Presentation / Panel Overview
Introduction (Moderator)
Part I (Panelist)
• Data Security and Privacy Defined
• Current Market Outlook
• Data Security and Privacy Requirements
Part II (Panelist)
• Addressing Data Security and Privacy
• Most Common Findings/Issues
• Best Practices for Remediation
• Future Expectations for Data Security and Privacy
Proprietary & Confidential – Accretive Solutions, Inc.
Did you know…?
On the FBI’s Most Wanted List for cyber criminals you will currently find 19 individuals, each being responsible for consumer losses ranging from $350,000 to more than $100 million. They are from all over the world and huge rewards are offered for their capture.
May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/
Biography – Sajeev Prelis
Over 20 years of IT Risk, Compliance, and Data Security experience
MBA, MS, QSA, PCIP, CCSFP, CISA, CGEIT, CRISC
Director of Risk Management and Security
Ten and a half years with Accretive Solutions
Industries: banking, healthcare, retail, manufacturing, marketing, education/school district, entertainment, oil & gas, telecom, and service providers.
Company Overview – Accretive Solutions
Accounting & Finance
– Technical Accounting Advisory / SEC Reporting
– IPO Readiness / Audit Support
– Pre- and Post-Acquisition Integration
– General Accounting / Finance Leadership
– Startup Services
Risk Management & Compliance
– Compliance (SOX, PCI, SSAE 16, HIPAA)
– Risk and Vulnerability Assessments
– IT Security Strategy
– Internal Audit
– Vendor Audits
Information Technology & Business Transformation
– CIO / IT Strategy & Roadmap
– Operational Assessments & Process Improvement
– ERP, Supply Chain and HRIS
– Systems Selection & Implementation
– Business Intelligence Strategy
– Program, Project & Organizational Change Management
Current Data Security Outlook
5 Cybersecurity Trends in 2016
– Cloud Services
– Ransomware
– Spear Phishing
– Known Vulnerabilities
– Internet of Things (IoT)
Data Security is being discussed in every board room
Companies cannot pass on the responsibility for protecting their data – do your due diligence
Security & Privacy Compliance Defined
SSAE16 (SOC 1) – The Statement on Standards for Attestation Engagements No. 16
SOC 2 & 3 – Service Organization Control 2 & 3
PCI DSS – Payment Card Industry Data Security Standard
SOX – Sarbanes-Oxley 404
HIPAA – Health Insurance Portability and Accountability Act
HITRUST - Common Security Framework (CSF) for Healthcare
ISO – International Organization for Standardization
FCPA – Foreign Corrupt Practices Act
FISMA – Federal Information Security Management Act
FFIEC - The Federal Financial Institutions Examination Council
EU Data Shield – Replacement to Safe Harbor
State Privacy Laws – Varies by state
Did you know…?
MyDoom is considered to be the most expensive virus in the world and in cyber security history, having caused an estimated financial damage of $38.5 billion!
Panelist 1 – Dave Johnson
Chief Security Officer for WorldVentures LLC
– 34 Yrs. in Technology
– Started working in IT Security in the 1980s for Northrup on the MX missile system
Prior Experience
– General Electric Nuclear (GE) IT Security
– CGI – Federal: GSA, US Courts, DOD Dept. of the Army, Dept. of Agriculture…
– CGI – Director Information Security, US Enterprise Markets
• Fannie Mae Corporation
• Obama Care “State Health Index”
• All of United States – State and Local Government
• All Private Sector Contracts
Company Overview – WorldVentures (WV)
WorldVentures “Dream Trips”
– MLM Business Model
– Travel
– Global Company
– Very Fast Growth
E-Commerce
– PCI Payment Card Data
– PII Personally Identifiable Information / Protected Identifiable Information
Data Security and Privacy Requirements
Pacific Rim
– Taiwan Personal Information Protection Act (PDPA)
– Hong Kong Privacy Commissioner for Personal Data (PCPD)
• Personal Data (Privacy) Ordinance (Cap. 486)
Canada
– Personal Information Protection and Electronic Documents Act ('PIPEDA')
– Personal Information Protection Act ('PIPA Alberta')
– Personal Information Protection Act ('PIPA BC')
– Personal Information Protection and Identity Theft Prevention Act ('PIPITPA') (not yet in force), and
– An Act Respecting the Protection of Personal Information in the Private Sector ('Quebec Privacy Act') (collectively, 'Canadian Privacy Statutes').
Data Security and Privacy Requirements
EU Data Shield
Australia
– Information Privacy Act 2014 (Australian Capital Territory)
– Information Act 2002 (Northern Territory)
– Privacy and Personal Information Protection Act 1998 (New South Wales)
– Information Privacy Act 2009 (Queensland)
– Personal Information Protection Act 2004 (Tasmania), and
– Privacy and Data Protection Act 2014 (Victoria)
Data Security and Privacy Requirements
Reasons
– It’s the right thing to do
– It’s the law in many jurisdictions
Other areas of compliance – Cookie Laws
– You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.
Did you know…?
Currently, according to in-depth statistics, there are more than 1.6 billion social network users worldwide, with more than 64% of internet users accessing social media services online. Because social media users usually trust their circles of online friends, the result is that more than 600,000 Facebook accounts are compromised every single day!
Panelist 2 – Chuck Springer
~20 years of experience in information security, security consulting, auditing, and GRC
CISSP, CISA, CISM, C|CISO, QSA (former)
Sample Projects:
– Computer Emergency Response / Forensics Team
– Policy Development
– Risk Assessment
– Framework Review, Implementation and/or Audit:
• COBIT
• FISMA
• HIPAA/HITRUST
• ISO 27001/2
• NIST 800-53r4 (FedRAMP)
• PCI DSS
• SSAE Type 2
Company Overview – Armor
Armor keeps companies with sensitive, regulated data safe and compliant in the cloud.
– 100x shorter dwell times
– Blocks over 250,000,000 attacks per month
– Protected by world-class SOC
– Guarded by elite cybersecurity pros
– Choose security solutions hosted in our cloud or yours
– Real-time threat intelligence & mitigation
Data Security and Privacy Requirements
– EU-US Data Shield
– PCI DSS v3.1
– HIPAA HITRUST
– ISO 27001:2013
– SOC Type 2
Founded on Trust. Fueled by Passion.
Trusted by customers in 45 countries; 4 of the top 10 healthcare IT companies; over $200 billion in secure payment transactions.
Did you know…?
Cyber security fact: Oracle Java, Adobe Reader or Adobe Flash is present on 99% of computers. That means that 99% of computer users are vulnerable to exploit kits (software vulnerabilities).
Panelist 3 – John Wilson
AmerisourceBergen Corporation
Director of Information Security, Data Governance
AmerisourceBergen BISO
Certifications: CISSP, CISM, CRISC, CCSK, CHSP
20 years overall IT experience
14 years specific experience in IT Security and Information Security
Company Overview - AmerisourceBergen
– Leading global healthcare solutions company
– Shaping healthcare delivery with solutions that improve product access, increase supply chain efficiency and enhance patient care
– 135B in annual revenue with 18,000 associates
– Daily delivery to 50,000 healthcare facilities with 140+ ABC offices
– 1.5M product lines delivered from 30+ distribution centers in 50+ countries
Types of Data in our environments:
Riches, Ruins and Regulations
Data Security and Privacy Requirements
Data and Security compliance requirements for ABC come from many sources
– SOX, SOC, URAC, PCI, HIPAA/HITECH, FDA, Internal Audit, client contractual, PII and IP
Requirements are very well documented and audited frequently by external and internal teams
Many requirements overlap or duplicate one another
Objective – “Audit Once and Report Many”
Did you know…?
Maybe you’ll be surprised to find out that a shocking 59% of employees steal proprietary corporate data when they quit or are fired. But there are more types of insider threats to get protection against:
Malicious Insiders
Exploited Insiders
Careless insiders.
Addressing Data Security and Privacy
Where to start – Data Security Risk Assessment
Common Findings
Lack of trained resources / adequate staffing levels
Not consistently practicing basic controls – patching; change management; testing; segregation of duties
Lack of budget
Implementing minimum controls to pass an audit versus secure the data
Outdated policy / procedure / standards documentation
Old habits die hard
Best Practices
Strengthening the weakest link: Security awareness – educating the entire work force
Dedicated Roles: CISO, Risk Officer, Data Protection Officers
Patching: Keep up with patching systems and applications
Be proactive: Plan for when not if (incident responses, DR/BCP, media messaging)
Data Inventory: storage locations / who has access / how is it transmitted / how long is it kept
Know your limits: In-house or outsource
Did you know…?
People are the weakest link when it comes to cyber security, which is why psychological manipulation of cyber attack victims is so common.
For example, in a recent attack, an international cyber crime ring based out of Eastern Europe managed to steal $1 billion in 2 years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees.
WorldVentures - Common Issues
Changes to the individual Privacy Laws around the world and compliance with those Laws.
– Complexity of Implementation of Controls
– Cost of Compliance
Mobile Devices and Applications
BYOD
Advanced Attack Vectors
Remediation and Prevention
WorldVentures is moving to a vaultless, format-preserving tokenization solution.
– Allows us to move and process tokens, not data, around the world.
– Solution is in Amazon AWS, with a global footprint.
– Solution uses APIs, so no changes to the application or database are needed.
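To make the "tokens not data" and "no changes to the application or database" points concrete, here is an added illustration (not WorldVentures' or any vendor's code) of what vaultless, format-preserving tokenization means in practice: a keyed Feistel network over decimal digits, with HMAC-SHA256 as the round function, maps a 16-digit card number to another 16-digit string, deterministically and reversibly, without any lookup table. The construction, the round count, the `tweak` domain separator and the `keep_last` option are all assumptions chosen for the example; a production deployment would use a standardised mode such as NIST FF1 and a key held in a KMS/HSM.

```python
import hashlib
import hmac

ROUNDS = 10  # illustrative Feistel round count, not a standard parameter


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Keyed pseudo-random function for one Feistel round (HMAC-SHA256)."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _feistel(key: bytes, tweak: bytes, digits: str, forward: bool) -> str:
    """Run a (possibly unbalanced) Feistel network over a decimal string.

    Each round adds (or subtracts, when inverting) the round function of one
    half into the other half modulo 10**len(half), so the output always has
    the same length as the input and consists only of digits. No vault is
    needed: the key alone recovers the original value.
    """
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a digit string of length >= 2")
    mid = len(digits) // 2
    a, b = digits[:mid], digits[mid:]
    if forward:
        for rnd in range(ROUNDS):
            m = len(a)
            c = (int(a) + _round_fn(key, tweak, rnd, b)) % 10 ** m
            a, b = b, str(c).zfill(m)
    else:
        for rnd in reversed(range(ROUNDS)):
            m = len(b)
            c = (int(b) - _round_fn(key, tweak, rnd, a)) % 10 ** m
            a, b = str(c).zfill(m), a
    return a + b


def tokenize(key: bytes, value: str, tweak: bytes = b"", keep_last: int = 0) -> str:
    """Return a same-length, digits-only token; the last keep_last digits stay in the clear."""
    cut = len(value) - keep_last
    return _feistel(key, tweak, value[:cut], True) + value[cut:]


def detokenize(key: bytes, token: str, tweak: bytes = b"", keep_last: int = 0) -> str:
    """Invert tokenize() with the same key and tweak."""
    cut = len(token) - keep_last
    return _feistel(key, tweak, token[:cut], False) + token[cut:]


def fits_column(original: str, token: str) -> bool:
    """True if the token can live in the same database column as the original."""
    return len(token) == len(original) and token.isdigit()


if __name__ == "__main__":
    key = b"\x00" * 32  # placeholder key for the demo; use a KMS/HSM-managed key in practice
    pan = "4111111111111111"  # constructed test card number
    tok = tokenize(key, pan, tweak=b"card_number", keep_last=4)
    print(pan, "->", tok, "fits column:", fits_column(pan, tok))
    print("round trip ok:", detokenize(key, tok, tweak=b"card_number", keep_last=4) == pan)
```

Because the token has the same length and character set as the original, existing column definitions, validation rules and downstream systems keep working, which is what lets the application and database stay unchanged. The `tweak` binds a token to the field it came from, so the same digits tokenized in two different fields produce two different tokens.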
What does the future hold…
Roadmap for the future related to your business
Vision for Data Security and Privacy over the next five years and beyond:
– Flexible controls hierarchy
– Support for multiple compliance frameworks
– Comprehensive controls testing capabilities such as inspections, audits, manual and automated assessments
– Flexible scheduling of testing of controls
Did you know…?
Ever wondered how cyber attacks look at a global scale? Now you have the chance to do it with this real-time map put together by Norse.
Common Issues – Chuck Springer
New European Union Privacy Directive
– One proposed law is to boost the protection of individuals' personal data and to increase their level of trust in the digital environment.
– Another proposal is to step up the level of protection of individuals' personal data when it is being used to tackle crime. The law also aims to boost trust among law enforcement authorities so that they can exchange personal data in order to tackle crime.
“War” on Encryption
– Zero-Knowledge services allow users to encrypt data and communications with their own generated keys that service providers can't unlock. (UK looking to ban)
– Renewed efforts to require that Internet companies and service providers make it possible to break encryption if served with a court order. (FBI vs Apple)
Defending the Landscape
Challenges
• Don’t Understand My Data Landscape
• Poor Authentication
• Weak Role-Based Controls
• Stubborn End-User Adoption
• Compliance Isn’t Prescriptive
Objectives
• Protect ePHI, PCI, Privacy Data
• Build Secure Infrastructure
• Secure End Points
• Enable Seamless Processes
• Make Security Easy for End-Users (e.g., doctors, nurses, administrators, customers)
Armor Prevention Strategy
For every 35,000,000 attacks blocked (over 250,000,000 attacks per month), just 1 attack gets through.
Layered controls: Hypervisor Firewall; Anti-Malware Protection; OS File Integrity Monitoring; Log Management & SIEM; Vulnerability Scans; Hardened Operating System; Patch Management; IPRM; DDOS; WAF; NIDS.
Armor averages ~2 days of dwell time vs. an industry average of ~205 days.
Mission – Threat Intelligence: Reduce noise with Armor’s proprietary threat intelligence platform, talented team and layered edge defense.
Mission – Security Operations: Reduce dwell time utilizing secure architecture and forged-in-battle techniques managed by Armor’s proactive, relentless SOC.
What does the Future hold for Data Security and Privacy?
Monitor privacy regulations for risks and opportunities
– EU-US Data Privacy Shield
– State Data Breach and Privacy Laws
Security and privacy policies are created by cross-functional teams
– Higher Adoption Rates = Less Conflict
– Better Alignment to Business Requirements
Move your controls closer to the data itself
– Data Classification and Handling
– More Effective Line of Defense
What does the future hold…
Control your encryption keys
– Keep Encryption Methods and Keys Safeguarded
Clearly define your data retention and data disposal
– Identify the time frames for which you must keep the data
– Reduce your data volume (the less you have, the less you have to safeguard)
Conscientiously control access to data resources
– Implement least-privilege data access (no more unfettered access)
– Watch user behavior
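The last two bullets, least-privilege data access and watching user behavior, are easiest to see as a small audit over access logs. The following is an added example, not code from any of the panelists' organisations: it checks constructed data-access events against a role-to-dataset allowlist, flags reads far above a user's normal volume, and lists grants that were never exercised (candidates for revocation). The policy, role assignments, baselines and log lines are all constructed for the demonstration; the log format (`timestamp user dataset rows_returned`) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed policy: the datasets each role may read (the least-privilege allowlist).
POLICY: Dict[str, Set[str]] = {
    "billing": {"invoices", "card_tokens"},
    "support": {"tickets", "customer_contact"},
    "analyst": {"sales_summary"},
}

# Constructed role assignments and the grants each account actually holds today.
USER_ROLES = {"alice": "billing", "bob": "support", "carol": "analyst"}
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "alice": {"invoices", "tickets"},
    "bob": {"tickets", "customer_contact"},
    "carol": {"sales_summary"},
}

# Constructed per-user baseline of rows returned per query (e.g. last quarter's typical value).
BASELINE_ROWS = {"alice": 200, "bob": 50, "carol": 1000}

# Constructed access log: timestamp user dataset rows_returned
SAMPLE_LOG = """\
2016-05-12T09:01:00Z alice invoices 120
2016-05-12T09:05:00Z bob customer_contact 30
2016-05-12T09:10:00Z bob card_tokens 15
2016-05-12T09:20:00Z carol sales_summary 800
2016-05-12T23:40:00Z alice invoices 9000
2016-05-12T23:45:00Z dave invoices 5
"""


@dataclass
class Event:
    ts: str
    user: str
    dataset: str
    rows: int


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.strip().splitlines():
        ts, user, dataset, rows = line.split()
        events.append(Event(ts, user, dataset, int(rows)))
    return events


def audit(events: List[Event], policy=POLICY, roles=USER_ROLES,
          baselines=BASELINE_ROWS, factor: int = 5) -> List[dict]:
    """Flag accesses outside the user's role and reads far above the user's baseline."""
    findings = []
    for e in events:
        role = roles.get(e.user)
        if role is None:
            # An account with no role should have no access at all.
            findings.append({"kind": "unknown_user", "user": e.user, "dataset": e.dataset, "ts": e.ts})
            continue
        if e.dataset not in policy.get(role, set()):
            findings.append({"kind": "out_of_role", "user": e.user, "dataset": e.dataset, "ts": e.ts})
        base = baselines.get(e.user)
        if base is not None and e.rows > factor * base:
            findings.append({"kind": "volume_spike", "user": e.user, "dataset": e.dataset,
                             "ts": e.ts, "rows": e.rows})
    return findings


def unused_grants(events: List[Event], grants=CURRENT_GRANTS) -> Dict[str, Set[str]]:
    """Grants never exercised in the log window: candidates for revocation."""
    used: Dict[str, Set[str]] = {}
    for e in events:
        used.setdefault(e.user, set()).add(e.dataset)
    result = {}
    for user, granted in grants.items():
        idle = granted - used.get(user, set())
        if idle:
            result[user] = idle
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in audit(evs):
        print(f)
    print("unused grants:", unused_grants(evs))
```

Run over a real access log, the `audit` output is the detection feed (out-of-role reads, unknown accounts, unusual volumes) and `unused_grants` is the input to a periodic access review; together they turn "least privilege" from a policy statement into something that can be checked on a schedule.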
Did you know…?
Hacktivism accounts for half of the cyber attacks launched in the world. The term represents a subversive use of computers and computer networks to promote a political agenda. With roots in hacker culture and hacker ethics, its ends are often related to free speech, human rights, or freedom of information.
AmerisourceBergen - Common Issues
Need to be able to illustrate due care
Periodic control checks – Quarterly is best
Aligning security control as it relates to business risk
Communication of risk to business
SIPOCS with other teams such as HR, business, legal and development
Remediation and Prevention
Training is one of the best measures: the weakest link in security is people
Identification of risk via risk assessment and risk response
Risk response agreed upon by all parties (product owners, business, Info Security)
Cost as it relates to risk
Risk acceptance or policy exception tracking
What does the future hold…
Not all vulnerabilities are created equal
Understanding Threats more as it relates to overall risk (Cyber)
Realizing that traditional security perimeters are gone with mobility advancement
Shift in pendulum from server security to endpoint
Digitization of health records
Did you know…?
Research conducted by the Ponemon Institute found the average annualized cost of cyber crime incurred by a benchmark sample of U.S. organizations was $12.7 million, representing a 96% increase since the study was initiated 5 years ago.
As a result, organizations experienced a 176% increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.