INFORMATION SECURITY FOR YOUR AGENCY


INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC

CONTACT INFORMATION
Dr. Kevin Streff
Professor at Dakota State University
Director, National Center for the Protection of the Financial Infrastructure
Managing Partner at SBS
kevin@protectmybank.com

Chad Knutson
Senior Information Security Consultant
CISSP, CISA, CRISC
Phone: 605-480-3366
chad@protectmybank.com

DAKOTA STATE NATIONALLY RECOGNIZED
- National Security Agency
- Department of Homeland Security
- 4,000 universities in the country
- Only 100 named national centers in the past 10 years

DAKOTA STATE UNIVERSITY SUMMARY
Dakota State University is the only national center of excellence focused on the security of banks.
www.dsu.edu

SECURE BANKING SOLUTIONS
Information Security services:
- IT Risk Assessment
- Policy Development
- IT Audit
- Vulnerability Assessments
- Penetration Testing
- Social Engineering
Financial Institutions (Community Banks & Credit Unions): www.protectmybank.com
Healthcare: www.protectmyphi.com

AGENDA
- What information security laws and regulations apply to me?
- What security threats exist in today's world that I should be concerned about?
- How can I protect my business?
- What should I do next to improve security?

CYBERCRIME: WHO IS THE TARGET?
- "Cybercrime will eclipse terrorism" - FBI Director
- Around 85% of cyber attacks are now targeting small businesses - White House
- 70% of small businesses lack basic security controls
- Who has the data that cybercriminals want?
- Who are the least expecting targets?
- Where might information security be the weakest?
- Where could a cybercriminal break in where they are the least likely to get caught?

HACKING MADE EASY
- Default Passwords: http://cirt.net/passwords
- Hacking Tools: http://sectools.org/
- Caller ID Spoofing: http://www.telespoof.com/freecall/agi
- Social Engineer Toolkit: http://www.socialengineer.org/framework/computer_based_social_engineering_tools:_social_engineer_toolkit_(set)

INDUSTRY RISK ASSESSMENT (chart)
Axes: Size/Location (Large/Metro vs. Small/Rural) against Sensitive Data (Business, Health, Financial). Plotted from High Risk to Low Risk: Insurance Agent, Community Bank, Community Hospital, Commercial Business.

GRAMM-LEACH-BLILEY ACT (GLBA)
"develop, implement, and maintain a comprehensive written Information Security Program containing administrative, technical, and physical safeguards that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue."
- The Safeguards Rule implements section 501(b) of GLBA (effective July 1, 2001).
- The law covers banks, savings and loans, credit unions, insurance companies and securities firms.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.

OTHER STATE & FEDERAL LAWS
- Identity Theft Red Flags Rule
- Fair Credit Reporting Act
- Fair & Accurate Credit Transactions (FACT) Act
- State Data Breach Notification Laws
- Massachusetts Privacy Law
- Payment Card Industry (PCI)

PERSONALLY IDENTIFIABLE INFORMATION
"Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc." (NIST 800-122 and Westport Personal Data)
"First name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit" (Mass Privacy Law)

SECURITY PROCESS (cycle diagram): Plan, Test, Do

INFORMATION SECURITY PROGRAM
- Administrative
- Physical
- Technical

INFORMATION SECURITY PROGRAM
Administrative:
- Documented Security Program
- Security Awareness Training
- Social Engineering Testing
Physical:
- Data Backup
- Mobile Devices
- Physical Security
- Security Cameras
- Motion Sensors
- Receptionist
- Secure Areas
- Locked Doors
Technical:
- Malware Protection
- Hardware Firewall
- Software Firewall
- Software Patching
- Wireless Security
- Unique User Accounts
- Limited User Permissions
- Data Encryption

ISP BLUEPRINT
Around the agency, the blueprint places:
- Risk Assessment
- Incident Response
- Penetration Test
- Business Continuity
- Vulnerability Assessment
- Security Awareness
- Social Engineering
- IT Audit
- Policy & Procedures

ISP BLUEPRINT (scheduled)
The same activities laid out across the year, distributed over the four quarters (Q1 through Q4).

SMALL BUSINESS INFORMATION SECURITY: THE FUNDAMENTALS
- October 2009: NIST 7621 was released.
- Assists small business management in understanding how to provide basic security for their information, systems, and networks.
- Provides commercially reasonable security measures which will reduce the likelihood of a security incident.
- Three basic areas which may reduce likelihood:
  - Absolutely Necessary (today's focus)
  - Highly Recommended
  - Other Considerations
- http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

1) MALWARE - VIRUSES, TROJANS, SPYWARE
If your networks access the internet, then you have a higher risk from malware (malicious software).

2) HARDWARE FIREWALL
Most small businesses have a broadband (high speed) internet connection which is always on. This leaves the network susceptible to network attacks on a 24/7 basis from anywhere in the world.

3) SOFTWARE FIREWALL
In addition to hardware firewalls, software firewalls should be used on all workstations, mobile devices, and servers. Software firewalls protect systems from each other. Microsoft Windows includes a built-in software firewall.

4) SOFTWARE PATCHING
- All operating systems, such as Microsoft Windows, Apple OS X, and all distributions of UNIX/Linux, have patches that need to be installed on a regular basis.
- Most software products require patches, including Microsoft Office, Adobe, Java, QuickTime, Firefox.
- These patches fix compatibility issues and known security vulnerabilities; not applying them leaves you vulnerable.

5) BACKUP DATA
Backing up your data protects it from numerous threats:
- Hackers destroying your computer
- Malware corrupting your data
- Fire and other natural disasters destroying your systems
- Many other threats
Include all your critical data and back up often. Store a copy offsite. Test your backup process to know you can restore data.
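"Test your backup process to know you can restore data" is the step most small offices skip. The following script is an added example (not from the slides, not Secure Banking Solutions code) of what that test looks like in practice: take a backup, record a SHA-256 manifest of every file at backup time, restore the archive into scratch space, and compare the restored tree against the manifest. The folder names and file contents in demo() are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root) -> dict:
    """Map relative path -> SHA-256 for every file under root.

    Only content is compared; ownership and permissions are outside this check.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source_dir, archive_path) -> dict:
    """Write a compressed tar of source_dir and return the manifest taken at backup time.

    Keep the manifest with the offsite copy: a later restore is checked against it.
    """
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return sha256_tree(source_dir)


def verify_restore(archive_path, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and compare it with the manifest."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            # The "data" filter (Python 3.12+, backported to maintenance releases) rejects
            # absolute paths and path traversal inside an archive; older interpreters skip it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **extra)
        restored = sha256_tree(restore_dir)
    missing = sorted(set(manifest) - set(restored))
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}


def demo() -> dict:
    """Constructed run: a throwaway 'agency_data' folder, one backup, three restore checks."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "agency_data"
        (source / "claims").mkdir(parents=True)
        (source / "claims" / "2010-04.csv").write_text("claim_id,amount\n1,250.00\n")
        (source / "policies.txt").write_text("constructed sample policy list\n")
        archive = Path(work) / "agency_data.tar.gz"
        manifest = make_backup(source, archive)

        good = verify_restore(archive, manifest)
        # A file created after the backup ran is absent from the restore:
        stale = dict(manifest, **{"policies_new.txt": "0" * 64})
        # A file whose recorded hash no longer matches what the archive holds:
        tampered = dict(manifest, **{"policies.txt": "0" * 64})
        return {
            "first": good,
            "file_missing": verify_restore(archive, stale),
            "content_changed": verify_restore(archive, tampered),
        }


if __name__ == "__main__":
    for scenario, report in demo().items():
        print(scenario, report)
```

Run it on a schedule against the real offsite copy rather than the live server: a restore that succeeds from the same disk the data lives on proves little about the scenario the slide is worried about (fire, ransomware, hardware loss).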

6) PHYSICAL ACCESS SECURITY
- Secure each entrance point
- Monitor areas for unauthorized people
- Escort visitors around the building
- Secure documents, computers, servers from theft
(Two photos, each captioned "Secure?")

7) WIRELESS SECURITY
- Do not use wireless unless required for business.
- Securely configure all wireless devices and access points. Most users implement with default settings.
  - Default passwords: http://cirt.net/passwords
  - WEP encryption can be broken in hours; use WPA2.
- Security vulnerabilities in wireless technology: www.us-cert.gov/cas/techalerts/ta12-006a.html
- Update wireless software and firmware.
- Users connect wireless devices to unsecured wireless, then conduct business.

8) SECURITY AWARENESS TRAINING
Email traffic for April 2010 (chart): Spam 74%, Phishing 15%, Legitimate Email 11%
- Employees should read security policies
- Employees should sign an Acceptable Use Agreement
- Employees should receive training on security threats:
  - Malware
  - Phishing
  - Social Engineering
  - Unauthorized Access
  - Other

9) UNIQUE USER ACCOUNTS
- Users should have a unique login to all computers, programs, and websites.
- Users should not be administrators on their local machine. If users can install software, then malware can install itself on the computer when clicked.
- Complex passwords: the password Spring08 can be cracked on a normal computer in 24 seconds.
- Secure passwords: 73% of users share the passwords they use for online banking with at least one nonfinancial website.
- If it's easy to remember, it's easy to guess. Try mnemonics: "Proud to be an American" + birth year = PtbaA0&91, where the & has been substituted for 8 and 0891 is 1980 backwards.
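Why does a word-plus-year password fall in seconds while a mnemonic of the same length does not? The estimator below is an added example (not from the slides) that makes the difference visible: a password that is a dictionary word with a digit suffix is costed the way a cracker's rule set attacks it (wordlist size x capitalisation variants x suffixes), while anything else is costed as a character-by-character search. The wordlist size and the guess rate of "a normal computer" are assumptions, not figures from the slide, and the embedded word sample stands in for a full list; the second test password is constructed.

```python
import math
import re

# Assumptions, not slide figures: size of the attacker's wordlist and the guess
# rate of one ordinary computer against a fast password hash.
WORDLIST_SIZE = 100_000
GUESSES_PER_SECOND = 1e6

# Tiny constructed sample standing in for the full wordlist.
SAMPLE_WORDS = {"spring", "summer", "autumn", "winter", "password",
                "welcome", "letmein", "football"}

WORD_PLUS_DIGITS = re.compile(r"([A-Za-z]+)(\d{0,4})")


def charset_size(password: str) -> int:
    """Size of the alphabet a character-by-character search must cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def dictionary_hit(password: str):
    """A listed word with an optional digit suffix (Spring08, welcome1, ...), or None."""
    m = WORD_PLUS_DIGITS.fullmatch(password)
    if m and m.group(1).lower() in SAMPLE_WORDS:
        return m.group(1), m.group(2)
    return None


def estimate(password: str) -> dict:
    """Search space an attacker faces, in bits, and the time to exhaust it.

    A dictionary hit is costed as list size x 2 capitalisation variants x all
    digit suffixes of that length. Real rule sets try far more variants, so
    this is, if anything, generous to the weak password.
    """
    hit = dictionary_hit(password)
    if hit:
        _, suffix = hit
        space = WORDLIST_SIZE * 2 * 10 ** len(suffix)
        method = "dictionary"
    else:
        space = charset_size(password) ** len(password)
        method = "brute-force"
    return {
        "method": method,
        "bits": round(math.log2(space), 1),
        "seconds": space / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    # "Spring08" is the slide's example; "Mh4$wLdf!" is a constructed mnemonic-style value.
    for pw in ("Spring08", "Mh4$wLdf!"):
        print(pw, estimate(pw))
```

Under these assumptions Spring08 is about 24 bits and exhausted in roughly 20 seconds, while the nine-character mnemonic is about 59 bits, which at the same rate runs to thousands of years. The lesson matches the slide: length and unpredictability matter, a capital letter and a year on a common word do not.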

10) LIMIT ACCESS TO DATA
- For all employees, provide access to only those systems and only to the specific information that they need to do their jobs.
- Do not allow a single individual to both initiate and approve a transaction (financial or otherwise).
- Limited access reduces the exposure of data to malware and hackers. It also reduces the impact of malicious insiders.
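The "initiate and approve" rule can be checked in two places: in the entitlements (does any one account hold both permissions?) and in the transaction record (did any one account actually do both?). The script below is an added example, not from the slides or from Secure Banking Solutions; the role names, permission names, user list and approval log are all constructed, and the CSV columns are hypothetical.

```python
import csv
import io

# Constructed entitlement model: which permissions each role grants, and which
# roles each user holds. Names are hypothetical.
ROLE_PERMISSIONS = {
    "clerk": {"initiate_payment", "view_claims"},
    "manager": {"approve_payment", "view_claims"},
    "vendor_admin": {"create_vendor", "view_claims"},
    "it_admin": {"initiate_payment", "approve_payment", "create_vendor", "view_claims"},
}
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"manager"},
    "carol": {"it_admin"},          # one account that can do everything
    "dave": {"clerk", "manager"},   # role creep: promoted, but kept the old role
}

# Permission pairs that must never sit with a single person.
TOXIC_PAIRS = [
    ("initiate_payment", "approve_payment"),
    ("create_vendor", "approve_payment"),
]


def effective_permissions(user: str) -> set:
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set())))


def toxic_combinations() -> dict:
    """Static check: users whose combined roles grant a toxic pair."""
    findings = {}
    for user in sorted(USER_ROLES):
        perms = effective_permissions(user)
        pairs = [p for p in TOXIC_PAIRS if p[0] in perms and p[1] in perms]
        if pairs:
            findings[user] = pairs
    return findings


# Constructed approval log; the columns are hypothetical.
APPROVAL_LOG = """txn_id,amount,initiated_by,approved_by
1001,250.00,alice,bob
1002,9800.00,carol,carol
1003,120.00,dave,bob
1004,15000.00,dave,dave
"""


def self_approved(log_text: str) -> list:
    """Dynamic check: transactions the same account both initiated and approved."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r["txn_id"] for r in rows if r["initiated_by"] == r["approved_by"]]


if __name__ == "__main__":
    print("toxic combinations:", toxic_combinations())
    print("self-approved transactions:", self_approved(APPROVAL_LOG))
```

The static check catches the problem before any money moves (carol's all-powerful admin account, dave's leftover clerk role); the log check catches what the entitlements missed or what was done through a shared login. Run both when access is reviewed, not just when someone leaves.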

11) ENCRYPT PERSONALLY IDENTIFIABLE INFORMATION
- Identify where in your institution you have personally identifiable information.
- When that information leaves your institution, assess whether or not you have encrypted that data during transmission or storage.
- Common systems needing encryption are:
  - Company website
  - Email
  - Offsite backup tapes
  - Laptops
  - Mobile phones / tablets / iPads

12) DOCUMENTED INFORMATION SECURITY POLICY
- Document the process of how risks to personally identifiable information will be assessed.
- Document specific controls implemented to protect this information.
- Document auditing and testing procedures used to validate your security policy.
- Document acceptable use of information and technology by employees.
- Document how you will identify, contain, and respond to a security incident, including communication with third parties, regulators, authorities, and customers.
- Document how you will recover from a disaster.

RESOURCES
- HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
- GLBA: http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
- NIST 7621: http://csrc.nist.gov
- CERT: http://www.us-cert.gov/cas
- BBB: http://www.bbb.org/data-security/
- FTC: http://www.ftc.gov/bcp
- SANS: www.sans.org
- SearchSecurity: http://searchsecurity.techtarget.com

Questions?
Presenter: Chad Knutson, Secure Banking Solutions
chad@protectmybank.com

CONTACT INFORMATION
Dr. Kevin Streff
Professor at Dakota State University
Director, National Center for the Protection of the Financial Infrastructure
Managing Partner at SBS
kevin@protectmybank.com

Chad Knutson
Senior Information Security Consultant
CISSP, CISA, CRISC
Phone: 605-480-3366
chad.knutson@protectmybank.com