Building a Complete Program around Data Loss Prevention

Size: px
Start display at page:

Download "Building a Complete Program around Data Loss Prevention"

Transcription

1 To download today s materials (depending on your browser): or Building a Complete Program around Data Loss Prevention Tuesday, November 8, 2011 Presenter s Name Presenter: Duane Baldwin Security Practice Manager Audio and Tech Support This meeting is being broadcast, and you can listen through your computer speakers by choosing Use Mic & Speakers (figure 1) To turn up your computer s volume, please select: Start My Computer Control Panel Sounds and Devices Or Please select Use Telephone option on the GoToMeeting Control Panel and a number and ID will be generated along with a PIN number associated with you. (figure 1) PLEASE NOTE All lines will be muted during this presentation. If you would like to ask a question, please use Questions (figure 2) function and your question will be addressed. Experis Tuesday, November 8,

2 Earning CPE Credit To receive 1 CPE credit for this webinar, participants must: Attend the Webinar for at least 60 minutes on individual computers (one person per computer) Answer polling questions asked throughout the webinar At the end of today s presentation, a link to our CPE Learning Event Survey will be posted in the chat box in the control panel Please take a few moments to complete the survey as we appreciate your feedback Experis Tuesday, November 8, To download today s materials (depending on your browser): or Building a Complete Program around Data Loss Prevention Tuesday, November 8, 2011 Presenter s Name Presenter: Duane Baldwin Security Practice Manager 2

3 Agenda Identify information/data loss risks and high exposure information/data breaches Apply an approach to evaluating and evolving your existing data loss prevention capabilities Describe supporting functions that will add to the success of your data loss prevention program Experis Tuesday, November 8, What is Data Loss Prevention? It is a systematic approach to identifying, monitoring and protecting the confidentiality, integrity and availability of data in motion, at rest or in use Experis Tuesday, November 8,

4 Polling Question #1 Where are you in forming a Data Loss Prevention program? A. Full program (strategy, governance, processes, tools, training) in place B. Defined a data classification framework C. Bought a tool D. Just beginning in planning Experis Tuesday, November 8, Risks Posed by Data Loss 4

5 Types of information at risk Intellectual t l Property/ Trade Secrets Personally Identifiable Information (PII) System Data and Configuration Settings Critical Data Personal Health Information (PHI) Corporate Strategy Unreleased Financial Information Experis Tuesday, November 8, Value and Risk of an Organization s Information Information Value Threat Vulnerability Counter Measures Risk Consolidated financial information HIGH MEDIUM LOW HIGH MEDIUM Customer personal information HIGH HIGH MEDIUM HIGH HIGH Internal office memorandums LOW LOW HIGH LOW LOW (non-confidential) Confidential executive MEDIUM MEDIUM MEDIUM LOW MEDIUM memorandums Experis Tuesday, November 8,

6 What is your risk? Data loss can result in: Significant financial penalties Extensive operational impact Increased monitoring costs Adverse publicity Negative effect on your organization s brand and reputation Lost business Experis Tuesday, November 8, How it can happen Intrusion Extrusion Experis Tuesday, November 8,

7 The threat to data continues Loss of business critical information is a real threat: 74 percent somewhat or extremely concerned 42 percent have lost confidential/proprietary information in the past 100 percent saw losses (lost revenue, direct financial cost) Lost devices are a huge problem: 62 percent lost devices in last six months 100 percent have some devices that are not password protected Symantec 2010 SMB Information Protection Survey May/June 2010 Experis Tuesday, November 8, High Profile Data Breach Incidents Sony Corporation, PlayStation Network April 26, ,000,000 records names, addresses, addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/psn online ID, profile data, purchase history and possibly credit cards obtained. No known actual costs $4,620,000,000 Ponemon Institute Direct Costs Estimate Sony Corporation May 2, ,600,000 customer dates of birth, addresses and phone numbers, including 12,700 non-u.s. credit or debit card numbers and expiration dates and about 10,700 direct debit records including bank account numbers accessed by hacker No known actual costs $1,476,000,000 Ponemon Institute Direct Costs Estimate Source: Open Security Foundation / DataLossDB.org Experis Tuesday, November 8,

8 High Profile Data Breach Incidents (Cont.) TJX Companies January 17, 2007 January 17, ,000,000 credit card numbers and transactions compromised $64,113,000 total known costs $5,640,000,000 Ponemon Institute Direct Costs Estimate US Department of Veteran Affairs May 22, 2006 May 22, ,500,000 U.S. military veterans Names, Social Security Numbers, and dates of birth $20,000,000 total known costs $1,590,000,000 Ponemon Institute Direct Costs Estimate Source: Open Security Foundation / DataLossDB.org Experis Tuesday, November 8, Security flaws create risks to your data Information security strategies and objectives not adequately linked to business goals Incomplete governance and leadership involvement Ineffective security policies Irregular or ineffective security risk assessments Lack of awareness regarding location of critical data, how to classify it and how to protect it throughout its lifecycle Inadequate monitoring of security controls Miscommunication with internal and external audiences regarding security requirements and expectations Flawed Web application design common vulnerabilities persist Server and database vulnerabilities Ineffective access definitions Phishing and social engineering Experis Tuesday, November 8,

9 What Individuals Would Pay to Protect Their Personal Information Social Security number/government ID: $240/year Credit Card number: $150/year Electronic or Physical Histories: $52 - $59/year Health Industry Medical Records: $38/year On-line buying habits and social profiles: $3 - $5.70/year Contact Information (phone number, or mailing address): $4.20/year Source: What s Your Personal Data Worth by Tim Money, Jan. 18, 2011, designmind.frogdays.com blog Experis Tuesday, November 8, Common mistakes in approaching a DLP Program Looking for the silver bullet Install a tool and my problem is solved Having an isolated project or team rather than a holistic approach Lack of sponsorship Treating it like a compliance project Not building the appropriate foundation for the program to work Experis Tuesday, November 8,

10 Polling Question #2 What priority do you give advancing your DLP program in 2012? A. Top Priority B. In the middle C. Low priority D. No intention to focus on it at all Experis Tuesday, November 8, Building a DLP Program 10

11 Suggested Steps for a Complete DLP Program Profile Your DLP Needs Characterize Your Current DLP Program Assess Your DLP Program Effectiveness Define a DLP Strategy Create an Action Plan to Achieve the Strategy Experis Tuesday, November 8, Profile Your DLP Needs Goal: Gain a complete understanding of data types and their use Suggested Activities: Understand your data s business environment: Business drivers across the Enterprise Regulatory and customer requirements as tied to the business Existing data retention standards Determine how data is used: Identify data classifications in use across the Enterprise Determine data user groups Profile the extent of data use across all avenues: Data at Rest Data in Motion Data at the Endpoints Experis Tuesday, November 8,

12 Characterize Your Current DLP Program Goal: Identify and understand all currently implemented DLP components and ongoing initiatives Activities: Determine maturity levels of processes, procedures and solutions used for a DLP operational framework that includes: Data Classification Data Discovery Data Protection Governance and Risk Management Monitoring, Measurement and Improvement None Progressing Basic Advanced Industry Leading No capability currently exists Current State The Capability capability supports Maturity Scale Elements of a capability exist and meet some of the compliance requirements and business objectives core business processes and compliance requirements The capability incorporates information security solutions that exceed basic compliance requirements and incorporates industry leading practices The capability exceeds industry standards and sets the model for industry to follow Experis Tuesday, November 8, Assess Your DLP Program Effectiveness Goal: Determine if the current DLP program has been effectively executed and identify gaps Activities: Evaluate effectiveness of each implemented component of the DLP program Estimate adoptability and effectiveness of future initiatives Determine gaps and potential risk levels Risk Determination Scale Critical High Moderate Low Extremely weak or nonexistent capabilities to protect critical data; likelihood for exploitation of current state is extremely high; risk of severe adverse impact to company assets is critical and requires immediate attention Limited or poorly implemented capabilities, large gaps exist; likelihood for exploitation of current state is high; risk of serious adverse impact to company assets is high and requires priority attention Capabilities exist, but lack formality and consistency; likelihood for exploitation of current state is moderate to high; risk of adverse impact to company assets is moderate and may require priority attention Consistent, integrated and managed capabilities are employed; likelihood for exploitation of current state is low; even with no priority attention, risk of adverse impact to company assets is low Experis Tuesday, November 8,

13 Define a DLP Program Strategy Goal: Define Objectives to implement Vision and Goals and Finalize Strategyt Activities: Create a vision that resonates with all aspects of the business Define goals that encompass Governance, People, Processes and Technology to be effective Work with data owners and stakeholders to identify objectives across the DLP components as aligned with the goals: Data Classification Data Discovery Data Protection Data Handling Governance and Risk Management Monitoring, Measurement and Improvement Validate and Finalize Experis Tuesday, November 8, Data Loss Prevention Strategy Structure DLP Strategy Framework DLP Vision DLP Goals DLP Objectives Characteristics Sets out a common long-term picture and strategic direction for the Data Loss Prevention program Establishes the core business value to be delivered by the Data Loss Prevention program Identifies common and business specific goals that reflects each aspect of the vision Encompasses both immediate and future direction across the enterprise Integrates measurable targets and procedures for evaluating the progress against specified goals and objectives Experis Tuesday, November 8,

14 Governance Considerations An important aspect of executing an effective DLP program is the incorporation of Governance activities Key areas to include: Roles and Responsibilities Responsibilities for all aspects of DLP operations need to be clearly defined within the business units as well as at the Corporate level Processes Processes including decision points that integrate with defined roles and responsibilities should be defined for the DLP program Oversight, Management and Review Oversight structure should be defined that incorporates a combination of centralized and decentralized (Business Unit) responsibilities Experis Tuesday, November 8, Roles and Responsibilities Data Loss Prevention Audit Committee C-Level Executives Business Operations Information Security Officer Information Technology Internal Audit All Users and Vendors Ultimate Accountability Overall Responsibility Data Ownership Guidance and Oversight Data Custodian and Tool Implementation & Operation Monitor Operating Effectiveness Follow policies and guidance and report suspected breaches Experis Tuesday, November 8,

15 Develop an Action Plan Goal: Create an Action Plan to close current gaps and implement a DLP strategy t Activities: Develop Action Plan which typically includes: Workstream Overview Quick Win Activities Prioritized Implementation Responsible Parties Resource Estimate Cost Range Execution Timeline Critical Success Factors Experis Tuesday, November 8, Polling Question #3 What kind of information breaches have you encountered in the past? A. No breaches B. Lost or stolen laptops, pdas or computers C. Cyber stolen data externally D. Insider theft of sensitive information E. Employees send out unencrypted data through Experis Tuesday, November 8,

16 Key Supporting Functions for Your DLP Program Employee awareness Employees are critical to a successful data management and data loss prevention program. Employee awareness programs need to include: DLP overall Policy and supporting policies (e.g., Acceptable Use) Initial training Ongoing education and periodic reminders Evolution of employee education aligned with evolving technology Consequences Even with strong policies and training employee s may not understand how to execute in their environment. Specific guidelines with Data Use Cases and examples of exceptions have helped bridge this gap Experis Tuesday, November 8,

17 Vendors/Business Partners Vendors and Business Partners play a critical role in protecting your data Service Level Agreements should clearly define your data protection requirements, consequences for failing to provide the proper protection and breach notification requirements Include in your Vendor Management program examination of protections of your data including self-assessments and site inspections Work with vendor to remediate risks identified or choose an alternate vendor preferably before a breach occurs Experis Tuesday, November 8, Incident Response Data breaches can happen! An organization must be prepared Incorporate data breaches into your incident response procedures should include: Reporting any employee discovering a potential breach needs to know who to contact and what information to provide Define an Incident Response Team (members, roles and responsibilities) with the appropriate knowledge to evaluate data breaches Actions to be taken (shutting down, recovery, data scrubbing, retention of data, chain of custody) Communication Protocols (internal, customer, shareholders, authorities, press) Breach Notification Several regulations require notification to the affected parties (understand the different notification triggers) Experis Tuesday, November 8,

18 Tools and Technology Technology needs to be aligned with the goals and objectives of fthe DLP program Tools available include: Discovery and fingerprinting Content awareness and filtering Logging, monitoring and alerting when accessed Encryption content monitoring Mobile device protection Access controls Firewalls, intrusion prevention, intrusion detection Virus protection DLP products Others Experis Tuesday, November 8, Closing Observations Business and personal data will continue to be targets not only from external sources but internal as well Understanding your data is absolutely critical to protecting: what data is important, where your data is located, how it s used, how your data flows during business transactions, etc. Threat profiles and business operations continuously change implementing a strong risk management program to periodically reexamine DLP program effectiveness is important Effective DLP programs go beyond just implementing a tool Data breaches may still happen! Data breach notifications and response are critical to minimize impact and regulatory fines. Experis Tuesday, November 8,

19 Questions? For more information please contact: Duane Baldwin Mobile Experis Tuesday, November 8, Webinar evaluation A link to our CPE Learning Event Survey is now located in the chat box in the control panel Please take a few minutes to provide us with your feedback Experis Tuesday, November 8,

20 More information For more information, please visit Experis Tuesday, November 8,

Combating Cyber Risk in the Supply Chain

Combating Cyber Risk in the Supply Chain SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an

More information

Business continuity management and cyber resiliency

Business continuity management and cyber resiliency Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,

More information

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Breach New Heights The role of ITAM in preventing a data breach Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Agenda Why Breaches Matter to the ITAM group The cost

More information

Cybersecurity The Evolving Landscape

Cybersecurity The Evolving Landscape Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

Cybersecurity for Health Care Providers

Cybersecurity for Health Care Providers Cybersecurity for Health Care Providers Montgomery County Medical Society Provider Meeting February 28, 2017 T h e MARYLAND HEALTH CARE COMMISSION Overview Cybersecurity defined Cyber-Threats Today Impact

More information

Healthcare HIPAA and Cybersecurity Update

Healthcare HIPAA and Cybersecurity Update Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Healthcare HIPAA and Cybersecurity Update Agenda > Introductions > Cybersecurity

More information

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable

More information

Rethinking Information Security Risk Management CRM002

Rethinking Information Security Risk Management CRM002 Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design

More information

Data Loss Prevention:

Data Loss Prevention: Data Loss Prevention: Considerations from an IT Audit Perspective ISACA November Luncheon 11 November 2010 Agenda What is data loss prevention (DLP)? Ernst & Young point of view on DLP Data loss risk assessment

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155 THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION Session #155 David Forrestall, CISSP CISA SecurIT360 SPEAKERS Carl Scaffidi, CISSP, ISSAP, CEH, CISM Director of Information Security Baker Donelson AGENDA

More information

Securing Your Secured Data

Securing Your Secured Data Securing Your Secured Data Tuesday April 9 th 2013 Roshan Mohammed CipherQuest (Trinidad) Limited AGENDA Perception of Information Risk What Data are we Protecting and Why? Infrastructure Security Application

More information

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Cybercrime Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Organizations can prevent cybercrime from occurring through the proper use of personnel, resources,

More information

Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel

Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel Presenting a live 90-minute webinar with interactive Q&A Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel Evaluating Data Security Risks

More information

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Introduction The 6,331 credit unions in the United States face a unique challenge when it comes to cybersecurity.

More information

Cyber Insurance: What is your bank doing to manage risk? presented by

Cyber Insurance: What is your bank doing to manage risk? presented by Cyber Insurance: What is your bank doing to manage risk? David Kitchen presented by Lisa Micciche Today s Agenda Claims Statistics Common Types of Cyber Attacks Typical Costs Incurred to Respond to an

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

Cyber Protections: First Step, Risk Assessment

Cyber Protections: First Step, Risk Assessment Cyber Protections: First Step, Risk Assessment Presentation to: Presented to: Mark LaVigne, Deputy Director NYSAC November 21, 2017 500 Avery Lane Rome, NY 13441 315.338.5818 www.nystec.com In this presentation

More information

How to Prepare a Response to Cyber Attack for a Multinational Company.

How to Prepare a Response to Cyber Attack for a Multinational Company. You Have Been Breached! How to Prepare a Response to Cyber Attack for a Multinational Company. Chayan Chakravarti, MBA, CISM, PMP Patrick Enyart, CISA, CISM, CRISC Presenters Chayan Chakravarti Manager,

More information

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain

More information

What is Penetration Testing?

What is Penetration Testing? What is Penetration Testing? March 2016 Table of Contents What is Penetration Testing?... 3 Why Perform Penetration Testing?... 4 How Often Should You Perform Penetration Testing?... 4 How Can You Benefit

More information

Electronic Communication of Personal Health Information

Electronic Communication of Personal Health Information Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy

More information

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Recommendations for Implementing an Information Security Framework for Life Science Organizations Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information

More information

Managing Cybersecurity Risk

Managing Cybersecurity Risk Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for

More information

2 The IBM Data Governance Unified Process

2 The IBM Data Governance Unified Process 2 The IBM Data Governance Unified Process The benefits of a commitment to a comprehensive enterprise Data Governance initiative are many and varied, and so are the challenges to achieving strong Data Governance.

More information

PROTECTING BRANDS IN CYBERSPACE

PROTECTING BRANDS IN CYBERSPACE Speaker Profile Abhishek Agarwal, CIPP/US: Security & Privacy Leader at Kraft Foods Manage compliance programs to safeguard consumer, customers and employee information. Responsible for protecting brand

More information

Designing and Building a Cybersecurity Program

Designing and Building a Cybersecurity Program Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1 Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com

More information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model How to Optimize Cyber Defenses through Risk-Based Governance Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model The Goal: Risk-Based Operationalization Incident Management IT/IS

More information

Jeff Wilbur VP Marketing Iconix

Jeff Wilbur VP Marketing Iconix 2016 Data Protection & Breach Readiness Guide February 3, 2016 Craig Spiezle Executive Director & President Online Trust Alliance Jeff Wilbur VP Marketing Iconix 1 Who is OTA? Mission to enhance online

More information

From Russia With Love

From Russia With Love #ARDAWorld From Russia With Love Is your technology vulnerable to data theft? Do you know your own security protocols? Learn about auditing cyber-security processes and discover how to stay compliant and

More information

ACM Retreat - Today s Topics:

ACM Retreat - Today s Topics: ACM Retreat - Today s Topics: Phase II Cyber Risk Management Services - What s next? Policy Development External Vulnerability Assessment Phishing Assessment Security Awareness Notification Third Party

More information

mhealth SECURITY: STATS AND SOLUTIONS

mhealth SECURITY: STATS AND SOLUTIONS mhealth SECURITY: STATS AND SOLUTIONS www.eset.com WHAT IS mhealth? mhealth (also written as m-health) is an abbreviation for mobile health, a term used for the practice of medicine and public health supported

More information

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria Ian Speller CISM PCIP MBCS Head of Corporate Security at Sopra Steria Information Risk in the Real World Realistic security management on a tight budget Or some things I have done to make the security

More information

Department of Management Services REQUEST FOR INFORMATION

Department of Management Services REQUEST FOR INFORMATION RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary

More information

INTELLIGENCE DRIVEN GRC FOR SECURITY

INTELLIGENCE DRIVEN GRC FOR SECURITY INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to

More information

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK 1. INTRODUCTION The Board of Directors of the Bidvest Group Limited ( the Company ) acknowledges the need for an IT Governance Framework as recommended

More information

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm Insider Threat Program: Protecting the Crown Jewels Monday, March 2, 2:15 pm - 3:15 pm Take Away Identify your critical information Recognize potential insider threats What happens after your critical

More information

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners. Data Breaches: Is IBM i Really At Risk? HelpSystems LLC. All rights reserved. All trademarks and registered trademarks are the property of their respective owners. ROBIN TATAM, CBCA CISM PCI-P Global Director

More information

Building a Resilient Security Posture for Effective Breach Prevention

Building a Resilient Security Posture for Effective Breach Prevention SESSION ID: GPS-F03B Building a Resilient Security Posture for Effective Breach Prevention Avinash Prasad Head Managed Security Services, Tata Communications Agenda for discussion 1. Security Posture 2.

More information

Continuous protection to reduce risk and maintain production availability

Continuous protection to reduce risk and maintain production availability Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading

More information

What It Takes to be a CISO in 2017

What It Takes to be a CISO in 2017 What It Takes to be a CISO in 2017 Doug Copley Deputy CISO Sr. Security & Privacy Strategist February 2017 IMAGINE You re the CISO In Bangladesh Of a bank On a Friday when you re closed You realize 6 huge

More information

PCI Compliance. What is it? Who uses it? Why is it important?

PCI Compliance. What is it? Who uses it? Why is it important? PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3 rd party processors companies

More information

Cyber Fraud What can you do about it?

Cyber Fraud What can you do about it? Cyber Fraud What can you do about it? Eric Wright Shareholder June 10, 2014 What is Cyber Fraud? NetLingo definition: Cyber fraud refers to any type of deliberate deception for unfair or unlawful gain

More information

ISE North America Leadership Summit and Awards

ISE North America Leadership Summit and Awards ISE North America Leadership Summit and Awards November 6-7, 2013 Presentation Title: Presenter: Presenter Title: Company Name: Embracing Cyber Security for Top-to-Bottom Results Larry Wilson Chief Information

More information

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City 1 Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City The opinions expressed are those of the presenters and are not those of the Federal Reserve Banks, the

More information

Data Breach Preparedness & Response

Data Breach Preparedness & Response Data Breach Preparedness & Response April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH 2015 Armstrong Teasdale 6 Stages of a Data Breach Response Preparation Identification Containment Eradication

More information

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH Data Breach Preparedness & Response April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH 2015 Armstrong Teasdale 6 Stages of a Data Breach Response Preparation Identification Containment Eradication

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

HEALTH CARE AND CYBER SECURITY:

HEALTH CARE AND CYBER SECURITY: HEALTH CARE AND CYBER SECURITY: Increasing Threats Require Increased Capabilities kpmg.com 1 HEALTH CARE AND CYBER SECURITY EXECUTIVE SUMMARY Four-fifths of executives at healthcare providers and payers

More information

Cybersecurity Auditing in an Unsecure World

Cybersecurity Auditing in an Unsecure World About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity

More information

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose: STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security

More information

Defense in Depth Security in the Enterprise

Defense in Depth Security in the Enterprise Defense in Depth Security in the Enterprise Mike Mulville SAIC Cyber Chief Technology Officer MulvilleM@saic.com Agenda The enterprise challenge - threat; vectors; and risk Traditional data protection

More information

MIS5206-Section Protecting Information Assets-Exam 1

MIS5206-Section Protecting Information Assets-Exam 1 Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines

More information

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI CONTENTS Overview Conceptual Definition Implementation of Strategic Risk Governance Success Factors Changing Internal Audit Roles

More information

PTLGateway Data Breach Policy

PTLGateway Data Breach Policy 1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This

More information

CCISO Blueprint v1. EC-Council

CCISO Blueprint v1. EC-Council CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance

More information

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Risk Assessment. The Heart of Information Security

Risk Assessment. The Heart of Information Security Risk Assessment The Heart of Information Security Overview Warm-up Quiz Why do we perform risk assessments? The language of risk - definitions The process of risk assessment Risk Mitigation Triangle Lessons

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security Cybersecurity What Companies are Doing & How to Evaluate Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security Learning Objectives At the end of this presentation, you will be able to: Explain the

More information

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016 Defense in Depth Constructing Your Walls for Your Enterprise Mike D Arezzo Director of Security April 21, 2016 Defense in Depth Defense in Depth Coordinated use of multiple security countermeasures Protect

More information

Changing the Game: An HPR Approach to Cyber CRM007

Changing the Game: An HPR Approach to Cyber CRM007 Speakers: Changing the Game: An HPR Approach to Cyber CRM007 Michal Gnatek, Senior Vice President, Marsh & McLennan Karen Miller, Sr. Treasury & Risk Manager, FireEye, Inc. Learning Objectives At the end

More information

Preparing for a Breach October 14, 2016

Preparing for a Breach October 14, 2016 Preparing for a Breach October 14, 2016 Jeremy Gilbert, GCFE, GASF, EnCE, CPA Manager, DHG Forensics forensics 1 Agenda Medical data breaches Why? Types? Frequency? Impact of a data breach How to prepare

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

Privacy Implications Guide. for. the CIS Critical Security Controls (Version 6)

Privacy Implications Guide. for. the CIS Critical Security Controls (Version 6) Privacy Implications Guide for the CIS Critical Security Controls (Version 6) Privacy Implications Guide for the CIS Critical Security Controls (Version 6) Acknowledgements: The Center for Internet Security

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

SFC strengthens internet trading regulatory controls

SFC strengthens internet trading regulatory controls SFC strengthens internet trading regulatory controls November 2017 Internet trading What needs to be done now? For many investors, online and mobile internet trading is now an everyday interaction with

More information

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats SELLING YOUR ORGANIZATION ON APPLICATION SECURITY Navigating a new era of cyberthreats Selling Your Organization on Application Security 01 It's no secret that cyberattacks place organizations large and

More information

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd Incident Response Tony Drewitt Head of Consultancy IT Governance Ltd www.itgovernance.co.uk IT Governance Ltd: GRC One-Stop-Shop Thought Leaders Specialist publisher Implementation toolkits ATO Consultants

More information

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide Q3 2016 Security Matters Forum Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide Alan Calder Founder & Executive Chair IT Governance Ltd July 2016 www.itgovernance.co.uk Introduction

More information

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Cyber Security and Inside Threats: Turning Policies into Practices Presented by Ingrid Fredeen and Pamela Passman Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Presented By Ingrid Fredeen, J.D.

More information

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...

More information

State of Security Operations

State of Security Operations State of Security Operations Roberto Sandoval / September 2014 Security Intelligence & Operations Consulting Founded: 2007 The best in the world at building state of the art security operations capabilities/cyber

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

Dissecting Data Breaches. What Keeps Going Wrong?

Dissecting Data Breaches. What Keeps Going Wrong? Dissecting Data Breaches What Keeps Going Wrong? 02 WHO WE ARE Tom Stewart Uriah Robins Senior Manager IT Consulting Protiviti Senior Consultant IT Consulting Protiviti PRESENTATION AGENDA 3 START BREACH

More information

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014 Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents

More information

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010 Data Protection. Plugging the gap Gary Comiskey 26 February 2010 Data Protection Trends in Financial Services Financial services firms are deploying data protection solutions across their enterprise at

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.

More information

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly 2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly please download the guide at https://otalliance.org/incident 2017 Cyber Incident & Breach Readiness Webinar Craig Spiezle Executive Director

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE Information Technology Services Administrative Regulation ITS-AR-1506 INFORMATION SECURITY-SECURITY INCIDENT RESPONSE 1.0 Purpose and Scope The purpose of the Security Response Administrative Regulation

More information

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it

More information

Going Paperless & Remote File Sharing

Going Paperless & Remote File Sharing Going Paperless & Remote File Sharing Mary Twitty Family Services Director Earnest L. Hunt-Director of Sub-recipient Monitoring Tammy Smith Program Director Introduction Define the subject matter Move

More information

Cybersecurity and Nonprofit

Cybersecurity and Nonprofit Cybersecurity and Nonprofit 2 2 Agenda Cybersecurity and Non Profits Scenario #1 Scenario #2 What Makes a Difference Cyber Insurance and How it Helps Question and Answer 3 3 Cybersecurity and Nonprofit

More information

How Cyber-Criminals Steal and Profit from your Data

How Cyber-Criminals Steal and Profit from your Data How Cyber-Criminals Steal and Profit from your Data Presented by: Nick Podhradsky, SVP Operations SBS CyberSecurity www.sbscyber.com Consulting Network Security IT Audit Education 1 Agenda Why cybersecurity

More information