Sustainable Security & Compliance Solutions NSAA IT Conference & Workshop Copyright 2016 Terra Verde, LLC. All rights reserved.

Transcription

1 Sustainable Security & Compliance Solutions 2016 NSAA IT Conference & Workshop

2 FAST FACTS Founded in 2008 by Cyber Security, Risk, Compliance Executives & Experts Headquartered in Phoenix Arizona Security, Risk, Compliance Consulting One of the Largest PCI QSA in Arizona Hundreds of Engagements Performed Across Multiple Continents Annually Senior Executive, Entrepreneur, Cybersecurity Expert ASU Advisory Board AZ Commission on Post-Secondary Education CEV Acquisitions Jefferson Wells Authoriszor BULL Invested Millions of Dollars, Thousands of Hours Developing TruSOC and Breach Radar - Managed Security Services TruSOC utilized by customers across the U.S. Ongoing Investments in Services Portfolio, Technologies, Sales & Distribution Channels

3 Disclaimer & Objectives A Story, Some Definitions & Key Questions Case Study & Recommendations Parting Thoughts - QA

4 Its Not Paranoia if They Really Are Out to Get You! There Are No Silver Bullets. Change is Difficult. People and Process Create Vulnerabilities.

5 Understand data supply chains, from a security perspective Understand key risks and impacts to a data supply chain Provide high-level recommendations to measure / monitor/ maintain / reduce risks

6 A story of the inadvertent exposure of 500,000 customer records

7 Traditional Supply Chain Example

8 A Data Supply Chain, however Data Suppliers Data Partners Data Aggregator Customers Service Data* - Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized. Information* - When data is processed, organized, structured or presented in a given context so as to make it useful, it is called information. Critical Data - Data that needs to be protected because of its value to internal or external sources. This data may not be considered information by your organization, but when used (bought / sold) for malicious purposes, it s information to someone *Source:

9 What is critical data? PII/SPI? ephi? PAN? Other? If you (or someone else) defines it as such Where is your critical data (in the company)? Locations? In the Cloud? Not necessarily in a master database somewhere Phone records

10 Do you have defined data standards? Classification? Protection? Destruction? Where does your data come from / go to? Data Suppliers / aggregators identified? How are you assuring the data is accurate? Data Partners identified? How are you assuring the data is secured to your standards? What are you doing to monitor/measure risk?

11 US Health Insurer $60 billion annual revenue / 50,000 employees 23.5 million members across the US (60 percent subscribed through employer contracts) Used a patient care application, which provides medical alerts and allows health practitioners across its provider network to access patient records and insurance coverage information Held open enrollment (the annual period when people can enroll in health insurance plans) November through January Regulated by both state and federal authorities Planned to raise $1 billion in debt capital to acquire a health system Paid $7 million annual premium for a $100 million cyber insurance policy Situation A laptop containing 2.8 million of its personal health information (PHI) records had been stolen from the company s health care analytics software vendor. The compromise was revealed days later when the company was notified by a corporate client that the client s employee s information had been listed for sale on cybercrime dark web sites. Deloitte, Beneath the Surface of a Cyberattack Report, 2016

12 Sub-total % Deloitte, Beneath the Surface of a Cyberattack Report, 2016

13 Deloitte, Beneath the Surface of a Cyberattack Report, 2016

14 Protect your critical data Encrypt (at rest & in transit) Establish, monitor and review who has access Reduce internal opportunities for internal data over-exposure Data leakage detection (DLD) / protection (DLP) 24x7 monitoring in place?

15 Find your critical data (protect your house ) Interviews Data flow diagrams Tools (just a few ) PAN Buster from XMCO CCSRCH Open Source PAN / Credit Card Scanner Cornell Spider MAX Risk Intelligence Senf Card Recon ControlCase Data Discovery Nessus / Security Center

16 People, Patches, Passwords Choose your data suppliers & partners wisely... Search and scrub data before moving critical data through the supply chain...

17 Review (update) and enforce contracts How do you expect suppliers and partners to protect data? Compliance requirements in contract? Ability to audit/assess in contract? Establish / Enhance Vendor Risk Management Program Focused on data supply chain On-line / Onphone survey On-site Visits Reporting Dashboard

18 Establish / Enhance Vendor Risk Management Program On-line/ phone survey topics Company Overview Service Provided Administrative Controls Technical Controls Physical Controls Business Continuity

19 Establish Vendor Risk Management Program Site Visit Report (Short-Form Example)

20 Establish Vendor Risk Management Program Dashboard example Copyright 2016 Terra Verde, LLC.

21 Research resources, partners. Utilize available tools, resources. Subscribe to cybersecurity intelligence resources, feeds. Participate in various cybersecurity industry associations and events. Find a trusted partner & subject matter expert.

22 Visit our website blog for information on this topic! Ed Vasko, CEO Cell: Office: , x4 ed.vasko@tvrms.com