Upload
lorin-letitia-casey
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
How Secure Is Your Data?
Financial Management and Human Resources ForumAtlanta – October 7, 2013
Data Security – Essential for Trust
Robert E. Berdelle2013 Finance and HR Forum
“Trust is the currency that United Way’s use to Trade”
Brian A. Gallagher
Atlanta October 7, 20133
The Speed of Trust by Stephen M R CoveyThe 5 Waves of Trust
Self Trust
Relationship Trust
Organizational Trust
Market Trust
Societal Trust
Trust begins with each of us personally, continues to our relationships, expands to our organizations, extends into our marketplace relationships and encompasses our global society at large. To build trust with others, we must first start with ourselves.
Atlanta October 7, 20134
The Speed of Trust
CHARACTER
• Integrity: honesty, walking your talk, ethics
• Intent: motives, agendas, mutual benefit
COMPETENCE
• Capabilities: talents, skills, knowledge to produce results
• Results: track record, performance, getting the right things done
Atlanta October 7, 20135
6
U.S. Trust Trends – United Way, Red Cross, Salvation Army, and the Charitable Sector
Tracker: Q. For the next list of charitable organizations that I read, I would like you to tell me how much trust you have in the organization to accomplish what they say they will do. (Top 2 Box, 4-point scale, General Population, age 18+)
Edelman: Q. Below is a list of institutions. For each one, please indicate how much you trust that institution to do what is right using a 9-point scale where one means that you “do not trust them at all” and nine means that you “trust them a great deal”. (NGOs, Top 4 Box, Informed Publics ages 25-64)
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
United Way
NaN 0.793 0.751 0.765 0.755 0.789 0.747 0.806 0.707 0.704 0.688 0.703
Chari-table Organi-zations
NaN 0.817 0.842 0.864 0.822 0.828 0.788 0.826 0.712 0.737 0.696 0.735
Red Cross
NaN 0.861 0.84 0.887 0.847 0.861 0.846 0.878 0.89 0.891 0.863 0.889
Salva-tion Army
NaN 0.925 0.921 0.914 0.915 0.915 0.889 0.896 0.898 0.901 0.895 0.893
U.S. NGO's (Edel-man's Trust Barom-eter)
0.36 0.41 0.49 0.47 0.55 0.54 0.57 0.63 0.45 0.63 0.55 0.58
40%
50%
60%
70%
80%
90%
Organizational Metric - Trust
Atlanta October 7, 20136
Data Security - Essential for Trust
• United Way Strategy – Enhance Corporate and Individual Engagement
More personal donor information is essential
Companies require employee information to be secure and confidential
Imperative for United Ways to competently handle donor information
• Two United Way Initiatives:
1) UWW data security assessment
Engaged Clifton Larson Allen
Controls review and penetration/vulnerability testing
Recommend corrective actions
2) FIC initiative to create best practices document for UW network
Atlanta October 7, 20137
United Way Worldwide Financial Issues Committee (FIC) Data Security Update
Financial Management and Human Resources ForumAtlanta – October 7, 2013
What Led to the Work?
FIC Meeting – New Orleans March 2013
As United Ways, we want more information about our donors – are we being proactive enough to show the companies we are going to “secure” it?
Companies who are running our United Way campaigns are asking what steps are being taken to secure their employee information
Higher expectations/demand for protection of personal information (not just credit card information – PCI Compliance)
Atlanta October 7, 20139
Scope of Project
Document Structure
Best Practice Not a Policy
What Information Is At Risk?
Atlanta October 7, 201310
Scope of Project (cont.)
Table of Contents – DRAFT
Executive Summary – Donor Expectations and Trust
What Information Is At Risk?o Information Protected by Federal and State Laws (US focused)
o Constituent Information
o United Way (Local or Worldwide) Information
o Information Governed by Contracts, Grants, etc., with Companies/Agencies
Risk Assessmento Physical Data Center
o Access to Local Information
o Third Party Service Providers
o Storage Media
o PCI Compliance
Atlanta October 7, 201311
Scope of Project (cont.)
Table of Contents – DRAFT
Internal Controls to Mitigate Riskso Limiting Access to Information
o Encryption
o Internal Controls
o Antivirus Deployment
o Employee Onboarding/Offboarding Policy
o Mobile Devices
Other Risk Management Issueso Insurance
o Response to an Information Breach
o Security Awareness Training
o Security Review Plan
o Incident Response Plan
Atlanta October 7, 201312
Scope of Project (cont.)
Table of Contents – DRAFT
Other Risk Management Issues (cont.)o IT Policies and Procedures Document
o Network Diagram and Documentation
o Business Continuity/Disaster Recovery Plan
Assessment Tools o Self-Assessment Questionnaire
o Performance Matrix
o Resources
Appendix o Sample Polices
Atlanta October 7, 201313
Team Assigned
Finance Professionals o Amy Maziarka, Co-Chair, United Way of the Greater Chippewa Valley
o Mark Erickson, Co-Chair, United Way of Palm Beach County
o Ray Berry, United Way of Pioneer Valley
o Kathy Doty, United Way of Greater Toledo
o Patricia Latimore, United Way of Massachusetts Bay & Merrimack Valley
o Darren Minks, United Way of the Plains
o Taryn Vidovich, Orange County United Way
IT Professionals o Chris Keightley, United Way Worldwide
o Michael Parker, United Way for Southeastern Michigan
o Chris Reese, Orange County United Way
o Javier Torner, CSU San Bernardino
o Brian Weber, United Way Worldwide
Atlanta October 7, 201314
©2012 CliftonLarsonAllen LLP15151515
©20
12 C
lifton
Lars
onAl
len
LLP
Data Security Awareness Presentation
Gil Bohene CISA, CRISC, CISM – Partner
Laura Faulkner - Senior IT Consultant, CliftonLarsonAllen, LLP
Atlanta October 7, 2013
©2012 CliftonLarsonAllen LLP16
General Control Reviews
• Information Technology General Control Review (IT GCR): – An IT General Controls Review is focused on processes that support the proper
management of information technology assets and the protection of information from a best practices perspective
• Benefits: – Provide an overview of the operating environment including locations, contacts,
personnel resources, services, business processes, application systems and technical infrastructure.
– Identify IT control weaknesses and breakdowns i.e. perform gap analysis for desired controls
– Improve overall IT infrastructure• Deliverable:
– Detailed GCR report that contains specific finding and recommended remediation for one aspect of application access controls including assignment of risk, priority, and level of effort.
©2012 CliftonLarsonAllen LLP17
Technical IT Services
• Internal Vulnerability Assessments (IVA): – The Internal Vulnerability Assessment will be a technical evaluation of the key
devices (file servers, mail servers, production servers, routers, switches, etc.) that reside on your trusted business networkPromotes deeper knowledge of the client’s business.
• External Penetration Testing (EPT): – The External Network Penetration Test is designed to aggressively test your
network perimeter to identify exposure to security breaches from outside your network.
• Deliverable: – Our deliverable report will provide your network administrators with detailed
recommendations for how to address specific findings and harden IT infrastructure.– Identify potential vulnerabilities inside/outside the network that might be used to:
– Gain unauthorized access to sensitive confidential information.– Modify or destroy data.– Operate trusted business systems for non-business purposes.
©2012 CliftonLarsonAllen LLP18
IT General Control Approach
• Approach and execution– Interview key staff– Review documentation– Observe current processes and testing controls within the organization.
• Scope – 10 Key Information Technology domains were assessed– Governance controls– Server controls– Network controls– Software controls– Application controls– Workstations – User Access controls– Business Continuity Planning (BCP)– Disaster Recovery Planning (DRP)– Physical Security & Environmental controls
©2012 CliftonLarsonAllen LLP19
General Control Reviews - Scope
©2012 CliftonLarsonAllen LLP20
Internal Vulnerability Assessment Approach
• Approach and execution - Based on two (2) phases:
1. Penetration Testing – based on limited access, we apply hacker like tools and techniques
2. Configuration auditing - validates the issues identified during the first phase and further tests system configurations
• Scope – 3 Information Technology domains are assessed◊ Authentication◊ Patch management◊ Configuration
©2012 CliftonLarsonAllen LLP21
External Penetration Testing Approach
• Approach and execution - Based on four (4) phases:
1. Discovery– find your “entry” points2. Reconnaissance- gather specifics about the systems3. Scanning- locate potential vulnerabilities that would allow access4. Penetrate- try to gain access by exploiting the vulnerabilities
• Scope – 3 Information Technology domains are assessed◊ Authentication◊ Patch Management◊ Configuration
©2012 CliftonLarsonAllen LLP22
What does this mean for your Organization?
• You’re only as strong as your weakest link– Employees– Vendors– Customers/Donors
• Have an ongoing discussion about RISK– Review your controls– Identify weaknesses– Secure what you can– Knowledge is key
©2012 CliftonLarsonAllen LLP23
Best Practices to consider…
• Access Control– Assign access permissions based on the theory of least privilege– Segregation of duties
• Assign user accountability– Limit generic or shared accounts
• Implement strong password policies– Minimum 8 characters– 24 passwords remembered i.e. no re-use of last 24 passwords– Expiration of 90 days– Complexity enabled– Lockout policy
©2012 CliftonLarsonAllen LLP24
Best Practices, etc.
• Vendor Management– Identify your critical vendors – Assign risk – Perform due diligence
• Change Management– Changes should be documented and approved prior to
implementation
• Network Administration– Stay current on patches/updates– Restrict external access as much as possible– Implement monitoring
©2012 CliftonLarsonAllen LLP25
Best Practices, etc.
• Disaster Recovery/Business Continuity– Identify the critical processes that drive your business– Develop your “what if” scenarios– Determine your recovery strategies
• Physical Security– Restrict physical access to data center– Implement environmental controls
©2012 CliftonLarsonAllen LLP26
Conclusion
• Identify what’s critical
• Be PROACTIVE, not reactive
• Use a different perspective
• Educate yourself and your employees
THANK YOU!
Presenter - Laura Faulkner
©2012 CliftonLarsonAllen LLP27
CONTACT INFORMATION
Laura Faulkner – 612.397.3090
Gil Bohene – 571.227.9500
Security Awareness Training
Michael ParkerUW for Southeastern Michigan
Financial Management and Human Resources ForumAtlanta – October 7, 2013
What is “Security Awareness”?
Security awareness is “the knowledge and attitude members of an organization possess regarding the protection of the physical and especially, information assets of that organization.”
• Organizational-wide culture, with behavioral change component
• Includes people, process and technology
Atlanta October 7, 201329
Why do we need Security Awareness Training?
• Organizational value statement – drives credibility and transparency
• Ethical responsibility to our constituents
• Compliance with federal and state laws (HIPAA, PCI, PII, etc.)
• Contractual mandates by companies we work with
• Risk management
Atlanta October 7, 201330
Elements of successful security awareness programs
• C-Level support – buy-in is critical
• Partnering with key departments – mutual interests can drive support
• Creativity – materials, communication, events
• Metrics – use of attitude surveys, # of security related incidents
• Emphasize “how to” rather than “don’t do this”
• 90 day plans focusing on 3 topics vs. annual plan – reinforces knowledge, changes behaviors
• Multiple forms of training materials – online systems, newsletters, posters, games, etc.; tailored to generational differences
Atlanta October 7, 201331
Typical topics covered in awareness training programs
• The nature of sensitive material and physical assets individuals may come in contact with
• Employee and contractor responsibilities in handling sensitive information, including review of nondisclosure agreements
• Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction
• Proper methods for protecting sensitive information on computer systems, including password policies, encryption and network access
• Other computer security concerns, including malware, phishing, social engineering etc.
• Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, websites, etc.
• Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties
Atlanta October 7, 201332
Typical content covered in training
General security awareness (all employees)
• High level review of network logins/passwords, viruses/malware, mobile data, physical security, phishers, acceptable use policies, incident response, security services, risk management, encryption, backups
Security awareness for managers
• Lead by example, security management practices, legal issues
Security awareness for IT professionals
• Common forms of attack, network security, disaster recovery, best practices
Security awareness for web application developers
• Open Web Application Security Project (OWASP) Top Ten list
Atlanta October 7, 201333
Typical content covered in training, continued
Physical security
• Workplace violence, theft, physical access controls, emergencies
Data and records retention
• Document creation, laws, best practices for retention and destruction
Privacy awareness - public/non-public information, laws, best practices
PCI requirements and compliance
HIPAA/HITECH – PHI (protected health information)
Atlanta October 7, 201334
Handling Security Breaches
Notification considerations
• Legal requirements
• UWW requirements
• Constituent response
• Media response
Incident Response Plans – covers physical and network breaches
• Notification contact lists
• Assessment phase
• Response determination
• Containment phase
Atlanta October 7, 201335
Handling Security Breaches, continued
• Documentation – logs of who, what, where, pictures, etc.
• Evidence preservation – pictures, damage
• Damage assessment – costs/values
• Notification – insurance, legal, police
• Evaluation of plan
Atlanta October 7, 201336
Questions??