© 2015 NAVEX Global, Inc. All Rights Reserved.
www.navexglobal.com
NAVEX Global Advisory Council Q3 Webinar: Cybersecurity
August 12, 2015
Today’s Agenda
• Introductions
• Benchmarking
• Ridge Global
  • Building a Cybersecure and Resilient Organization
  • Major Breaches – Not Just an IT Problem
  • Latest SEC Cyber Guidance
  • Training & Education
• Leidos
  • Condition of Commercial Cybersecurity Market
  • Cybersecurity and Compliance Lifecycle
  • Recommendations
• Panel Q&A
Presented by
Ingrid Fredeen, Vice President, Online Learning Content
Presented by
Chris Furlow, President
Lisa Roger, Vice President and Commercial Cybersecurity Division Leader
Marcus Wu, Deputy Director of Investigations, Corporate Ethics and Compliance
Does your organization have a group dedicated to IT security?
• Yes
• No
• Our organization is considering it
Does your compliance team have any responsibility for cybersecurity in your organization?
• Yes
• No
• We are potentially going to assume some responsibility
Please send in a comment about what your team does with respect to cybersecurity.
Does your organization do any training on cybersecurity?
• Yes, but it is done by another group
• Yes, the compliance group deploys it
• No
• We are considering it
Please send in a comment about what your organization does for cyber training: type, length, frequency.
How many issues each year do you investigate that have a cyber component?
• 0-1
• 2-4
• 4-6
• 6-8
• 10+
How do you measure the effectiveness of your cybersecurity program?
Please send in a comment about what your organization does for program effectiveness.
Chris Furlow, President, Ridge Global
The Human Element in Cybersecurity
Building a Cyber Secure & Resilient Organization
• Technology
• Processes
• People
Major Breaches…Not Just an IT Problem
(Diagram on the original slide; recoverable labels: vendors, media)
Wyndham (Palkon v. Holmes)
Advisen Cyber Risk Network, November 14, 2014:
“…the decision sets precedent as to the types of activities of which a board should be mindful when evaluating and implementing information governance and cybersecurity regimes as well as in responding to a cyber breach (including through public disclosures).”
Latest SEC Cyber Guidance
Source: US Securities and Exchange Commission, Division of Investment Management, http://www.sec.gov/investment/im-guidance-2015-02.pdf
“Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events”
“Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.”
NY State DFS Notifies Insurance Company CEOs, CIOs, and GCs about New Cyber Examination Requirements
March 26, 2015
Source: New York State Department of Financial Services, http://www.dfs.ny.gov/about/press2015/pr150326-ltr.pdf
21st Century Risk Training & Education
Driving a culture of cybersecurity & resilience across the enterprise
• C-Suite & Board: members understand critical concepts for management of cyber risk and lead a culture of resiliency backed by appropriate resources
• Managers (IT & Business Units), “The Glue”: both technical and business unit managers are trained in leading cyber resilience within their areas of responsibility
• All Enterprise Users: all end-users are trained regularly on cyber policy and risk-avoidance
Enterprise Cyber Education
Implementing Policy and Driving the Enterprise Culture of Cybersecurity & Resilience
“Manage the risk before the risk manages you.” – Gov. Tom Ridge
Lisa Roger & Marcus Wu, Leidos
Cybersecurity and Compliance
Introduction and Roles
• Leidos
  • Fortune 500 defense contractor
  • Based out of Reston, Virginia
  • Recognized leader in National Security, Health, and Engineering
• Lisa Roger, Vice President and Commercial Cybersecurity Division Manager
• Marcus Wu, Deputy Director of Investigations, Corporate Ethics and Compliance
Condition of Commercial Cybersecurity Market
• Broad spectrum of sophistication across verticals
  • Finance to Health Care
  • Maintenance to foundational support
• How does compliance fit in?
  • Non-existent to fully integrated
  • Cybersecurity as input to compliance
Cybersecurity and Compliance Lifecycle
(Lifecycle diagram on the original slide; stages as labelled:)
• Effective Monitoring
• Incident Response
• Investigative Response
• Use case development
Key (diagram legend): Cybersecurity Roles; Compliance Roles
Recommendations
• Cybersecurity basics
  • Establish policies and procedures
  • Monitoring and Incident Response are cornerstones
• Need for cross-functional communication and collaboration
• Organizational legitimacy and cultural pervasiveness
Questions?
Thank you for your time!
Please join our next webinar, Thursday December 10th