Effective Strategies for Managing Cybersecurity Risks

Similar documents
01.0 Policy Responsibilities and Oversight

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

The Common Controls Framework BY ADOBE

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Cybersecurity The Evolving Landscape

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Locking Down the Cloud Security is Not a Myth

Exploring Emerging Cyber Attest Requirements

University of Pittsburgh Security Assessment Questionnaire (v1.7)

10 FOCUS AREAS FOR BREACH PREVENTION

Security Policies and Procedures Principles and Practices

Information Security Risk Strategies. By

Total Security Management PCI DSS Compliance Guide

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Juniper Vendor Security Requirements

To Audit Your IAM Program

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

How NOT To Get Hacked

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

CYBER SECURITY AIR TRANSPORT IT SUMMIT

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

PROFESSIONAL SERVICES (Solution Brief)

Cyber Security Guidelines for Public Wi-Fi Networks

Will you be PCI DSS Compliant by September 2010?

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

The Honest Advantage

DeMystifying Data Breaches and Information Security Compliance

FFIEC Guidance: Mobile Financial Services

External Supplier Control Obligations. Cyber Security

HITRUST Common Security Framework - Are you prepared?

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Ingram Micro Cyber Security Portfolio

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Cybersecurity in Higher Ed

NCSF Foundation Certification

QuickBooks Online Security White Paper July 2017

Art of Performing Risk Assessments

mhealth SECURITY: STATS AND SOLUTIONS

Mobile Devices prioritize User Experience

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

CoreMax Consulting s Cyber Security Roadmap

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Cybersecurity Auditing in an Unsecure World

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Title: Planning AWS Platform Security Assessment?

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Protecting your data. EY s approach to data privacy and information security

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Welcome ControlCase Conference. Kishor Vaswani, CEO

Gujarat Forensic Sciences University

Sage Data Security Services Directory

Checklist: Credit Union Information Security and Privacy Policies

CYBERSECURITY: E-COMMERCE, GOVERNANCE AND APPLIED CERTIFICATIONS A ROUNDTABLE DISCUSSION 15 DECEMBER 2015

SECURITY & PRIVACY DOCUMENTATION

90% of data breaches are caused by software vulnerabilities.

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Addressing penetration testing and vulnerabilities, and adding verification measures

6 Vulnerabilities of the Retail Payment Ecosystem

What every IT professional needs to know about penetration tests

Privacy Implications Guide. for. the CIS Critical Security Controls (Version 6)

Automating the Top 20 CIS Critical Security Controls

IoT & SCADA Cyber Security Services

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

ACM Retreat - Today s Topics:

Establishing a Credible Cybersecurity Program. September 2016

Avanade s Approach to Client Data Protection

Addressing PCI DSS 3.2

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Information Security Policy

Information Technology General Control Review

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Cybersecurity Best Practices

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

PCI Compliance. What is it? Who uses it? Why is it important?

Putting It All Together:

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Auditing the Cloud. Paul Engle CISA, CIA

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Manchester Metropolitan University Information Security Strategy

Transcription:

October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1

Everybody s Doing It! 2

Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive Data Non-public Personally Identifiable Information (PII) Protected Health Information (PHI) Credit Card Holder Data (CHD) Employees intentional and unintentional actions Weaknesses in your IT Risk Assessment and InfoSec Planning Weaknesses in your Information Security Program Weaknesses in your Vulnerability Management Program Weaknesses in your Web Applications Weaknesses in your perimeter e-security layers Weaknesses in your internal e-security layers Weaknesses in your Change Management, e.g. patches and updates Access by Third Party Vendors 3

Most Effective Strategies to Overcome the Top Cybersecurity Risks Annual IT/InfoSec Risk Assessment and Planning Adopt and implement an IT Security Framework Conduct Regular Audits and/or Compliance Reviews IT Security Policies and Awareness Training Effective Vulnerability Management and Penetration Testing Program Web Application Security Reviews Proactive Third Party Vendors Security Compliance Programs 4

IT Risk Assessment Framework 5

IT Risk Universe and Risk Assessment Information Asset Threats & Vulnerabiliti es Threat / Vuln Rating Inherent Risk Data Characteris tics Data Char Rating Inherent Risk Rating Financial Business Criticality Operational Strategic Legal / Regulatory Business Crit Rating Composite Risk Rating Process & App Control Plan & Organize Control Environment Acquire & Implement Deliver & Support Monitor & Evaluate CobiT Control % Mitigation Residual Risk Rating Technology Service Provider Management 1, 2, 5, 6, 7, 8 6 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 10 16 3 2 1 3 9 144 M W M W W 35% 93.60 Core Applications 1, 2, 5, 6, 7, 9, 10 7 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 10 17 3 3 3 2 11 187 S W M M S 55% 84.15 SDLC and Program Change Controls 1, 5, 6, 7 4 Internet Banking Controls 1, 3,4,6,7,9 6 External Network Security Internal Network Security 1, 2, 5, 6, 7, 8, 10 1, 2, 5, 6, 7, 8, 9, 10 ATM Network Compliance 1, 2, 6, 7, 10 5 Systems Administration 6, 7, 9 3 Physical Security and Environmental Controls Mobile Computing Devices / Removable Media Business Continuity Planning 7 8 1, 2, 7, 8, 9 5 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 1, 2, 3, 4, 5, 6 1, 2, 3, 4, 5, 6, 7, 9, 10 1, 2, 3, 5, 6, 7, 9, 10 1, 2, 3, 4, 5, 6, 7, 9 1, 2, 3, 5, 6, 7, 9 1, 2, 3, 4, 7, 9 10 14 3 3 2 1 9 126 M M M M W 35% 81.90 6 12 2 2 3 3 10 120 W M M W W 35% 78.00 9 16 3 3 3 2 11 176 M M M S S 60% 70.40 8 16 3 3 2 2 10 160 S M M M S 60% 64.00 8 13 2 3 2 2 9 117 M M M M M 50% 58.50 7 10 3 3 2 2 10 100 M M M S W 50% 50.00 6 11 1 2 2 1 6 66 M S M M W 50% 33.00 1, 5, 6, 7,10 5 1, 2, 3, 4 4 9 2 2 2 2 8 72 S W M M S 55% 32.40 2, 6, 8, 9, 10 5 2, 4, 7,9, 10 5 10 2 3 2 1 8 80 M M S S S 65% 28.00 Compliance Review (GLBA) 7 1 1, 2, 3, 4, 5 5 6 3 3 1 3 10 60 M S M M M 55% 27.00 IT Governance (Management and Administration) Desktop Management and Support 5, 7 2 4, 5, 7, 9, 10 5 7 2 2 2 2 8 56 S S M M M 60% 22.40 1, 5, 6, 7 4 4, 5, 7, 9, 10 5 9 1 2 1 1 5 45 M M M M S 55% 20.25 6

Adopt and Implement an Information Security Framework Select 1 framework (or 2 at most) based on relevance to your industry, customers, and/or key stakeholders Conduct a gap assessment Develop an gap remediation or implementation plan Harden your systems and networks, improving secutiry Conduct annual audits and/or compliance reviews Achieve compliance or certification Provide assurance to customers and stakeholders that your systems are secure Meet regulatory requirements (HIPAA, GLBA, PCI, etc.) Avoid breaches, fines, lost business/reputation, etc. Marketing tool strong compliance can be a differentiator 7

Example Frameworks PCI Data Security Standard 3.1 credit card security Service Organization Controls (SOC) 1, 2 or 3 Reports AICPA standards, widely accepted for internal control assurance SOC 2 Trust Service Principles Security, Confidentiality, Privacy, Availability, Processing Integrity ISO27000 COBIT 5.0 ITIL NIST Cybersecurity Framework HIPAA HITECH Helathcare, PHI HITRUST Common Security Framework V7 ISO, NIST, PCI, HIPAA, and COBIT 8

The COBIT Framework 9

COBIT Harmonises Other Standards COBIT is often used at the highest level of IT governance It harmonises practices and standards such as ITIL, ISO 27001 and 27002, and PMBOK Improves their alignment to business needs Covers full spectrum of IT-related activities 27001/2 10

I M P L E M E N T A T I O N P R O C E S S C Y C L E SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION DO Implement & Operate the ISMS IS POLICY PLAN Establish ISMS CHECK Monitor & Review ISMS OPERATIONALIZE THE PROCESES ACT Maintain & Improve MANAGEMENT REVIEW CHECK PROCESSES CORRECTIVE & PREVENTIVE ACTIONS 11 11

Establish an Effective Vulnerability and Penetration Testing Program Answer questions for management: Is our network secure? How do we know that our network is secure? Were we able to compromise any systems to gain unauthorized access? Where are the weakest points in our network and do we have a plan to remediate those weaknesses? Provide a baseline to help improve security Find configuration mistakes or missing security updates Determine whether an attack would be detected 12

Establish an Effective Vulnerability and Penetration Testing Program Best Practices: Methodology Proper Scoping Use variety of tools External V&P Internal V&P Web Applications 13

Web Application Security Review The most widespread vulnerabilities: Cross-Site Scripting, Information Leakage, SQL Injection, Insufficient Transport Layer Protection, Fingerprinting and HTTP Response Splitting. As a rule, Cross-Site Scripting, SQL Injection and HTTP Response Splitting vulnerabilities are caused by design errors, while Information Leakage, Insufficient Transport Layer Protection and Fingerprinting are often caused by insufficient administration (e.g., access control). 14

Mobile Device Risks 1. Most smartphone and tablet users don t even have a basic passcode set up on their device 2. Some web apps store user ID and password information for faster authentication, which can be obtained if phone is lost or stolen 3. Device s physical security can sometimes be easily by-passed 4. Service provider authentication is unencrypted or uses weak encryption 6. Average smartphone or tablet user has installed no security software - only a fraction of the security of a laptop or desktop 7. Detected malware developed for the Android platform alone has increased by 400% in the past year 8. Most app stores (e.g., Android Marketplace) don t review apps for security, it is very easy for criminals to post malicious apps that steal information from your mobile device 9. Technology that keeps apps separate on your smartphone or tablet doesn t separate that data accessible by other apps 10. The temptation to use free WiFi hotspots at cafes, airports and hotels lures people into banking over insecure networks. 15

Mobile Device Risk Mitigation Strategies Communicate your authorized, official apps Provide best practice guidance to customers Don t use public Wi-Fi to conduct mobile banking use a secure access point Never send personal information via text or email Require use of secure PIN codes Allow downloading mobile apps only from institution websites or proven safe sources Separate credentials for Internet and mobile apps 16

Third Party Service Provider Management Frequently one of the highest risk attack vectors Target HVAC! Much higher focus in updated PCI DSS 3.1 and in Banking Industry FFIEC regulatory requirements for Vendor Management What you need to do about 3 rd party security: Contractually require SP s to provide documented security certification e.g. SOC report(s), PCI AOC Lock down their access to your network and systems Consider using only temporary FireFighter UIDs rather than allowing them continuous access Monitor, monitor, monitor their access IDS, centralized sys logging, include them in annual or quarterly user access reviews Consider including in V&P testing and/or auditing scope 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback