Records Management: Agenda


Records Management: Cyber Security or Cyber Insecurity
Robert Pence, ITIL, CBCP, CCEP, PDS-FEMA
Sr. Manager of Emergency Management, Compliance & Ethics
With: Alaska Communications Systems
Phone: (907) 244-4589
Email: robertpence@outlook.com

Agenda
What we don't know can hurt us
Insecurity comes from knowledge, security comes from action
Best practices: records security and lessons learned
What to know about securing records and what level of security

What we don't know can hurt us

Have you read all the cyber reports and attacks on organizations, and heard about CEOs quitting? We know cyber danger is out there, but what are the chances of getting attacked?

81% of the applications we tested contained at least one vulnerability relating to the environment.
Retrieved April 2014, from ArcSight: http://images.info.arcsight.com/web/arcsight/%7b201bc2e0 26c4 435b a995 c1273c435c12%7d_hp_cyber_security_risk_report_final_client_review_01_31_14.pdf
Key Takeaway: Successful action comes from clear knowledge

What we don't know can hurt us

What level of protection/security classification should be identified on records? Examples of what a policy on records security classifications will provide your organization (make sure the organization knows the policy and how to find it):
1. Language: now your whole organization will speak the same language
2. Standard: everyone is on the same page
3. Clarity: no guessing
4. Move: how to move records at different levels, and on what systems
5. Access: who can view
6. Controls: how to ensure levels and access are enforced
7. Provides protection: lessens exposure and risk, and protects competitive edge
8. Saves resources: you don't have to secure everything at the highest level

Example of records classification (your organization will need to identify levels that fit its culture): Top Secret, Secret, Classified, Unclassified
Key Takeaway: Standardize and clarify security classifications in a policy
Great resource for building your own policy, retrieved April 2014 from University of California, Berkeley: https://security.berkeley.edu/data class intro?destination=node/421

What we don't know can hurt us

Government updates
National: FBI InfraGard covers all events, but mostly cyber; it also holds an annual local conference (free)
DHS NCC (National Coordinating Center): coordinating centers are organized by critical infrastructure / industry
Private/public partnerships
APIP (Alaska Partners for Infrastructure Protection): looks at crisis events and the latest issues, and dives into partnering to protect Alaska's infrastructure (private and public sector)
RIMS: deals with all types of risk
Vendors / news / journals
Disaster Recovery Journal
CEB Legal (pay for service)
Dark Reading: security, IT
GovSec: updates on the latest events
Compliance and Ethics Professional
Key Takeaway: Find the sources that work best for you; it is not possible to read them all.

Insecurity comes from knowledge, security comes from action

Anecdote: a child versus an adult watching the same scary movie
Child: can't distinguish fantasy from reality
Knowledge: mixes up what is real versus fantasy
Action: protection against fantasy; can't sleep, has nightmares, and develops irrational fears
Inaction: real risks, like chasing a ball into a street or a stranger, are lost amongst the irrational fears
Adult: an occasional jump or racing heart may occur, but lingering fear of the fantasy is irrational
Knowledge: understands what is real versus fantasy
Action: protection against real-world risk; spends valuable and limited time and resources on real protection. Knows their appetite for fear and will leave the theater if necessary
Inaction: for fears that are irrational
Key Takeaway: There is no one path to protection

Insecurity comes from knowledge, security comes from action

Compare the anecdote of the scary movie: the adult is the experienced records cyber professional, and the child is inexperienced with records management and cyber.

Adult / SME
Knowledge: 1. Risk analysis is performed 2. Understands the org's risk appetite 3. Knows laws & regulations for records
Action: specific and controlled; the latest fears or trends are reviewed, but acted on only if needed
Inaction: ROI; knows that some risks to records will get little or no resources because they are of little risk and the ROI is minimal

Child / Inexperienced
Knowledge: 1. Risk analysis not performed; basis of knowledge 2. Understands leadership's appetite for risk 3. Does not know laws and regulations for records
Action: random; reacts to the latest fear or trend, but does not know if it is a real concern for the organization
Inaction: random; does not know their environment, risk, appetite, or even what the organization is good at
Key Takeaway: Every organization is unique; find your own zen.

Best practices: records security and lessons learned

NIST: US Department of Commerce standards
ISO: International Organization of Standards (yes, it is backwards; don't blame me, that is how it is translated)
QuICS: University of Maryland
So following a standard will make our organization safe? Nope, not even close!
Key Takeaway: Am I safe and secure yet? Not yet!

Best practices: records security and lessons learned

Standards can't make your organization 100% safe and secure (or even close).
An incident response plan is critical (separate presentation).
Approach this task responsibly, rationally, and most importantly, calmly!
Records cyber security is not successful just because you implemented a standard or because one department got all focused! Involving all of these departments, and more, will be necessary for success:
1. Compliance & Ethics: works with HR, Legal, IT, etc. to define the controls and policies
2. IT, Network, Field Ops: implement an ITIL model for change, incidents, controls, etc.
3. NOC: monitors, facilitates, escalates, and communicates an incident
4. Legal & Regulatory: monitors the regulatory environment, recommends guidelines on records, etc.
Key Takeaway: No one person/department is as smart as all of us.

What to know about securing records and what level of security

Level of security can be simplified into three basic layers (the diagram is an example from Northrop Grumman and shows a lot of detail):
1. Physical: building security, from both manmade and natural disasters
2. Virtual: applications, systems, firewalls, monitoring, etc.
3. Policy or controls: how you manage access, provide guidance and direction, and control the environment against internal corruption
Key Takeaway: Protection comes in many layers
Resource from March 2014, from Industrial ip.org: http://www.northropgrumman.com/aboutus/contracts/managedservices/pages/securityservices.aspx

Contacts, Resources, References, and Any Questions

Any Questions?
Robert Pence, ITIL, CBCP, CCEP, PDS-FEMA
Sr. Manager of Emergency Management, Compliance & Ethics
With: Alaska Communications Systems
Phone: (907) 244-4589
Email: robertpence@outlook.com

References
Retrieved March 2014, from Northrop Grumman: http://www.northropgrumman.com/aboutus/contracts/managedservices/pages/securityservices.aspx
Retrieved April 2014, from University of California, Berkeley: https://security.berkeley.edu/data class intro?destination=node/421
Retrieved April 2014, from ArcSight: http://images.info.arcsight.com/web/arcsight/%7b201bc2e0 26c4 435b a995 c1273c435c12%7d_hp_cyber_security_risk_report_final_client_review_01_31_14.pdf
Retrieved May 2014, from Oracle: http://docs.oracle.com/cd/e23943_01/doc.1111/e10640/c06_classifications.htm
Key Takeaway: Choose your poison, death by standard!