Jeff Wilbur VP Marketing Iconix

Similar documents
2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

2015 Online Trust Audit & Honor Roll Methodology

Cybersecurity The Evolving Landscape

2015 Online Trust Audit & Honor Roll Review June 23, All rights reserved. Online Trust Alliance (OTA) Slide 1

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

OTA Strategic Update Building & Amplifying April 5, 2017

About Us. Overview Integrity Audit Fighting Malicious & Deceptive August 13, 2014

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

CYBER INSURANCE: MANAGING THE RISK

How to Prepare a Response to Cyber Attack for a Multinational Company.

Cyber Risks in the Boardroom Conference

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

The Impact of Cybersecurity, Data Privacy and Social Media

Information Security Controls Policy

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

The Evolving Threat to Corporate Cyber & Data Security

Cybersecurity and Nonprofit

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Putting security first for critical online brand assets. cscdigitalbrand.services

About Us. Unsub Best Practices & Audit A Decade Since CAN-SPAM. Unsub Best Practices & Audit A Decade Since CAN-SPAM September 30, 2014

What It Takes to be a CISO in 2017

GDPR: A QUICK OVERVIEW

ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

What is Penetration Testing?

Managing Cybersecurity Risk

The Role of the Data Protection Officer

CyberEdge. End-to-End Cyber Risk Management Solutions

Defensible and Beyond

Data Protection and GDPR

Sirius Security Overview

M&A Cyber Security Due Diligence

A company built on security

Martijn Loderus. Merritt Maxim. Principal Analyst Forrester. Director & Global Practice Partner for Advisory Consulting Janrain

European Union Agency for Network and Information Security

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

SECURITY & PRIVACY DOCUMENTATION

Department of Management Services REQUEST FOR INFORMATION

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Cybersecurity Auditing in an Unsecure World

The Cyber War on Small Business

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

Cyber Attack: Is Your Business at Risk?

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Oracle Data Cloud ( ODC ) Inbound Security Policies

Are You Protecting Your & Your Customers? Learnings from the 2017 OTA Trust Audit. August 1, 2017

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

ANATOMY OF AN ATTACK!

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cylance Axiom Alliances Program

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NYDFS Cybersecurity Regulations

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

How will cyber risk management affect tomorrow's business?

2017 RIMS CYBER SURVEY

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Incident Response and Cybersecurity: A View from the Boardroom

Internet of Things Toolkit for Small and Medium Businesses

Cybersecurity in Higher Ed

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Securing Your Most Sensitive Data

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Security Information & Policies

Cybersecurity and Hospitals: A Board Perspective

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Defensible Security DefSec 101

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

ADIENT VENDOR SECURITY STANDARD

ISE North America Leadership Summit and Awards

KuppingerCole Whitepaper. by Dave Kearns February 2013

General Data Protection Regulation (GDPR) The impact of doing business in Asia

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Information Security Policy

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

Achieving End-to-End Security in the Internet of Things (IoT)

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity: Federalism as Defense-in-Depth

CipherCloud CASB+ Connector for ServiceNow

EU General Data Protection Regulation (GDPR) Achieving compliance

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Hong Kong s Personal Data (Privacy) Ordinance

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

CISO as Change Agent: Getting to Yes

Jeff Marron, IT Specialist Security National Institute of Standards and Technology (NIST)

LCU Privacy Breach Response Plan

Transcription:

2016 Data Protection & Breach Readiness Guide February 3, 2016 Craig Spiezle Executive Director & President Online Trust Alliance Jeff Wilbur VP Marketing Iconix 1 Who is OTA? Mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. Goal to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. Collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship. U.S. based 501(c)(3) tax-exempt charitable organization. Global focus & charter. Supported by dues, donations and grants. 2 1

2016 Breach Report Highlights 91% of 2015 breaches were preventable! Actionable advice to enhance data protection and to be prepared for a data loss incident Includes: Summary of key learnings Risk Assessment Guides Security Best Practices Forensics Do s & Don'ts Cyber Insurance Considerations Law Enforcement Report Template https://otalliance.org/breach 5 2

Overview of the Guide Executive Summary Risk Assessment Security Best Practices Data Lifecycle & Stewardship Incident Response Fundamentals Cyber Insurance Considerations Notification Requirements Training, Testing & Budgeting Regulatory Landscape Resources/Templates 6 Key Metrics (page 8) 29% increase in publically disclosed breaches 91% of incidents could have been prevented 30% due to lack of internal employee controls Anthem led with 78.8 million records compromised $3.8 MM cost / breach (U.S. $6.5MM) $154 cost per record (U.S. $217/record) > 50% average cyber insurance coverage 7 3

What is Preventable? Not patching known / public vulnerabilities Misconfigured devices / servers Unencrypted data and/or keys disclosed End of life devices, operating systems and applications Employee errors Lost data, files, drives, devices, computers Accidental disclosure via email, posting on public sites Business Email Compromise & social exploits 8 The Realities of Breach 9 4

10 Laws of Data Your data includes covered information You have regulatory requirement(s) You will have a data incident If you are unprepared it will cost you Direct Expenses Remediation Partners Brand Business Shock Your Reputation 11 5

What We Have Learned? (page 10) 1. There needs to be a critical shift in attitude regarding roles and responsibilities of data stewardship and security. 2. Data is often a company s most valuable asset requiring the appropriate level of protection. 3. The level of data security you apply must be commensurate with the data held. 4. Only collect and retain data that has a purpose. 12 What We Have Learned? 5. All businesses need to think about the consequences of a data breach and what could happen. 6. Security and privacy are not absolutes and must evolve. 7. Security is beyond your walls. 8. Being prepared is not just for Boy Scouts. Needs to incorporate both planning and training to help prevent, detect, mitigate and respond. Planning is the key to maintaining online trust and business continuity. 13 6

What is Your Risk Appetite? 14 Risk Assessment (pp. 11-13) Board, Officers & Investors What is the worst-case scenario your crown jewels that could be compromised? Internal Operation Risk Are your practices defendable? Cloud, Vendors & Service Providers Do you know who they are? What are their notification triggers? 15 7

Learn From Mistakes of Others! 16 Security Best Practices (pp.14 16) 1. Encryption & Key Management At rest, storage and in some cases in use 1. Password Management 2. Least privilege user access (LUA) 3. Security design and code reviews including penetration tests and vulnerability scans 4. Deploy multi-layered firewall protections 5. Authenticate on all mail servers Outbound & Inbound SPF, DKIM & DMARC Sub-domains, active & Parked Domains 17 8

Security Best Practices, cont d 7. Mobile device (and IoT) management program 8. Continuous monitoring in real-time SSL Configurations Log reports 9. Web application firewalls 10. Permit only authorized wireless devices 11. Implement https EVERYWHERE 18 Security Best Practices, cont d 12. Review server certificates for vulnerabilities. Consider Extended Validation SSL Certs. Upgrade Domain Validated to Organizational Validated Certs. 12. Develop, test and continually refine your breach response plan. 13. Establish and manage a vulnerability / threat intelligence reporting program 19 9

Embrace Data Stewardship 20 Data Collection Considerations 21 10

Plan Fundamentals (page 24) Create and Empower a Team Designate First Responders Create a Notification Tree Develop Law Enforcement Relationships Create Communication Templates Training Regulatory and Legal Review Cyber Insurance Testing, Critique and Refinement 22 Cyber Insurance Realities (p. 30) Liability (defense costs, settlements, judgments) Incident response (including forensics, public relations, breach notification, credit monitoring) Loss/replacement of electronic data Expenses for cyber extortion Regulatory fines Business interruption, including lost revenue Areas for potential claims denial negilance? 23 11

Communications (p. 34) Know your audience Internal Key partners & customers Regulators Law enforcement, Impacted parties Press, media and analysts 4 T s Tactic, Tone, Timing & Technology 24 Remediation (page 35) Move beyond the minimum; it has been a race to the bottom. Consider ID theft counseling and case managers Partner with community based resources 25 12

Evolving Regulatory Landscape Where do the impacted parties now reside? EU Data Protection Directive Canada Australia New Zealand 26 Regulatory Landscape (page 38) Opt-in v. Opt Out Honor Do-Not-Track Safe Harbor Provisions Reasonable Security Adequate Notice Right to be Forgotten Data Server Locations Definition of PII Government Access 27 13

Apply What You Have Learned Next week you should: Identify data owners Identify external service providers In the 90 days you should: Complete an internal & external assessment Identify security & privacy investments In six months you should: Have an updated security & privacy roadmap Make security & privacy part of your value position 28 Webinar Series Starting March 9 Security & Responsible Privacy Best Practices Cyber Insurance Considerations Understanding the Landscape Risk Assessment Fundamentals Internal & with Service / Cloud Providers Remediation Services & Considerations Breach Regulatory Landscape Working With Law Enforcement; Before, During & After An Incident Cyber Forensics Realities; CSI or Mr. Robot? Schedule @ https://otalliance.org/breach 29 14

More Information Join OTA https://otalliance.org/membership IoT Framework https://otalliance.org/iot Data Breach Readiness Guide https://otalliance.org/breach Contact us +1 425-455-7400 admin@otalliance.org Follow OTA on Twitter @otalliance 30 Resources & Tool UK Information Commissioner's Office https://ico.org.uk/for-organisations/improve-yourpractices/data-protection-self-assessment-toolkit/ 31 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback