Don t Become a Poster Child for a Cyber Breach

Transcription

1

2 Don t Become a Poster Child for a Cyber Breach Breakout Session #: B10 Presented by: Robert E. Jones CPA, CPCM, Fellow Terry O Connor J.D., LL.M. Partner, Berenzweig Leonard LLP Date: July 24, 2017 Time: 2:30 PM 1

3 Positive Share 2

4 Safety Check 3

5 4

6 Were You Ready? Were You Ready on May 12, 2017? 5

7 Don t Become a Poster Child You DON T want a court case or new rule named after you! 6

8 The FAR Requirements FAR

9 The FAR Requirements Explaining the Basic Safeguards FAR requires 15 controls at a minimum on covered contractor information systems. 8

10 The FAR Requirements The 15 requirements are requirements that most prudent businesses follow. 9

11 The FAR Requirements The FAR focus is on SYSTEMS, not DATA 10

12 The FAR Requirements Definitions Covered Contractor Information Systems Federal Contract Information Information Information System 11

13 The FAR Requirements Access Controls Limit Access To Authorized Users To the transactions/functions authorized users can execute 12

14 The FAR Requirements Access Controls Control: Use of External Information Systems Posting of information on publicly accessible information systems 13

15 The FAR Requirements Identification and Authentication Identify users and authenticate their identity before letting them use information system 14

16 The FAR Requirements Media Protection Destroy media before disposal 15

17 The FAR Requirements Physical Protection Limit physical access Escorts, sign-in logs, and door-openers 16

18 The FAR Requirements Systems & Communications Protection Boundary protections Subnetworks 17

19 The FAR Requirements Systems & Communications Protection Timely report and fix flaws Protect against malicious code and install update protections Scan system periodically and scan downloads in real-time 18

20 The Guidelines NIST (SP) Categories 109 Specific Requirements 19

21 Compliance Efforts Large businesses spending more than 12 months and hundreds of thousands of dollars. What s a small or medium business to do? 20

22 Compliance Efforts Make a good-faith effort Document your efforts 21

23 Compliance Efforts Protect all data and networks as if they were your own. These are practical items every business should already employ. 22

24 What Hackers Want Steal data Tarnish your reputation 23

25 What s at Stake Corporate Network Mobile Devices Cloud Storage Social Media Online Accounts 24

26 What You Can Do Assesment Assess your risks and develop a program that meets your needs. 25

27 What You Can Do Authentication Verify identity and need-to-know before granting access. Authenticate users with each access. 26

28 What You Can Do Training Train employees on cyber security, threats, and your process. 27

29 What You Can Do Audit Audit your process, address findings, document results Repeat 28

30 What You Can Do Physical Security Limit access to facility and servers 29

31 What You Can Do Physical Security Tools Key Cards Visitor Logs Security Systems 30

32 What You Can Do Updates & Patches Install all software updates and patches. Auto-install preferred. 31

33 What You Can Do Updates & Patches 32

34 What You Can Do Virus Protection Install virus and malware protection on all devices. 33

35 What You Can Do Virus Protection Tools Avast, AVG, Eset, Kaspersky, Malware Bytes, McAfee 34

36 What You Can Do Password Management Create secure passphrases Use password management tool 35

37 What You Can Do Password Management Tools Dashlane, Keeper, LastPass, OneLogin, Roboform, SplashID 36

38 What You Can Do WIFI & Bluetooth Turn off until needed Avoid public WIFI Use VPN 37

39 What You Can Do WIFI & Bluetooth Tools Change admin username and password Separate from corporate network 38

40 What You Can Do Wifi VPN Tools Avast, Pure VPN, SaferVPN, Vyprvpn 39

41 What You Can Do Mobile Devices Use PIN Setup remote wipe 40

42 What You Can Do Mobile Device Tools 41

43 What You Can Do Mobile Device Tools Avira Lookout McAfee 42

44 What You Can Do Use separate accounts Setup multi-factor authentication 43

45 What You Can Do Cloud Storage Use separate accounts Setup multi-factor authentication 44

46 What You Can Do Cloud Storage Tools Box, Carbonite, Dropbox, Google Drive, idrive, OneDrive 45

47 What You Can Do Encryption Use PIN on mobile devices Encrypt laptops, storage, and websites Encrypt s 46

48 What You Can Do Encryption Tools Comodo, Entrust, Globalsign 47

49 What You Can Do Multi-Factor Authentication User ID Password Another item 48

50 What You Can Do Multi-Factor Tools Google Authenticator Windows Authenticator RSA SecurID 49

51 The Cost of Compliance Generally, as long as the safeguards are in place, failure of the controls to adequately protect the information does not constitute a breach of contract. -81 Federal Register

52 Safety Check Use the Q&A process to get specific solicitation requirements Read the contract! 51

53 Download presentation and access all resources: 52

54 Contact Information Robert E. Jones CPA, CPCM, Fellow (614) Terry O Connor J.D., LL.M. (703) toconnor@berenzweiglaw.com 53