Getting Executive Buy-in. Tips & Strategies

Similar documents
Course Content Summary ITN 267 Legal Topics in Network Security (3 Credits)

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

Ubiquity of Security Compliance and Content Management

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

HIPAA and Privacy Policy Training

Medical Information Breaches: Are Your Records Safe?

Adding Cloud Solutions to Customer Contracts Robert J. Scott

Cyber Insurance: How to Investigate the Right Coverage for Your Company

Law & Ethics, Policies & Guidelines, and Security Awareness

Information Security Program

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

How to Lead the People in a Program Based Environment

Securing Your Business with Managed File Transfer

AUTOMATED PENETRATION TESTING PRODUCTS

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

How To Buy Cyber Insurance

Harmonizing Your Compliance and Security Objectives. Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology

ipatch System Manager - HIPAA Compliance

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA PHONE:

Security Controls What Works. Southside Virginia Community College: Security Awareness

What Should IS Majors Know About Regulatory Compliance?

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS Data Breach : The Emerging Threat to Healthcare Industry

Securing Critical Information Assets: A Business Case for Managed Security Services

University of Sunderland Business Assurance Information Security Policy

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Network Security & Privacy Landscape

MASSIVE NETWORKS Online Backup Compliance Guidelines Sarbanes-Oxley (SOX) SOX Requirements... 2

AUTOMATED PENETRATION TESTING PRODUCTS

Self-Service SOX Auditing With S3 Control

EMR: Electronic Medical Records Security: International Law Review

Somansa Data Security and Regulatory Compliance for Healthcare

The Onslaught of Cyber Security Threats and What that Means to You

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

Cyber Insurance Presentation

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Recession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change

Our Commitment to Information Security

Data Security Incident Response Plan. [Insert Organization Name]

Law Firm Cyber Security & Compliance Risks

2/3/2016 HIPAA PRIVACY AND SECURITY RISK ASSESSMENTS: WHY ARE THEY IMPORTANT? 2015 THE WORST YEAR FOR BREACHES

INFORMATION TECHNOLOGY POLICY

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

Understanding the Business Risk

INFORMATION SECURITY FOR YOUR AGENCY

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Computer Forensics Preparation

How-To Guide: Cyber Security. Content Provided by

The Role of Password Management in Achieving Compliance

Privacy Legislation and Industry Security Standards

Understanding Data Governance ROI: A Compliance Perspective

Information Resources Security Guidelines

The Right Choice for Call Recording Call Recording and Regulatory Compliance

Achieving Regulatory Compliance through Security Information Management

HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014

Standards of. Conduct. Important Phone Number for Reporting Violations

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

PCI Compliance for Healthcare

Design of Database Security Policy In Enterprise Systems

Willis Healthcare Practice 11 th Annual Forum July 10,2007. Managing and Insuring Risks in Network Privacy/Cyber Risk

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

How a Company s IT Systems Can Be Breached Despite Strict Security Protocols

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Singlefin. protection services. Compliance. Security Solutions for @ By Kevin Beaver

Cloud Computing and the Regulatory Compliance Labyrinth

The Risks of and the Rewards of Innovative Encryption

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Lots of workers, many applications, multiple locations......and you need one smart way to handle access for all of them.

How To Justify A Security Program

Massachusetts Residents

In an age where so many businesses and systems are reliant on computer systems,

Achieving Regulatory Compliance

Cyber Risks and Insurance Solutions Malaysia, November 2013

PREVENTING IDENTITY THEFT AT The University of North Carolina at Greensboro. Presented By Roy Davenport Shred-it North Carolina

AlienVault for Regulatory Compliance

787 Wye Road, Akron, Ohio P F

IT GOVERNANCE GSI 615

Data Loss Prevention and HIPAA. Kit Robinson Director

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA Privacy & Security Rules

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common

Clients Legal Needs in HIPAA Security Compliance

COMPLIANCE ALERT 10-12

Big Data, Big Risk, Big Rewards. Hussein Syed

SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

Information Security Policy

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Clinical Solutions. 2 Hour CEU

Corporate Incident Response. Why You Can t Afford to Ignore It

FACT SHEET: Ransomware and HIPAA

what your business needs to do about the new HIPAA rules

Transcription:

Getting Executive Buy-in Tips & Strategies

Program Management & Planning Overview Why security is important to the organization Why management buy-in is needed Strategies for obtaining executive buy-in Case studies

Reputation Why Security is Important Reputation is about protecting the brand/public perception What is your organization s reputation worth What will happen if there is a negative security event Asset Protection Legal Intellectual property Customer data Employee data There are various compliance laws that will apply in just about every organization Some sectors have more strict laws on privacy and security (Healthcare, Finance, other) Legal requirements as a business driver for security is good way to start

Why Management Buy-in Is Needed Security transcends: Departmental silos Physical, logical, and electronic boundaries IT disciplines: systems, network, applications Information is a valuable corporate asset Protection of information is a management responsibility Corporate Governance/Risk Management Security failures are management failures that have organization-wide impact on operations

Obtaining Management Buy-In 1. Communication is key Speak the language Monetary and business risk vs. technical jargon Fear Uncertainty and Doubt (FUD) does not work Fear is not a justifiable business case facts are Keep your message short Managers can be very busy, keep message succinct Follow up regularly Metrics, charts and figures Pictures sell Soft skills People skills are more important than the hardware and software

Obtaining Management Buy-In 2. Focus on the big picture Tie efforts to corporate goals Core values Corporate mantra Speak to operational abilities By implementing x, we can do y and z Security as a business enabler Show how efforts enhance user experience E.g. Single Sign On Find out the needs of the business and help make that easier Show ROI if possible Be practical Balance protection with value of data Don t spend $100 to protect $10 Make decisions that raise the level of security as the risk is raised

Obtaining Management Buy-In 3. Find your security champion(s) Power in numbers Demonstrate how management increases success through leadership Local office POC/responsible party Similar to company fire marshal 4. On-going learning and adaptation Stick vs carrot approach Stick - fines, reputation, prosecution Carrot - reduce costs, reduce risk, improve manageability, improve public perception Don t be in a hurry Seed the idea today and let it grow Culture change Case studies A wise man learns from the mistakes of others

Case Study: CVS Pharmacy Represented, expressly or by implication, that it implemented reasonable and appropriate measures to protect personal information against unauthorized access July 2006 and continuing into 2007, television stations and other media outlets reported finding personal information in unsecured dumpsters used by CVS pharmacies in at least 15 cities throughout the United States. The personal information found in the dumpsters included information about both CVS s customers and its employees

Case Study: CVS Pharmacy For failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information CVS agreed to: Pay $2.2 million Establish, implement, and maintain a comprehensive information security program Designate a person to be accountable for the information security program Identify material internal and external risks to the security, confidentiality, and integrity of personal information Design and implement reasonable safeguards to control the risks Require service providers by contract to implement and maintain appropriate safeguards Obtain an independent 3 rd party assessment every 2 years for twenty years after service of the order

Case Study: Major City s Municipal Courts On Wednesday, February 4 th 2009 the Virut virus was discovered The virus infected 475 out of 16,000 city computers (<3%) The court system was shut down over the weekend and during the entire week of February 9 th Hearings and jurors during that time had to be re-scheduled Affected city s 311 help line Workers were still receiving phone calls and they had to write down the details manually Impossible to track work orders

Case Study: Major City s Municipal Courts The city tried to get the word out about the closure on Friday and over the weekend, but some didn t hear the news in time there were hundreds of frustrated citizens It took the city more than a week to recover systems and return operations to normal (2/4 2/13) A contractor ($25,000) was also used to help restore systems

Regulatory Requirements Laws Electronic Communications Privacy Act Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Family Educational Rights and Privacy Act (FERPA) Sarbanes-Oxley (SOX) Cyber Crime USA Patriot Act Computer Fraud and Abuse Act States Security Breach Notification Act Economic Espionage Act Digital Millennium Copyright Act

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information