AB 1149 Compliance: Data Security Best Practices



Similar documents
ITAR Compliance Best Practices Guide

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

SecureAge SecureDs Data Breach Prevention Solution

The Cloud App Visibility Blindspot

Protecting personally identifiable information: What data is at risk and what you can do about it

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com

How-To Guide: Cyber Security. Content Provided by

Cyber Threats: Exposures and Breach Costs

How To Protect Yourself From Cyber Threats

Remote Access Securing Your Employees Out of the Office

Data Loss Prevention in the Enterprise

Information Security Addressing Your Advanced Threats

Hard vs. Soft Tokens Making the Right Choice for Security

Reducing Cyber Risk in Your Organization

How to Secure Your Environment

Countering Insider Threats Jeremy Ho

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

The Case for a New Approach to Network Security

Stay ahead of insiderthreats with predictive,intelligent security

WHITE PAPER WHAT HAPPENED?

Don't Be The Next Data Loss Story

Payment Card Industry Data Security Standard

Data Loss Prevention Program

A HELPING HAND TO PROTECT YOUR REPUTATION

Five PCI Security Deficiencies of Restaurants

Data Breach Lessons Learned. June 11, 2015

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Managing the Unpredictable Human Element of Cybersecurity

Security Management. Keeping the IT Security Administrator Busy

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Network Security. Intertech Associates, Inc.

Five PCI Security Deficiencies of Retail Merchants and Restaurants

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Avoiding the Top 5 Vulnerability Management Mistakes

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Are You Ready for PCI 3.1?

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

I ve been breached! Now what?

Security A to Z the most important terms

Incident Response. Six Best Practices for Managing Cyber Breaches.

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Top five strategies for combating modern threats Is anti-virus dead?

Five PCI Security Deficiencies of Restaurants

Data Loss Prevention: Data-at-Rest vs. Data-in-Motion

Prevent Security Breaches by Protecting Information Proactively

Increasing Security Defenses in Cost-Sensitive Healthcare IT Environments

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

IA/CYBERSECURITY IS CRITICAL TO OPERATE IN CYBERSPACE

2014: A Year of Mega Breaches

The Cloud App Visibility Blind Spot

White Paper. Data Security. The Top Threat Facing Enterprises Today

HEALTH CARE AND CYBER SECURITY:

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Intro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

White Paper. Information Security -- Network Assessment

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

How To Secure Your Store Data With Fortinet

Society for Information Management

FERPA: Data & Transport Security Best Practices

RSA Solution Brief RSA. Data Loss. Uncover your risk, establish control. RSA. Key Manager. RSA Solution Brief

Seven Things To Consider When Evaluating Privileged Account Security Solutions

HIPAA Security Balancing Security & Costs

Defensible Strategy To. Cyber Incident Response

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Cisco Security Optimization Service

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

10 Top Tips for Data Protection in the New Workplace

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Fraud Prevention Checklist for Small Businesses

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

CyberArk Privileged Threat Analytics. Solution Brief

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

Critical Controls for Cyber Security.

NATIONAL CYBER SECURITY AWARENESS MONTH

Managing IT Security with Penetration Testing

National Cyber Security Month 2015: Daily Security Awareness Tips

Cybercrime: Protecting Your Digital Assets in Today's Threat Landscape

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

Making Database Security an IT Security Priority

Hands on, field experiences with BYOD. BYOD Seminar

Multi-factor authentication

Why Lawyers? Why Now?

Requirements When Considering a Next- Generation Firewall

2015 VORMETRIC INSIDER THREAT REPORT

10 Smart Ideas for. Keeping Data Safe. From Hackers

Nine Steps to Smart Security for Small Businesses

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

Patient Privacy and Security. Presented by, Jeffery Daigrepont

Nine Network Considerations in the New HIPAA Landscape

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

Cybersecurity: Protecting Your Business. March 11, 2015

RETHINKING CYBER SECURITY Changing the Business Conversation

Data Management Policies. Sage ERP Online

Transcription:

AB 1149 Compliance: Data Security Best Practices 1

Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2

Executive Summary & Overview: AB 1149 is a new California bill which requires notification of data breaches for local and county government agencies. With the goal of Identity Theft prevention, AB 1149 mandates that local and country government agencies notify residents of breaches regarding personal information in a timely manner, without reasonable delay. Personal Data has a largely defined scope, even requiring breach notifications for the leaks of usernames or e-mail addresses (Senate Bill 46 [S.B. 46] clearly defines the scope of personal data in the context of AB 1149) State Government Agencies as well as Commercial Organizations have already been subject to Data Security Compliance measures and Breach Notification Laws in the past. The consequential punishments that come along with non-compliance include: fines, penalties, negative publicity, lost business/revenue, and lawsuits by those affected. With AB 1149, Local and County government agencies will now be held to the same standards. There are several Data Security Best Practices to help guide local agencies towards AB 1149 compliance, which local City and County agencies can evaluate as a fit for their IT security strategy. The following is an outline for an AB 1149 compliant Data Security Strategy. Investing in data security in a timely fashion can go a long way in preventing a data breach and the subsequent negative PR and often times financial burdens that follow. 3

AB 1149 Compliance Data Security Best Practices: What can organizations do to protect data (Minimize Identity Theft) as it relates to AB 1149? We listed a short, summarized list below that can help organizations with AB 1149 compliance through some data security best-practices. It is important to understand that data security is not an end result, but a continuous journey in protecting City and County information assets. We are required to implement solutions, test and validate our security by third parties and constantly fine tune our security posture, while enabling city and county business units to function optimally. Sound more like an art form than a science? It often can be. We ve listed a few best-practices below that can help you get started on your journey: Security Policies & Incident Response Procedures: A specific data security policy is the foundation of an IT security practice and strategy. However, this is not a check box or one time deliverable, but a living, breathing document--as the business environment changes, so do the policies and the strategy. These policies should address physical and network security considerations as well as incident response procedures. The best-intentioned security measures cannot guarantee that we will not be breached. However, in the event of a breach, a good incident response program can be the difference between a quick remediation and a costly data breach. The policies and incident response procedures should be tested and validated annually. Lastly, the policy documents also function as a baseline for employee security awareness training, which is also highly recommended and a critical component to AB 1149 compliance and Identity Theft prevention. Next Generation Firewall: Attackers are getting more and more sophisticated. Several of them are now organized and sponsored by enemy nation states. These enemy states now target local Government agencies as they are aware of budget cuts and IT security limitations on a city or county level. Smart, agile perimeter security is vital for identity theft prevention and AB 1149 compliance and for protection from savvy hackers and ever changing threat vectors. Traditional firewalls are a thing of the past. Perimeter firewalls today have to provide advanced threat defense from malware, viruses, and zero day attacks as well as provide traditional firewall functionality. Some of the new functionality to look for is sandboxing (for Malware protection), IPS/IDS functionality, some SIEM (Security Identity and Event Management) 4

functionality, Application Protection, an easy GUI based management and easy incident response capability. If our security team cannot easily identify, manage and respond to attacks, a highly complex firewall can truly work against us. Look for complexity in functionality, but ease in ongoing management of next generation firewalls. Data Classification: For cities and counties, all data is truly not created equal. We are all concerned about Data theft, be it credit card information, healthcare (ephi) information or private and confidential employee data or possibly some local government- level business secrets. In recent cases, we have heard a lot about corporate espionage and hacking threats from competing nation states. Well, how do we go about protecting our information assets from data thieves? In most cases, a combination of Data Classification, Data Leakage Prevention and Encryption will get you there. Data classification is a pre-requisite to a successful Data Leakage Prevention (DLP) implementation. Before we can protect our data from leaking, we need to classify our own information into some iteration of the below four categories: 1) Public Use, 2) Internal Use Only, 3) Confidential and 4) Top Secret. In order to accomplish this task: A scan of the environment (data discovery) is recommended for identity-type information, key words and phrases and content that the business unit deems potentially confidential and at risk. 5

This information is identified and consolidated initially. It s a lot easier to safeguard assets in a couple of locations, rather than if they were spread out all across the network. Once the data is consolidated, appropriate protection and data security (data at rest encryption for example) measures can be applied to the data or the devices it resides on. From that point on, all the information assets can be tagged appropriately (Example: Public Use, Internal Use Only, Confidential and Top Secret). The organization can then set policies for data in use and data in motion. A Data Leakage Prevention (DLP) solution can then follow the defined policies to protect identity data from leaving the organization or getting into the wrong hands internally as well. In conclusion, for an effective identity theft prevention and data security strategy, we really have to lay the foundation through a data classification exercise, and then follow it up with preventative data security measures like DLP and Encryption. Data Leakage Prevention: There are three employee scenarios that a properly implemented DLP solution can protect you against: The well-meaning insider: This is the accidental leak. The innocent employee who made a mistake. Someone emailing themselves, or taking data home to work on it, mentioning what they do or worked on their social media page, leaving a USB device or smart phone at the coffee shop, etc. Malicious Insider: The employee that didn t get the promotion he/she thought they deserved, or just a trouble maker trying to leak information, or someone working for the competition or a foreign state (in the case of AB 1149 specifically). Malicious Outsider: Competitors, identity thieves, enemy nation states, corporate espionage, hackers, etc fall into this category. 6

Once data is appropriately tagged, we can then have DLP protect it from all three scenarios listed above. Lastly, if sensitive data does need to leave the organization for valid business reasons, it needs to be encrypted. Data Encryption: Encryption policies must be in place to effectively secure all types of identity data including: Data at Rest (Laptops, desktops, USB Devices, Offsite Backup, Databases, etc.) Data in Motion (Emails, File Transfers, Web Traffic, etc.) Data in Use (SharePoint, Private Cloud, File & Application Servers, Database, etc.) 7

Encryption can usually work in conjunction with DLP to provide holistic identity theft data security and policy enforcement. Once we ve determined that AB 1149-regulated data needs to legitimately leave the organization, and we confirm that it is going to the intended recipient, we can enforce encryption of the data, so only the intended recipient can access and read the information. Multi-Factor Authentication: Something you know (password) and something you have (token, soft token, smart phone, etc.). At some point in the near future, all sensitive online accounts or network access accounts will require multi-factor authentication. From our online banking institutions to our applications at work; Multi- factor authentication makes it much harder for identity thieves to access sensitive information. It is possible to steal credentials in the form of static and weak passwords but a random generated token for 2-factor authentication makes hacking just a password useless. These token can now be received via smart phones apps (soft tokens) or text messages, so we no longer need to carry physical tokens with us and risk losing them. 8

Identity & Access Management (IAM): Identity is the Who who needs to have access to this information and from which authorized systems. In the IT world, we refer to this combination of people and systems as your digital identity. Now we know who you are and where you re accessing the information from. Access is the What what information do they need to access. The individual s role, permissions and security restrictions come into play as well. The correct combination of Identity and Access Management can help a great deal with AB 1149 compliance. We can ensure that only the authorized individuals are accessing information that they need to have access to, from pre-authorized systems, and nothing more. IAM paired with multifactor authentication can make it very difficult for a hacker or identity thieves to access AB 1149 governed information solely by compromising an employee s network password. End User Security Awareness Training: You are as secure as your weakest link. And that unfortunately is us people, employees, end users, execs, managers, bosses whatever our role may be in the organization. Invest in end user training, annually if you can, biennially if you have budgetary restrictions. Onsite, live, interactive training is usually the most beneficial. The trainee gets the opportunity to ask questions, delve deeper into a specific topic (AB 1149 in this case) if needed, and it helps with overall attention span. Online trainings are also available for new employees, but not as an alternate to the live ones. A trained employee can help avoid a data breach which can cost a city or county millions in repercussions. End user training is a huge step towards proactive security versus reactive security which again is much more costly. Prevention is truly the best option here, and effective end user training is taking a huge stride in that direction. In conclusion, this is not a guide for 100% AB 1149 compliance. However, the goal is to build a security foundation to protect against AB 1149 violations and identity theft b reaches. The threat landscape changes every second and our goal is to provoke thought and to provide an easy to understand checklist to get us started. If some of the above foundational security elements are not in place, it would make it very difficult for us to prove that we did our due diligence to be AB 1149 compliant or to prevent a data breach from occurring. 9

About Aurora For over 20 years, our experienced team of security experts have been helping our clients conquer the complex challenges of data security. Aurora s Services, Sales and Software teams combine to uniquely position the company as a single source, full service solutions provider to enterprises and government agencies. Aurora is a national 8(a) certified and Disadvantaged /Minority Business Enterprise (DBE/MBE), for information security software, hardware and consulting services. Aurora provides enterprise-class security consulting services at a mid-market price. Our security assessment services are centered on Application Security, Network Security and Endpoint Security. From quick Vulnerability Assessments to deep dive Security Strategy Development, our security professionals include practical recommendations with a holistic approach to information privacy. Aurora specializes in implementing solutions that cover Web Security, Email Security, Application Security and Data Encryption. We protect both the network as well as the Endpoint, providing our customers end-to-end security and easy management. Aurora currently holds 11 state contracts for IT products and services. Aurora is a security cleared entity with a focus on helping our Federal Government in their cyber security initiatives. We are especially proud to have both Civilian and Department of Defense agencies as customers. All our current contracts and certifications can be viewed and downloaded at http://www.aurorait.com/government/ 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information