Bored with Your Board s Involvement with Privacy/Security Program?

Similar documents
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Security and Privacy Governance Program Guidelines

Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015

Cyber Security Program

building a security culture to counter emerging cybersecurity threats

Cyber Risks in the Boardroom Conference

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Why you should adopt the NIST Cybersecurity Framework

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Data Breach Preparation and Response. April 21, 2017

DeMystifying Data Breaches and Information Security Compliance

Cybersecurity in Higher Ed

Getting Security Right: The CISO of the Future

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

The Impact of Cybersecurity, Data Privacy and Social Media

The Evolving Threat to Corporate Cyber & Data Security

Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Nine Steps to Smart Security for Small Businesses

Combating Cyber Risk in the Supply Chain

PTLGateway Data Breach Policy

CYBER RISK MANAGEMENT

The ABCs of HIPAA Security

MNsure Privacy Program Strategic Plan FY

a publication of the health care compliance association MARCH 2018

Why you MUST protect your customer data

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Managing Cybersecurity Risk

THE CYBERSECURITY LITERACY CONFIDENCE GAP

Incident Response and Cybersecurity: A View from the Boardroom

Cybersecurity and the Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

It s Not If But When: How to Build Your Cyber Incident Response Plan

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Securing the User: Winning Hearts & Minds to Drive Secure Behavior

CYBERSECURITY AND THE BOARD OF DIRECTORS TIPS FOR SECURING SUPPORT FOR YOUR CYBER RISK MANAGEMENT PROGRAM

PROTECTING ARIZONA AGAINST CYBER THREATS THE ARIZONA CYBERSECURITY TEAM

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity Session IIA Conference 2018

Checklist: Credit Union Information Security and Privacy Policies

CYBER INSURANCE: MANAGING THE RISK

4/5/2017. April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

SOLUTIONS BRIEFS. ADMINISTRATION (Solutions Brief) KEY SERVICES:

Awareness and training programs OPTUS MACQUARIE UNIVERSITY CYBER SECURITY HUB

What It Takes to be a CISO in 2017

Hearing Voices: The Cybersecurity Pro s View of the Profession

CISM Certified Information Security Manager

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

NERC Staff Organization Chart Budget 2019

TEL2813/IS2820 Security Management

Building a Business Case for Cyber Threat Intelligence. 5Reasons Your. Organization Needs a Risk-Based 5Approach to Cybersecurity

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Auditing and Access to Electronic Health Records. December 15, p (Eastern)

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats

Cybersecurity. Securely enabling transformation and change

Anatomy of a Data Breach: A Practical Guide for Small Law Departments

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Information Security Strategy

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

TEL2813/IS2820 Security Management

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Financial Regulations, Enforcement & Cybersecurity

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties

Operations & Technology Seminar. Tuesday, November 8, 2016 Crowne Plaza Monroe, Monroe Township, NJ

Cybersecurity and Nonprofit

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Putting It All Together:

RISK INTELLIGENCE Assurance and efficiency improvement through a robust Enterprise Risk Management approach

Cybersecurity for Health Care Providers

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

Cyber Insurance: What is your bank doing to manage risk? presented by

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

INTELLIGENCE DRIVEN GRC FOR SECURITY

falanx Cyber ISO 27001: How and why your organisation should get certified

ISACA West Florida Chapter - Cybersecurity Event

BOARD DIRECTOR CONCERNS ABOUT CYBER AND TECHNOLOGY RISK

10/4/2018. Prepare For When. About George Usi

Upcoming PIPEDA Changes What is changing and what to do about it

A new approach to Cyber Security

Website ADA Compliance Made Easy: How to Respond to Legal Demand Letters or Avoid Them, Altogether.

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

Uncovering the Risk of SAP Cyber Breaches

Investor Presentation. March 2018 NYSE AMERICAN: CTEK

Turning Risk into Advantage

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

Motorola Mobility Binding Corporate Rules (BCRs)

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Rethinking Information Security Risk Management CRM002

NERC Staff Organization Chart Budget 2019

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Internet of Things Toolkit for Small and Medium Businesses

Transcription:

Bored with Your Board s Involvement with Privacy/Security Program? Marti Arvin, Cynergistek Joseph A. Dickinson, Tucker Ellis March 28, 2017 1 Initial Exercise: CISO Board Update Board of Directors/Trustees Monthly Security Program Update March 28, 2017 2 1

March 28, 2017 3 Initial Exercise: CISO Board Update Engaged? Informed? Prepared to participate in strategic decision making? March 28, 2017 4 2

Not the Best Result? March 28, 2017 5 Why the Board needs to be involved? Strategic Importance Number one concern of senior leaders today Most agencies require Board oversight Remind Board of the duty of oversight Personal Liability Significant financial risk/reputational risk March 28, 2017 6 3

Tone at the Top This is nothing new An important basis of a strong compliance program is the support of senior leadership If they don t understand the issues it will be difficult for them to support it Cybersecurity issues can be highly technical The presentations to the board must be in layperson s terms A clear understanding of the key factors that put the organization at risk are very important Reflecting the Board s commitment The minutes of the BOD meeting or compliance committee meeting should reflect the discussion of cybersecurity The balance between documenting the discussion and not giving away important infrastructure information must be kept in mind especially in organizations subject to open records laws The minutes should reflect the agreed upon strategy and the Board s involvement in selecting that strategy. 4

Training for the Board members The Board does not need to be filled with cybersecurity experts. The questions to ask Does the Board understand the issues? Could be Board articulate the issues in a meaningful fashion to an outside party? The use of analogies that board members can relate to everyday life are a helpful way to get them to relate Training for the Board might be different than training for others Be ready to explain why Identify any areas that the Board needs to be more versed in than the average staff member Explaining the cybersecurity and privacy program to the Board Providing audit results Continuing theme is to minimize the technical jargon Provide concise easy to understand graphics Provide trends over time Explain why there are increased or decreases Don t bury the lead If there is a system or function that is of more concern that another make sure that is a focus Identify the top three to five points you want to assure the Board s hears 5

WHY IS BOARD INVOLVEMENT SO IMPORTANT? Strategic planning IT projects can have a significant impact on the strategic planning of the organization Implementation of a new electronic health record Health information exchange Financial system Telemedicine service 6

Cybersecurity threats are a top concern Key threats in healthcare Hacking Randsomware Espionage Cybersecurity threats are big business Estimated that in 2016 it was a $600 billion dollar business Criminals are selling technology to other criminals You don t have to be a computer expert any more to be a cybercriminal Obligations of the governing body The Federal Sentencing guidelines specify that the involvement of the governing body is key to an effective compliance program. Federal law identifies the obligations of senior leadership and the governing body in a number of cases Case law demonstrates the expectation of the fiduciary duty for the governing body and senior leadership. New theories of liability may make personal liability of the Board members and the senior leadership more of a reality 7

Financial and Reputational Risk The average cost per record for a breach is $221 according the the Ponemon study for 2016. The average cost for the healthcare industry is $402 per record Study by Identity Theft Resources Center and CyberScout 1093 data breaches in US in 2016 Increase of 40% over 2015 Healthcare made up 377 which is 34.5% of the total Financial and Reputational Risk The OCR entered resolution agreements for a total of $23,504,800 in 2016 with the median being $1,550,000 Class action lawsuits Even if the organization is successful the cost of defense is still significant State law and federal law cause of action 8

Be the Guide Who Makes The Knowledge Useful When a man's knowledge is not in order, the more of it he has the greater will be his confusion. Herbert Spencer March 28, 2017 17 What the Board needs to know and how to provide that knowledge Not an IT issue only Legal, HR, Risk, Compliance, Operational Departments Cyber Security Program is only part of overall risk management program, but a critical part Technical, Administrative and Physical Safeguards CISO s tend to focus only on technical aspects of security March 28, 2017 18 9

March 28, 2017 19 What the Board needs to know and how to provide that knowledge Inform Board of any actual breaches You don t want a board member being blind sided by inquiries Inform Board of any active investigations, complaints or audits The Board and C Suite don t need to know how to configure a barracuda appliance In fact, they do not even need to know that you have one Example Logging Capabilities March 28, 2017 20 10

If everyone is looking at you for the answers you want to have the answers. March 28, 2017 21 What the Board needs to know and how to provide that knowledge Overview of the program Technical, Administrative, Physical Insurance Are we in line with others in the industry? Briefly outline the legal requirements and reference how the cyber security program addresses each Summarize the assets Provide Metrics March 28, 2017 22 11

Other Components of Risk Management Enable the Board to meet its duty of oversight by: Helping the Board become better acquainted with the Company cyber security posture and risk landscape Enabling the Board to model the effectiveness of the cyber security plan and internal/external controls Enabling the Board to understand the resource needs Document the discussions and the Board meetings adequately to reflect that these issues are regularly addressed Help the Board understand what they do not know (do they need a Board member with cyber experience?) Management incentives based on cyber security risk management March 28, 2017 23 What the Board needs to know and how to provide that knowledge (continued) CISO/CIO Board updates received the lowest rating scores (KPMG) The Board is busy/time is limited Seek to incorporate cyber updates as part of the regular Board Update Become a trusted advisor Don t limit interactions with Board members to formal meetings only Identify Board members who are allies March 28, 2017 24 12

March 28, 2017 25 What the Board needs to know and how to provide that knowledge (continued) Tie the Cyber Security Program to overall strategies of the organization Engrained as key component Flexibility with who presents Speak their language Avoid technical jargon March 28, 2017 26 13

March 28, 2017 27 Questions? March 28, 2017 28 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback