2014 NACo National Cyber Symposium April 10, 2014



Similar documents
National Cyber Security Awareness Month. Week Two: Creating a Culture of Cybersecurity at Work

Threats to Local Governments and What You Can Do to Mitigate the Risks

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Brief. The BakerHostetler Data Security Incident Response Report 2015

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Top Ten Technology Risks Facing Colleges and Universities

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Current Developments Concerning Cybersecurity. ICI General Membership Meeting Legal Forum Jillian Bosmann and Nancy O Hara Thursday, May 19, 2016

Cyber Insurance: How to Investigate the Right Coverage for Your Company

Report on CAP Cybersecurity November 5, 2015

The Legal Pitfalls of Failing to Develop Secure Cloud Services

Cybersecurity Workshop

Cyber Risks in the Boardroom

OCIE Technology Controls Program

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Get the most out of Public Sector Cyber Security Associations & Collaboration

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Big Data, Big Risk, Big Rewards. Hussein Syed

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Kristin Judge Executive Director Trusted Purchasing Alliance Center for Internet Security

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer?

The Protection Mission a constant endeavor

Utica College. Information Security Plan

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

How To Buy Cyber Insurance

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Impact of Data Breaches

State Governments at Risk: The Data Breach Reality

How To Manage Risk On A Scada System

OCIE CYBERSECURITY INITIATIVE

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS Data Breach : The Emerging Threat to Healthcare Industry

Nationwide Cyber Security Survey

New York State Department of Financial Services. Report on Cyber Security in the Banking Sector

What is Management Responsible For?

Best Practices in Incident Response. SF ISACA April 1 st Kieran Norton, Senior Manager Deloitte & Touch LLP

ACE Advantage PRIVACY & NETWORK SECURITY

Healthcare and IT Working Together KY HFMA Spring Institute

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Logging In: Auditing Cybersecurity in an Unsecure World

Cyber Risks and Insurance Solutions Malaysia, November 2013

Mitigating and managing cyber risk: ten issues to consider

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider

Attachment A. Identification of Risks/Cybersecurity Governance

HIPAA Compliance Evaluation Report

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

CYBER SECURITY A L E G A L P E R S P E C T I V E

AHLA. N. HIPAA Security Breaches: What Should We Be Doing to Keep Us Out of the Headlines? Diane E. Felix Armstrong Teasdale LLP Saint Louis, MO

Cybersecurity: What CFO s Need to Know

The potential legal consequences of a personal data breach

Cybersecurity Awareness. Part 1

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

Cybersecurity. Are you prepared?

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

Top Five Things You Need to Know About Cybersecurity. Larry Mattox, VC3 Session #7

How To Protect Yourself From Cyber Threats

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

UF IT Risk Assessment Standard

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Session 1B DON T LET THEM EAT YOUR LUNCH The Prevention Method for Cyber Risk!

Cyber Security. John Leek Chief Strategist

Aftermath of a Data Breach Study

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Department of Homeland Security

Beazley presentation master

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

Legislative Language

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Information Security

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Bridging the HIPAA/HITECH Compliance Gap

New Privacy Laws Impacting the Health Care Work Place

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

what your business needs to do about the new HIPAA rules

Anatomy of a Privacy and Data Breach

The Data Breach: How to stay defensible before, during and after the incident. Alex Ricardo, CIPP/US Breach Response Services

Data Breach Lessons Learned. June 11, 2015

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Business Associates and HIPAA

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

ALM Virtual Corporate Counsel Managing Cybersecurity Risks and Mitigating Data Breach Damage

CYBER SECURITY GUIDANCE

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

CYBER SECURITY SPECIALREPORT

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Cyber Liability Insurance: It May Surprise You

Network & Information Security Policy

Enterprise PrivaProtector 9.0

Transcription:

2014 NACo National Cyber Symposium April 10, 2014

Chief Information Security and Privacy Officer King County Washington Governance Board President Holistic Information Security Practitioner Institute (HISPI) Member ITT Technical Institute Seattle, Program Advisory Council Member MS-ISAC Trusted Purchasing Alliance Product Review Board Member MS-ISAC Education and Awareness Committee Member National Association of Counties (Naco) Cyber-Security Task Force

A loss of confidentiality results in the unauthorized disclosure of information CONFIDENTIALITY, AVAILABILITY, INTEGRITY A loss of availability results in disruption of access to or use of information or an information system Confidentiality A loss of integrity results in the unauthorized modification or destruction of information Availability Integrity

All Sectors Breaches 4,239 Records 864,108,052 Government Breaches 678 (15.9%) Records 148,366,723 (17.2%)

Officer Greensfelder, Hemker & Gale P.C.

Examples of Personally Identifiable Information Maintained by County Governments: Tax Records Payroll, Benefit and Retirement information of Public Employees Information about public school students Court Records Criminal Records Information relating to medical programs Information relating to social services

With the popularity of social media; conducting business on personal devices; and outsourcing certain business functions to third parties, data breaches are becoming more prevalent.

Political Fallout Damage to reputation Compliance obligations Federal investigations Investigations by State Attorney General Possible Civil litigation

Negligence Malicious or criminal attacks (hacking or theft of electronic devices) Employee/Contractor malfeasance

County governments and county officials are not exempted from compliance with applicable laws aimed at protecting personally identifiable information and may be subject to penalties and fines. Depending upon the laws of the particular State, sovereign immunity may protect county governments and county officials from tort liabilities arising out of failing to comply with applicable laws aimed at protecting personally identifiable information.

Skagit County, WA Los Angeles County, CA Monterey County, CA Erie County, NY Harris County, TX

Notify those within the organization of the incident who need to know Assemble a response team of both internal stakeholders and external experts Carefully investigate and keep language of the investigation in language that is easy to understand Determine whether the incident constitutes a reportable breach: Federal laws and 46 different state laws Contain the breach and mitigate the harm, to the extent possible Notify persons impacted Respond to inquiries Improve processes

Create a Preparedness Plan, now: Identify persons within your organization who are/will be responsible for data management. Identify compliance requirements according to applicable laws. Identify the types of data your organization collects/ processes/ develops. Create a risk assessment plan and mitigation plan. Develop policies and educate all staff. Have a reporting mechanism that is well publicized and encouraged. Review vendor contracts.

Contact Information Lucie F. Huger 314/345-4725 E-mail: lfh@greensfelder.com

Director of Government Affairs Multi-State Information Sharing and Analysis Center Center for Internet Security CEO: Will Pelgrin

Secure Coding Patch Management Phishing Lack of coordination between operational technology (OT) and informational technology (IT)

Leadership Governance Responsibility (Assign) Compliance (Measure)

Harden systems Keep your systems patched Update cyber security policies Monitor compliance with the policies Regularly scan systems Backup your systems on a regular basis and store off site Encrypt your mobile devices Train your users

Resources Daily tips Monthly newsletters Webcasts Guides Nationwide Cyber Security Review (NCSR) 24x7 Managed/Monitored Security Services Vulnerability Assessments Penetration Testing www.cisecurity.org

Contact Information Andrew.Dolan@cisecurity.org or info@msisac.org www.cisecurity.org 518-880-0699

Managing Partner The Khanna Group, LLC Transformation by Design Gopal Khanna 2014. All rights reserved.

TRANSFORMATION DESIGN Action to Direction Implementation to Execution Destruction to Construction Gopal Khanna 2014. All rights reserved.

PARADIGM SHIFT Board of Directors vs. Elected Officials Executive Team vs. Administrators/Managers Subject Matter Experts vs. Staff/Employees Gopal Khanna 2014. All rights reserved.

Demand (for services) DEMAND FOR SERVICES AS NEW THREATS EMERGE SMEs Relevance of Operational Model Funding 24/7 Services Demand for Security Emerging Threats (severity) Gopal Khanna 2014. All rights reserved.

People Programs Government WORKS Gopal Khanna 2014. All rights reserved.

CYBER SECURITY PROTECTING DATA Facts Predictiv e Open Analysis DATA Fluid Knowledgeab le Informationa l

Top-down BRIDGING ELECTED OFFICIAL CIO DISCONNECT Elected Officials Management Staff Bottom-up CIOs/CISOs Gopal Khanna 2014. All rights reserved.

TRANSFORMATION DESIGN Action to Direction Implementation to Execution Destruction to Construction Gopal Khanna 2014. All rights reserved.

ACTION DIRECTION Allow fiscal flexibility Bi-partisan agreement Clear mission Devoid of big P and small p Long term security Partner with Unions Operational re-design Institutionalize support Eliminate fear of failure Staffing flexibility Security part of job description Secure public Data and information Gopal Khanna 2014. All rights reserved.

IMPLEMENTATION EXECUTION Empower SMEs by : Tolerating risk, allow pivoting Encouraging curiosity, providing incentives Bottom-up change, let SMEs redesign processes Accept recommendation from SMEs Avoid Analysis Paralysis Providing direction, clarity of objective 80/20 rule Gopal Khanna 2014. All rights reserved.

DESTRUCTION CONSTRUCTION Enterprise view Horizontal approach Destroy silos Start small-build scale Give up the old, create the new Leave legacy Distribute knowledge Give up control Collaborate Reporting Accept opinion Re-design vs. incremental Re-purpose resources Comprehensive sharing Gopal Khanna 2014. All rights reserved.

Contact Information Gopal Khanna gopal.khanna@gmail.com 952-484-5123 Transformation by Design Gopal Khanna

Ralph Johnson, CISSP, HISP, CISM, CIPP/US ralph.johnson@kingcounty.gov (206) 263-7891 Lucie F. Huger, Esquire (314) 345-4725 lfh@greensfelder.com Andrew Dolan andrew.dolan@cisecurity.org (518) 880-0699 Gopal Khanna gopal.khanna@gmail.com 952-484-5123

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information