Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Similar documents
112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

CCISO Blueprint v1. EC-Council

NC PRIMA Cyber Symposium STRONG. July 13, Accelerating Speed to Strategic Value Utilizing Quarterly Governance. Information Technology Services

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

The Data Breach: How to Stay Defensible Before, During & After the Incident

SECURITY & PRIVACY DOCUMENTATION

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

A company built on security

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

The 10 Disaster Planning Essentials For A Small Business Network

Business continuity management and cyber resiliency

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Cyber Security Program

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

QuickBooks Online Security White Paper July 2017

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

2017 Annual Meeting of Members and Board of Directors Meeting

EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS

10 FOCUS AREAS FOR BREACH PREVENTION

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

The Cyber War on Small Business

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

External Supplier Control Obligations. Cyber Security

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Information Security Controls Policy

ACM Retreat - Today s Topics:

University of Pittsburgh Security Assessment Questionnaire (v1.7)

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Information Security Controls Policy

Certified Information Security Manager (CISM) Course Overview

Information Technology General Control Review

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Security Audit What Why

Principles of Protection: Cybersecurity Data Protection. 11/01/2017 Julia Breaux William Sellers

WHITE PAPER- Managed Services Security Practices

OFFICE OF INTERNAL AUDIT Information Technology (IT) Audit Plan

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Information Security Risk Strategies. By

THE POWER OF TECH-SAVVY BOARDS:

NEN The Education Network

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

IT risks and controls

ADIENT VENDOR SECURITY STANDARD

Continuous protection to reduce risk and maintain production availability

Position Title: IT Security Specialist

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Internet of Things Toolkit for Small and Medium Businesses

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Disaster Recovery Planning Blackout. Katrina

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

CYBERSECURITY RESILIENCE

Compliance Audit Readiness. Bob Kral Tenable Network Security

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Manchester Metropolitan University Information Security Strategy

Altius IT Policy Collection

Cybersecurity The Evolving Landscape

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Checklist: Credit Union Information Security and Privacy Policies

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Information Security Policy

Sage Data Security Services Directory

Solutions Technology, Inc. (STI) Corporate Capability Brief

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

PCI Compliance. What is it? Who uses it? Why is it important?

Gujarat Forensic Sciences University

HIPAA Compliance Checklist

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Identity Theft Prevention Policy

Service Provider View of Cyber Security. July 2017

ISE North America Leadership Summit and Awards

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

INTELLIGENCE DRIVEN GRC FOR SECURITY

CA Security Management

The Value Of NEONet Cybersecurity. Why You Need To Protect Your The Value Of NEOnet Cybersecurity. Private Student Data In Ohio

IoT & SCADA Cyber Security Services

Heavy Vehicle Cyber Security Bulletin

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Subject: University Information Technology Resource Security Policy: OUTDATED

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

Getting over Ransomware - Plan your Strategy for more Advanced Threats

K12 Cybersecurity Roadmap

CIO Guide: Disaster recovery solutions that work. Making it happen with Azure in the public cloud

MIS5206-Section Protecting Information Assets-Exam 1

Transcription:

Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government

Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology Risks and Mitigation Strategies Technology Cost Considerations Technology Best Practices Questions

Alex Brown Over 20 years of experience in management and technology consulting In depth experience in the assessment of technology risk and evaluation of IT controls associated application security assessments and security within technology driven business processes Serviced a wide range of clients and industries including municipalities and special districts

Technology Pressures Facing Local Government External influences will impact your future direction as much as or more than maintaining the existing environment Mobile Will drive future technology policy, planning, investments and RISK Green IT Current Gov IT Operations Cloud Not every IT buzzword should be immediately actionable Others

Technology Challenges Facing Government Security and Data Breaches Insufficient staffing / skill-gap Budget constraints Lack of IT governance Competing project priorities Outdated infrastructure Aging software systems Accountability to citizens Slow changes due to bureaucracy Lack of reporting and transparency capabilities *

Security Breaches

Data Breaches by Industry

Cost of Data Breach Data breach hits organizations squarely in the wallet. The average cost per record goes up depending on who or what caused the exposure. 8

Other Costs of Data Breach Reputation damage / negative publicity Lost / compromised data Lost productivity Potential further affects on clients (e.g. identify theft)

Technical Staffing Challenge Cybersecurity Skills Gap 2 Million Global Shortage of Cybersecurity Professionals by 2019 84% Organizations believe half or fewer of Applicants for open security jobs are qualified 53% of organizations experience delays as long as 6 months to find qualified security candidates Source: Seefit.com

IT Security Spending Percentage spending 16% or more on security

Planning for Security

IT Governance

Identify Risk and Understand Risk Understanding risk helps to: Identify areas of security weakness and gaps Prioritize and coordinate IT security activities. Budget for security services and IT hardware/devices Determine technical skills required to support current and future operations Comply with regulatory requirements Identify resources commitments required security projects and engagements

Identify Risk and Understand Risk (Continued) Develop risk management procedure Identify and prioritize risks Perform periodic risk assessments Develop risk mitigation / contingency plan Implement risk mitigation plan Monitor progress

IT Governance Structure Establish a Strong IT Governance Structure Policy Administration Procedures and Guides Security Compliance Training Project Administration Change Administration Strategic Planning Annual technology budgeting Project portfolio management

Aligning IT Policy with Strategy Keep policy current Who makes IT policy? Who identifies policy requirements prior to a project? IT policy building blocks Disaster Recovery Plan Password Policy Email Usage Policy Change Management Policy Infrastructure Refresh Policy Patch Management Policy

Example IT Policies IT Governance Area IT Policy Password Policy Email Usage Policy Computer and Internet Usage Policy/Acceptable Use Policy Access Management Social Media Policy Acceptable Use Policy Remote Access Policy Mobile and Personal Device Policy User Access Policy

IT Governance Area IT Policy Portable Storage Policy Data Management and Retention Policy Data Back-up Policy Compliance Policy Performance Metrics IT Operations IT Asset Management Policy Help Desk Policy Security Penetration Testing Policy Disaster Recovery Plan Infrastructure Refresh Policy Change Management Policy Patch Management Policy

Vendor Management Third-party vendor relationships can create additional risks to your organization. Best practices to manage third-party vendors: Conduct third-party screening, onboarding, and due diligence during RFP process Establish a tone at the top with management-level oversight Ensure appropriate investment and staffing Align vendor IT security plan with organization

21 Data Protection

Protecting Information IT Security Planning You are the first and best defense in protecting applications and data information Be mindful of where information lives and how it can be protected Don t be tricked into divulging sensitive information (e.g. Passwords, financial data, future projects, vendor information) Security Awareness and Training Important information should be stored on network drives (e.g. U, Y, etc.) which should be included in the back up of network data Information Retention and Destruction Identify and define requirements for electronic data retention and disposal

IT Security Planning Information Storage and Backup Establish data classification standards. (e.g. Public, Public restricted, Internal Use Only, Restricted Access) Establish storage locations where critical or Important information should be stored. (e.g. on network drives Information Retention and Destruction Establish requirements for data retention and disposal requirements.

IT Security Planning Educate employees Conduct regular user security trainings to help employee aware of security threats and to avoid common malware pitfalls (e.g. malware infection through email attachments, downloads, and web browsing Restrict administrative and system access Limit the number of user accounts to staff roles and responsibilities Remove all default system administrator accounts

IT Security Planning Conduct Regular Backups Conduct regular backups of your system and store the backups offline and preferably offsite so that they cannot be accessed through your network Separate Backup System Backups should be stored on a separate system that cannot be accessed from a network and updated regularly to ensure that a system can be effectively restored after an attack.

IT Security Planning Maintain and update software Maintain and update software to protect against and/or ensuring early detection of ransomware Use Strong Passwords Do not use the same password for everything. Do not use easy-to-guess passwords. Use strong passwords that are at least twelve characters in length and include capitals, numbers, and alternate characters. Be paranoid and change your passwords often.

Password Policy A good method for creating strong passwords is to use a pass phrase, and change certain characters. Examples (please don t use these): I8p@mFR! I ate pizza at my favorite restaurant Msi6&pP0 My son is 6 and plays piano Industry minimum password standard include: Password Change: Every 60 90 day Password History: Last 12 Passwords Restricted Password Length: 12 Characters Password Complexity: Enables Password Characteristics: Upper, Lower, Special Character required It is best to have different user names and passwords for work and personal (home) use

Information Security Basics Protecting limited disclosure and sensitive information Do not release or provide access to limited disclosure or sensitive information unless security requirements are met Be careful when using office systems including printing, faxing and mail Clear Desk / Clear Screen Be sure information is properly secured during non-working hours or when you re away from your desk Locking / logging off your workstation If you are going to be away from your desk or leaving for the day, you should either log off your workstation or lock the screen with a password protected screen saver

Disaster Recovery Plan Structured and documented approach for responding to unplanned incidents Step-by-step plan that minimizes the effects of a disaster Typically, disaster recovery planning involves analysis of business processes and continuity needs Disaster Recovery Plan checklist includes: Definition of what constitutes a disaster Recovery Time Objective (RTO) Recovery Point Objective (RPO) Identify most serious threats and vulnerabilities Disaster recovery strategies Response team roles and responsibilities

Email (and Internet) Usage Policy Internet access is intended for business use and is monitored Email should be treated as public communications Email is sent over the Internet in clear text (meaning messages can be read in transit if it is being monitored) SPAM Establish an email location to forward unwanted messages to a define location SubmitSPAM@example.us Email attachments You should be very cautious about opening any attachment If you don t know the sender or were not expecting the attachment, do not open it as it may contain viruses, spyware or other malicious software

Security Incidents and Reporting Security incidents can happen at any time common examples include: Information is missing or damaged Information is disclosed to an unauthorized individual Equipment is stolen Your computer is infected with a virus When possible, write down what you are observing and report as soon as possible Important do not try to investigate or resolve the incident yourself contact your security liaison or IT department as soon as possible

Furney (Alex) Brown 248 223-3396 Furney.Brown@Plantemoran.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback