaches Research Note Impact of Data Breaches By: Divya Yadav Copyright 2014, ASA Institute for Risk & Innovation Applicable Sectors: IT, Retail Keywords: Hacking, Cyber security, Data breach, Malware Abstract:

More information

IT Security Risks & Trends

IT Security Risks & Trends IT Security Risks & Trends Key Threats to All Businesses 1 1 What do the following have in common? Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health

More information

Introduction to Cyber Security / Information Security

Introduction to Cyber Security / Information Security Introduction to Cyber Security / Information Security Syllabus for Introduction to Cyber Security / Information Security program * for students of University of Pune is given below. The program will be

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks 4 Best Practices for Building PCI DSS Compliant Networks Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers

More information

1B1 SECURITY RESPONSIBILITY

1B1 SECURITY RESPONSIBILITY (ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

Information Security: A Perspective for Higher Education

Information Security: A Perspective for Higher Education Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose

More information

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED Michael Almvig Skagit County Information Services Director 1 AGENDA 1 2 HIPAA How Did Privacy The Breach Happen? HIPAA Incident Security Response 3 Corrective Action Plan 4 What We Learned Questions? ACRONYMS

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics SBA Cybersecurity for Small Businesses 1.1 Introduction Welcome to SBA s online training course: Cybersecurity for Small Businesses. SBA s Office of Entrepreneurship Education provides this self-paced

More information

Information Technology General Controls And Best Practices

Information Technology General Controls And Best Practices Paul M. Perry, FHFMA, CITP, CPA Alabama CyberNow Conference April 5, 2016 Information Technology General Controls And Best Practices 1. IT General Controls - Why? 2. IT General Control Objectives 3. Documentation

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS $ ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS Boston Private Bank & Trust Company takes great care to safeguard the security of your Online Banking transactions. In addition to our robust security

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

What Data? I m A Trucking Company!

What Data? I m A Trucking Company! What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information