Clearing Away The Shadows: Cloud Privacy and Security for Research Data
Slide 1: Clearing Away The Shadows: Cloud Privacy and Security for Research Data
Melissa L. Markey, Hall, Render, Killian, Heath & Lyman, PLLC, 201 W Big Beaver Rd., Suite 1200, Troy, MI, mmarkey@hallrender.com

Slide 2: What is Cloud?
- "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (NIST Special Publication)

Slide 3: What is Cloud?
- On-demand self-service: consumer managed
- Broad network access: multiple types of assets
- Resource pooling: multi-tenancy
- Rapid elasticity: high flexibility
- Measured service

Slide 4: What is Cloud? Service Models:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
- Security as a Service (SECaaS)

Slide 5: What is Subject to FDA Part 11?
- Records with GxP data
- Quality decision records
- Records submitted to FDA
- Research data
- Laboratory data
- Animal data
- Manufacturing data
- SOPs
- QA data
- Tracking logs
- Batch records
- Supplier records
- Audit reports
- Anything else that goes to FDA
- Consider risk
Slide 6: Part 11 Closed System, 21 CFR:
- (a) Validation
- (b) Accurate and complete records
- (c) Protection of records
- (d) Access controls
- (e) Audit trails
- (f) Operational system checks
- (g) Authority checks (authentication of authority)
- (h) Device checks
- (i) Training
- (j) Written policies
- (k) Controls over system documentation

Slide 7: Part 11 Open System, 21 CFR:
- Controls and systems to ensure authenticity, integrity and confidentiality of the record
- Includes the items in 21 CFR PLUS:
  - Encryption
  - Appropriate digital signature standards to ensure integrity, authenticity, and confidentiality as appropriate
- Note that availability is not required!

Slide 8: Electronic Signatures, 21 C.F.R. 50, 70, and Part 11 Subpart C
- Includes printed name, date, time and meaning of signature
- Subject to the same controls as other electronic records
- Human readable on screen/printouts
- Linked to the relevant record in a manner that prevents removal, copying, transfer, falsification

Slide 9: Electronic Signatures, 21 C.F.R. 50, 70, and Part 11 Subpart C
- Signer must be identity proofed by the organization
- Signature must be unique and NOT SHARED
- Certification that the electronic signature is equivalent to a wet ink signature
- If not biometric, need 2 factors
- Batch signing: no true batch signing permitted; can do rapid signing with 1 factor after the first document uses 2-factor authentication
- Good computer credentials hygiene required
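The slide 8 requirements (printed name, date, time and meaning, bound to the record so the signature cannot be copied or transferred) as working code. This is an added example, not code from the presentation; the ed25519 signature scheme, the JSON manifest layout and the sample record are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Manifest carries the Part 11 signature elements from slide 8: the signer's
// printed name, the date and time, and the meaning of the signature. The
// record hash is what binds the manifest to one specific record.
type Manifest struct {
	RecordHash string    `json:"record_hash"` // SHA-256 of the record being signed
	SignerName string    `json:"signer_name"`
	SignedAt   time.Time `json:"signed_at"`
	Meaning    string    `json:"meaning"` // e.g. "Reviewed", "Approved"
}

// ElectronicSignature is the manifest plus a digital signature over it, so
// that changing any manifest field, or the record, invalidates it.
type ElectronicSignature struct {
	Manifest  Manifest
	Signature []byte // ed25519 signature over the JSON-encoded manifest
}

func hashRecord(record []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(record))
}

// Sign produces a signature that is linked to exactly this record. The
// signer's private key is assumed to be unique to that person (slide 9).
func Sign(priv ed25519.PrivateKey, record []byte, signer, meaning string, at time.Time) (*ElectronicSignature, error) {
	m := Manifest{RecordHash: hashRecord(record), SignerName: signer, SignedAt: at.UTC(), Meaning: meaning}
	encoded, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return &ElectronicSignature{Manifest: m, Signature: ed25519.Sign(priv, encoded)}, nil
}

// Verify recomputes the record hash and checks the signature over the manifest.
// A signature copied onto another record fails the hash comparison; an edited
// manifest (e.g. changed meaning) or a different signer fails the signature check.
func Verify(pub ed25519.PublicKey, record []byte, sig *ElectronicSignature) bool {
	if sig.Manifest.RecordHash != hashRecord(record) {
		return false
	}
	encoded, err := json.Marshal(sig.Manifest)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, encoded, sig.Signature)
}

// Render is the human-readable form slide 8 requires on screen and printouts.
func Render(sig *ElectronicSignature) string {
	return fmt.Sprintf("%s on %s: %s (record %s)",
		sig.Manifest.SignerName,
		sig.Manifest.SignedAt.Format(time.RFC3339),
		sig.Manifest.Meaning,
		sig.Manifest.RecordHash[:12])
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	record := []byte("Batch 17 release record (constructed sample)")
	sig, err := Sign(priv, record, "A. Reviewer", "Approved", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(Render(sig))
	fmt.Println("verifies on original record:", Verify(pub, record, sig))
	fmt.Println("verifies on a different record:", Verify(pub, []byte("Batch 18 release record"), sig))
}
```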
Slide 10: What is Cloud? Deployment Models:
- Private cloud
- Public cloud
- Hybrid
- Community cloud

Slide 11: Why Cloud?
- Cost: no/sharply reduced capital expenditure; operating expenditure matches need
- Speed: provisioning takes 15 minutes instead of 6 months
- Ease: get a server by going to a website; avoid internal approvals/barriers

Slide 12: Why Cloud?
- Scalability: permits upscaling to handle very large datasets; facilitates data sharing when appropriate
- Interoperability: most cloud environments are made to be application/OS/hardware agnostic

Slide 13: Why Worry? There are some risks:
- FDA Part 11 / EMEA Annex 11
- GMP
- Data protection
- HIPAA
- Other compliance issues
- Trade secrets

Slide 14: Why Worry? Business Risks:
- Outages/downtime
- Loss of connection
- Breaches
- Data portability: must be able to transfer data out if you change provider or return to an in-house data solution
- Security is critical

Slide 15: [Figure: Cloud Computing Diagram]
Slide 16: What are the Risks? Confidentiality of Data
- At rest:
  - Within the software application
  - Within the primary and secondary backup systems, including storage media
  - Within mobile devices (smartphones, iPad)
- In motion:
  - Hardwired
  - Wireless
  - Mobile devices

Slide 17: What are the Risks?
- Where is your data, and what law applies?
- Data rights and ownership
- What are operations/performance expectations?
- What are remedies for failures?
- What are backup, disaster recovery, restore expectations?
- Who is responsible for security?
- What about audits, pen tests, etc.?

Slide 18: What are the Risks?
- Data breach/loss of confidentiality
- Data leaks
- Loss of integrity
- Loss of availability
- Hacktivism/hijacking of account
- Changes in business model/termination of vendor/transition of contract

Slide 19: Data Breach/Loss of Confidentiality
- "Hackers Stole Account Details for Over 60 Million Dropbox Users" (Aug. 30, 2016)
- Probably the #1 concern of most customers
- In the past 2 years, cloud vendors have had a good experience with respect to data breaches
- But they give you tools; you are responsible for using them properly

Slide 20: Data Breach/Loss of Confidentiality. Strategy:
- Encryption
- User access controls and multifactor authentication
- Audit trails
- Training
- Set up a secure cloud image, with basic security policies applied and security tools configured; only that image can be used
- Segregate environments to the greatest extent possible
- Use least privileges; minimize user accounts

Slide 21: Basics of Encryption
Slide 22: Key, Key, Who Has the Key?
- Other alternatives:
  - Symmetric key: encrypt, then have a master key that encrypts the symmetric key. The symmetric key is stored with the data, but cannot be used without being decrypted by the master key.
  - Client-side encryption: you encrypt the data and send it to the cloud vendor. The cloud vendor is essentially a dumb backup only.
  - Server-side encryption

Slide 23: Key, Key, Who Has the Key? Server-side encryption
- Encrypts data at rest
- Typically the cloud vendor has access to the key
- Uses a symmetric data key hierarchy
- For some vendors, you can provide your own key to encrypt, and the cloud vendor does not retain the key
- Some vendors offer key management services, so the customer does not have to keep track of their own keys

Slide 24: Key, Key, Who Has the Key?
- Control of the encryption key helps determine status as a business associate for entities subject to HIPAA
- Allows audit trails of who encrypted/decrypted data
- If you use customer-provided keys, consider where the hardware necessary for key security management will be located; this can grant complete control over keys
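The "symmetric key stored with the data, usable only after decryption by a master key" scheme from slide 22, carried through in working code (envelope encryption with a per-record data key and a customer-held master key). This is an added example, not code from the presentation; AES-256-GCM for both layers, the Envelope layout and the sample record are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the bundle handed to the cloud vendor: the encrypted record,
// the per-record data key wrapped under the master key, and the two nonces.
// Whoever holds only this bundle (the vendor, a backup, a copied disk image)
// cannot recover the data key, and therefore the record, without the master key.
type Envelope struct {
	WrappedDEK []byte // data key encrypted under the master key (KEK)
	WrapNonce  []byte // nonce used when wrapping the data key
	Nonce      []byte // nonce used when encrypting the record
	Ciphertext []byte // record encrypted under the data key (AES-256-GCM)
}

// newGCM builds an AES-GCM cipher for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// Seal encrypts one record with a fresh 256-bit data key, then wraps that data
// key with kek, the master key the customer keeps (in an HSM, a key management
// service, or on premises). The plaintext data key never leaves this function.
func Seal(kek, plaintext []byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	ciphertext := dataAEAD.Seal(nil, nonce, plaintext, nil)

	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped := kekAEAD.Seal(nil, wrapNonce, dek, nil)

	return &Envelope{WrappedDEK: wrapped, WrapNonce: wrapNonce, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal: unwrap the data key with the master key, then decrypt the
// record. A wrong or missing master key fails at the first step, before any
// record bytes are touched; a modified ciphertext fails the GCM tag check.
func Open(kek []byte, env *Envelope) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, env.WrapNonce, env.WrappedDEK, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or missing master key")
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	kek, _ := randomBytes(32) // in practice loaded from the customer's key store
	env, err := Seal(kek, []byte("constructed lab record: sample 7, result 42"))
	if err != nil {
		panic(err)
	}
	// The vendor-side view: only ciphertext and a wrapped key, no plaintext.
	fmt.Printf("stored: %d ciphertext bytes, %d wrapped-key bytes\n", len(env.Ciphertext), len(env.WrappedDEK))
	if _, err := Open(make([]byte, 32), env); err != nil {
		fmt.Println("without the master key:", err)
	}
	plain, err := Open(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the master key:", string(plain))
}
```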
Slide 25: Data Leakage
- Often occurs due to insufficient user access and authentication controls
- Need to know where your data is, and where it is going
- Strategy:
  - Who controls/enforces user access controls and authentication?
  - Audit trails
  - Monitor network activity

Slide 26: Integrity. Loss of Integrity:
- Corruption due to malware
- Errors in backup
- Failure of access control
- Configuration errors
- Strategy:
  - Due diligence of vendor
  - Can you have your own backup?
  - Check your data integrity from time to time

Slide 27: Availability
- Not referenced in Part 11; part of integrity and an express concern under HIPAA
- Some unavailability is to be expected; the question is what is acceptable, based on the mission criticality of the data
- DDoS is a risk in cloud computing
- Physical security/disaster of data center or internet connections

Slide 28: Availability
- Configuration/pen testing/change management disruptions
- If your co-tenant or vendor is raided, your servers may be affected
- Strategies:
  - Look at Continuous Integration/Continuous Delivery options
  - Understand disaster recovery responsibilities
  - Do you have a copy of your data?
  - Consider a failover option

Slide 29: HIPAA OCR Guidance: Cloud Provider is a Business Associate
- Whether or not the data is encrypted
- Without regard to who holds the encryption key
- A cloud computing provider is not a conduit
- Therefore, the cloud provider must be subject to a Business Associate Agreement
- The cloud provider will also be directly subject to regulation

Slide 30: HIPAA OCR Guidance: Cloud Provider is a Business Associate. Service Level Agreements should address, consistent with legal requirements:
- System availability and reliability
- Backup and data reliability
- Return of data to customer after termination
- Security responsibility
- Use, retention and disclosure limitations

Slide 31: HIPAA OCR Guidance: Cloud Provider is a Business Associate
- Cloud provider security vulnerabilities should be considered in the Covered Entity's risk assessment
- There needs to be a clear allocation of security responsibility between the cloud provider and the customer/Covered Entity, and no gaps should exist
- If the CSP cannot access data, security requirements may be eased

Slide 32: FTC
- The Federal Trade Commission is becoming very active in data privacy issues
- Recent guidance: entities that hold PHI may also hold consumer data and be subject to FTC jurisdiction
- There are jurisdictional limits
- Entities that are not subject to HIPAA need to be sensitive to FTC privacy requirements
Slide 33: EU: Network and Information Security Directive
- Came into effect August 2016; enforceable May 2018
- Requires each Member State to adopt a national strategy on the security of network and information systems
- Establishes security and incident notification requirements for operators of essential services and digital service providers
- Subordinate to sector-specific laws

Slide 34: EU: Network and Information Security Directive. Essential Services include:
- Energy companies
- Air, rail, water and road transport companies
- Banking and financial institutions
- Drinking water suppliers
- Healthcare providers
- Digital infrastructure

Slide 35: EU: Network and Information Security Directive. Operators of Essential Services must:
- Take appropriate and proportional technical and administrative measures to control risk posed to network and data
- Take appropriate measures to minimize the impact of security incidents
- Notify the CSIRT or authority of incidents that have a significant impact on the continuity of the essential services provided

Slide 36: EU: Network and Information Security Directive. Digital Services Providers:
- Must identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems
- Take measures to prevent and minimize the impact of security incidents
- Notify the CSIRT or authority of incidents having a substantial impact on the provision of services
- Includes cloud computing services

Slide 37: EU: Network and Information Security Directive
- "Cloud computing services" means services that allow access to a scalable and elastic pool of shareable computing resources, [including] resources such as networks, servers or other infrastructure, storage, applications and services...
- The term "scalable" refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand

Slide 38: EU Impact
- As with the GDPR, the EU NIS Directive has potentially global impact
- If an entity is directing services to EU citizens, then purportedly the Directive applies to that entity, whether or not physically located in the EU
- The entity is required to have a registered agent in the EU

Slide 39: GDPR EU Impact
- Any cross-border transfer must be supported by a legal basis:
  - To a country with substantially equivalent privacy protections (not the US)
  - Privacy Shield
  - Model Contract Clauses
  - Binding Corporate Rules
  - Consent
  - Derogations
Slide 40: Major Security Risks. Compromised Credentials and Failures of Authentication:
- Use of weak passwords
- Failure to deactivate credentials for terminated employees
- Re-use of passwords that are compromised in other hacks
- Failure to use 2-factor authentication
- Use of default passwords, or saving credentials in public-facing locations

Slide 41: Major Security Risks
- Vulnerable interfaces and APIs: often disregarded, but open to the Internet and need to be secure
- Bugs and software vulnerabilities: shared memory and databases result in larger attack surfaces
- Hijacked accounts: phishing, spearphishing, and whaling; may attack your account, or use your account to attack other accounts

Slide 42: Major Security Risks. Malicious Insiders:
- Current or former employee, contractor, cloud provider employee, business partner
- Motivation ranges from financial to emotional
- Strategies:
  - Segregation of duties and audits are critical
  - Monitor user access
  - Audit access authorizations annually
  - Look for exfiltration of data

Slide 43: Major Security Risks. Advanced Persistent Threats:
- May move laterally through a cloud environment to other customers
- Can't abdicate vigilance against APTs just because you are in the cloud
- Strategy:
  - Require the cloud provider to maintain security measures to monitor for APTs
  - Monitor your data and audit logs

Slide 44: Major Security Risks
- Data Breach. Strategy:
  - Business Associate Agreement with indemnification
  - Training
  - Backup data
- Data Loss due to Error. Strategy:
  - Backup data
  - Require use of standardized change control procedures

Slide 45: Major Security Risks. Lack of Diligence in Selection/Contracting:
- Due diligence before you select your cloud provider
- Security measures: physical, technological and administrative security measures
- Negotiate the contract: business continuity/disaster recovery; location of data center; jurisdiction/venue
- Require updated information each year: security, operational and other policies

Slide 46: Major Security Risks. Lack of Diligence in Selection/Contracting:
- Make sure to address transition away from the cloud provider and transition of data: when, and in what format
- OCR guidance: it is a HIPAA breach for a business associate to attempt to withhold PHI from a Covered Entity in the event of a dispute or termination of an agreement
Slide 47: Major Security Risks. Ransomware:
- Malware that either locks computers or encrypts data, preventing the data owner's access until a ransom is paid
- Ransom typically demanded in bitcoins
- Some variants either increase the ransom demand, or delete data, if the ransom is not paid in the time required
- An effort of several governments and Kaspersky Security called the No More Ransom Project is starting to make inroads in decryption of some variants

Slide 48: Major Security Risks. Ransomware Strategy:
- Encrypt data at rest and in transit
- Backup data; keep at least one backup offline; restore backups
- Keep systems patched
- Training: don't click on links; don't open suspicious/unexpected documents
- Use whitelisting

Slide 49: Major Security Risks. DDoS:
- Denial of Service/Distributed Denial of Service: millions of requests for service tie up servers and prevent legitimate requests from reaching them
- On October 21, 2016, a DDoS attack using malware called Mirai established a botnet of Internet of Things devices, such as DVRs and connected cameras, and interrupted Internet connections for many companies
- This type of attack can disrupt cloud providers as well

Slide 50: Major Security Risks. DDoS Strategy:
- Redundant telecom connections from the company to the cloud provider
- Talk to your cloud provider about their plans for defense against DDoS
- Be prepared to go offline under the business continuity plan

Slide 51: Major Security Risks. Hacktivism/Hijacking:
- You may be a target, another co-tenant may be a target, or the vendor may be a target of the hacktivist
- Your accounts could be hijacked
- Data could be deleted/modified
- Strategy:
  - Ensure patching is up to date
  - Monitor network traffic
  - Do you have a copy of your data?

Slide 52: In Summary. Cloud computing can work, in healthcare and in research, but it requires:
- Diligence in selecting the cloud provider
- Careful negotiation of an appropriate contract that allocates responsibility and risk
- For a HIPAA Covered Entity, a BAA with the cloud provider (unless access to PHI is not required)
- Continuing oversight by the customer

Slide 53: Questions? Please contact: Melissa Markey, Esq.
George Gerchow, Sumo Logic Chief Information Security Officer Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops. Agenda Sumo Security
More informationRecommendations for Implementing an Information Security Framework for Life Science Organizations
Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information
More informationISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.
ISSUE N 1 MAJOR MODIFICATIONS Version Changes Related Release No. 01 First issue. 2.8.0 PREVIOUS VERSIONS HISTORY Version Date History Related Release No. N/A N/A N/A N/A APPROVAL TABLE Signatures below
More information"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.
Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and
More informationSecurity Audit What Why
What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,
More informationElectronic Communication of Personal Health Information
Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy
More informationDON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY
DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationWHITE PAPER. Title. Managed Services for SAS Technology
WHITE PAPER Hosted Title Managed Services for SAS Technology ii Contents Performance... 1 Optimal storage and sizing...1 Secure, no-hassle access...2 Dedicated computing infrastructure...2 Early and pre-emptive
More informationTechnology Security Failures Common security parameters neglected. Presented by: Tod Ferran
Technology Security Failures Common security parameters neglected Presented by: Tod Ferran October 31 st, 2015 1 HALOCK Overview Founded in 1996 100% focus on information security Privately owned Owned
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationDeveloping Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationSecurity Models for Cloud
Security Models for Cloud Kurtis E. Minder, CISSP December 03, 2011 Introduction Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer
More informationIntroduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview
IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More informationTechnical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016
For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission
More informationEU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit
EU GDPR & https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit Note: The documentation should preferably be implemented in the order in which it is listed here. The order
More informationDeMystifying Data Breaches and Information Security Compliance
May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationNATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES
NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES DOCUMENT DETAIL Security Classification Unclassified Authority National Information Technology Authority - Uganda
More informationCOUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017
COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE Presented by Paul R. Hales, J.D. May 8, 2017 1 HIPAA Rules Combat Cyber Crime HIPAA Rules A Blueprint to Combat Cyber Crime 2 HIPAA Rules Combat Cyber Crime
More informationCisco Webex Messenger
Cisco Webex Messenger This describes the processing of personal data (or personal identifiable information) by Cisco Webex Messenger. 1. Overview of Cisco Webex Messenger Capabilities Cisco Webex Messenger
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationGuide to Cyber Security Compliance with GDPR
Guide to Cyber Security Compliance with GDPR Security V1.3 General Data Protection Regulation GDPR Overview What is GDPR? An EU regulation coming into force in May 2018 Which means it applies to all EU
More informationProtecting Your Cloud
WHITE PAPER Protecting Your Cloud Maximize security in cloud-based solutions EXECUTIVE SUMMARY With new cloud technologies introduced daily, security remains a key focus. Hackers and phishers capable of
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationProtect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com
Protect Your Endpoint, Keep Your Business Safe. White Paper Exosphere, Inc. getexosphere.com White Paper Today s Threat Landscape Cyber attacks today are increasingly sophisticated and widespread, rendering
More informationCloud computing the use of contracts as a means of governing networked computer services.
Cloud computing the use of contracts as a means of governing networked computer services. Kevin McGillivray PhD Research Fellow, UiO kevin.mcgillivray@jus.uio.no Agenda Introduction to cloud computing
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationGranted: The Cloud comes with security and continuity...
Granted: The Cloud comes with security and continuity... or, does it? Bogac Ozgen, MSc GyroFalco Ltd. http://www.gyrofalco.com Questions & Answers Do we still need security and continuity? YES Should I
More informationPart 11 Compliance SOP
1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document
More informationASD CERTIFICATION REPORT
ASD CERTIFICATION REPORT Amazon Web Services Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Elastic Block Store (EBS) and Simple Storage Service (S3) Certification Decision ASD certifies Amazon
More information