Responses: Only a 0% Only b 100% Both a and b 0% Neither a nor b 0%
|
|
- Ashley Shepherd
- 8 years ago
- Views:
Transcription
1 The Cyber Security Council has requested basic "state of the state" cyber security information from each member firm of the Association. While the information that was requested in the survey questionnaire below relates solely to each respondent s overall approach to information security, it is important because the Association needs to formulate a cyber security profile of the asset management industry in order to help educate regulators. In turn, regulators and possibly the Congress might then be in a better position to help facilitate industry cooperation and information sharing by industry participants - which is deemed by cyber security experts as the key to combating cyber attacks. The cyber security profile of the asset management industry that possibly emerges from this survey and perhaps related analytical work will be subject to review and approval by the participating member firms. Once the Association completes this vetting process, the industry cyber security profile could then be shared with regulators by members and/or the Association. 1. What is the extent of awareness within your organization of the National Institute of Standards and Technology's Cybersecurity Framework (the "NIST Framework")? In any event, has the IST Framework gained sufficient traction within your organization to the point where it has meaningfully changed how your organization manages cyber risks? Very Aware 100% Somewhat Aware 0% Not Aware 0% Other remarks: The NIST framework has impacted how we identify and evaluate cyber risks and the impact they have on our business. 2. Were you familiar with the NIST Framework before the SEC's OCIE pronouncement in April, 2014? If so, how did your organization first learn about the NIST Frameworkwhat was your primary source of information? Yes, familiar 60% Not familiar 40% Other remarks: Aware of the NIST updated framework through Information Security periodicals and industry groups. From internal security professionals who are knowledgeable of best practices in the information security area. We participated in the CSF working groups to create the CSF 3. Is your organization working with any sector-specific groups (e.g. FS-ISAC, FSSCC) or other trade groups to ascertain information about the NIST Framework? Please list any groups.
2 FS-ISAC and FSSCC FS-ISAC, Wall Street Technology Association, etc. FS-ISAC ICI Information Security Committee Institutional Investors Cyber Security Council FSSCC, FS-ISAC, BITS, direct interaction with DOT and DHS 4. Is there general awareness by your colleagues that the NIST Framework: a) is intended as a cyber risk management tool for all levels of an organization in assessing risk and how cyber security factors into risk assessments; and b) builds on existing cyber security frameworks, standards, guidelines, and other management practices related to cyber security? Only a 0% Only b 100% Both a and b 0% Neither a nor b 0% 5. Has your organization adopted a standard or framework other than the NIST Framework for the purpose of guiding your information security program? If so, please indicate whether ISO-27001, COBIT, SANS, COSO or other. ISO2700x No, but these frameworks are the basis for our policies, standards, etc. ISO Our program considers industry practices and proposed standards such as those promoted by NIST, COBIT ISO ISO and COSO 6. Many organizations and most sectors operate globally or rely on the interconnectedness of the global digital infrastructure. If your organization is planning to enhance its cyber security framework, will the asset management business use it internationally or will it be a U.S. only application? US 40% International 40% US & International 20% 7. Has your primary regulatory agency adopted or announced its intention to adopt the NIST Framework? If so, how extensive have your efforts been to enhance your cyber security program in light of regulatory expectations?
3 very extensive /new program being implemented 0% recently redefined new program 20% in process of defining enhancements 80% 8. Is your organization doing any form of outreach or education to clients, vendors or others regarding cyber security risk management? Yes 100% No 0% 9. Please comment on whether clients want to know the most relevant types of cyber attacks likely to apply to your organization. Yes 100% No 0% several hundred clients ask us detialed questions about this topic every year 10. If your firm is on board with the framework, please indicate whether you have undertaken any of the following activities: awareness building with clients; assessment of your existing policies vis-a-vis the NIST Framework; development of a current state ""baseline"" against the likely sub-categories of the Framework; or defined a ""future state"" against the NIST Framework. Yes, on board 60% Not on board 20% Definite program 20% Current state assessed and future state be defined by management The framework was used to review and enhance our policies and processes. 11. Regarding cyber security activities with vendors that are critical to your business, does your approach involve you categorizing these vendors? Examples of such categories could include securities valuation providers, custodians, collateral management agents, SSI data repositories, CCPs, FCMs, clearing agents (including industry utilities & trade information warehouses), etc. Please indicate any other categories that you feel are relevant to the asset management industry.
4 Yes 80% No 20% BITS Shared Assessment We take a risk based approach to inventory and perform due diligence on our vendors and third parties. 12. Also, is it standard procedure to meet with such vendors as part of your cyber security due diligence? Yes 100% No 0% 13. What about actual visits to critical vendors or alternate vendors to gain an understanding of data entry and exit points -- do you conduct such visits consistent with a checklist?briefly state the nature of these visits. Yes 80% No 20% This is for a very small subset of vendors Site visits are conducted periodically based upon risk. A formal checklist is followed on these site visits, where the results and action items are documented as part of our vendor governance processes. To gain a better understanding of our critical vendors' infrastructure and there data management practices to so how they meet regulatory requirements, industry standards and best practices. 14. Would you suggest testing with critical vendors as a due diligence best practice? Yes 60% No 40% 15. Do you inquire of critical vendors whether they also test with their own vendors? Yes 60% No 40%
5 16. Do you participate in any shared assessments programs (such as those provided by a credible consultant) when undertaking vendor due diligence reviews? Yes 40% No 60% 17. Do you utilize independent attestations as part of your review processes? If so, which do you utilize: ISO certification 100% SOC (Service Organization Controls) 2 and/or 3 reports 80% SSAE-16 / SOC 1 reports 100% PCI-DSS 40% Cloud Security Alliance 20% Other (please list below): BITS shared assessments These independent attestations are used in conjunction with our own internally developed questionnaire. 18. Do you re-assess vendors after specific periods of time (annually, bi-annually, etc.)? Please indicate interval, if any: annual Yes, periodically based upon risk Annually yes annual as required by contract 19. What technology tools, if any, do you use as part of your vendor assessment program to keep assessment results, open issue tracking, scheduling and other items? Please specify tools and whether you use a PMO to ensure tracking of all vendors: home grown today, but looking at solutions like Hiperos There is a vendor governance system for the inventory and tracking of vendors. None currently besides excel spreadsheets. N/A internally created risk management software
6 20. Regarding cyber security insurance and the asset management segment of your organization, is your firm looking into obtaining coverage for cyber investigations related to security breach incidents concerning vendor related issues? Yes 60% No 40% 21. Do you feel it is beneficial to raise awareness with senior management or your audit committee concerning the intricacies and nuances of industry-wide cyber security best practices? If yes, briefly state one or two positive takeaways. Please so state they want to know how we benchmark to peers "Yes, it is beneficial. Positive takeaways include: o Senior management is setting a security conscious cultural for the organization and o Are aware of the roles and responsibilities if there is a security incident" "Yes. o Inform senior management of cyber risks that are specific to our Firm and the business impact of these risks. o Obtain authorization and support to implement security best practices." Yes use of the NIST framework, risk based asset protection, 22. Any general observations about cyber security developments currently affecting the asset management industry? An example of a current cyber security development would be the use of external evaluations of policies and procedures that are currently in place. record keeping and data destruction don't have adequate handling in the "best practices" Besides cybersecurity threats as a whole to the industry, the regulatory focus and expectations around cybersecurity will continue to affect asset managers, especially as the regulators begin to test and assess these controls. An increase in the amount of time, effort, and money spent on responding to due diligence and RPF responses pertaining to cyber security. This increase in the type of cyber security-related questions by current and potential customers has changed how our organization investigates and responds to potential security issues even if our Firm is not vulnerable to the risk. Yes
7 the increased focus by regulators in this space is broadening the awareness in the firm and enabling ready adoption of new risk management efforts as we align with the framework. The burden of the increased requests for information in this space is creating a need for standardized question/responses which can be re-used for multiple requestors. 23. How do you manage insider risk? Combined team with HR, Physcial Security, and Info Sec. Looking at technical and human factors "This is a layer approach using the following controls: o Data Loss Prevention (DLP) Monitoring o Least privilege access model o Role based access o Recertification of user access o Filtered internet access o Restrictions on removable storage o surveillance" We limit access to confidential data based on access controls, we have separation of duties for sensitive functions, and some limited DLP capabilities (through our implementation of biometrics). This is an area that we are currently looking to expand. N/A education, monitoring, DLP controls, and analytics 25. Would you consider participating in Association-sponsored tabletop exercises (which would also include certain vendors that are critical to your business) in order to test incident response plans to certain cyber attack scenarios? Yes 80% No 20% NOTE: This survey was conducted in late May & early June, 2015.
Leveraging Regulatory Compliance to Improve Cyber Security
Leveraging Regulatory Compliance to Improve Cyber Security Leveraging Regulatory Compliance to Improve Cyber Security Brian Irish, Cyber Security Assurance Manager Salt River Project LEVERAGING REGULATORY
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationRe: Experience with the Framework for Improving Critical Infrastructure Cybersecurity ( Framework )
10 October 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Experience with the Framework for Improving Critical Infrastructure
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationEnabling Compliance Requirements using ISMS Framework (ISO27001)
Enabling Compliance Requirements using ISMS Framework (ISO27001) Shankar Subramaniyan Manager (GRC) Wipro Consulting Services Shankar.subramaniyan@wipro.com 10/21/09 1 Key Objectives Overview on ISO27001
More informationCybersecurity@RTD Program Overview and 2015 Outlook
Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration
More informationFrequently Asked Questions about the HITRUST Risk Management Framework
Frequently Asked Questions about the HITRUST Risk Management Framework Addressing common questions and misconceptions about the HITRUST CSF, CSF Assurance Program and supporting methods and tools, and
More informationDON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS?
HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS? Gregg Sommer, CAIA Head of Operational Risk Assessments St. Louis MERCER 2015 0 CYBERSECURITY BREACHES
More informationCyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
More informationRisk-Ops at Scale: Framework Operationalization to Address Business Risk
SESSION ID: GRC-T08 Risk-Ops at Scale: Framework Operationalization to Address Business Risk Eddie Block Chief Information Security Officer State of Texas @jurishacker Nancy Rainosek Statewide GRC Program
More informationDON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?
HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS? FREEMAN WOOD HEAD OF MERCER SENTINEL NORTH AMERICA GREGG SOMMER HEAD OF OPERATIONAL RISK ASSESSMENTS MERCER
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationInformation Security, Privacy and Compliance Convergence
Information Security, Privacy and Compliance Convergence Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold & Associates, LLC April 2009 Agenda Information lifecycles Security and privacy challenges
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationCybersecurity: The Legal, Legislative and Regulatory Outlook
Cybersecurity: The Legal, Legislative and Regulatory Outlook Jamie Barnett Rear Admiral USN (Retired) Co-Chair, Telecommunications Partner in Cybersecurity Practice Cybersecurity Impact and Costs Direct
More informationTrends in Information Technology (IT) Auditing
Trends in Information Technology (IT) Auditing Padma Kumar Audit Officer May 21, 2015 Discussion Topics Common and Emerging IT Risks Trends in IT Auditing IT Audit Frameworks & Standards IT Audit Plan
More informationCYBERSECURITY EXAMINATION SWEEP SUMMARY
This Risk Alert provides summary observations from OCIE s examinations of registered broker-dealers and investment advisers, conducted under the Cybersecurity Examination Initiative, announced April 15,
More informationThe NIST Cybersecurity Framework
View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the
More informationSmall Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationNext. CDS 2015 Survey Module 7 Information Security Survey Errata
1 CDS 2015 Survey Survey Errata This module includes questions about the IT security organization, staffing, policies, and practices related to information technology security. This is an optional module.
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationNext. CDS 2015 Survey Module 7 Information Security Survey Errata
CDS 2015 Survey Survey Errata This module includes questions about the IT security organization, staffing, policies, and practices related to information technology security. This is an optional module.
More informationVENDOR MANAGEMENT An Update & Discussion
VENDOR MANAGEMENT An Update & Discussion Ground Rules TO ENCOURAGE FREE DISCUSSION, NO RECORDING DEVICES OF ANY KIND INCLUDING CELL PHONES, CAMERAS, ETC, ARE ALLOWED NO EXCEPTIONS VIOLATORS WILL BE ASKED
More informationNIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationDiane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework
More informationSEC Cybersecurity Findings May Establish De Facto Standard
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com SEC Cybersecurity Findings May Establish De Facto
More information08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview
Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data
More information2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP
2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationClient Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs
1 Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs NEW YORK Byungkwon Lim blim@debevoise.com Gary E. Murphy gemurphy@debevoise.com Michael J. Decker mdecker@debevoise.com
More informationWhitepaper. Security Best Practices for Evaluating Google Apps Marketplace Applications. Introduction. At a Glance
Whitepaper Security Best Practices for Evaluating Google Apps Marketplace Applications At a Glance Intended Audience: Security Officers CIOs of large enterprises evaluating Google Apps Marketplace applications
More informationAssessing the Effectiveness of a Cybersecurity Program
Assessing the Effectiveness of a Cybersecurity Program Lynn D. Shiang Delta Risk LLC, A Chertoff Group Company Objectives Understand control frameworks, assessment structures and scoping of detailed reviews
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationToday s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation
Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Assessing the Financial Services Industry Results from Protiviti s 2014 IT Priorities and
More informationWhat is Management Responsible For?
What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf & Company, P.C Regional
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationBusiness Continuity for Cyber Threat
Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between
More informationDesigning & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)
Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 1 June, 2015 1 About the Class This course covers the essential elements for planning, building
More informationService Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More information9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania
Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of
More informationCybersecurity and the AICPA Cybersecurity Attestation Project
Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force 2 October 2015 Increasing awareness of cybersecurity
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationRisk Management in Practice A Guide for the Electric Sector
Risk Management in Practice A Guide for the Electric Sector Annabelle Lee Senior Technical Executive ICCS European Engagement Summit April 28, 2015 Before we continue let s get over our fears and myths
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationPast vs. Present: Third Party Risk
Past vs. Present: Third Party Risk Kevin O Sullivan and Hicham Chahine 3 rd Party Risk, Crowe Horwath LLP April 30th, 2015 Agenda Drivers pushing Third Party Risk Past vs. Present Events and Trends Vendor
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationCISM ITEM DEVELOPMENT GUIDE
CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationCan Cyber Insurance Be Linked to Assurance?
SESSION ID: CXO-W03 Can Cyber Insurance Be Linked to Assurance? Larry Clinton President and CEO Internet Security Alliance @ISalliance Dan Reddy Adjunct Faculty: Engineering & Technology Quinsigamond Community
More informationSecurity and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients
Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically
More informationHIPAA and HITRUST - FAQ
A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity 18 November 2015 grance@nist.gov cyberframework@nist.gov National Institute of Standards and Technology About NIST NIST s mission is to develop
More informationMU Security & Privacy Risk Assessments: What It Is & How to Approach It
MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Advisor, Health Information Trust Alliance 2011-2014 HITRUST LLC, Frisco,
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationPractical Vendor Management to Minimize Compliance Risks November 12, 2015
Practical Vendor Management to Minimize Compliance Risks November 12, 2015 v 1 Today s Speakers Ray Everett Principal Consultant & Director Product Management TRUSTe Charlie Miller SVP Shared Assessments
More informationCybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015
Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationCybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org
Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not
More informationDeveloping National Frameworks & Engaging the Private Sector
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
More informationCOBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)
COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA
More informationSecure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities
Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Sean Barnum sbarnum@mitre.org September 2011 Overview What is SCAP? Why SCAP?
More informationCyber Security Risks for Banking Institutions.
Cyber Security Risks for Banking Institutions. September 8, 2014 1 Administrative CPE regulations require that online participants take part in online questions Must respond to a minimum of four questions
More informationSURVEY RESULTS CYBER-SECURITY PRACTICES OF MINNESOTA REGISTERD INVESTMENT ADVISERS
SURVEY RESULTS CYBER-SECURITY PRACTICES OF MINNESOTA REGISTERD INVESTMENT ADVISERS Minnesota Department of Commerce July 2014 GENERIC FIRM INFORMATION Has your firm been the subject of a cyber-security
More informationACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector
ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationCloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com
Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com What is Cloud Security The quality or state of being secure to be free from danger & minimize risk To be protected from
More informationDealer Member Cyber-security
Administrative Notice General Please distribute internally to: Legal and Compliance Senior Management Contact: Wendy Rudd Senior Vice President, Member Regulation and Strategic Initiatives 416 646-7216
More informationCIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016
CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 My name is Jacob Olcott and I am pleased to share some observations on
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationCyber-Security. FAS Annual Conference September 12, 2014
Cyber-Security FAS Annual Conference September 12, 2014 Maysar Al-Samadi Vice President, Professional Standards IIROC Cyber-Security IIROC Rule 17.16 BCP The regulatory landscape Canadian Government policy
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationBladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture
BladeLogic Software-as-a- Service (SaaS) Solution Help reduce operating cost, improve security compliance, strengthen cybersecurity posture February 20, 2014 Contents The Configuration Security Compliance
More informationPROPOSED INTERPRETIVE NOTICE
August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC
More informationVISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data
VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data 1 Table of Contents Executive Summary... 3 Template
More informationDUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)
DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) By Amy Terry Sheehan Vendors and other third parties are vital to
More informationPerspectives on Navigating the Challenges of Cybersecurity in Healthcare
Perspectives on Navigating the Challenges of Cybersecurity in Healthcare May 2015 1 Agenda 1. Why the Healthcare Industry Established HITRUST 2. What We Are and What We Do 3. How We Can Help Health Plans
More informationEXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources
EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationCYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES
CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES How can you better prepare and respond to cyber risks? ACE developed Loss Mitigation Services to help policyholders understand and gauge various areas
More informationNothing in this job description restricts management's right to assign or reassign duties and responsibilities to this job at any time.
H23790, page 1 Nothing in this job description restricts management's right to assign or reassign duties and responsibilities to this job at any time. DUTIES This is a non-career term job at the Metropolitan
More informationManaging Liabilities from Cyber Threats Using the SAFETY Act
Managing Liabilities from Cyber Threats Using the SAFETY Act Brian Zimmet Dismas Locaria Jason Wool August 5, 2014 2013 Venable LLP 1 Agenda 1. Introduction 2. The SAFETY Act An Overview 3. Applicability
More informationCyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP
Cyber Security Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program Raj Patel, Partner, Plante & Moran, PLLC
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationTHE BLUENOSE SECURITY FRAMEWORK
THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program
More informationNIST Cybersecurity Framework. ARC World Industry Forum 2014
NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy
More informationCYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS
CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become
More informationCloud Computing An Auditor s Perspective
Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationCASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link
CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com Background CASRO and Standards CASRO takes
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationInformation Governance Roadmap
Information Governance Roadmap Mitigating Privacy Risks, Reducing Costs And Meeting Obligations Speakers Heather Buchta Quarles & Brady Partner Rebecca Perry Jordan Lawrence CIPP/US/G Director of Professional
More informationDEVELOPING A CYBERSECURITY POLICY ARCHITECTURE
TECHNICAL PROPOSAL DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE A White Paper Sandy Bacik, CISSP, CISM, ISSMP, CGEIT July 2011 7/8/2011 II355868IRK ii Study of the Integration Cost of Wind and Solar
More informationCybercrime and Regulatory Priorities for Cybersecurity
NRS Technology and Communication Compliance Forum Cybercrime and Regulatory Priorities for Cybersecurity Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L
More information2 0 1 4 F G F O A A N N U A L C O N F E R E N C E
I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,
More informationwww.pwc.com Cybersecurity and Privacy Hot Topics 2015
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
More information