CYBERCRIME AND INFORMATION GOVERNANCE ARE YOU PREPARED?


Anthony Diana, Reed Smith LLP; Scott Lashway, MassMutual; Stephen Ramey, Navigant Consulting

ARE YOU PREPARED?
» Your security operations center is monitoring your network and identifies anomalies in the company's network traffic.
  A large volume of data is being transferred outside your organization to a foreign IP address.
  Your company does not conduct business in that country.
  The outbound data is being transferred from your Domain Controller.
    A Domain Controller is a governing server typically not used for business productivity; rather, it controls authentication and access for user accounts and machines through a network domain.
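The scenario above, as an added example that is not from the panel's materials: a small detection check over constructed flow records that flags a domain controller sending a large volume of data to a country where the company does no business. Host names, IP addresses, the "XX" country code, the internal network ranges and the byte threshold are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not from the deck):
# (source host, destination IP, destination country code, bytes sent).
# "XX" is a placeholder code for a country the company does no business in.
SAMPLE_FLOWS = [
    ("DC01",  "10.0.0.15",     "US", 1_200_000),    # internal traffic, ignored
    ("DC01",  "203.0.113.7",   "XX", 400_000_000),  # DC -> foreign IP, suspicious
    ("DC01",  "203.0.113.7",   "XX", 350_000_000),  # same destination, adds up
    ("WS042", "198.51.100.20", "US", 50_000_000),   # workstation, approved country
    ("DC02",  "198.51.100.9",  "CA", 5_000_000),    # DC, approved country, small
]

# Assumed environment facts: which hosts are domain controllers, which
# countries the business operates in, and which address ranges are internal.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
BUSINESS_COUNTRIES = {"US", "CA"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(dst_ip):
    """True when the destination sits in one of the assumed internal ranges."""
    addr = ip_address(dst_ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_volume(flows):
    """Sum bytes leaving the network, keyed by (source host, destination country)."""
    totals = defaultdict(int)
    for src, dst_ip, country, nbytes in flows:
        if is_internal(dst_ip):       # internal destination: not an outbound transfer
            continue
        totals[(src, country)] += nbytes
    return dict(totals)


def flag_dc_exfil(flows, threshold_bytes=100_000_000):
    """Alert when a domain controller sends at least threshold_bytes to a
    country outside the business footprint (the deck's scenario)."""
    alerts = []
    for (src, country), total in sorted(outbound_volume(flows).items()):
        if (src in DOMAIN_CONTROLLERS
                and country not in BUSINESS_COUNTRIES
                and total >= threshold_bytes):
            alerts.append({"host": src, "country": country, "bytes": total})
    return alerts


if __name__ == "__main__":
    for a in flag_dc_exfil(SAMPLE_FLOWS):
        print(f"ALERT: {a['host']} sent {a['bytes']:,} bytes to {a['country']}")
```

In practice the country lookup comes from a GeoIP feed and the threshold from a baseline of each server's normal outbound volume; the check here is the aggregation and policy comparison only.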

ARE YOU PREPARED - QUESTIONS
» Questions
  Who should be included in the planning process?
  Do you have a response plan or, at a minimum, someone who can help?
  What types of policies or documentation are in place for your company?
    Sensitive data maps? Crown jewels, regulated information, pre-released earnings reports, etc.
    Infrastructure map?
    Budgeting?
  Are you aware of your data types, and do you understand breach notification laws?

ARE YOU PREPARED - BENEFITS
» Legal has a role to play in planning
» Incident Response Plan and Team
  The team and plan should be viewed as a cost avoidance vehicle
  Organization during chaos
  Predefined call list for event management
    Includes Incident Responders, Forensic Investigators, external counsel, Cyber Insurer, Breach Coach, Law Enforcement Liaison, and Public Relations Liaison
» Data Schema
  Sensitive Data Map
    Identifies, by system, the business function and the data type(s) that should be on the system
  Breach notification laws
    Sensitive data has varying notification requirements
      Personally Identifiable Information: varies by State
      Health information: regulated by HIPAA
      Credit Card information: regulated by its industry

WHEN IS CORPORATE POLICY NOT ENOUGH?
» During the investigation, digital forensic analysis identified that the network breach originated from an employee's computer after a link was clicked from a personal email account.
  After clicking the link, malware was downloaded to the employee's work computer and installed itself through a zero-day exploit.
  Your company has a strict Acceptable Use Policy (AUP) prohibiting the use of personal email on the company network.
  The AUP also prohibits the use of non-approved technologies for transferring files.
  The investigation also identified the following:
    Several employees use sites such as Dropbox or Google Drive to share company information
    Several employee computers stored files with sensitive information outside of the approved database environments for that data

CORPORATE POLICY - QUESTIONS
» Questions:
  As an organization, what have you done to increase awareness about policies?
  Do you have a policy committee that actively reviews and updates policies annually?
  Do you use an anonymous hotline to report non-compliant behavior?
  What is your vendor management policy? Have you audited your vendors?

CORPORATE POLICY - BENEFITS
» End user awareness benefits
  Annual or semi-annual training requirement on policies, requiring the end user to sign off on successful completion
  Enforce a mandatory policy for first- or second-time offenders to take advanced security awareness training
  Learn directly from employees about individuals who bypass security protocols
    Ex. utilizing unencrypted removable media or non-company-approved servers
» Vendor Management benefits
  Establish security controls and protocols for third parties connecting to your systems
  Provide access to only necessary information
  Review or evaluate at least once a year, if not more often
  Include third parties in security awareness training

PERSONAL DEVICES EVOLVED
» Google Glass, drones, iWatch, Fitbit and mobile devices are increasingly popular with many early adopters. They also present complications for current acceptable use policies.
  Potentially provide a new attack vector for nefarious actors to access information about employees and gain access to company networks
  Data privacy considerations for these devices
  Another potential storage device to misplace when storing company data

PERSONAL DEVICES EVOLVED - QUESTIONS
» Questions:
  Are your company's decision makers and legal teams properly educated on the technologies and security risks?
  What are some considerations on expectation of privacy for these devices?
  Should our policy committee meet more frequently than once a year to account for the rapid release of these new devices?
  How can my company prevent [or encourage] the use of these devices within the organization?

PERSONAL DEVICES EVOLVED - BENEFITS
» Encourage thorough and proper planning to minimize rushed fixes
  Impact to business: security vs. reality
  What are the risks?
» Break down the communication walls
  Tech talk and legalese can be difficult to understand
  Educate lawyers, senior management and executive boards about security systems
» Emerging technologies
  Stimulate creativity through new applications
  Minimize the number of devices one employee needs to carry
  Increase productivity with constantly connected employees
  In some instances, they can reduce operating costs
    Ex. Amazon researching deliveries with drones

QUESTIONS?

APPENDIX: Additional Material

FRAMEWORKS
» National Institute of Standards and Technology (NIST)
  Agency of the US Department of Commerce
  Mission: Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life
  Special Publications: http://csrc.nist.gov/publications/pubssps.html
» International Organization for Standardization (ISO)
  Independent, non-governmental membership organization
  World's largest developer of International Standards
  http://www.iso.org/iso/home/about.htm

READING MATERIALS
» Regulatory Mandates in the USA
  Gramm-Leach-Bliley Act: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
  Health Insurance Portability and Accountability Act (HIPAA / HITECH): http://www.hhs.gov/ocr/privacy/
  Sarbanes-Oxley Act of 2002: http://www.soxlaw.com/
  Individual State breach requirements: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breachnotification-laws.aspx
  PCI DSS: https://www.pcisecuritystandards.org/security_standards/
» Blue Team Handbook: Incident Response Edition, Don Murdoch, 2014
» IC3 Public Service Announcement on security concerns with connected devices
  Ex. smart TVs, smart thermostats, fitness devices, etc.
  http://www.ic3.gov/media/2015/150910.aspx

EXECUTIVE ORDERS
» Cybersecurity Sanctions (2015)
» Private Sector Cybersecurity Information Sharing (2015)
» Improving the Security of Consumer Financial Transactions (2014)
» Improving Critical Infrastructure Cybersecurity (2013)
  Cybersecurity Framework
  Information sharing
  Identification of critical infrastructure for which a cybersecurity attack could have catastrophic effects
  Agencies to determine whether existing regulations are sufficient and take regulatory action to address deficiencies
  Use of the federal procurement process to encourage contractors to enhance information security practices

END