Data Centric Security Management. Protecting information in a rapidly evolving and interconnected future


1 Data Centric Security Management Protecting information in a rapidly evolving and interconnected future

2 Speakers Bio
Clint Jensen, Director (San Francisco), IT Security Privacy & Risk. Mobile: (415)
Talha Tariq, Manager (San Francisco), IT Security Privacy & Risk. Mobile: (415)
Clint is a Director with over 12 years of experience with information security strategy, IT security risk management program design and execution, security controls design and review, and data protection program design and execution. He currently focuses on assisting organizations with the following types of engagements: Security Program Development and Process Design; Data Protection Program Design, Remediation, and Enabling Technology Deployment; Privacy, PCI, and Other Regulatory Assessment and Remediation; Threat & Vulnerability Assessment and Remediation; ISO27001 Readiness Strategy Planning and Execution; IT Security Control Framework Customization, Adoption, and Controls Audit; Technical Configuration Definition, Testing, Deployment, and Monitoring.
Talha is a Manager in PwC's IT Security, Privacy & Risk practice with more than 7 years of international experience in information security strategy, design and technical security assessments. He is a contributing member of the OWASP Mobile Security project and a member of the PwC Attack & Penetration and Mobile Security Core Team. He is also the west region Subject Matter Specialist on malware trends and Advanced Persistent Threats, and leads the Attack and Penetration testing teams on the west coast. Prior to joining PwC, Talha worked at Microsoft and Sun Microsystems and has Research & Development experience in Secure Operating Systems, Virtualization and Secure Cloud computing. His work has been published in renowned conferences and tech magazines and he holds a patent in building trusted platforms.

3 Speakers Bio
Chris Toohey, Partner (San Francisco), Internal Audit. Mobile: (925)
Mike Corey, Partner (San Francisco), IT Risk & Security. Mobile: (415)
Chris is a Partner in PwC's San Francisco office and leads the Internal Audit Services Practice. He has been engaged to perform a wide array of governance, risk and controls related services during his 26-year professional career. This experience includes conducting internal and external audits on public companies, non-public companies and quasi governmental agencies and serving as the Audit Committee Chairman and on the Boards of several non-profit organizations. Chris specializes in helping clients understand and manage complex operational processes, IT, accounting, and financial reporting requirements. His overall responsibilities focus on providing leadership in the planning and execution of risk based internal audit services encompassing governance, IT, regulatory, compliance process and controls analyses. More specifically, he provides thought leadership; manages groups of professionals to identify, monitor and mitigate risk; and participates in process improvement and project management support, as necessary. He also assists company management in executing its business objectives while also aiding the Audit Committee of the Board of Directors in discharging its fiduciary responsibilities.
Mike is a Partner with over 20 years of experience leading internal audit, IT internal audit, information security strategy, IT security risk management, data protection and privacy engagements. Mike is responsible for our West Region IT Risk and Security practice. This practice specializes in providing IT risk and information security services to our internal audit clients. Mike's experience includes leading numerous IT Internal Audit outsourcing and co-sourcing engagements, and he is a CPA and CISA. Prior to joining PwC, Mike led the IT Internal Audit department for a large Midwestern financial service company.

4 The new reality

5 Breaches are frequent and large
47,000+ reported security incidents
*Source: Verizon 2013 Data Breach Investigations Report
700m+ records lost last year
44m+ compromised data records
Organizations reporting losses of $10M or greater increasing 75% from
* 2014 PwC Global State of Information Security
Average cost of data breach is approximately $5.4m
Average cost per record: $188
*Source: Ponemon Institute's 2013 Annual Study: U.S. Cost of a Data Breach

6 Significant Data Breaches in 2013
Each entry gives the company, the breach stats, and details.
Target: 110 million records. A data breach over a three week period capturing credit and debit card records. Encrypted PIN information also stolen. Other customer information may also have been stolen.
Schnuck Markets: 2.4 million records. In October, Schnucks agreed to a proposed class-action settlement stemming from the breach of its computer systems.
CorporateCarOnline.com: 850,000 records. Hackers stole and stored information online related to customers who used limousine and other ground transportation for this St Louis based limo software provider. The online information included plain text archives of credit card numbers, expiration dates, names, and addresses. Many of the customers were wealthy and used credit cards that would be attractive to identity thieves. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump.
Adobe: 38 million customer accounts, 3 million credit card accounts. Originally just thought to be a compromise of 3 million PII records, the loss of a vast trove of login credentials was subsequently, and, more also its source code for various applications
LivingSocial: 50 million accounts. Computer systems were hacked, resulting in unauthorized access. The company updated its password encryption method after the breach. Names, addresses, dates of birth, and salted passwords were stolen.
Advocate Medical Group: 4 million patient records stolen. The theft of four computers from offices owned by this medical company exposed more than 4 million patient records. One of the largest losses of unsecured health information since notification to the Department of Health and Human Services became mandatory in

7 The actors and the information they target
Adversary: Nation State; Hacktivists; Organized Crime; Insiders.
What's most at risk? Industrial Control Systems (SCADA); Emerging technologies; Payment card and related information / financial markets; Advanced materials and manufacturing techniques; Military technologies; Healthcare, pharmaceuticals, and related technologies; Business deals information; R&D and / or product design data; Health records and other personal data; Information and communication technology and data.
Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, , October
Adversary motives and tactics evolve as business strategies change and business activities are executed; crown jewels must be identified and their protection prioritized, monitored and adjusted accordingly.

8 Risk and Impact Evaluation: Why organizations have not kept pace
Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.
Diagram labels: Board, Audit Committee, and Executive Leadership Engagement; Business Alignment and Enablement; Insider Threat; Physical Security; Operational Technology Security; Secure Mobile and Cloud Computing; Patch & Configuration Management; Critical Asset User Identification and Administration Protection; Ecosystem & Supply Chain Security; Product & Service Security; Technology Adoption and Enablement; Threat Modeling & Scenario Planning; Monitoring and Detection; Threat Intelligence; Global Security Operations; Public/Private Information Sharing; Breach Investigation and Response; Notification and Disclosure; Incident and Crisis Management; Privileged Access Management; Compliance Remediation; Process and Technology Fundamentals; Security Technology Rationalization; Technology Debt Management; Security Culture and Mindset; Resource Prioritization; Security Strategy and Roadmap; Security Program, Functions, Resources and Capabilities.

9 Risk and Impact Evaluation: Has your organization kept pace?
Questions to consider when evaluating your ability to respond to the new challenges.
Identify, prioritize, and protect the assets most essential to the business: Have you identified your most critical assets and know where they are stored and transmitted? How do you evaluate their value and impact to the business if compromised? Do you prioritize the protection of your crown jewels differently than other information assets?
Understand the threats to your industry and your business: Who are your adversaries and what are their motivations? What information are they targeting and what tactics are they using? How are you anticipating and adapting your strategy and controls?
Evaluate and improve effectiveness of existing processes and technologies: Have you patched and upgraded your core platforms and technology? How are you securing new technology adoption and managing vulnerability with your legacy technology? Have you evolved your security architecture and associated processes?
Enhance situational awareness to detect and respond to security events: How are you gaining visibility into internal and external security events and activities? Are you applying correlation and analytics to identify patterns or exceptions? How do you timely and efficiently determine when to take action?
Develop a cross-functional incident response plan for effective crisis management: Have your business leaders undertaken cyberattack scenario planning? Do you have a defined cross functional structure, process and capability to respond? Are you enhancing and aligning your plan to ongoing business changes?
Establish values and behaviors to create and promote security effectiveness: How is leadership engaged and committed to addressing cyber risks facing the business? What sustained activities are in place to improve awareness and sensitivity to cyber risks? How have your business practices evolved to address the threats to your business?
[Figure: the capability diagram from slide 8, repeated.]

10 The security challenge now extends beyond the enterprise
Global Business Ecosystem. Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.
The ecosystem is built around a model of open collaboration and trust, the very attributes being exploited by an increasing number of global adversaries.
Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.
Adversaries are actively targeting critical assets throughout the ecosystem, significantly increasing the exposure and impact to businesses.
Years of underinvestment in security have impacted organizations' ability to adapt and respond to evolving, dynamic cyber risks.
[Figure: Pressures and changes which create opportunity and risk]

11 Protecting Data & Role of IA

12 Data Privacy & Information Security Risks
Risk Factors:
Compliance: Compliance with government or industry regulations / enforcements (HIPAA, PCI, GLBA, COPPA, FTC Act). Compliance with self-regulatory frameworks (i.e., U.S.-EU Safe Harbor, TRUSTe, DMA OBA Principles).
Financial: Companies face several financial risks associated with a breach: Federal/state regulatory fines; Stock price decline; Remediation efforts.
Legal: Companies are experiencing increasing lawsuits from: Employees; Customers; Investors.
Reputational: Negative impact to the brand. Loss of employee, customer, & investor confidence.
Regulatory: Enforcement actions from federal and state agencies. Regulatory inquiries may require long-term third party remediation in order to verify regulatory compliance.

13 Risks generally not perceived as well managed
Risks seen as increasing the most in the last year: Economic uncertainty; Regulations and government; IT security/cyber security; Data privacy; Government spending and taxation; Competition; Commercial market shifts; Financial markets; Large Programs (such as ERP); Talent and labor.
Risks seen as the most well managed last year: Talent & Labor; Competition; Reputation/brand; Financial markets; Fraud and ethics; Government spending and taxation; Mergers, acquisitions and JVs; Regulations and government policies; IT / Cyber Security; Economic uncertainty.
85% believe security threats are increasing, yet only 12% think their organization manages risks extremely well.
Source: PwC's 2013 State of the Internal Audit Profession Study

14 Organizations with high-performing internal audit functions manage risk better than others
Source: PwC's 2013 State of the Internal Audit Profession Study

15 What you should be thinking

16 Having a Program In Place to Protect Data
A comprehensive program is needed to address the myriad of compliance requirements, and to protect consumer information and sensitive company information.
Program components: Incident Response; Governance; Monitoring & Auditing; Risk Assessment; Training & Awareness; Processes & Controls; Technical Security & Controls.

17 Strategic Approach: End to End Data Lifecycle Protection
Organizations have historically focused on protecting the perimeter to prevent intrusion (and therefore data loss). Organizations should start by looking at the various stages of the Information Lifecycle and understand the best way to protect sensitive data in each of these stages.

18 Engage your Stakeholders
Data protection and privacy is a relatively new consideration within the Risk Management disciplines. As a result, the manner with which organizations address this risk could differ widely. Some of the typical stakeholders associated with data protection and privacy concerns are listed below:
Process Area: Legal; Marketing; Information Security; Internal Audit; Compliance; Privacy Office.
Concern (examples): FTC complaints; Records Management; ecommerce initiatives; CRM; Social media campaigns; Audit findings; PCI readiness; Data breaches; Board or Audit Committee requests; Increasing the enterprise risk scope; HIPAA (healthcare), GLBA (financial); Regulatory examination; Governance structure; Operating privacy, how to live by the privacy policy.

19 Data Protection and Privacy Program Monitoring
Ongoing auditing or monitoring of a company's data protection and privacy program is essential. Examples of areas that auditing and monitoring activities should focus on include: Data protection and privacy program gap assessment; Evaluation of, or assistance with, the company's periodic data protection and privacy risk assessment process; Compliance with established data protection and privacy policies and procedures; Data protection and privacy training and awareness programs; Data protection and privacy related remediation; Third party/vendor data protection and privacy practices.

20 Considerations for Your Organization
Understanding threats: Has your data been exposed and would you know if it were? Do you know what breach indicators you should be monitoring?
Building protections: Has the company established formal governance and controls to protect the sensitive data? Are the controls and safeguards periodically tested? Have the controls and safeguards been updated to respond to changing business models?
Responding to incidents: Are you prepared to respond to legal actions? If a Regulator were to inquire or investigate the company, would the company be prepared to respond? Has the company established formal plans to respond to incidents when they occur?

21 Considerations for Your Organization
Understanding Company Governance & Awareness: What are the company's compliance requirements? What is the culture of the company and what is the philosophy regarding information security and privacy? Who leads the efforts for information security (e.g., Steering Committee)? How does the company ensure alignment between the management and staff? What is the company trying to achieve with their information security/privacy program?
Understanding sensitive data: What sensitive data do you have that needs to be protected? Has the company classified and inventoried that data? Who has access to sensitive data internally and externally? Who is responsible for protecting your sensitive data? Who is responsible for the oversight of vendors that may hold sensitive data?

22 Coordinated lines of defense
Senior management; Board/audit committee
1st line of defense: Management. Functional and line management are responsible for operationalizing risk management and internal controls.
2nd line of defense: Risk Mgmt & Compliance. Risk management and compliance functions are responsible for establishing and monitoring effective risk management policies & standards.
3rd line of defense: Internal Audit. Internal audit is responsible for providing objective assurance and advice on governance, risk, and compliance to the board and executive management.

23 The role of internal audit
Internal Audit can play a role in the ongoing independent monitoring of a company's data protection and privacy program: Keep the board abreast of emerging security and privacy risks; Embed yourself in key activities that roll out new business processes, products or information systems (i.e., privacy by design); Communicate with the board and executive management; Privacy/Security program gap assessment; Evaluation of, or assistance with, the company's periodic privacy/security risk assessment process; Audits of established privacy/security policies and procedures and/or controls; Audits of privacy/security training and awareness programs; Audits of third party/vendor data protection and privacy practices.

24 Questions you should be asking
Enhancing security strategy and capability; Understanding and adapting to changes in the security risk environment; Advance their security posture through a shared vision and culture
1. Is our cybersecurity program aligned with our business strategy? 2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us? 3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners?
1. Do we know what information is most valuable to the business? 2. Do we know what our adversaries are after / what would they target? 3. Do we have an insider threat program? Is it inter-departmental? 4. Are we actively involved in relevant public-private partnerships?
1. How was our last security crisis identified; in-house or government identified? 2. Who leads our incident and crisis management program? Is our program cross functional / inter-departmental? 3. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities?

25 What is important to regulators
Accountability and program ownership; Considerations of data protection, privacy and security throughout the organization and its processes; Training and awareness programs; Risk assessment processes; Policies/procedures; Data protection controls; Monitoring technologies and capabilities.
Focus is on transparency in notice to consumers: Do the systems and controls process data as described by your privacy notice? Do consumers have choice, and do they consent?

26 Additional Questions? This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it PricewaterhouseCoopers LLP All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

27 Appendix Slides PwC Global State of Information Security Survey

28 A US-only survey shows that, even when in place, security technologies and policies often do not prevent incidents.
Respondents to the 2013 US State of Cybercrime Survey, co-sponsored by PwC, say security incidents increased 33%, despite implementation of security practices. For many, existing security technologies and policies are simply not keeping pace with fast-evolving threats.
Security technologies and policies in place (US only):
Use policy-based network connections to detect and/or counter security incidents: 68%
Inspect inbound and outbound network traffic: 61%
Use account/password management in an attempt to reduce security incidents: 60%
Have an acceptable-use policy: 55%
Use malware analysis as a tool to counter advanced persistent threats (APTs): 51%
Use data loss prevention technology to prevent and/or counter security incidents: 51%
Use security event management to detect and/or counter security incidents: 50%
Use cyber-threat research in an attempt to reduce security incidents: 25%
Do not allow non-corporate-supplied devices in the workplace/network access: 17%
US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Coordination Center at Carnegie Mellon University, Federal Bureau of Investigation, PwC, and the US Secret Service, March-April

29 Despite the potential consequences, many respondents do not adequately safeguard their high-value information. It is imperative that organizations identify, prioritize, and protect their crown jewels. Many, however, have not yet implemented basic policies necessary to safeguard intellectual property (IP). Have policies to help safeguard IP and trade secrets 37% 22% 22% 16% 17% 20% 20% 29% 24% 26% 32% 31% Classifying business value of data Procedures dedicated to protecting IP Inventory of assets/ asset management Regular review of users and access

30 Evolution of the Security Paradigm Shift
[Figure: vertical axis Technology Reliance/Complexity; horizontal axis Time, marked 1980s, 1990s, 2000s]
Perimeter Security: Focus on security technology for the perimeter.
Layered Security: Focus on enhanced layers of security, adoption of incremental security solutions.
Inclusion & Exclusion Security: Heavy focus on identity management: right people, right place, right access.
Assumed State of Compromise: Significant and evolving cyberthreats unlike ever before. Highly skilled/motivated, and yet patient adversaries, including nation states. Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers. Massive consumerization of IT and reliance on mobile technologies. Increasing regulatory compliance requirements (e.g., SEC Cyber Guidance).

31 What is this thing on my external network?

32 Internet Census

33 Project Sonar

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

www.pwc.com Cybersecurity and Privacy Hot Topics 2015

www.pwc.com Cybersecurity and Privacy Hot Topics 2015 www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Threat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA

Threat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA www.pwc.com Vulnerability Management (TVM) Protecting IT assets through a comprehensive program Chicago IIA/ISACA 2 nd Annual Hacking Conference Introductions Paul Hinds Managing Director Cybersecurity

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

www.pwc.com Developing a robust cyber security governance framework 16 April 2015

www.pwc.com Developing a robust cyber security governance framework 16 April 2015 www.pwc.com Developing a robust cyber security governance framework 16 April 2015 Cyber attacks are ubiquitous Anonymous hacker group declares cyber war on Hong Kong government, police - SCMP, 2 October

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

10Minutes. on the stark realities of cybersecurity. The Cyber Savvy CEO. A changed business environment demands a new approach:

10Minutes. on the stark realities of cybersecurity. The Cyber Savvy CEO. A changed business environment demands a new approach: 10Minutes on the stark realities of cybersecurity The Cyber Savvy CEO Highlights Business leaders must recognise the exposure and business impact that comes from operating within an interconnected global

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties Pamela Passman President and CEO Center for Responsible Enterprise And Trade (CREATe.org)

More information

Defending yesterday. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future

www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future 2015 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence

More information

PwC Cybersecurity Briefing

PwC Cybersecurity Briefing www.pwc.com/cybersecurity Cybersecurity Briefing June 25, 2014 The views expressed in these slides are solely the views of the presenters and do not necessarily reflect the views of the PCAOB, the members

More information

Answering your cybersecurity questions The need for continued action

Answering your cybersecurity questions The need for continued action www.pwc.com/cybersecurity Answering your cybersecurity questions The need for continued action January 2014 Boards and executives keeping a sustained focus on cybersecurity do more than protect the business:

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation's ability to

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015

www.pwc.com/cybersecurity Cybersecurity and Cloud Briefing December 3, 2015

Wendy L. Frank, principal,, Advisory, Cybersecurity, Privacy and Risk wendy.l.frank@pwc.com Office (213) 217-3615 Former Chief Security Officer

Defending Against Data Beaches: Internal Controls for Cybersecurity

Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Agenda Executive summary Why is this topic important? Cyber attacks: increasing complexity Market insights: What are

www.pwc.com Third Party Risk Management 12 April 2012

Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

Into the cybersecurity breach

Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

Data Breach and Senior Living Communities May 29, 2015

Today's Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

on Data and Identity Theft*

What you need to know about emerging topics essential to your business. Brought to you by PricewaterhouseCoopers. October 2008 A collaborative business world's Achilles heel

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

What We'll Cover About Me Background The threat Risks to your organization What your organization can/should

Anatomy of a Healthcare Data Breach

BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

ERM Symposium April 2009. Moderator Nancy Bennett

ERM Symposium April 2009 RI4-Implementing a Comprehensive Privacy Program John Kelly Joseph Nocera Moderator Nancy Bennett Data & Identity Theft: Keeping sensitive data out of the wrong hands Presented

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

Cyber criminals steal user names and passwords and use them to conduct financial trading activity illicitly. Hackers

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

Security & privacy in the cloud; an easy road?

A journey to the trusted cloud Martin Vliem CISSP, CISA National Security Officer Microsoft The Netherlands mvliem@microsoft.com THE SHIFT OLD WORLD

What Data? I'm A Trucking Company!

Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West

OCIE CYBERSECURITY INITIATIVE

Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.

Developing National Frameworks & Engaging the Private Sector

www.pwc.com Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

I've been breached! Now what?

THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have

Advanced Threat Protection with Dell SecureWorks Security Services

Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

Cybersecurity: Protecting Your Business. March 11, 2015

Grant Thornton LLP. All rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

20+ At risk and unready in an interconnected world

Key findings from The Global State of Information Security Survey 2015 Cyber attacks against power and utilities organizations have transitioned from theoretical

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become

Adopting a Cybersecurity Framework for Governance and Risk Management

The American Hospital Association's Center for Healthcare Governance 2015 Fall Symposium Jim Giordano Vice Chairman & Chair of Finance

CONSULTING IMAGE PLACEHOLDER

KUDELSKI SECURITY CONSULTING SERVICES CYBERCRIME MACHINE LEARNING ECOSYSTEM & INTRUSION DETECTION: CYBERCRIME OR REALITY? ECOSYSTEM COSTS BENEFITS BIG BOSS Criminal Organization

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

FINRA Publishes its 2015 Report on Cybersecurity Practices

Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 On February

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

TODAY'S PRESENTER Viviana Campanaro, CISSP Director, Security and

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,

Securing the Cloud Infrastructure

EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy

Reducing Cyber Risk in Your Organization

White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than

Stay ahead of insider threats with predictive, intelligent security

Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation

11/27/2015. Cyber Risk as a Component of Business Risk: Communicating with the C-Suite. Conflict of interest. Learning Objectives

Jigar Kadakia DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you're looking for a comprehensive, global framework

CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

My name is Jacob Olcott and I am pleased to share some observations on

2015 CENTRI Data Breach Report:

INDUSTRY REPORT 2015 CENTRI Data Breach Report: An Analysis of Enterprise Data Breaches & How to Mitigate Their Impact Protect your data Introduction This industry report attempts to answer

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048

Setting expectations Are you susceptible to a data breach? October 7, 2014 Setting expectations Victim Perpetrator

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

Presented by Doug Copley, Chairman Michigan Healthcare Cybersecurity Council Mr. Chairman and Committee Members,

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Study Session, Milan, 21 February 2013 Agenda 1 Maintaining PCI-DSS compliance

Teradata and Protegrity High-Value Protection for High-Value Data

03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

WRITTEN TESTIMONY OF

KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you

Key Cyber Risks at the ERP Level

Process & Industrial Products (P&IP) Sector December, 2014 Today's presenters Bhavin Barot, Sr. Manager Deloitte & Touche LLP Goran Ristovski, Manager Deloitte & Touche

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas

Middle Class Economics: Cybersecurity Updated August 7, 2015

The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

NERC CIP VERSION 5 COMPLIANCE

BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

Information Security Addressing Your Advanced Threats

Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

Data Breaches and Trade Secrets: What to Do When Your Client Gets Hacked

R. Mark Halligan, FisherBroyles, LLP Andreas Kaltsounis, Stroz Friedberg Amy L. Carlson, Stoel Rives LLP Moderated by David A. Bateman,

AANVAL INDUSTRY FOCUS SOLUTIONS BRIEF. Aanval for Financial Services

TACTICAL FLEX, INC. Aanval is a product of Tactical FLEX, Inc. - Copyright 2012 - All Rights Reserved Challenge for IT in Today's Financial

www.pwc.com/us/cyber Statement of Qualifications Cybercrime & data breach

Contents Countering cyber threats and fraud Cyber forensics and investigative services Cyber forensics and investigations Past

Defending yesterday. Retail & Consumer. Key findings from The Global State of Information Security Survey 2014

www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today's determined adversaries. As a result, many rely on yesterday

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

Cybersecurity: Learn Critical Strategies to Protecting Your Enterprise November 6, 2013 1:00PM EST

November 6, 2013 Copyright 2013 Trusted Computing Group 1

The promise and pitfalls of cyber insurance January 2016

www.pwc.com/us/insurance 2 top issues Cyber insurance is a potentially huge but still largely untapped

Cybersecurity Enhancement Account. FY 2017 President's Budget

February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities

Network Security & Privacy Landscape

Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

Law Firm Cyber Security & Compliance Risks

ALA WEBINAR James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014

September 20, 2013 Senior IT Examiner Gene Lilienthal

Cyber Crime The following presentation are views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank

Address C-level Cybersecurity issues to enable and secure Digital transformation

Home Overview Challenges Global Resource Growth Impacting Industries We support cybersecurity transformations with assessments,

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

How To Protect Your Data From Theft

Understanding the Effectiveness of a Data Protection Program IIA: Almost Free Seminar 21 June 2011 Agenda Data protection overview Case studies Ernst & Young's point of view Understanding the effectiveness

October 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches

AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title

Presented By: Corporate Security Information Security Treasury Management

Is Your Business Prepared for a Cyber Incident? It's not a matter of if, it's a matter of when Cyber Attacks are on the Rise; Physical

The Value of Vulnerability Management*

*ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

The Business Case for Security Information Management

The Essentials Series: Security Information Management sponsored by by Dan Sullivan The Business Case for Security Information Management... 1 Un

Healthcare Security: Improving Network Defenses While Serving Patients

White Paper What You Will Learn Safeguarding the privacy of patient information is critical for healthcare providers. However, Cisco

Getting real about cyber threats: where are you headed?

Energy, utilities and power generation companies that understand today's cyber threats will be in the best position to defeat them June 2011 At a

Securing the Microsoft Cloud

Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed

Hot Topics and Trends in Cyber Security and Privacy

M. Darren Traub March 13, 2015 Cyber Attacks Ranked Top 5 Most Likely Risks in 2015 - The World Economic Forum Recent Global Headlines Include: 1 Where

Logging In: Auditing Cybersecurity in an Unsecure World

About This Course Course Description $5.4 million that's the average cost of a data breach to a U.S.-based company. It's no surprise, then, that

Attachment A. Identification of Risks/Cybersecurity Governance

1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

Preemptive security solutions for healthcare

Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements.

Data Breach Lessons Learned. June 11, 2015

Introduction John Adams, CISM, CISA, CISSP Associate Director Security & Privacy 410.707.2829 john.adams@protiviti.com Powerful Insights. Proven Delivery. Kevin