© 2015 NAVEX Global, Inc. All Rights Reserved. www.navexglobal.com

NAVEX Global Advisory Council Q3 Webinar: Cybersecurity
August 12, 2015



Today’s Agenda

  • Introductions
  • Benchmarking
  • Ridge Global
      • Building a Cybersecure and Resilient Organization
      • Major Breaches – Not Just an IT Problem
      • Latest SEC Cyber Guidance
      • Training & Education
  • Leidos
      • Condition of Commercial Cybersecurity Market
      • Cybersecurity and Compliance Lifecycle
      • Recommendations
  • Panel Q&A

PRESENTED BY

  • Ingrid Fredeen, Vice President, Online Learning Content

PRESENTED BY

  • Chris Furlow, President
  • Lisa Roger, Vice President and Commercial Cybersecurity Division Leader
  • Marcus Wu, Deputy Director of Investigations, Corporate Ethics and Compliance

Does your organization have a group dedicated to IT security?

  • Yes
  • No
  • Our organization is considering it

Does your compliance team have any responsibility for cybersecurity in your organization?

  • Yes
  • No
  • We are potentially going to assume some responsibility

Please send in a comment about what your team does with respect to cybersecurity.

Does your organization do any training on cybersecurity?

  • Yes, but it is done by another group
  • Yes, the compliance group deploys it
  • No
  • We are considering it

Please send in a comment about what your organization does for cyber training: type, length, frequency.

How many issues each year do you investigate that have a cyber component?

  • 0-1
  • 2-4
  • 4-6
  • 6-8
  • 10+

How do you measure the effectiveness of your cybersecurity program?

Please send in a comment about what your organization does for program effectiveness.

Chris Furlow, President, Ridge Global

The Human Element in Cybersecurity

Building a Cyber Secure & Resilient Organization

[Diagram: three interlocking elements]
  • Technology
  • Processes
  • People

Major Breaches…Not Just an IT Problem

[Diagram: parties drawn into a major breach]
  • Vendors
  • Media

Wyndham (Palkon v. Holmes)

Advisen Cyber Risk Network, November 14, 2014:

“…the decision sets precedent as to the types of activities of which a board should be mindful when evaluating and implementing information governance and cybersecurity regimes as well as in responding to a cyber breach (including through public disclosures).”

Latest SEC Cyber Guidance

Source: US Securities and Exchange Commission, Division of Investment Management, http://www.sec.gov/investment/im-guidance-2015-02.pdf

“Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events”

“Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.”

NY State DFS Notifies Insurance Company CEOs, CIOs, and GCs about New Cyber Examination Requirements

March 26, 2015

Source: New York State Department of Financial Services, http://www.dfs.ny.gov/about/press2015/pr150326-ltr.pdf

21st Century Risk Training & Education

Driving a culture of cybersecurity & resilience across the enterprise

  • C-Suite & Board: C-Suite & Board members understand critical concepts for management of cyber risk and lead a culture of resiliency backed by appropriate resources.
  • Managers (IT & Business Units), “The Glue”: Both technical and business unit managers are trained in leading cyber resilience within their areas of responsibility.
  • All Enterprise Users: All end-users are trained regularly on cyber policy and risk-avoidance.

Enterprise Cyber Education

Implementing Policy and Driving the Enterprise Culture of Cybersecurity & Resilience

“Manage the risk before the risk manages you.” - Gov. Tom Ridge

Lisa Roger & Marcus Wu, Leidos

Cybersecurity and Compliance

Introduction and Roles

  • Leidos
      • Fortune 500 defense contractor
      • Based out of Reston, Virginia
      • Recognized leader in National Security, Health, and Engineering
  • Lisa Roger, Vice President and Commercial Cybersecurity Division Manager
  • Marcus Wu, Deputy Director of Investigations, Corporate Ethics and Compliance

Condition of Commercial Cybersecurity Market

  • Broad spectrum of sophistication across verticals
      • Finance to Health Care
      • Maintenance to foundational support
  • How does compliance fit in?
      • Non-existent to fully integrated
      • Cybersecurity as input to compliance

Cybersecurity and Compliance Lifecycle

[Diagram: lifecycle stages, with a key distinguishing Cybersecurity Roles from Compliance Roles]
  • Effective Monitoring
  • Incident Response
  • Investigative Response
  • Use case development

Recommendations

  • Cybersecurity basics
      • Establish policies and procedures
      • Monitoring and Incident Response are cornerstones
  • Need for cross-functional communication and collaboration
  • Organizational legitimacy and cultural pervasiveness

Questions?

Thank you for your time!

Please join our next webinar, Thursday December 10th.
