Cyber Risk Emerging Trends and Regulatory Update

Similar documents
Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

Cyber Risks in the Boardroom Conference

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Putting It All Together:

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

DeMystifying Data Breaches and Information Security Compliance

Cybersecurity in Higher Ed

Post-Secondary Institution Data-Security Overview and Requirements

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

HIPAA Privacy, Security and Breach Notification

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

The HIPAA Omnibus Rule

Subject: University Information Technology Resource Security Policy: OUTDATED

1 Privacy Statement INDEX

Exploring Emerging Cyber Attest Requirements

by Robert Hudock and Patricia Wagner April 2009 Introduction

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Data Compromise Notice Procedure Summary and Guide

Information Security Issues in Research

SOC 3 for Security and Availability

SOC for cybersecurity

GDPR: A QUICK OVERVIEW

01.0 Policy Responsibilities and Oversight

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Protecting your data. EY s approach to data privacy and information security

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Performing HIPAA Security Reviews

UTAH VALLEY UNIVERSITY Policies and Procedures

Virginia Commonwealth University School of Medicine Information Security Standard

ISACA Cincinnati Chapter March Meeting

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Data Privacy & Protection

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Privacy & Information Security Protocol: Breach Notification & Mitigation

Hacking and Cyber Espionage

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Secret Server HP ArcSight Integration Guide

ADIENT VENDOR SECURITY STANDARD

DETAILED POLICY STATEMENT

University of Wisconsin-Madison Policy and Procedure

CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Security and Privacy Breach Notification

Google Cloud & the General Data Protection Regulation (GDPR)

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

COBIT 5 With COSO 2013

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

locuz.com SOC Services

Compliance with CloudCheckr

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Is Your Compliance Strategy Putting Your Business at Risk?

CISO View: Top 4 Major Imperatives for Enterprise Defense

Mastering Data Privacy, Social Media, & Cyber Law

SOC Lessons Learned and Reporting Changes

2017 RIMS CYBER SURVEY

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

HIPAA / HITECH Overview of Capabilities and Protected Health Information

All Aboard the HIPAA Omnibus An Auditor s Perspective

[DATA SYSTEM]: Privacy and Security October 2013

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

Understanding and Evaluating Service Organization Controls (SOC) Reports

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Cybersecurity The Evolving Landscape

New Data Protection Laws

HIPAA FOR BROKERS. revised 10/17

Integrating HIPAA into Your Managed Care Compliance Program

A Global Look at IT Audit Best Practices

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Government Privacy. Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Security and Privacy Governance Program Guidelines

HITRUST Common Security Framework - Are you prepared?

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

HIPAA-HITECH: Privacy & Security Updates for 2015

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

WHITE PAPER. Title. Managed Services for SAS Technology

SECURITY & PRIVACY DOCUMENTATION

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Data Use and Reciprocal Support Agreement (DURSA) Overview

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report October 29, 2010

Data Processing Agreement for Oracle Cloud Services

Data Security: Public Contracts and the Cloud

Transcription:

Cyber Risk Emerging Trends and Regulatory Update June 12, 2013 1

Webinar Moderator Phil Hurd ACUA President 2

Your Presenters Mike Cullen, Senior Manager CISA, CISSP, CIPP/US > Leads the firm s Technology Risk Services team in Washington, DC, focused on IT risk consulting and internal auditing. > Performs IT risk assessments and audits, developed information privacy and security programs, performed ethical hacking of IT systems, and conducted digital forensic investigations. > Presents to a variety of audiences, including ACUA, various IIA chapters and regional conferences, and at multiple universities. 3

Your Presenters Jennifer Zanone, Manager CISA, PMP > Performs IT risk assessments, IT audits, system implementation reviews, and application control reviews for a variety of higher education, not for profit, and research institution IT environments of varying sizes. > Strategically analyzes clients mission, systems, and risks by applying best practice standards such as Control Objectives for Information and Related Technology (COBIT). 4

Contents/Agenda > Overview of cyber risk and its importance > Emerging trends in cyber security > Changes to data privacy/security laws and regulations > Resources 5

Objectives > Provide an overview of cyber risk and describe its importance > Describe emerging cyber security trends > Describe new or changed data privacy/security laws or regulations > Describe potential strategies that can be incorporated into audits 6

Polling Question #1 Cyber is derived from cybernetics, which was originally defined as the theory of what? A. Brain wave patterns B. Baseball statistics used in Moneyball C. Communication and control in the animal and the machine D. Computer warfare tactics 7

Cyber Fun Facts > The term was coined in 1948 by U.S. mathematician Norbert Wiener to mean the theory/science of communication and control in the animal and the machine. (Source: Wiktionary) > By the 1970s, the Control Data Corporation sold the "Cyber" range of supercomputers, establishing the word cyber- as synonymous with computing. (Source: Wikipedia) 8

Overview of cyber risk and its importance 9

Definitions Cyber Liability > The responsibility that any organization who connects to or utilizes the Internet has to protect business and consumer data 10

Definitions Privacy > The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information. Source: American Institute of Certified Public Accountants (AICPA) Generally Accepted Privacy Principles 11

Definitions Security > The processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. Source: SANS Information Security Resources: www.sans.org/information_security.php 12

Are Privacy and Security Synonymous? > Privacy is concerned with enabling individuals to have say over how their personal information is collected, used, retained, and disclosed. > Security is concerned with protecting information from inappropriate access, modification, or destruction. > To achieve privacy, you must have security. > Both security and privacy are business issues. 13

Privacy in Higher Education > An exceptional volume and variety of personal information (e.g., transcripts, financial aid, health centers, retail operations). > Increased complexity and oversight challenges in a decentralized environment. > Subject to many privacy and security laws and regulations due to: > Breadth and nature of business operations > Faculty, staff, students, and alumni from many states and countries 14

Landscape Privacy and Security Laws/Regulations There are several regulations related to privacy and security with which institutions need to be familiar: > FERPA > GLBA > HIPAA / HITECH > Identity Theft Red Flags > FISMA > PCI DSS > International Laws > US Data Breach Notification Laws > 46 states + DC, Puerto Rico and others 15

Polling Question #2 How does your institution manage cyber risk today? A. It is IT s problem B. We don t manage it all C. In some areas we attempt to manage it, in others we do not D. We have a comprehensive, multi-faceted approach 16

Emerging trends in cyber security 17

Cloud Security What is it? > The growing challenge of securing data and information systems through collaboration with third parties providing services to the organization

Cloud Security What are the issues? > Is Cloud security different than other Information Security? > How can you be sure that data is secure in the Cloud? > Who is responsible for what during a security breach? > The Big Question: Is the Cloud more or less secure?

Cloud Security How can you audit/provide value? > Conduct a Risk Assessment before moving a service to the cloud > Review Vendor s Independent Certifications (e.g., SSAE 16, PCI) > Ensure there are strong internal Data Security policies and procedures > Thought: What is the right amount of due diligence to perform for a cloud provider?

Hacktivism What is it? > Hacking + Activism: The use of computers and computer networks as a means of protest to promote political ends (Wikipedia).

Hacktivism What are the issues? > Universities are both targets of hacktivism AND ideal incubators for those wishing to participate in these movements.

Hacktivism How can you audit/provide value? > Ensure traditional information security controls are maintained and up to date with emergent threats > Ensure there is an incident response team trained and prepared to engage with law enforcement officials in the event of student, faculty, or staff involvement in criminal hactivism

Mobile Devices What is it? > 56% of American adults now own a smartphone of some kind; Android and iphone owners account for half of the cell phone user population (Source: Pew Research Center) > By the end of 2013, the number of mobile-connected devices will exceed the number of people on earth, and by 2017 there will be nearly 1.4 mobile devices per capita (Source: Cisco)

Mobile Devices What are the issues? > People > Devices > Applications > Data > Thought: Portability is the biggest risk and biggest benefit, does one outweigh the other?

Mobile Devices How can you audit/provide value? > Bring Your Own Device (BYOD) is becoming standard > Help develop a comprehensive mobile device policy including: > Full device lifecycle support program > Data protections based on data classifications > Desktop virtualization > User awareness of their personal risks & responsibilities

Polling Question #3 Which of the following emerging trends do think is most likely to impact your institution? A. Cloud Security B. Hacktivism C. Mobile Devices 27

Changes to data privacy/security laws and regulations 28

HIPAA and HITECH Act Health Information Technology for Economic and Clinical Health Act > Enacted as part of the American Recovery and Reinvestment Act of 2009. > Subtitle D addresses privacy and security concerns related to the electronic transmission of health information, including extending HIPAA Privacy and Security Provisions to business associates of covered entities. > The HITECH Act also imposes new protected health information breach notification requirements on HIPAA covered entities, business associates, vendors of personal health records, and related entities. 29

HIPAA and HITECH Act HIPAA Data Breach Notification Requirements > Covered entities must provide individuals notice in written form by first class mail or email if the individual has agreed to receive such notices electronically > Notifications must be provided no later than 60 days following the discovery of the breach > If the entities have out of date contact information for 10 or more individuals, the entity must post notice on the homepage of its website or provide the notice in major print or broadcast media 30

HIPAA and HITECH Act HIPAA Data Breach Notification Requirements (continued) > If the breach affects more than 500 residents of a state, the entity is required to provide notice to prominent media outlets serving the state or jurisdiction > Entities must notify the State Secretary of all data breaches annually for breaches affecting less than 500 residents, or within 60 days for breaches greater than 500 residents 31

Data Protection and Breach Notification > All states, plus Washington, D.C., have security breach notification laws of some form, except Alabama, Kentucky, New Mexico, and South Dakota. > Minnesota, Nevada, and Washington have all passed laws that codify some or all aspects of PCI DSS. > Generally these laws apply to all entities that have data about the respective state s residents, regardless if the entity does business in that state. > Current trend is addition of medical information 32

FISMA > Federal Information Security Management Act, became law as part of the E-Government Act of 2002 > Requires federal agencies to strengthen information security programs and report on an annual basis > Goal is to protect federal information (the data in both electronic and paper forms) and information systems (the computers and networks) > Government contractors and grantees organizations may have to comply if they: collect or maintain information on behalf of the agency that use or operate information systems on behalf of the agency have FISMA requirements in contract and grant terms and conditions 33

FISMA > Federal Information Security Management Act, became law as part of the E-Government Act of 2002 > Requires federal agencies to strengthen information security programs and report on an annual basis > Goal is to protect federal information (the data in both electronic and paper forms) and information systems (the computers and networks) > Government contractors and grantees organizations may have to comply if they: collect or maintain information on behalf of the agency that use or operate information systems on behalf of the agency have FISMA requirements in contract and grant terms and conditions 34

Polling Question #4 What law or regulatory change concerns you the most? A. HIPAA / HITECH B. Data Protection and Breach Notification Laws C. FISMA 35

SIDEBAR ON SERVICE ORGANIZATION CONTROLS (SOC) REPORTING

SOC Reports Purpose SOC 1 SOC 2 SOC 3 Reports on the controls of the service organization that are relevant to the user organization s financial reporting Reports on the effectiveness of the controls of the service organization related to compliance or operations, including trust services principles and criteria* Same purpose as SOC 2 *Trust services principles and criteria are security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria are related to the controls system and the confidentiality and privacy criteria are related to the information processed by the system.

SOC Reports Info required Audience SOC 1 SOC 2 SOC 3 Details on the system, controls, and tests performed by the service auditor, and results of those tests User organization s controllers, compliance officers, CFO, CIO, and financial statement auditors Details on the system, controls, and tests performed by the service auditor, and results of those tests User organization s controllers, compliance officers, CFO, CIO, vendor management executives, regulators, other specified parties, and appropriate business partners Same information as SOC 2, but with a less detailed description of the controls of the service organization Unrestricted and can be viewed by anyone who would like confidence in the controls of the service organization

Resources 39

Resources > AICPA www.aicpa.org > SANS www.sans.org > Ponemon Institute www.ponemon.org > NCSL www.ncsl.org > NACUBO www.nacubo.org > NACUA www.nacua.org > Higher Ed Compliance Alliance www.higheredcompliance.org 40

Resources > EDUCAUSE www.educause.edu > URMIA www.urmia.org > Privacy Rights Clearinghouse www.privacyrights.org > Identity Theft Resource Center www.idtheftcenter.org 41

Upcoming Webinars Webinars resume August 2013 Enjoy your summer! 42

ACUA Annual Conference September 22-26, 2013 Norfolk Waterside Marriott Norfolk, Virginia Register at: www.acua.org 43

Additional Resources ACUA > Promoting Internal Audit: www.acua.org/movie > Listserv: acua-l@associationlists.com > Forums: www.acua.org Baker Tilly > www.bakertilly.com/acua 44

Presenter Contact Info Thank you for participating today! Remember CPE certificates will be emailed to you by ACUA Headquarters in about three weeks. Mike Cullen mike.cullen@bakertilly.com 703-923-8339 Jennifer Zanone Jennifer.zanone@bakertilly.com 312-729-8193 45

Required disclosure and Circular 230 Prominent Disclosure The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2012 Baker Tilly Virchow Krause, LLP. 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback