Protecting Your Business From Security Threats. Carl Cadregari, CISA, Executive Vice President Enterprise Risk Management Division The Bonadio Group
Carl Cadregari, CISA, MCF - EVP, Practice Lead for Enterprise Risk Management Division, The Bonadio Group
o Over 28 years of experience in the information technology industry, with 16+ years of detailed IT/IS and regulatory compliance audit experience in FFIEC, NCUA, PCI DSS, SOX, SSAE16, FTC-314 (Gramm-Leach-Bliley), HIPAA, HITECH, FISMA, FERPA, COSO, COBIT, ISO 17799/27002, and international data security and privacy laws for companies ranging from $25M to $100B.
o Extensive background in controls auditing, practices definition, and implementation of core audit services. Experienced in vulnerability and penetration assessment and auditing.
o Certified Information Systems Auditor (CISA), certified HIPAA Privacy and Security compliance assessor, IEEE Certified in Computer Forensics.
o Published articles on technology and information security, including topics such as the CIA Triad, Ethical Hacking, Document Retention, Cloud Computing and Data Breach Avoidance.
We Will Cover
o Why You Need Information Security
o 2015 Emerging Information Security Threats
o Cyber Fraud and the Insider
o Risk Management Role in Information Security
o What You Should Do: Do It Now!
o What You Should Do: Best Practices
Why Information Security: 2015 Internet Security Report
o Savvy attackers are using increased levels of deception and, in some cases, hijacking companies' own infrastructure and turning it against them.
o 60 percent of all targeted attacks struck small- and medium-sized organizations.
o Organizations are still not adopting basic best practices like blocking executable files and screensaver attachments.
Why Information Security: 2015 Internet Security Report
o More than 317 million new pieces of malware were created in 2014.
o In 2014, up to 28 percent of all malware was virtual machine aware.
o While advanced targeted attacks may grab the headlines, non-targeted attacks still make up the majority of malware, which increased by 26 percent in
o Firms reported that they had 205,175,846 data records compromised in 2014.
o Large resurgence in ransomware.
Why Information Security: To Stay Out of the News
o HSBC insider breach
o Donors' credit card and banking info in breach after third-party service provider hacked
o Mahwah businessman's bank: hackers obtained enough personal information on one individual to convince his bank to wire $240,000 overseas
o Heartland Payment Systems (payroll division) reports another breach: stolen laptops and computers
o Skimmers found at two Bank of Colorado branches
o Former bank teller in Orange County bank fraud and identity-theft scheme re-arrested
Why Information Security: To Stay Open for Business
o 51% of consumers will take their business elsewhere post breach
o Jumps to 60% in age range
o 45.6% said that the companies and individuals involved in such a breach should be considered criminally negligent
Emerging Threats
With the Internet's pervasive reach into business, government, and private life, it is unsurprising that cybercrime and cyber espionage not only continue to evolve, but that new techniques are quickly adopted. Source: Georgia Tech Cyber Security Summit
Emerging Threats: Cloud Data Losses
Highly sensitive, confidential and regulated personal and controlled data is regularly stored in the cloud.
o Increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3x.
o 36 percent of business-critical applications are housed in the cloud, yet IT isn't aware of nearly half of them.
o 30 percent of business information is stored in the cloud, yet 35 percent of it isn't visible to IT.
o Cybercriminals regularly use cloud services to exfiltrate data from inside your business, or to gain access using trusted online services, websites or file-sharing sites.
Emerging Threats: Forget BYOD, how about BYODB (Bring Your Own Data Breach)
As sensors, and not just computing platforms, mobile devices bring a new set of threats, including allowing malicious software an unparalleled look into victims' lives. As of the end of 2014, there are more Internet-connected mobile devices than people on the planet, with four out of five workers using their personal mobile devices to do work.
Cyber Fraud Concerns
Cyber Fraud Concerns
Cyber fraud concerns include:
o Man-In-The-Middle attacks on ACH
o Malware attacks on systems
o Keystroke loggers
o Improper user access
o Un-audited privileged access
o Cloud computing
Cyber Fraud Concerns: Malware Attacks on Systems
Malware is designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware includes worms, Trojan horses, spyware, adware, most rootkits, and other malicious programs.
Cyber Fraud Concerns: Keystroke Loggers / Keyloggers
o Hardware and software based
o Used to capture all keystrokes typed, which are then sent to an external attacker
(Image: hardware keystroke logger)
Cyber Fraud Concerns: Improper User Access
o Users with unknown or unapproved access to systems, files, folders, or data account for the majority of all internal breaches.
o User accounts compromised by external attackers are regularly used to steal information.
Cyber Fraud Concerns: Users with Too Much Access
Users need to have appropriate access to data and information to perform their job duties; the organization and IT need to be in sync on:
o Who has access to what data
o What do they do with it day to day
o Where can data be shared
o How do personnel share responsibilities
o What do you do when someone leaves
Cyber Fraud Concerns: Technology Upgrades
No infrastructure is static. Whether adding a new application, speeding up the ability to process data, or revamping the user experience, IT should be part of a cross-functional team defining compliance expectations as part of life cycle management.
Management Role
Management should approve:
o Processes with information security/risk assessment and monitoring responsibilities (e.g., system evaluators, penetration testers, security control assessments, risk assessments, independent verifiers/validators, inspectors general, auditors); and
o Individuals with risk assessment and monitoring responsibilities (e.g., operations evaluators, physical security control assessors, actuarial risk assessors, independent verifiers/validators, inspectors general, internal and external auditors, regulatory experts).
Management Role
Management should review to make certain that there is an approved:
o Explicit IT security risk model, defining key terms and assessable risk factors and the relationships among the factors
o Assessment approach, provided by the data owners/application owners, specifying the range of values those risk factors can assume during the assessment
o Analysis approach, specifying how values of those factors are functionally combined to evaluate risk
o Consistent monitoring and reporting approach
Management Role
Overall, management should perform efforts in:
o Approving and regularly reviewing the controls associated with governing risks and threat mitigation scenarios, so you can protect the physical, electronic and IP assets that create value for your stakeholders, including external parties, employees, regulators, and society overall.
Do It Now!
Do It Now! Plug Known Holes
o Turn on complexity requirements for passwords and identify whether multi-factor authentication is needed
o Anti-Virus/Anti-Malware: out of date or not sufficient?
o Patch workstations and servers
o Is your firewall configured properly? Review and account for all allowed inbound and outbound connections.
o Turn on alerting from the firewall or Intrusion Detection System (IDS)
o Using a third-party IT support company? Have them detail all the controls and settings they have in place.
Do It Now! Conduct a Comprehensive Risk Assessment
o Identify and rank where ALL sensitive data is stored, processed, transmitted and maintained, for clients and employees
o Evaluate existing and potentially missing controls
o Test the cyber controls
o Based on the data types found, list all regulatory, legal and expected standards
o Consider more than annual assessments
You cannot protect against a risk you do not know exists.
Best Practices: Set Routine Audits; they are necessary to validate that controls are working
o Review Anti-Virus/Anti-Malware status
o Review update and security patch status
o Review firewall configurations
o Review user access, especially those with privileges
o Review all vendors and third parties
Best Practices: IT Segregation of Duties
o Assess who has what level of access
o What is absolutely needed: Minimum Necessary
o Conduct careful analysis of job functions to identify both internal and external conflicts of interest
A determination needs to be made of the extent to which any known or suspected circumstances or events could adversely impact an organization, and the likelihood that such circumstances or events will occur.
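The user-access checks the slides call for (who has access to what, what happens when someone leaves, unapproved and privileged access, and segregation of duties) can be run mechanically against an entitlement export. The following Python is an added example, not from the presentation; the role matrix, entitlement names, conflict pairs, IAM export and HR roster are all constructed for illustration.

```python
"""Entitlement review implementing the access-control practices discussed above:
unknown or unapproved access, departed users, privileged access, and
segregation of duties (SoD). Added example; every data value is constructed."""
from dataclasses import dataclass

# Constructed role matrix: the entitlements each job function is approved to hold
# (the "minimum necessary" baseline the review compares against).
APPROVED = {
    "teller":         {"core_read", "cash_drawer"},
    "ops_clerk":      {"core_read", "ach_initiate"},
    "ops_supervisor": {"core_read", "ach_approve"},
    "ap_clerk":       {"core_read", "vendor_master_edit"},
    "treasurer":      {"core_read", "payment_release"},
    "sysadmin":       {"server_admin", "firewall_admin"},
    "auditor":        {"core_read", "audit_log_read"},
}

# Constructed segregation-of-duties pairs: one person must never hold both,
# e.g. initiating an ACH payment and approving it (the ACH fraud scenario).
SOD_CONFLICTS = {
    frozenset({"ach_initiate", "ach_approve"}),
    frozenset({"vendor_master_edit", "payment_release"}),
}

# Constructed set of entitlements treated as privileged and re-certified each review.
PRIVILEGED = {"server_admin", "firewall_admin", "ach_approve", "payment_release"}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "unknown_user", "terminated", "unapproved", "sod" or "privileged"
    detail: str


def review_access(entitlements, roster):
    """entitlements: iterable of (user, entitlement) rows from an IAM export.
    roster: {user: (role, status)} from HR; status is 'active' or 'terminated'.
    Returns a sorted list of Finding objects for a human reviewer to work through."""
    held = {}
    for user, ent in entitlements:
        held.setdefault(user, set()).add(ent)

    findings = set()
    for user, ents in held.items():
        if user not in roster:
            # Access that cannot be traced to a job function is "unknown access".
            findings.add(Finding(user, "unknown_user",
                                 "no HR record; access cannot be tied to a job function"))
            continue
        role, status = roster[user]
        if status == "terminated":
            findings.add(Finding(user, "terminated",
                                 f"still holds {len(ents)} entitlement(s) after departure"))
        for ent in sorted(ents - APPROVED.get(role, set())):
            findings.add(Finding(user, "unapproved", f"{ent} not approved for role {role}"))
        for pair in SOD_CONFLICTS:
            if pair <= ents:
                findings.add(Finding(user, "sod",
                                     "holds conflicting " + " + ".join(sorted(pair))))
        for ent in sorted(ents & PRIVILEGED):
            findings.add(Finding(user, "privileged", f"{ent} requires re-certification"))
    return sorted(findings, key=lambda f: (f.user, f.kind, f.detail))


def summarize(findings):
    """Count findings per kind, the headline numbers for the audit report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed IAM export and HR roster used to demonstrate the review.
SAMPLE_ENTITLEMENTS = [
    ("alice", "core_read"), ("alice", "cash_drawer"),
    ("bob", "core_read"), ("bob", "ach_initiate"), ("bob", "ach_approve"),  # kept clerk right after promotion
    ("carol", "core_read"), ("carol", "ach_approve"),
    ("dave", "server_admin"), ("dave", "firewall_admin"), ("dave", "core_read"),  # admin with customer-data read
    ("erin", "core_read"), ("erin", "audit_log_read"),  # departed, account never disabled
    ("svc_backup", "server_admin"),                     # no owner on the HR roster
]
SAMPLE_ROSTER = {
    "alice": ("teller", "active"),
    "bob": ("ops_supervisor", "active"),
    "carol": ("ops_supervisor", "active"),
    "dave": ("sysadmin", "active"),
    "erin": ("auditor", "terminated"),
}

if __name__ == "__main__":
    results = review_access(SAMPLE_ENTITLEMENTS, SAMPLE_ROSTER)
    for f in results:
        print(f"{f.kind:12} {f.user:10} {f.detail}")
    print(summarize(results))
```

Running it on the constructed sample surfaces bob's initiate-plus-approve conflict, erin's live account after departure, and the orphaned service account, while alice, whose access matches her role exactly, produces no finding.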
Best Practices: Vendor Management / Outsourced Services
o Ask for SSAE16 SOC 1 and SOC 2 reports
o SSAE16 has three different reports, and each report has differing communication and controls requirements for Service Organization Controls (SOC)
o SOC 2: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
o Follow OCC BULLETIN
Best Practices: Security Training and Awareness is Critical
o Have everyone review and acknowledge acceptable use and computer use policies at least annually.
o Regularly communicate reminders about confidentiality and protection and any known threats such as phishing emails.
o Have IT staff attend specific training relating to the security of your data environment.
o Join FS-ISAC and other publications.
o Train on regulatory/data security/privacy law requirements quarterly.
Hot Topics In Cyberlaw
New York Bankers Association Senior Management Conference, June 17, 2015
Joseph V. DeMarco, Esq., DeVore & DeMarco LLP, 99 Park Avenue, Suite 330, New York, New York
My Background
o Partner, DeVore & DeMarco LLP, a boutique law firm in New York City; Cyberlaw Practice, 2008-present
o Previously Assistant U.S. Attorney, Southern District of New York; Founder, Computer Hacking and Intellectual Property Program
o Significant experience in government and private practice with law firm cyber-incidents
Criminal Laws
o Federal Computer Fraud and Abuse Act, 18 U.S.C. (and state analogues, e.g., NY Penal Law 156)
o Federal Wiretap Act, 18 U.S.C.
o Electronic Communications Privacy Act
o Federal Theft of Trade Secrets Act, 18 U.S.C. (and state analogues)
Wiretap Act
o Creates civil and criminal causes of action for intercepting communications
o Federal law and New York are one-party consent jurisdictions, but some states require two-party consent
o Special challenges of international and interstate transmission
o Employee monitoring is all the rage, but is it legal?
Electronic Communications Privacy Act
Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA)
o Articulates the mechanisms the government and private parties must use to compel providers to disclose details of stored wire or electronic communications
o Appropriate mechanism driven by type of data:
  o Basic subscriber records
  o Transactional and other account records
  o (in electronic storage 180 days or less)
  o (in electronic storage more than 180 days)
o Also governs when a provider, in a civil case, may disclose details of customer data to authorities
Threats to Trade Secrets
o The Center for Strategic and International Studies estimated the annual cost of cybercrime and economic espionage at more than $445 billion. (Washington Post, June 9, 2014.)
o Law firms and other service providers: as data aggregators, an especially inviting target (FBI 2012, 2013, 2014)
Digital Tools for Stealing Trade Secrets
Technological advances make it increasingly easy to steal large quantities of valuable trade secrets and client information, and to get away with it! Tools for stealing trade secrets today include:
o External drives
o Laptops
o Mobile devices
o Digital cameras and recorders
o Printers and scanners
o FTP transfers
o Remote access
o Hacking and keylogging software
Economic Espionage Act: 18 U.S.C.
"Passed by Congress in 1996 in recognition of the threat posed to American economic competitiveness in a global economy by the theft of intellectual property and trade secrets." - Sen. Arlen Specter
Two key parts:
o 18 U.S.C.: Economic espionage directed by foreign governments or government-controlled entities
  o Very rare: only eight prosecutions since 1996
  o Highest level of penalties for violations of this part of the statute
  o Increased focus on this section in light of recent activities by China
o 18 U.S.C.: Theft of trade secrets
  o Only applies if (1) the trade secret relates to a product placed in interstate commerce; or (2) it involves the acts of foreign entities
  o Amended December 2012 to correct the Second Circuit ruling in U.S. v. Aleynikov
Legal and Regulatory Drivers: Other Sources
o State breach notification laws
o California Security Standards Law
o Massachusetts Encryption/Security Policy Law
o Nevada Encryption Law
o SSN protection laws
o HIPAA breach laws and HITECH Act amendments
o FTC Identity Theft Red Flags Rule
o Local wireless security laws
o NIST Cyber Framework (2014)
o FINRA, PCI DSS, ISO 27002, and similar standards
Legal and Regulatory Drivers: Other Sources
Failure to abide by any of these standards can be used to support claims of negligence and other torts, in addition to regulatory fines and penalties.
Practical Advice
o Know what data you have
o Know where that data is
o Know who has access to that data
o Protect the most critical data to the maximum degree
o Assess, test and evaluate your clients' policies under counsel protection
o Have an Information Security Policy and Incident Response Plan
o Conduct tabletop exercises
A Final Word: Hacking Back
For private companies, hacking back is not legal in the U.S. or the EU. In the U.S., the general rule has been that private entities maintain a defensive posture, while the government hunts down the culprits.
Hacking back is not ethical hacking. Hacking back presents significant consequences:
o Violations of U.S. and international law
o May give signals to attackers before coordinated mitigation efforts can be made
o Can bring about retaliation and further damage
o May cause unintended spoliation or inhibit preservation of digital evidence
o Can bring about unintended consequences, such as damaging computers belonging to innocent individuals but hijacked by attackers
In short, any proactive measure in response to a cyber threat that can be regarded as revenge or retaliation should be taken off the table.
For Further Information
Joseph V. DeMarco, DeVore & DeMarco LLP, 99 Park Avenue, Suite 1100, New York, New York
Phone: (212) Fax: (212)
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationModern IT Security. Jerry Craft Sr. Security & Networking Consultant
Modern IT Security Jerry Craft Sr. Security & Networking Consultant August 5, 2014 Arcsight Managed Services Bio Senior Security & Networking Consultant for Nth Generation Computing Ethical Hacker and
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationData Management & Protection: Common Definitions
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
More informationPlan of Attack 5 Step Plan
Plan of Attack 5 Step Plan Naming those Digital Assets Practicing Digital Doomsday Training + Policies and Procedures Technology Tuning Security in the Supply Chain Next Steps Sample Plan 0 to 30 Days
More informationSmall Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
More informationCyber Security Metrics Dashboards & Analytics
Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationSecurityMetrics Vision whitepaper
SecurityMetrics Vision whitepaper 1 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft,
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationPreparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
More informationHow-To Guide: Cyber Security. Content Provided by
How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationKeeping watch over your best business interests.
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
More informationCyber Security. John Leek Chief Strategist
Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity
More informationData Breach and Senior Living Communities May 29, 2015
Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs
More informationThe Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard
The Impact of Wireless LAN Technology on to the PCI Data Security Standard 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Wireless LANs and PCI Retailers today use computers
More informationUnderstanding Layered Security and Defense in Depth
Understanding Layered Security and Defense in Depth Introduction Cybercriminals are becoming far more sophisticated as technology evolves. Well-publicized security breaches of major corporations are capturing
More informationSecurity & Compliance, Sikich LLP
Mark Shelhart, CFI, CISSP, QSA Security & Compliance, Sikich LLP 1. Credit card breaches 2. Disgruntled IT, bad leaver 3. Personal records breach 4. Vendor network connections (and contracts) 5. Everything
More informationCYBERSECURITY INVESTIGATIONS
CYBERSECURITY INVESTIGATIONS Planning & Best Practices May 4, 2016 Lanny Morrow, EnCE Managing Consultant lmorrow@bkd.com Cy Sturdivant, CISA Managing Consultant csturdivant@bkd.com Michal Ploskonka, CPA
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationData Breach Lessons Learned. June 11, 2015
Data Breach Lessons Learned June 11, 2015 Introduction John Adams, CISM, CISA, CISSP Associate Director Security & Privacy 410.707.2829 john.adams@protiviti.com Powerful Insights. Proven Delivery. Kevin
More informationEnterprise PrivaProtector 9.0
IRONSHORE INSURANCE COMPANIES 75 Federal St Boston, MA 02110 Toll Free: (877) IRON411 Enterprise PrivaProtector 9.0 Network Security and Privacy Insurance Application THE APPLICANT IS APPLYING FOR A CLAIMS
More informationCybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015
Cybersecurity: A Growing Concern for All Businesses RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015 RLI Design Professionals is a Registered Provider with The American
More informationCyber Insurance: How to Investigate the Right Coverage for Your Company
6-11-2015 Cyber Insurance: How to Investigate the Right Coverage for Your Company Presented by: Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP Greenleaf Trust Chief Information Security Officer (CISO)
More informationwww.pwc.com Cybersecurity and Privacy Hot Topics 2015
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
More informationIT Security Risks & Trends
IT Security Risks & Trends Key Threats to All Businesses 1 1 What do the following have in common? Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health
More informationDATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE
DATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE ACC-Charlotte February 4, 2015 THIS WILL NEVER HAPPEN TO ME! Death, Taxes & Data Breach Not just Home Depot, Target or Sony Do you employ the next
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More information