Developing National Frameworks & Engaging the Private Sector


www.pwc.com
Developing National Frameworks & Engaging the Private Sector
Focus on Information/Cyber Security Risk Management
American Red Cross Disaster Preparedness Summit, Chicago, IL, September 19, 2012
Dan Fitzgerald

Agenda
Section 1. Introduction: The Business View of Information Security Risk
Section 2. Innovation & Emerging Security Risks
Section 3. Discussion/Wrap-Up

1. Introduction: The Business View of Information Security Risk

CEOs/Boards are no longer ignoring cyber security

Security Hot Topics: Balancing Business Enablers vs Business Risks
- Privacy: Organizations looking to improve privacy management in the event of a breach have to continually plan and prepare.
- Social Media: Social media can make or break a brand, and the fine line between the two must be managed.
- Regulatory: Organizations in all industries are under increased scrutiny by regulatory governance bodies.
- Mobile & Emerging Tech: Cloud computing, mobile platforms and accelerated product life cycles are just the latest contributors to enterprise risk.
- Data Loss Prevention: A company's reputation is paramount, and the risk of loss of sensitive customer data threatens this fragile asset.
- Threat & Vulnerability Management: A major bank's share price dropped three percent after WikiLeaks threatened to take down a major American bank and reveal an ecosystem of corruption using documents from an executive's hard drive.
- 3rd Parties: While risks associated with third parties continue to increase, many companies are less prepared to defend their data.
- Cyber Crisis Management: The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies need to remain prepared for such cyber crises.

The opportunities and risks of the cyber world

Key Management Stakeholders (CEO, CIO, Internal Audit, CFO, CTO, Compliance, Legal) have influence and risks in the following functional areas.

(Diagram: "C Suite Focus Areas" around the theme "Secure information is power". Functional areas shown: Business Continuity Management; Incident Response & Forensics; Security Strategy; Enterprisewide IT Risk & Security Assessment; Threat & Vulnerability Management; Security Governance & Control; Architecture, Network, Security & Identity; Crisis response. Stakeholder labels shown next to these areas: CIO, CTO, CISO; CFO, CTO, CIO; General Auditor.)

- Building In Resilience: Business continuity management; Disaster recovery; Crisis management
- Managing Incidents: Incident response review; Corporate and regulatory investigations; Forensic investigation and readiness
- Setting Direction: Security strategy development; Organizational design; Management reporting
- Managing Exposure: Penetration testing; Vulnerability scanning and remediation; Continuous and global threat monitoring
- Creating a Sound Framework of Control: Risk, policy and privacy review; Regulatory compliance assessment; Data loss prevention; Awareness programs; Third party vendors
- Building Secure Systems and Infrastructure: Security architecture; Network security; Cloud computing security; Mobile computing; Identity and access management solutions

CEOs/Boards are no longer ignoring cyber security

Cyber Security is an enterprise-wide issue. Specific types of Cyber Security risks organizations are facing include:
- Increase in privacy and security regulatory mandates in recent years, as well as expected changes in upcoming years.
- Boards are no longer willing to accept the risk that technology can pose to the business.
- Growing demand by business leaders to understand how security integrates with privacy (what data is sensitive to the business) and security (how they protect the data deemed sensitive).
- Increase in threats and vulnerabilities to sensitive data and corporate assets.
- Businesses continue to struggle to maintain accountability to their stakeholders and establish effective strategies and standards for security risk management and privacy control activities.

Risks to Consider (risk factors: Financial, Reputational, Legal, Regulatory)

Financial Risks. Companies face several financial risks associated with a breach:
- Federal/state regulatory fines
- Stock price decline
- Incident response efforts
- Remediation efforts

Legal Risks. Companies are experiencing increasing lawsuits from:
- Regulators
- Employees
- Customers
- Investors

Risks to Consider (continued)

Regulatory Risks. Enforcement actions from federal and state agencies such as:
- Federal Trade Commission (FTC)
- Health and Human Services - Office of Civil Rights (HHS-OCR)
- State Attorneys General
Regulatory inquiries may require long-term third party remediation in order to verify regulatory compliance.

Reputational Risks
- Negative impact to the brand
- Loss of employee/customer/investor confidence

Risks are more risky: risk profiles are changing
- Complexity: Linkages between global trade, financial markets and supply chains
- Unpredictability: Privacy breaches, environmental factors, financial uncertainty
- Variety: Global diversification, culture challenges
- Speed: Social media, reputation

"Perhaps we feel risk is growing simply because we know more." - Stakeholder respondent
Source: 2012 State of the Internal Audit Profession Study

2. Innovation & Emerging Security Risks

Mobile devices and social media: New rules and new risks

Organizations are beginning to implement strategies to keep pace with employee adoption of mobile devices and social networking, as well as use of personal technology within the enterprise. Yet much remains to be done: less than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce.

(Chart, Question 17: What process information security safeguards does your organization currently have in place? Not all factors shown; total does not add up to 100%.)
- Have a security strategy for employee use of personal devices: 43%
- Have a security strategy for mobile devices: 37%
- Have a security strategy for social media: 32%

Advanced Persistent Threat is a dangerous and increasingly common threat. Yet few organizations are prepared to combat it.

This year, significant percentages of respondents from various industries agree that APT drives their organization's security spending, yet only 16% say their company has a security policy that addresses APT. Worse, implementation of certain tools and processes crucial to combatting this new threat has slowed over the past year.

(Chart: safeguards in place, 2010 vs 2011, values read in bar order)
Safeguard                                             2010   2011
Network access control software                       53%    47%
Identity management technology                        45%    41%
Employee security awareness training program          49%    48%
Centralized security information management process   43%    43%
Penetration tests                                     38%    38%

Question 28: Which of the following elements, if any, are included in your organization's security policy? Question 17: What process information technology security safeguards does your organization currently have in place? Question 18: What technology information security safeguards does your organization currently have in place? (Not all factors shown. Totals do not add up to 100%.)

Advanced Persistent Threat (APT) Attack Sequence
1. Target a specific organization or entire industry
2. Spam email address space and/or spear phish
3. Exploit a discovered vulnerability
4. Install custom developed malware: sniffers, beacons, backdoors, password crackers, counter-forensic file deletion
5. Enumerate network nodes, identify target systems & information
6. Obtain Domain Admin credentials
7. Use services available within the environment to move laterally
8. Collect data, exfiltrate, securely delete files
9. Persistence: maintain remote access via beacon malware

Managing security risks associated with customers, partners, and suppliers is becoming an increasingly serious issue.

Customers and insiders like partners and suppliers traditionally have not been considered likely suspects in data breaches. That's changing fast. Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled.

(Chart, Question 22: Estimated likely source of incident, 2009-2011, for "Customer" and "Partner or supplier"; values shown range from 8% to 17%. Not all factors shown; totals do not add up to 100%.)

Some additional data points on third parties and security
- 39% have established security baselines for partners/customers/vendors. Taking this one step further, only 23.6% of respondents stated they have security procedures partners/suppliers must comply with.
- 69% of respondents said they were somewhat to very confident when asked how confident they are in partners'/suppliers' information security.
- 35% of the time, respondents state their organizations were informed of security breaches by customers or suppliers, government officials, the media or the perpetrator.

What is the greatest security risk to your outsourced strategy?
- Uncertain ability to enforce provider site security policies: 31.8%
- Questionable privileged access control at provider site: 14.7%
- Proximity of your data to someone else's: 11.0%
- Uncertain ability to recover data: 19.0%
- Uncertain continued existence of provider: 3.7%
- Uncertain provider regulatory compliance: 3.5%
- Uncertain ability to audit provider: 2.8%
- Access across an untrusted network: 4.1%

Common Frameworks/Assessment Tools & Certifications
- Customized questionnaire developed internally
- Customized questionnaire developed by third parties
- GRC tool assessment packages
- Assessment framework developed by members. Based on ISO 27000, incorporates privacy principles and is easily customized.
- Agreed Upon Procedures (AUP) assessments may also be performed on service providers and result in a formal report. AUPs are typically done by third parties.
- Report of Compliance (ROC) issued by a QSA firm. Self-assessment questionnaires (SAQ) may be used directly or incorporated into a custom questionnaire. Prioritized Approach documents are also helpful.
- Common Security Framework (CSF) aggregates a set of security principles to assess and certify compliance.
- ISO 27000 series of standards incorporates information security and risk principles. ISO 27002 provides a framework for assessing 13 key security domains. ISO 27001 certification certifies an entity's security management posture.
- Generally Accepted Privacy Principles (GAPP): a set of best practices created by the AICPA.
- Safe Harbor: certifies compliance with EU Directive 95/46/EC (privacy).

The implication for your business

What does this mean for you? How can you use this information to improve your security, protect your assets and operations, and improve your business?
- Use this information to define a vision for your information security program. Ask us for more information on this bracket of leaders in areas critical to your business.
- Then define and refine your information security strategy. At minimum, focus acutely on (1) leadership, (2) strategy, including business alignment, (3) testing and monitoring, and (4) sensitive data.

3. Discussion Topics/ Wrap-Up

Questions for discussion: Security Risk/Threat & Vulnerability Management
1. How does your organization align its security posture to support its business goals?
2. How do you assess the company's security posture and gain comfort around security management as a whole?
3. How does your organization manage information security risk? Do you use a formal methodology?
4. How do you ensure your enterprise isn't currently being exploited or breached?
5. Are you ever truly prepared to respond to a serious cyber incident?

Questions for discussion: Data Protection & Third Party Security Risk Management
1. What is most important to your organization? a) Confidentiality of data b) Integrity of data c) Availability of data
2. How do you get your arms around where data is, how data flows, and who has access to data within your organization?
3. What works well or not well about how your organization protects its data?
4. How are you protecting sensitive data at third parties?

Thank You!

Dan Fitzgerald, CISSP
Daniel.w.fitzgerald@us.pwc.com
312-298-6063
Director, IT Security & Risk Assurance Practice
13+ years of information security experience; CISSP and a former QSA

Dan Fitzgerald is a Director in the IT Risk & Security Assurance practice and is based in Chicago. Dan has more than 13 years of experience in information security and IT governance, risk and compliance. He has developed strategic security and compliance approaches and led delivery of large security programs for numerous multinational businesses. He has experience with control frameworks including PCI DSS, ISO 27002, FISMA/NIST and COBIT. Dan has developed and implemented technical and procedural solutions enabling customers to achieve and sustain compliance efficiently across differing standards. He has a background in network and infrastructure security and is skilled in emerging technologies such as encryption, tokenization and virtualization. Dan has experience in industry verticals including retail, the energy sector, technology and public service and has worked overseas on several engagements. He focuses on providing strategic security solutions that align to business outcomes.