IT Security to Combat Today's Cyber Fraud
Slide 1: IT Security to Combat Today's Cyber Fraud
- Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE, Director, IT Audit and Consulting, O'Connor Davies, LLP
- Timothy M. Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member, Focus 1 Associates LLC

Slide 2: Speakers
- Tom DeMayo, CISSP, CIPP, CEH, CPT, MCSE, Director, IT Audit and Consulting Services, O'Connor Davies, LLP, TDeMayo@odpkf.com
- Tim Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member, Focus 1 Associates LLC, tim@focus1associates.com

Slide 3: Objectives
- Current cyber security threats
- Information security and privacy compliance obligations and enforcement
- Business Continuity/Disaster Recovery considerations
- Risk management
Slide 4: Financial Industries in the Headlines (image slide)

Slide 5: Why Attack a Financial Services Company? Why Not?
A financial services company has:
- Bank accounts
- Brokerage accounts
- Customer personal information
- Employee payroll
- Employee personal information
- EFT transactions, frequently performed
- Large amounts of funds and assets under management

Slide 6: Why Attack a Financial Services Company?
Indisputable cyber truths:
- Any company that is connected to the internet can become a victim
- Any company that uses software to manage its operations can become a victim
- A company does not need to be a target to become a victim
- The majority of attacks are opportunistic, not targeted

Slide 7: What can happen?
- Personal information compromised
- Fraudulent fund transfers
- Fraudulent trades
- Stock prices manipulated
- Operations disrupted
- Regulatory fines
- Reputational damage

Slide 8: Types of Attacks
- Denial of Service
- Cyber Espionage
- Cyber Extortion
- Electronic Fund Transfer Fraud
- Data Exfiltration

Slide 9: Cyber Extortion: A Closer Look
- Cyber extortion has been on the rise
- Companies are being held ransom at the risk of their data being held hostage: data may be encrypted and made unusable, placing the company in limbo (a financial application can have all of its database contents encrypted)

Slide 10: Cyber Extortion: A Closer Look
Companies are being held ransom at the risk of:
- Release of protected or personal data: threats may be made to expose employees' SSNs or health information on file
- Sale of corporate secrets
- Denial of service: financial systems could be taken off-line

Slide 11: Cyber Extortion: A Closer Look
Companies are being held ransom at the risk of:
- A ransomware variant that places child pornography on your system and threatens to alert the authorities
- No financial services company wants to be associated in the headlines with child pornography, regardless of how it got there

Slide 12: Cyber Extortion: A Closer Look (image slide)

Slide 13: Cyber Fraud is Big Business
- Malware is specifically written to target bank accounts, credit card information, personal information, etc. (e.g. Zeus, SpyEye)
- Hackers for hire: crime gangs are hiring rogue programmers to modify existing malware and/or create new malware to evade detection by anti-virus software

Slide 14: Cyber Fraud is Big Business
- Fraud as a Service ("FaaS"): turnkey fraud solutions hosted by criminal organizations
- Malware is no longer just targeting your PCs but your smartphones as well
- Mobile malware grew 614% from March 2012 to March 2013 (Juniper)

Slide 15: Cyber Fraud is Big Business (image; source: Webroot)

Slide 16: Cyber Fraud is Big Business
What have the mobile attacks accomplished?
- Intercept text messages and forward them (specifically when banks or other applications send text messages with one-time codes to log in)
- Record phone calls; turn on the microphone to record conversations
- Track GPS location remotely
- Send text messages to premium services, increasing fees
- Destroy the phone or its components (camera, messaging, etc.)

Slide 17: Cyber Fraud is Big Business (image slide)

Slide 18: Cyber Fraud is Big Business (image; source: Trusteer)

Slide 19: Cyber Fraud is Big Business (image; source: Trusteer)

Slide 20: Cyber Fraud is Big Business (image; source: Krebs on Security)

Slide 21: Cyber Fraud is Big Business
- How do such services exist on the internet without being shut down?
- The current (or downright absent) cyber laws in effect in different countries have sustained the growth of cyber-crime worldwide

Slide 22: Cyber Fraud is Big Business
- Commercial and consumer EFTs are protected differently under the law
- Consumers are protected by the Electronic Funds Transfer Act; consumers are allowed up to 60 days to report fraudulent transactions
- Commercial EFTs are regulated by the Uniform Commercial Code Article 4A; businesses are allowed up to two days to report the fraudulent transaction, depending on whether it was an ACH or wire transfer
- Section 202: "a payment order received by the bank is effective as the order of the customer, whether or not authorized, if the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer"
Slide 23: Security Laws and Obligations
- Gramm-Leach-Bliley Act ("GLBA") and SEC Regulation S-P
- Fair Credit Reporting Act ("FCRA")
- Fair and Accurate Credit Transactions Act ("FACTA") and the Red Flags Rule
- State Privacy and Breach Notification Laws

Slide 24: GLBA and SEC Regulation S-P
- Regulation S-P was adopted by the SEC in accordance with Title V of GLBA
- GLBA requires the SEC and other federal agencies to adopt rules relating to notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about its consumers

Slide 25: GLBA and SEC Regulation S-P
The two primary rules under Regulation S-P are as follows:
- Rule 10, the Disclosure Rule: financial institutions are required to provide notices to customers about their information-collection and information-sharing practices; subject to certain exceptions, consumers may "opt out" if they do not want their information shared with nonaffiliated third parties

Slide 26: GLBA and SEC Regulation S-P
- Rule 30, the Safeguards Rule: requires every broker, dealer, investment company and every SEC-registered investment adviser to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information
- Safeguards implemented must be reasonably designed to: ensure that consumer records and information are kept secure and confidential; protect against anticipated threats or hazards to the security of such consumer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience

Slide 27: Enforcement of Regulation S-P
- In April 2011, the SEC announced the first-ever assessment of financial penalties against individuals charged solely with violations of Regulation S-P, in connection with:
- A broker-dealer whose registered representatives took customers' personal information when leaving the firm, without disclosing that personal information was being shared with non-affiliated third parties
- The chief compliance officer, who failed to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information

Slide 28: Enforcement of Regulation S-P
Other SEC enforcement actions include:
- A fine against a registered broker-dealer that did not require its independent contractor registered representatives to maintain anti-virus software on their computers
- A fine against a broker-dealer for failing to have adequate safeguards in its online trading platform, which resulted in a security breach, and for failing to have an information security policy that adequately protected customer records and information

Slide 29: 2014 SEC Examinations
- The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) announced that its 2014 Examination Priorities included a focus on technology, including cyber security preparedness
- On March 26, 2014, the SEC sponsored a cyber security roundtable that underscored the importance of information security to the integrity of our market system and customer data protection

Slide 30: 2014 SEC Examinations
- In April 2014, the SEC OCIE issued a national exam program alert entitled "OCIE Cybersecurity Initiative"
- The alert includes a seven-page sample document request list

Slide 31: 2014 SEC Examinations
The alert specifies that the SEC will focus on the following areas:
- Cyber Security Governance
- Identification and Assessment of Cyber Security Risks
- Protection of Networks and Information
- Risks Associated with Remote Customer Access and Funds Transfer Requests
- Risks Associated with Vendors and Other Third Parties
- Detection of Unauthorized Activity
- Expenses Associated with Certain Cyber Security Threats

Slide 32: 2014 SEC Examinations: Tips
- Do not consider these cyber security examinations to be low risk
- Do not underestimate the possibility of serious and costly regulatory findings from the examination
- Do not simply take a checklist approach
- For any cyber security plan to be effective it must be holistic, and it all starts with a detailed cyber security risk assessment

Slide 33: FCRA and FACTA
- FCRA regulates the content, use and disclosure of consumer reports issued by consumer reporting agencies
- FACTA added sections to FCRA intended primarily to help consumers fight the growing crime of identity theft (the Red Flags Rule)
- The Dodd-Frank Act added the SEC to the list of federal agencies directed by FACTA to adopt and enforce Red Flags Rules
- In April 2013, the SEC voted unanimously to adopt a final rule requiring broker-dealers, mutual funds, investment advisers, and other regulated entities to implement programs designed to detect and prevent identity theft

Slide 34: FCRA and FACTA
The final rule requires covered firms to:
- Establish policies and procedures designed to identify relevant types of identity theft red flags, detect the occurrence of those red flags, respond appropriately to the detected red flags, and periodically update the identity theft program
- Provide staff training and oversight of service providers

Slide 35: State Privacy and Breach Notification Laws
- Regulation S-P does not require notice to be given to affected parties in the event of a security breach; you must look to the state laws for breach notification requirements
- Approximately 47 states have enacted a statute requiring a company to notify state residents if the security of certain sensitive customer information is breached
- Note: the majority of these laws require notification regardless of the location of the business operations
- Most laws apply to sensitive information; however, the definition of sensitive information varies by state (for example: name and SSN, driver's license ID, etc.)

Slide 36: State Privacy and Breach Notification Laws
- If breached, a risk assessment may be necessary to determine whether notification is necessary
- Typically, data that is encrypted can remove a company from having to issue a breach notification
- Some states require notification whenever data is accessed by, or is reasonably assumed to have been accessed by, an unauthorized person; however, some states take a risk-of-harm approach

Slide 37: State Privacy and Breach Notification Laws: Massachusetts
Why all the fuss?
- Massachusetts has some of the strictest information privacy and security laws in the country
- In addition, the law extends to all entities that own, license, or store personal information on any resident of the state, regardless of the location of business operations

Slide 38: State Privacy and Breach Notification Laws: Massachusetts Privacy Law Requirements
Key points:
- Duty to develop and implement a comprehensive, written information security program applicable to any records containing the personal information of Massachusetts residents
- Security system requirements for computer and wireless networks
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly
Slide 39: Business Continuity and Disaster Recovery: Look Familiar?! (image slide)

Slide 40: Business Continuity and Disaster Recovery
- In a time of local or widespread emergency, a financial services firm must have a business continuity and disaster recovery plan ("BCP/DR")
- The plan will be your script to recovery and your assurance that your clients' needs are met

Slide 41: Business Continuity and Disaster Recovery
- The FINRA Emergency Preparedness Rule requires firms to create and maintain business continuity plans (BCPs) appropriate to the scale and scope of their businesses, and to provide FINRA with emergency contact information
- A FINRA member's business continuity plan must, at a minimum, address the following:
- Data back-up and recovery (hard copy and electronic)
- All mission-critical systems
- Financial and operational assessments
- Alternate communications with customers and employees
- Alternate physical location of employees
- Critical business constituent, bank, and counter-party impact
- Regulatory reporting and communications with regulators
- Assuring customers prompt access to funds and securities

Slide 42: Business Continuity and Disaster Recovery
- Take a structured approach to the plan's development
- Identify all your business processes and prioritize them
- Determine how much data loss is acceptable and how long these business processes can be down; your clients' needs and market status will define your objectives (e.g. market makers must be up and running in 4 hours)
- Identify the people, processes and technology that support the business processes: TECHNOLOGY ALONE IS NOT THE SOLUTION
- Identify interdependencies
- Create calling trees: internal, client and regulatory
- Define your recovery strategies: DO NOT FOCUS ON THE POSSIBLE SCENARIOS, FOCUS ON THE IMPACT
- Four key areas of impact: premises, people, systems, suppliers
Slide 43: Risk Management
- All of our slides stress one key point: RISK MANAGEMENT!
- Before risk can be managed, it must be understood
- While many financial services companies feel comfortable with identifying and understanding operational risk, IT risk remains a black box

Slide 44: Risk Management (image slide)

Slide 45: Risk Management
- When it comes to IT security and governance, do not assume that just because it works, it is secure and managed effectively
- Do not assume that IT security is strictly an IT issue
- IT security is a business issue that requires the assistance of a technical solution

Slide 46: Risk Management
- The first step in tackling all of these issues is a detailed IT risk assessment and gap analysis
- Ideally this assessment is performed by an unbiased third party
- Internal IT often: does not have the specific risk and security training necessary to complete the assessment; has difficulty communicating the risks to management; is under-resourced; and has difficulty seeing the forest for the trees

Slide 47: Risk Management
Regardless of who performs the risk assessment, at its completion management should have:
- A listing of possible threats with a ranking of their inherent risk
- A mapping of the controls that have been implemented to reduce the identified inherent risks
- The residual risk ranking after the application of the controls
- A remediation plan if the residual risk is high to unacceptable
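The four deliverables named on slide 47 (ranked threat listing, control mapping, residual risk, remediation plan) worked through as a small risk register. This is an added example, not material from the presentation or the speakers' firms; the threat names, likelihood/impact scores, control effectiveness percentages and the rating thresholds are all constructed assumptions for illustration.

```python
# Added example (not from the presentation): a minimal IT risk register that
# produces the four deliverables slide 47 names. Threat names, scores and
# control effectiveness values are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed share of risk the control removes, 0.0-1.0


@dataclass
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        # Risk before any control is considered, on a 1-25 scale.
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # Each control removes its share of the risk that remains after the
        # previous ones, so two 50% controls leave 25%, never 0%.
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent_risk() * remaining, 1)


def rating(score: float) -> str:
    # Thresholds on the 1-25 scale are an assumption for this example.
    if score >= 15:
        return "Unacceptable"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def build_register(threats: List[Threat]) -> List[Dict]:
    """Threat listing ranked by inherent risk, with mapped controls and residual risk."""
    rows = []
    for t in sorted(threats, key=lambda x: x.inherent_risk(), reverse=True):
        rows.append({
            "threat": t.name,
            "inherent": t.inherent_risk(),
            "inherent_rating": rating(t.inherent_risk()),
            "controls": [c.name for c in t.controls],
            "residual": t.residual_risk(),
            "residual_rating": rating(t.residual_risk()),
        })
    return rows


def remediation_plan(register: List[Dict]) -> List[str]:
    """Threats whose residual risk is still High or Unacceptable need remediation."""
    return [r["threat"] for r in register
            if r["residual_rating"] in ("High", "Unacceptable")]


def sample_register() -> List[Dict]:
    # Constructed threats drawn from the themes of the deck; scores are illustrative.
    patching = Control("Patch management", 0.3)
    antivirus = Control("Anti-virus on all systems", 0.3)
    backups = Control("Tested offline backups", 0.5)
    two_factor = Control("Two-factor authentication for remote access", 0.5)
    callback = Control("Call-back verification of wire instructions", 0.4)
    training = Control("Security awareness training with phishing tests", 0.3)
    mdm = Control("Mobile device management (app install control, remote wipe)", 0.2)
    threats = [
        Threat("Ransomware encrypts the financial database", 4, 5, [patching, antivirus, backups]),
        Threat("Fraudulent EFT using stolen banking credentials", 3, 5, [two_factor, callback]),
        Threat("Phishing leads to credential theft", 5, 3, [training]),
        Threat("Mobile malware intercepts one-time SMS codes", 2, 4, [mdm]),
    ]
    return build_register(threats)


if __name__ == "__main__":
    register = sample_register()
    for row in register:
        print(f"{row['threat']}: inherent {row['inherent']} ({row['inherent_rating']}), "
              f"residual {row['residual']} ({row['residual_rating']})")
    print("Remediation plan:", remediation_plan(register))
```

With these constructed scores the phishing threat is the only one whose residual risk stays High, so it is the only item on the remediation plan even though three threats start out Unacceptable.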
Slide 48: Key First Steps
- Ensure your IT governance program covers cyber security threats and operational issues
- Perform a detailed cyber security risk assessment and gap analysis; incorporate into the gap analysis the 206(4)-7 annual review, FINRA 3012/3120 or NFA Rule 2-9
- Design a comprehensive information security policy and relevant supporting standards and procedures: patch management, change management, vendor management, password management, account management, etc.
- When developing policies and procedures, do not over-commit or under-commit
- Develop a security awareness training program; incorporate phishing testing to see who is prone to social engineering
- Create an incident response plan in the event a breach has occurred
- Ensure your BCP/DR plan is comprehensive and well tested to ensure recovery

Slide 49: Key First Steps
- Ensure vendor patches are applied consistently to address security vulnerabilities; both the operating system (Microsoft) and third-party applications (Java, Adobe, etc.) need to be patched
- Ensure anti-virus is installed on all systems (no exceptions) and is active and up to date
- If you allow remote access, consider two-factor authentication
- Perform due diligence on all third parties; formalize the process with questionnaires and require that they have independent third-party audits
- Have mobile device policies and the technical solutions in place to enforce them: minimum password length, idle-period timeout, application installation control, remote wipe, etc.
- Ensure network devices (switches and firewalls) are configured correctly
- Have a reasonable level of monitoring (security and operational)
- Ensure password parameters are strong and consistently enforced across all applications
Slide 50: Questions?
- Tom DeMayo, CISSP, CIPP, CEH, CPT, CHFI, MCSE, Director, IT Audit and Consulting Services, O'Connor Davies, LLP, TDeMayo@odpkf.com
- Tim Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member, Focus 1 Associates LLC, tim@focus1associates.com

Slide 51: Information Technology Consulting Services
We serve a wide range of clients, including investment advisers, investment companies, private equity, hedge and venture capital funds, private foundations, endowments, management companies and family offices. With increasing threats to cyber security and greater mobility of our workforce and customers, we custom-design our engagements to address the control environment; vulnerabilities surrounding the cyber perimeter, remote access, wireless network, physical access, internal network, user account security, online transactions and phishing; and business continuity. O'Connor Davies provides industry experience and expertise in analyzing and testing transaction flows and interfaces. In particular, we evaluate information security risks as they interrelate with and impact areas including operational functions, trading, clearing and settlement.
Flexible in scope and deliverable:
- IT Audit, Consulting and Governance
- IT Policies, Procedures and Manuals: Review and Creation
- Risk Assessments, Gap Analysis and IT Risk Management
- Disaster Recovery and Business Continuity
- Cyber Security Vulnerability Assessments and Penetration Testing
- SOX IT Controls
- Security Awareness Training
- SOC-1 and SSAE 16 (formerly SAS 70) Reports

Slide 52: Contact
- Peter Heuzey, CPA, CIPM, Partner, T:
- Thomas DeMayo, CISSP, MCSE, CEH, CIPP/US, CPT, Director, IT Audit and Consulting
- Eric Gelb, CPA, Director of Business Development, Financial Services
© 2014 Advent Software, Inc. Advent Confidential
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationData breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd
Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures
More informationFACT SHEET: Ransomware and HIPAA
FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000
More informationCYBERSECURITY HOT TOPICS
1 CYBERSECURITY HOT TOPICS Secure Banking Solutions 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance CISSP, CISA, CRISC www.protectmybank.com
More informationCYBER & PRIVACY LIABILITY INSURANCE GUIDE
CYBER & PRIVACY LIABILITY INSURANCE GUIDE 01110000 01110010 011010010111011001100001 01100 01110000 01110010 011010010111011001100001 0110 Author Gamelah Palagonia, Founder CIPM, CIPT, CIPP/US, CIPP/G,
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationCyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist
Cyber- Attacks: The New Frontier for Fraudsters Daniel Wanjohi, Technology Security Specialist What is it All about The Cyber Security Agenda ; Protecting computers, networks, programs and data from unintended
More informationSTATE OF NEW JERSEY Security Controls Assessment Checklist
STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response
More informationTOOLBOX. ABA Financial Privacy
ABA Financial Privacy TOOLBOX This tool will help ensure that privacy remains a core value in all corners of your institution. The success of your privacy program depends upon your board s and your management
More informationZurich Security And Privacy Protection Policy Application
Zurich Security And Privacy Protection Policy Application COVERAGE A. AND COVERAGE F. OF THE POLICY FOR WHICH YOU ARE APPLYING IS WRITTEN ON A CLAIMS FIRST MADE AND REPORTED BASIS. ONLY CLAIMS FIRST MADE
More informationClient Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00
Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,
More informationInformation Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)
Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit
More informationInformation Security Addressing Your Advanced Threats
Information Security Addressing Your Advanced Threats Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More information10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)
1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction
More informationWealthfront Brokerage Corporation
Wealthfront Brokerage Corporation Business Continuity Plan Disclosure Wealthfront Brokerage Corporation ( Wealthfront Brokerage ) has developed a Business Continuity Plan on how we will respond to events
More informationwww.pwc.com Cybersecurity and Privacy Hot Topics 2015
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies
More informationDelaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
More informationClient Update SEC Releases Updated Cybersecurity Examination Guidelines
Client Update September 18, 2015 1 Client Update SEC Releases Updated Cybersecurity Examination Guidelines NEW YORK Jeremy Feigelson jfeigelson@debevoise.com Jim Pastore jjpastore@debevoise.com David Sarratt
More informationBest practices and insight to protect your firm today against tomorrow s cybersecurity breach
Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently
More informationData Breach Lessons Learned. June 11, 2015
Data Breach Lessons Learned June 11, 2015 Introduction John Adams, CISM, CISA, CISSP Associate Director Security & Privacy 410.707.2829 john.adams@protiviti.com Powerful Insights. Proven Delivery. Kevin
More informationSEC Cybersecurity Findings May Establish De Facto Standard
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com SEC Cybersecurity Findings May Establish De Facto
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationMONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationRLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses
RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123 Cybersecurity: A Growing Concern for Small Businesses Copyright Materials This presentation is protected by US and International Copyright
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationA Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014
A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,
More informationTape Vaulting Audit And Encryption Usage Analysis
Tape Vaulting Audit And Encryption Usage Analysis Prepared for Public Presentation (includes SB 1386, Gramm Leach Bliley, and Personal Data Protection and Security Act of 2005 Customer Information Protection
More informationPresentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy
Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes
More informationData Privacy And Cybersecurity For Investment Funds. Gregory J. Nowak Angelo A. Stio III October 28, 2014
Data Privacy And Cybersecurity For Investment Funds Gregory J. Nowak Angelo A. Stio III October 28, 2014 WHY IS DATA PRIVACY AND SECURITY IMPORTANT? 2 Why is it important to protect data? Data privacy
More informationPage 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.
Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00
More informationFACTA Identity Theft Red Flags Program. www.chs.acfei.com
1 FACTA Identity Theft Red Flags Program Module 1 Fair and Accurate Credit Transactions Act Overview Identity thieves use individual s personal identifiable information to open new accounts and misuse
More informationPrivacy Policy & Identity Theft Prevention Program
Privacy Policy & Identity Theft Prevention Program Orcam Financial Group LLC PO Box 91098 4640 Cass St San Diego, CA 92109 (858) 220-5383 Orcam Financial Group LLC Privacy Policy February, 2014 Page 1
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More information10 Smart Ideas for. Keeping Data Safe. From Hackers
0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000
More information