Building a Complete Program around Data Loss Prevention
- Mervyn Knight
- 5 years ago
Transcription
Slide 1: Building a Complete Program around Data Loss Prevention
Tuesday, November 8, 2011
Presenter: Duane Baldwin, Security Practice Manager

To download today's materials (depending on your browser): or

Audio and Tech Support
This meeting is being broadcast, and you can listen through your computer speakers by choosing "Use Mic & Speakers" (figure 1). To turn up your computer's volume, please select: Start > My Computer > Control Panel > Sounds and Devices. Or, please select the "Use Telephone" option on the GoToMeeting Control Panel and a number and ID will be generated along with a PIN number associated with you (figure 1).

PLEASE NOTE: All lines will be muted during this presentation. If you would like to ask a question, please use the Questions function (figure 2) and your question will be addressed.
Experis Tuesday, November 8,
Slide 2: Earning CPE Credit
To receive 1 CPE credit for this webinar, participants must:
- Attend the webinar for at least 60 minutes on individual computers (one person per computer)
- Answer polling questions asked throughout the webinar
At the end of today's presentation, a link to our CPE Learning Event Survey will be posted in the chat box in the control panel. Please take a few moments to complete the survey, as we appreciate your feedback.
Slide 3: Agenda
- Identify information/data loss risks and high-exposure information/data breaches
- Apply an approach to evaluating and evolving your existing data loss prevention capabilities
- Describe supporting functions that will add to the success of your data loss prevention program

What is Data Loss Prevention?
It is a systematic approach to identifying, monitoring and protecting the confidentiality, integrity and availability of data in motion, at rest or in use.
Slide 4: Polling Question #1
Where are you in forming a Data Loss Prevention program?
A. Full program (strategy, governance, processes, tools, training) in place
B. Defined a data classification framework
C. Bought a tool
D. Just beginning in planning

Risks Posed by Data Loss
Slide 5: Types of information at risk
- Intellectual Property / Trade Secrets
- Personally Identifiable Information (PII)
- System Data and Configuration Settings
- Critical Data
- Personal Health Information (PHI)
- Corporate Strategy
- Unreleased Financial Information

Value and Risk of an Organization's Information

Information                                      Value    Threat   Vulnerability   Counter Measures   Risk
Consolidated financial information               HIGH     MEDIUM   LOW             HIGH               MEDIUM
Customer personal information                    HIGH     HIGH     MEDIUM          HIGH               HIGH
Internal office memorandums (non-confidential)   LOW      LOW      HIGH            LOW                LOW
Confidential executive memorandums               MEDIUM   MEDIUM   MEDIUM          LOW                MEDIUM
Slide 6: What is your risk?
Data loss can result in:
- Significant financial penalties
- Extensive operational impact
- Increased monitoring costs
- Adverse publicity
- Negative effect on your organization's brand and reputation
- Lost business

How it can happen
- Intrusion
- Extrusion
Slide 7: The threat to data continues
Loss of business-critical information is a real threat:
- 74 percent somewhat or extremely concerned
- 42 percent have lost confidential/proprietary information in the past
- 100 percent saw losses (lost revenue, direct financial cost)
Lost devices are a huge problem:
- 62 percent lost devices in the last six months
- 100 percent have some devices that are not password protected
Source: Symantec 2010 SMB Information Protection Survey, May/June 2010

High Profile Data Breach Incidents
Sony Corporation, PlayStation Network, April 26, ,000,000 records: names, addresses, addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and possibly credit cards obtained. No known actual costs. $4,620,000,000 Ponemon Institute direct costs estimate.
Sony Corporation, May 2, ,600,000 customer dates of birth, addresses and phone numbers, including 12,700 non-U.S. credit or debit card numbers and expiration dates and about 10,700 direct debit records including bank account numbers accessed by hacker. No known actual costs. $1,476,000,000 Ponemon Institute direct costs estimate.
Source: Open Security Foundation / DataLossDB.org
Slide 8: High Profile Data Breach Incidents (Cont.)
TJX Companies, January 17, 2007; January 17, ,000,000 credit card numbers and transactions compromised. $64,113,000 total known costs. $5,640,000,000 Ponemon Institute direct costs estimate.
US Department of Veteran Affairs, May 22, 2006; May 22, ,500,000 U.S. military veterans: names, Social Security Numbers, and dates of birth. $20,000,000 total known costs. $1,590,000,000 Ponemon Institute direct costs estimate.
Source: Open Security Foundation / DataLossDB.org

Security flaws create risks to your data
- Information security strategies and objectives not adequately linked to business goals
- Incomplete governance and leadership involvement
- Ineffective security policies
- Irregular or ineffective security risk assessments
- Lack of awareness regarding the location of critical data, how to classify it and how to protect it throughout its lifecycle
- Inadequate monitoring of security controls
- Miscommunication with internal and external audiences regarding security requirements and expectations
- Flawed Web application design; common vulnerabilities persist
- Server and database vulnerabilities
- Ineffective access definitions
- Phishing and social engineering
Slide 9: What Individuals Would Pay to Protect Their Personal Information
- Social Security number / government ID: $240/year
- Credit card number: $150/year
- Electronic or physical histories: $52 - $59/year
- Health industry medical records: $38/year
- On-line buying habits and social profiles: $3 - $5.70/year
- Contact information (phone number, or mailing address): $4.20/year
Source: "What's Your Personal Data Worth" by Tim Money, Jan. 18, 2011, designmind.frogdays.com blog

Common mistakes in approaching a DLP Program
- Looking for the silver bullet: "Install a tool and my problem is solved"
- Having an isolated project or team rather than a holistic approach
- Lack of sponsorship
- Treating it like a compliance project
- Not building the appropriate foundation for the program to work
Slide 10: Polling Question #2
What priority do you give advancing your DLP program in 2012?
A. Top priority
B. In the middle
C. Low priority
D. No intention to focus on it at all

Building a DLP Program
Slide 11: Suggested Steps for a Complete DLP Program
1. Profile Your DLP Needs
2. Characterize Your Current DLP Program
3. Assess Your DLP Program Effectiveness
4. Define a DLP Strategy
5. Create an Action Plan to Achieve the Strategy

Profile Your DLP Needs
Goal: Gain a complete understanding of data types and their use
Suggested Activities:
- Understand your data's business environment:
  - Business drivers across the Enterprise
  - Regulatory and customer requirements as tied to the business
  - Existing data retention standards
- Determine how data is used:
  - Identify data classifications in use across the Enterprise
  - Determine data user groups
- Profile the extent of data use across all avenues:
  - Data at Rest
  - Data in Motion
  - Data at the Endpoints
Slide 12: Characterize Your Current DLP Program
Goal: Identify and understand all currently implemented DLP components and ongoing initiatives
Activities: Determine maturity levels of processes, procedures and solutions used for a DLP operational framework that includes:
- Data Classification
- Data Discovery
- Data Protection
- Governance and Risk Management
- Monitoring, Measurement and Improvement

Current State Capability Maturity Scale
- None: No capability currently exists
- Progressing: Elements of a capability exist and meet some of the compliance requirements and business objectives
- Basic: The capability supports core business processes and compliance requirements
- Advanced: The capability incorporates information security solutions that exceed basic compliance requirements and incorporates industry leading practices
- Industry Leading: The capability exceeds industry standards and sets the model for industry to follow

Assess Your DLP Program Effectiveness
Goal: Determine if the current DLP program has been effectively executed and identify gaps
Activities:
- Evaluate effectiveness of each implemented component of the DLP program
- Estimate adoptability and effectiveness of future initiatives
- Determine gaps and potential risk levels

Risk Determination Scale
- Critical: Extremely weak or nonexistent capabilities to protect critical data; likelihood for exploitation of current state is extremely high; risk of severe adverse impact to company assets is critical and requires immediate attention
- High: Limited or poorly implemented capabilities, large gaps exist; likelihood for exploitation of current state is high; risk of serious adverse impact to company assets is high and requires priority attention
- Moderate: Capabilities exist, but lack formality and consistency; likelihood for exploitation of current state is moderate to high; risk of adverse impact to company assets is moderate and may require priority attention
- Low: Consistent, integrated and managed capabilities are employed; likelihood for exploitation of current state is low; even with no priority attention, risk of adverse impact to company assets is low
Slide 13: Define a DLP Program Strategy
Goal: Define objectives to implement the vision and goals, and finalize the strategy
Activities:
- Create a vision that resonates with all aspects of the business
- Define goals that encompass Governance, People, Processes and Technology to be effective
- Work with data owners and stakeholders to identify objectives across the DLP components as aligned with the goals:
  - Data Classification
  - Data Discovery
  - Data Protection
  - Data Handling
  - Governance and Risk Management
  - Monitoring, Measurement and Improvement
- Validate and finalize

Data Loss Prevention Strategy Structure
DLP Strategy Framework: DLP Vision, DLP Goals, DLP Objectives
Characteristics:
- Sets out a common long-term picture and strategic direction for the Data Loss Prevention program
- Establishes the core business value to be delivered by the Data Loss Prevention program
- Identifies common and business-specific goals that reflect each aspect of the vision
- Encompasses both immediate and future direction across the enterprise
- Integrates measurable targets and procedures for evaluating progress against specified goals and objectives
Slide 14: Governance Considerations
An important aspect of executing an effective DLP program is the incorporation of governance activities. Key areas to include:
- Roles and Responsibilities: Responsibilities for all aspects of DLP operations need to be clearly defined within the business units as well as at the corporate level
- Processes: Processes, including decision points that integrate with defined roles and responsibilities, should be defined for the DLP program
- Oversight, Management and Review: An oversight structure should be defined that incorporates a combination of centralized and decentralized (Business Unit) responsibilities

Roles and Responsibilities for Data Loss Prevention
- Audit Committee: Ultimate accountability
- C-Level Executives: Overall responsibility
- Business Operations: Data ownership
- Information Security Officer: Guidance and oversight
- Information Technology: Data custodian and tool implementation & operation
- Internal Audit: Monitor operating effectiveness
- All Users and Vendors: Follow policies and guidance and report suspected breaches
Slide 15: Develop an Action Plan
Goal: Create an Action Plan to close current gaps and implement a DLP strategy
Activities: Develop an Action Plan, which typically includes:
- Workstream overview
- Quick-win activities
- Prioritized implementation
- Responsible parties
- Resource estimate
- Cost range
- Execution timeline
- Critical success factors

Polling Question #3
What kind of information breaches have you encountered in the past?
A. No breaches
B. Lost or stolen laptops, PDAs or computers
C. Cyber stolen data externally
D. Insider theft of sensitive information
E. Employees send out unencrypted data through
Slide 16: Key Supporting Functions for Your DLP Program
Employee awareness
Employees are critical to a successful data management and data loss prevention program. Employee awareness programs need to include:
- DLP overall policy and supporting policies (e.g., Acceptable Use)
- Initial training
- Ongoing education and periodic reminders
- Evolution of employee education aligned with evolving technology
- Consequences
Even with strong policies and training, employees may not understand how to execute in their environment. Specific guidelines with data use cases and examples of exceptions have helped bridge this gap.
Slide 17: Vendors/Business Partners
Vendors and business partners play a critical role in protecting your data.
- Service Level Agreements should clearly define your data protection requirements, consequences for failing to provide the proper protection and breach notification requirements
- Include in your Vendor Management program examination of protections of your data, including self-assessments and site inspections
- Work with the vendor to remediate risks identified, or choose an alternate vendor, preferably before a breach occurs

Incident Response
Data breaches can happen! An organization must be prepared. Incorporate data breaches into your incident response procedures, which should include:
- Reporting: any employee discovering a potential breach needs to know who to contact and what information to provide
- Define an Incident Response Team (members, roles and responsibilities) with the appropriate knowledge to evaluate data breaches
- Actions to be taken (shutting down, recovery, data scrubbing, retention of data, chain of custody)
- Communication protocols (internal, customer, shareholders, authorities, press)
- Breach notification: several regulations require notification to the affected parties (understand the different notification triggers)
Slide 18: Tools and Technology
Technology needs to be aligned with the goals and objectives of the DLP program. Tools available include:
- Discovery and fingerprinting
- Content awareness and filtering
- Logging, monitoring and alerting when accessed
- Encryption
- Content monitoring
- Mobile device protection
- Access controls
- Firewalls, intrusion prevention, intrusion detection
- Virus protection
- DLP products
- Others

Closing Observations
- Business and personal data will continue to be targets, not only from external sources but internal as well
- Understanding your data is absolutely critical to protecting it: what data is important, where your data is located, how it's used, how your data flows during business transactions, etc.
- Threat profiles and business operations continuously change; implementing a strong risk management program to periodically reexamine DLP program effectiveness is important
- Effective DLP programs go beyond just implementing a tool
- Data breaches may still happen! Data breach notifications and response are critical to minimize impact and regulatory fines.
Slide 19: Questions?
For more information please contact: Duane Baldwin, Mobile

Webinar evaluation
A link to our CPE Learning Event Survey is now located in the chat box in the control panel. Please take a few minutes to provide us with your feedback.
Slide 20: More information
For more information, please visit
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationMobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services
Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationRisk Assessment. The Heart of Information Security
Risk Assessment The Heart of Information Security Overview Warm-up Quiz Why do we perform risk assessments? The language of risk - definitions The process of risk assessment Risk Mitigation Triangle Lessons
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationCybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security
Cybersecurity What Companies are Doing & How to Evaluate Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security Learning Objectives At the end of this presentation, you will be able to: Explain the
More informationDefense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016
Defense in Depth Constructing Your Walls for Your Enterprise Mike D Arezzo Director of Security April 21, 2016 Defense in Depth Defense in Depth Coordinated use of multiple security countermeasures Protect
More informationChanging the Game: An HPR Approach to Cyber CRM007
Speakers: Changing the Game: An HPR Approach to Cyber CRM007 Michal Gnatek, Senior Vice President, Marsh & McLennan Karen Miller, Sr. Treasury & Risk Manager, FireEye, Inc. Learning Objectives At the end
More informationPreparing for a Breach October 14, 2016
Preparing for a Breach October 14, 2016 Jeremy Gilbert, GCFE, GASF, EnCE, CPA Manager, DHG Forensics forensics 1 Agenda Medical data breaches Why? Types? Frequency? Impact of a data breach How to prepare
More informationSOC for cybersecurity
April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory
More informationPrivacy Implications Guide. for. the CIS Critical Security Controls (Version 6)
Privacy Implications Guide for the CIS Critical Security Controls (Version 6) Privacy Implications Guide for the CIS Critical Security Controls (Version 6) Acknowledgements: The Center for Internet Security
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationSFC strengthens internet trading regulatory controls
SFC strengthens internet trading regulatory controls November 2017 Internet trading What needs to be done now? For many investors, online and mobile internet trading is now an everyday interaction with
More informationSELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats
SELLING YOUR ORGANIZATION ON APPLICATION SECURITY Navigating a new era of cyberthreats Selling Your Organization on Application Security 01 It's no secret that cyberattacks place organizations large and
More informationIncident Response. Tony Drewitt Head of Consultancy IT Governance Ltd
Incident Response Tony Drewitt Head of Consultancy IT Governance Ltd www.itgovernance.co.uk IT Governance Ltd: GRC One-Stop-Shop Thought Leaders Specialist publisher Implementation toolkits ATO Consultants
More informationCyber Security and Data Protection: Huge Penalties, Nowhere to Hide
Q3 2016 Security Matters Forum Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide Alan Calder Founder & Executive Chair IT Governance Ltd July 2016 www.itgovernance.co.uk Introduction
More informationPresented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0
Cyber Security and Inside Threats: Turning Policies into Practices Presented by Ingrid Fredeen and Pamela Passman Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Presented By Ingrid Fredeen, J.D.
More informationBPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.
BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...
More informationState of Security Operations
State of Security Operations Roberto Sandoval / September 2014 Security Intelligence & Operations Consulting Founded: 2007 The best in the world at building state of the art security operations capabilities/cyber
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationDissecting Data Breaches. What Keeps Going Wrong?
Dissecting Data Breaches What Keeps Going Wrong? 02 WHO WE ARE Tom Stewart Uriah Robins Senior Manager IT Consulting Protiviti Senior Consultant IT Consulting Protiviti PRESENTATION AGENDA 3 START BREACH
More informationComputer Security Incident Response Plan. Date of Approval: 23-FEB-2014
Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents
More informationMay 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations
May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationData Protection. Plugging the gap. Gary Comiskey 26 February 2010
Data Protection. Plugging the gap Gary Comiskey 26 February 2010 Data Protection Trends in Financial Services Financial services firms are deploying data protection solutions across their enterprise at
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationSOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)
SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.
More information2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly
2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly please download the guide at https://otalliance.org/incident 2017 Cyber Incident & Breach Readiness Webinar Craig Spiezle Executive Director
More informationPrivacy Breach Policy
1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure
More informationINFORMATION SECURITY-SECURITY INCIDENT RESPONSE
Information Technology Services Administrative Regulation ITS-AR-1506 INFORMATION SECURITY-SECURITY INCIDENT RESPONSE 1.0 Purpose and Scope The purpose of the Security Response Administrative Regulation
More informationSYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security
SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it
More informationGoing Paperless & Remote File Sharing
Going Paperless & Remote File Sharing Mary Twitty Family Services Director Earnest L. Hunt-Director of Sub-recipient Monitoring Tammy Smith Program Director Introduction Define the subject matter Move
More informationCybersecurity and Nonprofit
Cybersecurity and Nonprofit 2 2 Agenda Cybersecurity and Non Profits Scenario #1 Scenario #2 What Makes a Difference Cyber Insurance and How it Helps Question and Answer 3 3 Cybersecurity and Nonprofit
More informationHow Cyber-Criminals Steal and Profit from your Data
How Cyber-Criminals Steal and Profit from your Data Presented by: Nick Podhradsky, SVP Operations SBS CyberSecurity www.sbscyber.com Consulting Network Security IT Audit Education 1 Agenda Why cybersecurity
More information