Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

Similar documents
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

ISE North America Leadership Summit and Awards

Cyber Risks in the Boardroom Conference

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

DeMystifying Data Breaches and Information Security Compliance

Cybersecurity in Higher Ed

Sage Data Security Services Directory

Healthcare HIPAA and Cybersecurity Update

Cyber Risk Emerging Trends and Regulatory Update

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

The Impact of Cybersecurity, Data Privacy and Social Media

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

4/5/2017. April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW

Designing and Building a Cybersecurity Program

Incident Response and Cybersecurity: A View from the Boardroom

Cybersecurity Today Avoid Becoming a News Headline

Business continuity management and cyber resiliency

Jeff Wilbur VP Marketing Iconix

What It Takes to be a CISO in 2017

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Automating the Top 20 CIS Critical Security Controls

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Les joies et les peines de la transformation numérique

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

The Evolving Threat to Corporate Cyber & Data Security

01.0 Policy Responsibilities and Oversight

Privacy Implications Guide. for. the CIS Critical Security Controls (Version 6)

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Art of Performing Risk Assessments

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Tangible Measures to Prepare for Intensified Regulatory Oversight of Cybersecurity in 2016

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Google Cloud & the General Data Protection Regulation (GDPR)

Establishing a Credible Cybersecurity Program. September 2016

Effective Strategies for Managing Cybersecurity Risks

K12 Cybersecurity Roadmap

SOC for cybersecurity

External Supplier Control Obligations. Cyber Security

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

The Common Controls Framework BY ADOBE

Cybersecurity The Evolving Landscape

Background FAST FACTS

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Cybersecurity Auditing in an Unsecure World

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

How to Prepare a Response to Cyber Attack for a Multinational Company.

Information Security Policy

FDIC InTREx What Documentation Are You Expected to Have?

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Cyber Security Program

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Why you should adopt the NIST Cybersecurity Framework

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Information Technology General Control Review

10 FOCUS AREAS FOR BREACH PREVENTION

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Certified Information Security Manager (CISM) Course Overview

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Background FAST FACTS

University of Pittsburgh Security Assessment Questionnaire (v1.7)

CISO as Change Agent: Getting to Yes

Defensible and Beyond

Security and Privacy Governance Program Guidelines

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Protecting your data. EY s approach to data privacy and information security

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

CCISO Blueprint v1. EC-Council

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Hacking and Cyber Espionage

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Post-Secondary Institution Data-Security Overview and Requirements

CYBER INSURANCE: MANAGING THE RISK

Sirius Security Overview

Cyber Hygiene: A Baseline Set of Practices

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

NYDFS Cybersecurity Regulations

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

GDPR: A QUICK OVERVIEW

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Checklist: Credit Union Information Security and Privacy Policies

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

COPE-ing with Cyber Risk Exposures

Altius IT Policy Collection Compliance and Standards Matrix

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Cyber Security. It s not just about technology. May 2017

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Transcription:

Protect Your Institution with Effective Cybersecurity Governance 1

Your presenter Mike Cullen, Senior Manager, Baker Tilly CISA, CISSP, CIPP/US > Leads the firm s Higher Education Technology Risk Services team, focused on IT audit and cybersecurity > Collaborates with institutions to assess IT risks, review practices, meet compliance requirements, and recommend practical, pragmatic improvements > Presents to a variety of audiences, including ACUA, various IIA conferences, and at multiple universities 2

Objectives > How the cybersecurity risk landscape has changed > Why cybersecurity risk must be managed as an enterprise-wide concern, not just an IT issue > What the key foundational elements are of an effective cybersecurity program > How to audit and present on cybersecurity program effectiveness to the institution s board and leadership 3

Cybersecurity landscape 4

IT changes PAST Mostly physical assets (plants, equipment) - relatively few digitized assets Simple, unsophisticated attacks (e.g., web site defacement to embarrass) IT budgeted HW/SW expenditures; managed deployment and use Self-contained IT environment with limited complexity; limited use of 3rd parties Limited use of mobile data access PRESENT Highly digitized assets (IP, financial, PII), mobile and cloud technologies Advanced Persistent Threats (APTs) involve high degree of complexity and sophistication Ability of IT to manage alone may be insufficient; budgets increasing Extended digital ecosystem involving outside stakeholders and 3rd parties/vendors Mobile access to apps containing personal/financial data and use of BYOD 5

Information protection changes 6

Complex threat landscape APT Cybercrime DDOS Insider Malware Ransomware Social Engineering Unpatched Systems 7

Regulatory changes 1996 HIPAA 1999 GLBA 2006 PCI DSS v1 2009 HITECH 2014 Kentucky 47 th State Data Breach Law 1974 Privacy Act & FERPA 1998 Safe Harbor European Union 2001 Cybersecurity Enhancement Act 2010 Massachusetts Privacy Law 2003 California Data Breach Law 2015 PCI DSS v3 & Safe Harbor Ended 8

Higher education regulatory changes FERPA HIPAA/ HITECH GLBA State laws PCI DSS 9

Changes in required disclosures Constituents (Faculty, Staff, Students, Alumni, Donors) Timeliness Content Methods Governments (Federal & State) Partners Media 10

Cybersecurity as an enterprise-wide concern 11

Cyber attacks in the news MAY 2015 AUG 2015 Chinese hackers force Penn State to unplug engineering computers UCLA sued over recent hospital records hacking JAN 2016 Bloomberg FEB 2016 LA Times FBI alerts UVA to employee information data breach UCF grads file suit in federal court over 63,000-person data hack NBC 29 WVIR-TV Orlando Sentinel 12

Litigation involving cybersecurity and data breaches > Boards have a duty to monitor and oversee risk, including cybersecurity > A question is whether Boards utterly failed to implement any information system reporting, or consciously failed to monitor or oversee operations thus disabling themselves from being informed > Litigation involving Boards and Officers for cybersecurity and data breaches is pending and there will be more data breaches and litigation going forward 13

Five principles boards should consider (NACD) I Boards need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue II Boards should understand the legal implications of cyber risks as they related to their company s specific circumstances III Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda 14

Five principles boards should consider (NACD) IV Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget V Board-management discussion of cyber-risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach 15

Cybersecurity frameworks 16

Common Frameworks 01 NIST Cybersecurity 02 ISO 27002 03 CIS Critical Security Controls 17

NIST Cybersecurity Framework IDENTIFY PROTECT DETECT RESPOND RECOVER Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Anomalies and Events Detection Processes Security Continuous Monitoring Communications Improvements Mitigation Response Planning Communications Improvements Recovery Planning Analysis 18

ISO 27002 Information Security Policies Organization of Information Security Human Resource Security Asset Management Access Control Cryptology Physical and Environmental Security Operations Security Communications Security System Acquisition, Development, and Maintenance Supplier Relationships Information Security Incident Management Information Security Aspects of Business Continuity Compliance 19

Center for Internet Security Critical Security Controls #1: Inventory of Authorized and Unauthorized Devices #2: Inventory of Authorized and Unauthorized Software #3: Secure Configurations for Hardware and Software #4: Continuous Vulnerability Assessment and Remediation #5: Controlled Use of Administrative Privileges #6: Maintenance, Monitoring, and Analysis of Audit Logs #7: Email and Web Browser Protections #8: Malware Defenses #9: Limitation and Control of Network Ports #10: Data Recovery Capability #11: Secure Configurations for Network Devices #12: Boundary Defense #13: Data Protection #14: Controlled Access Based on the Need to Know #15: Wireless Access Control #16: Account Monitoring and Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps #18: Application Software Security #19: Incident Response and Management #20: Penetration Tests and Red Team Exercises 20

Key elements of a cybersecurity program 21

Cybersecurity program elements Governance and policies Program framework Training & communication Education and roles Monitoring Reporting on program PROGRAM ELEMENTS Cyber risk assessment Annual process to address threats Incident response management Plan to respond and recover Cybersecurity countermeasures Processes and tools implemented 22

Cybersecurity program element example > Embed security within key business processes > IT topics must be translated into meaningful information (common language) Training and communication > Involve everyone; education and building consensus is critical among all stakeholders > Train continually, and look for active learning scenarios > Leadership must establish the tone at the top > Put messages in context of audience (e.g., faculty, staff, student workers, researchers) 23

Cybersecurity program element example > Figure out which assets really matter (e.g., crown jewels) > Understand all information systems at a granular level Governance and policies > Must have documented and approved policies > A clear definition of risk tolerance levels is required > Program must be tailored to the institution and higher education environment > Process must be iterative, dynamic to adapt to constant change 24

Cybersecurity program element example > Policies and procedures are foundational > Layered security is critical (e.g., defense in depth) Cybersecurity countermeasures > Must use automated and modern systems to monitor and alert > Use a combination of preventative and detective controls in both IT and business processes > Technologies must address modern threats (e.g., APT, DDOS) > Ultimately, controls that are commensurate with the value of the assets you are trying to protect must be deployed 25

Cybersecurity audit and reporting 26

Example board and audit activities Board questions Audit checklists > What do we consider our most valuable assets? > How does our IT system interact with those assets? > Do we believe we can fully protect those assets? > If not, what would it take to feel comfortable that our assets were protected? > Review data and system inventories for completeness and relationships > Review data classification and records retention practices > Review procedures and standards for securing data and systems against standards (e.g., NIST, SANS, CIS) 27

Example board and audit activities Board questions Audit checklists > Are we considering the cybersecurity aspects of our major decisions, such as partnerships, new programs, international expansion, and new vendors in a timely fashion? > What is the institution doing to monitor and address cybersecurity legal, regulatory, and industry developments? > Assess cybersecurity roles and responsibilities for proactive involvement in major decisions > Assess compliance with various cybersecurity related regulatory requirements (e.g., PCI, HIPAA) 28

Example board and audit activities Board questions Audit checklists > What training do employees receive regarding cybersecurity? > What are criteria for a cyber incident to be communicated to the Board? > When was institution s cyber liability insurance coverage last reviewed, who reviewed it, and what were results of the review? > Review training program and participation rates > Assess cyber incident reporting for type and amount of information at issue; legal, regulatory, and industry requirements and practices; financial amount at issue > Review cyber liability insurance coverage for deductibles, amount, coverage 29

Potential metrics for reporting Cybersecurity Governance Sample Metrics Organizational & performance Operational Technological Business process Business value Compliance Employee training participation Number of incidents per security events Number of systems not current with security reqs. Number of business processes with sensitive data Value of critical data by area Number and status of regulatory reqs. controls Status of cybersecurity plan objectives Number of successful and unsuccessful attacks Number of vulnerabilities enumerated and remediated Processes using vendor vs. in-house systems Cyber liability insurance coverage Number of policy exceptions implemented 30

Evolving areas of cybersecurity in higher education 31

Evolving cyber areas Multi-factor authentication Implementing twofactor for all Cyber liability insurance Adding or increasing coverage Cyber-to-physical systems Securing access, power, HVAC, fire, cameras CYBER Cloud integration Maintaining confidentiality and integrity across sys IT risk management Formalizing assessments, actions Mobile devices and apps Implementing MDM, securing data via apps 32

Summary 33

Summary Cybersecurity is now a more impactful enterprise-wide risk Threats and regulatory requirements are more complex, especially in shared governance environment Board, management, and internal audit all have a role in effective cybersecurity governance Regardless of framework, there are key foundational elements for an effective cybersecurity program 34

Presenter contact info Mike Cullen mike.cullen@bakertilly.com 703 923 8339 35

Required disclosure and Circular 230 Prominent Disclosure The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2016 Baker Tilly Virchow Krause, LLP. 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback