Leveraging Regulatory Compliance to Improve Cyber Security



Brian Irish, Cyber Security Assurance Manager, Salt River Project

Today's Topics: Regulatory Compliance to Improve Security; Cyber Security Trends and Security Practices Within the Supply Chain; Questions Utilities Should Be Asking (and Suppliers Ready to Answer)

Safety Minute

Security Minute: Two-factor Authentication / Two-step Verification

Today's Topics: Regulatory Compliance to Improve Security; Cyber Security Trends and Security Practices Within the Supply Chain; Questions Utilities Should Be Asking (and Suppliers Ready to Answer)

SRP at the Super Bowl

History

Power Delivery

Cyber Security Services: 7 years ago we didn't exist; things change fast. Reduce cyber risk to SRP. Everyone plays a role in protecting SRP.

Compliance as a Starting Point (Security vs. Compliance): "And, when it comes to protecting themselves from the threats, respondents unanimously agreed that being in compliance with NERC regulations does not guarantee security."

The Opportunity to Advance Security $

What's Our Recipe? Body of Knowledge + Culture of Security

Policy & Standards; Awareness and Training; Patch Management; Quarterly Access Reviews; Logging and Alerting

Compliance Culture of Security

Would we have done this without regulation?

Today's Topics: Regulatory Compliance to Improve Security; Cyber Security Trends and Security Practices Within the Supply Chain; Questions Utilities Should Be Asking (and Suppliers Ready to Answer)

Cyber Security Trends: Cyber Events; Board of Directors; Framework Movement; Cyber Insurance; Evolving Solutions; The Answer

2015 US Cyber Events (Jan - April 2015): Anthem Insurance cyber attack / data breach; GHOST glibc vulnerability; Superfish VisualDiscovery on Lenovo laptops causing spoofed HTTPS traffic; AT&T data breach; FREAK TLS/SSL vulnerability; Insider threat; White House hacked by Russians

Board: Awareness, Questions, Visibility, Activity

Security Frameworks: NIST Cybersecurity Framework; ES-C2M2; NIST 800-53; NIST 800-82; SANS 20 (Critical Security Controls); ISO 27001

Cyber Insurance: Coverage, Deductible, Exclusions

Evolving Solution: Security takes more than a tool

The Answer: Everyone has the answer. Does it include a guarantee?

The Balance: Risk Acceptance vs. Business Impact

Contract Language, Information Management and Protection Clause: Ownership; Encryption; Destruction; Portability; Retention; Breach notification

Contract Language, Audit Clause: Annual independent review; Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization; Service Organization Control (SOC) framework; SOC 2 Readiness Assessment; Application reviews

Assessments: Determine cyber security involvement early in the process. Security Assessments cover: Access controls; Identification and authorization; Configuration management; System monitoring and response; Physical protections

Assessments (cont.): Research solution for background information; Send/receive vendor questionnaire; Identify control gaps and recommendations; Create a report with assessment and summary; Meet with clients to review the report; Work with client to help implement security recommendations

Today's Topics: Regulatory Compliance to Improve Security; Cyber Security Trends and Security Practices Within the Supply Chain; Questions Utilities Should Be Asking (and Suppliers Ready to Answer)

Ask Questions. Cyber security is no longer: behind the curtain; too scary, so don't talk about it; only understood by a few; someone else's responsibility.

Utility / Supplier Questions (1): Do you run full background checks on candidate employees during the hiring process, and on your employees at regular intervals afterwards? Is the passing of a background check a condition of employment?

Utility / Supplier Questions (2): Please describe your Access Control processes: Provisioning/Deprovisioning, Approval for Access, Recertification of Access (on a defined time interval), Role-Based Access, and Privileged Access.

Utility / Supplier Questions (3): Do you have Security Policies and Standards in place? How are they communicated to employees?

Utility / Supplier Questions (4): Do you have an Incident Response process that defines how you Detect, Identify, Categorize, Contain, Eradicate, and Recover from an Incident? This should include how Communications are handled to affected customers/partners.

Utility / Supplier Questions (5): Do you perform Independent 3rd Party Audits against your Data Center, Applications, or Processes (e.g. SOC 2, Pen Tests, Vulnerability Scans, etc.) on a regular basis? Please be prepared to provide those reports on request.

In Summary: Compliance ≠ Security; Understand the business; Share information; Understand the risk and reduce it; Figure out what YOU can do

Let's talk about it. Questions?