Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

Similar documents
Cybersecurity The Evolving Landscape

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Cyber Security Program

GDPR: A QUICK OVERVIEW

Cybersecurity in Higher Ed

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

What It Takes to be a CISO in 2017

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Cyber Insurance: What is your bank doing to manage risk? presented by

Cyber Risks in the Boardroom Conference

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Unified Communications Phase 2 Presentation to IT Services Users Group

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

10 FOCUS AREAS FOR BREACH PREVENTION

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cybersecurity Today Avoid Becoming a News Headline

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Anticipating the wider business impact of a cyber breach in the health care industry

Certified Information Security Manager (CISM) Course Overview

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Background FAST FACTS

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Governance Ideas Exchange

How to avoid storms in the cloud. The Australian experience and global trends

Webcast title in Verdana Regular

BHConsulting. Your trusted cybersecurity partner

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Will you be PCI DSS Compliant by September 2010?

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Sage Data Security Services Directory

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

The Evolving Threat to Corporate Cyber & Data Security

Cyber Risks, Coverage, and the Board of Directors.

Cyber Resilience - Protecting your Business 1

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Effective Strategies for Managing Cybersecurity Risks

Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference

2017 Annual Meeting of Members and Board of Directors Meeting

Credit Union Service Organization Compliance

locuz.com SOC Services

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

The Data Breach: How to Stay Defensible Before, During & After the Incident

External Supplier Control Obligations. Cyber Security

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

CCISO Blueprint v1. EC-Council

Assessing Your Incident Response Capabilities Do You Have What it Takes?

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

Healthcare HIPAA and Cybersecurity Update

Must Have Items for Your Cybersecurity or IT Budget in 2018

Cybersecurity Protecting your crown jewels

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

CipherCloud CASB+ Connector for ServiceNow

Cybersecurity, safety and resilience - Airline perspective

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

CYBER INSURANCE: MANAGING THE RISK

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

Data Loss Prevention:

Designing and Building a Cybersecurity Program

Addressing penetration testing and vulnerabilities, and adding verification measures

Cybersecurity Auditing in an Unsecure World

Cybersecurity and the role of internal audit An urgent call to action

Is your business prepared for Cyber Risks in 2018

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Information Technology General Control Review

4/5/2017. April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

Cybersecurity. Securely enabling transformation and change

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

European Union Agency for Network and Information Security

FFIEC Cybersecurity Assessment Tool

The Impact of Cybersecurity, Data Privacy and Social Media

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

How to Prepare a Response to Cyber Attack for a Multinational Company.

Cyber Security Incident Response Fighting Fire with Fire

Managing Cybersecurity Risk

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

BHConsulting. Your trusted cybersecurity partner

Transcription:

Agenda Agenda Security essentials Year in review College/university challenges Recommendations 2

About me Matt Franko Director, Risk Advisory Services matthew.franko@rsmus.com (216) 927-8224 11+ years in cybersecurity Provides security, privacy and risk related services to several Ohio universities and colleges. PCI QSA, CISSP 3

Security essentials To protect assets, you need strong controls in three primary areas: Personnel/process Cyber Physical Failure in any of the three primary controls can cause a breach of your assets. Failure of the two wrappers can either increase the impact of the breach or further cause problems with the primary controls 4

Year in review: top attack vectors Top external attack vectors Phishing 24% Weak passwords Internal pivot points Weak passwords Outdated systems 30% 85% Of compromises were due to lack of user awareness 22% *$166/Record *Per IBM s 2018 Cost of a Data Breach Study Default passwords 18% Sensitive data insecurely stored Weak passwords Web consoles NBNS spoofing Phishing Misconfigs Missing patches 5

How are hackers getting to information? Get the initial foothold Phishing Weak passwords Default/missing credentials Pivot to the data Clear text passwords in memory Improper network segmentation Sensitive data left unprotected at rest Phishing email sent to store manager User downloads malicious attachment allowing access to computer Weak passwords on system allow passwords to be cracked Local Administrator account identified Credential provides access to internal IT server that was also logged into by Domain Admin Domain Admin credentials allow access to Loyalty Database Unencrypted data is recovered and taken from organization 6

Office 365 type attacks Record retention Outlook rules 7

Specific challenges for colleges and universities Disparate departments doing their own thing or don t know their responsibilities Rogue systems and servers being deployed Sensitive data on insecure laptops/mobile devices Soft physical security targets Complications translating/implementing critical incident and business continuity requirements 8

University threats Critical data Personally identifiable information Bank account information Cardholder data Protected health information Research data Donor information Open environments Freedom of information Increased exposure Students with access and skill set 9

Key areas to limit risk Incident response planning Identify vulnerabilities/risks within the environment and develop a plan for remediation User education and awareness Primary source of compromise in environments Vigilance, password complexity Segmentation Secure research environments Sensitive data storage areas with increased access controls Security controls based on risk presented by each department Establishing a physical business impact analysis and risk assessment program Determine and regularly review potential impacts to a university arising from disruptive events 10

Board level discussion points What are we doing to protect our data? Do we know where our sensitive data is stored, processed, transmitted and accessed? What data elements are we collecting? Has internal audit been engaged to conduct an IT controls review? How are we managing regulatory/compliance requirements? 11

Board level discussion points Monitor metrics Look for systemic issues. Are we getting better or worse? What is the root cause? Show me our phishing assessments from the last four quarters Quarterly reinforcement How are we educating users on using better passwords and are we testing this? Are we running password audits to determine where areas of weaknesses exist? Have we or when will we move to 12 character passwords? How mature is our cyber awareness program? Does it match our policies? 12

Key takeaways Security is not just IT/cyber related To properly secure an asset (people, technology, physical data) you must include three facets physical, cyber and personnel Targeting weaknesses in personnel remain the easiest way to gain unauthorized access Incident response planning and testing is key in limiting damages Remember your discussion points ask questions and be curious 13

Questions Questions

Consulting services In addition to tax and audit, RSM offers cost-effective risk, financial, and technology and management advisory services. Financial advisory Transaction advisory Valuation Litigation and dispute advisory Forensic accounting and fraud investigations IPO readiness Real estate advisory Risk advisory Internal audit/sarbanes-oxley advisory IT audit Security and privacy Governance, risk and compliance and enterprise risk management Contract compliance Service organization control assurance Regulatory compliance ERP risk advisory Technology and management consulting Management consulting ERP and CRM Cloud computing Business intelligence Content management and collaboration Application development and integration Infrastructure Managed services Business process outsourcing 15

RSM US LLP +1 800 274 3978 www.rsmus.com www.r sm us.c om RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. RSM US LLP For more information, visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. 2018 RSM US LLP. All Rights Reserved One S. Wacker Driv e Suite 800 Chicago, IL 60606 800.274.3978 www.mcgladrey.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback