WHO HAS YOUR DATA?

DATA SECURITY AND PRIVACY IN THE REAL WORLD

JUNE 16, 2016

Presentation / Panel Overview

Introduction (Moderator)

Part I (Panelist)
• Data Security and Privacy Defined
• Current Market Outlook
• Data Security and Privacy Requirements

Part II (Panelist)
• Addressing Data Security and Privacy
• Most Common Findings/Issues
• Best Practices for Remediation
• Future Expectations for Data Security and Privacy

Proprietary & Confidential – Accretive Solutions, Inc.

Did you know…?

On FBI’s Most Wanted List for cyber criminals you will currently find 19 individuals, each being responsible for consumer losses ranging from $350,000 to more than $100 million. They are from all over the world and huge rewards are offered for their capture.


May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Biography – Sajeev Prelis

Over 20 years of IT Risk, Compliance, and Data Security experience

MBA, MS, QSA, PCIP, CCSFP, CISA, CGEIT, CRISC

Director of Risk Management and Security

Ten and a half years with Accretive Solutions

Industries: banking, healthcare, retail, manufacturing, marketing, education/school district, entertainment, oil & gas, telecom, and service providers.


Company Overview – Accretive Solutions

Accounting & Finance
– Program, Project & Organizational Change Management
– Technical Accounting Advisory / SEC Reporting
– IPO Readiness / Audit Support
– Pre- and Post-Acquisition Integration
– General Accounting / Finance Leadership
– Startup Services

Risk Management & Compliance
– Compliance (SOX, PCI, SSAE 16, HIPAA)
– Risk and Vulnerability Assessments
– IT Security Strategy
– Internal Audit
– Vendor Audits

Information Technology & Business Transformation
– CIO / IT Strategy & Roadmap
– Operational Assessments & Process Improvement
– ERP, Supply Chain and HRIS
– Systems Selection & Implementation
– Business Intelligence Strategy
– Program, Project & Organizational Change Management

Current Data Security Outlook

5 Cybersecurity Trends in 2016

– Cloud Services

– Ransomware

– Spear Phishing

– Known Vulnerabilities

– Internet of Things (IoT)

Data Security is being discussed in every board room

Companies cannot pass on the responsibility for protecting their data – do your due diligence

Current Data Privacy Outlook


Security & Privacy Compliance Defined

SSAE16 (SOC 1) – The Statement on Standards for Attestation Engagements No. 16

SOC 2 & 3 – Service Organization Control 2 & 3

PCI DSS – Payment Card Industry Data Security Standard

SOX – Sarbanes-Oxley 404

HIPAA – Health Insurance Portability and Accountability Act

HITRUST - Common Security Framework (CSF) for Healthcare

ISO – International Organization for Standardization

FCPA – Foreign Corrupt Practices Act

FISMA – Federal Information Security Management Act

FFIEC - The Federal Financial Institutions Examination Council

EU Data Shield – Replacement to Safe Harbor

State Privacy Laws – Varies by state


Did you know…?

MyDoom is considered to be the most expensive virus in the world and in cyber security history, having caused an estimated financial damage of $38.5 billion!

May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Panelist 1 – Dave Johnson

Chief Security Officer for WorldVentures LLC
– 34 Yrs. in Technology
– Started working in IT Security in the 1980s for Northrup on the MX missile system

Prior Experience
– General Electric Nuclear (GE) IT Security
– CGI – Federal: GSA, US Courts, DOD Dept. of the Army, Dept. of Agriculture…
– CGI – Director Information Security, US Enterprise Markets
  • Fannie Mae Corporation
  • Obama Care “State Health Index”
  • All of United States – State and Local Government
  • All Private Sector Contracts

Company Overview – WorldVentures (WV)

WorldVentures “Dream Trips”

– MLM Business Model

– Travel

– Globe Company

– Very Fast Growth

E - Commerce

– PCI Payment Card Data

– PII Personal Identifiable Information / Protected Identifiable Information


Data Security and Privacy Requirements

Pacific Rim
– Taiwan Personal Information Protection Act (PDPA)
– Hong Kong Privacy Commissioner for Personal Data (PCPD)
  • Personal Data (Privacy) Ordinance (Cap. 486)

Canada
– Personal Information Protection and Electronic Documents Act ('PIPEDA')
– Personal Information Protection Act ('PIPA Alberta')
– Personal Information Protection Act ('PIPA BC')
– Personal Information Protection and Identity Theft Prevention Act ('PIPITPA') (not yet in force), and
– An Act Respecting the Protection of Personal Information in the Private Sector ('Quebec Privacy Act') (collectively, 'Canadian Privacy Statutes')

Data Security and Privacy Requirements

EU Data Shield

Australia
– Information Privacy Act 2014 (Australian Capital Territory)
– Information Act 2002 (Northern Territory)
– Privacy and Personal Information Protection Act 1998 (New South Wales)
– Information Privacy Act 2009 (Queensland)
– Personal Information Protection Act 2004 (Tasmania), and
– Privacy and Data Protection Act 2014 (Victoria)

Data Security and Privacy Requirements

Reasons
– It’s the right thing to do
– It’s the Law in many jurisdictions

Other areas of Compliance – Cookie Laws
– You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.

Did you know…?

Currently, according to in-depth statistics, there are more than 1.6 billion social network users worldwide, with more than 64% of internet users accessing social media services online. Because social media users usually trust their circles of online friends, the result is that more than 600,000 Facebook accounts are compromised every single day!

May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Panelist 2 – Chuck Springer

~20 years of experience in information security, security consulting, auditing, and GRC

CISSP, CISA, CISM, C|CISO, QSA (former)

Sample Projects:
– Computer Emergency Response / Forensics Team
– Policy Development
– Risk Assessment
– Framework Review, Implementation and/or Audit:
  • COBIT
  • FISMA
  • HIPAA/HITRUST
  • ISO 27001/2
  • NIST 800-53r4 (FedRAMP)
  • PCI DSS
  • SSAE Type2

Company Overview – Armor

Armor keeps companies with sensitive, regulated data safe and compliant in the cloud.

• 100x shorter dwell times
• Blocks over 250,000,000 attacks per month
• Protected by world-class SOC
• Guarded by elite cybersecurity pros
• Choose security solutions hosted in our cloud or yours
• Real-time threat intelligence & mitigation

Data Security and Privacy Requirements

EU-US Data Shield

PCI DSS v3.1

HIPAA HITRUST

ISO 27001:2013

SOC Type2


Founded on Trust. Fueled by Passion.

Trusted by:
• Customers in 45 countries
• 4 of the top 10 healthcare IT companies
• Over $200 billion in secure payment transactions

Did you know…?

Cyber security fact: Oracle Java, Adobe Reader or Adobe Flash is present on 99% of computers. That means that 99% of computer users are vulnerable to exploit kits (software vulnerabilities).

May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Panelist 3 – John Wilson

AmerisourceBergen Corporation

Director of Information Security, Data Governance

AmerisourceBergen BISO

Certifications: CISSP, CISM, CRISC, CCSK, CHSP

20 years overall IT experience

14 years specific experience in IT Security and Information Security


Company Overview - AmerisourceBergen

– Leading global healthcare solutions company

– Shaping healthcare delivery with solutions that improve product access, increase supply chain efficiency and enhance patient care

– 135B in annual revenue with 18,000 associates

– Daily delivery to 50,000 healthcare facilities with 140+ ABC offices

– 1.5M product lines delivered from 30+ distribution centers in 50+ countries

Types of Data in our environments:

Riches, Ruins and Regulations


Data Security and Privacy Requirements

Data and Security compliance requirements for ABC come from many sources

– SOX, SOC, URAC, PCI, HIPAA/HITECH, FDA, Internal Audit, client contractual, PII and IP

Requirements are very well documented and audited frequently by external and internal teams

Many requirements overlap and are duplicated

Objective – “Audit Once and Report Many”

Did you know…?

Maybe you’ll be surprised to find out that a shocking 59% of employees steal proprietary corporate data when they quit or are fired. But there are more types of insider threats to get protection against:

– Malicious Insiders
– Exploited Insiders
– Careless Insiders

May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Addressing Data Security and Privacy


Where to start – Data Security Risk Assessment

Common Findings

Lack of trained resources / adequate staffing levels

Not consistently practicing basic controls – patching; change management; testing; segregation of duties

Lack of budget

Implementing minimum controls to pass an audit versus secure the data

Outdated policy / procedure / standards documentation

Old habits die hard


Best Practices

Strengthening the weakest link: Security awareness – educating the entire work force

Dedicated Roles: CISO, Risk Officer, Data Protection Officers

Patching: Keep up with patching systems and applications

Be proactive: Plan for when not if (incident responses, DR/BCP, media messaging)

Data Inventory: storage locations / who has access / how is it transmitted / how long is it kept

Know your limits: In-house or outsource


Did you know…?

People are the weakest link when it comes to cyber security, which is why psychological manipulation of cyber attack victims is so common.

For example, in a recent attack, an international cyber crime ring based out of Eastern Europe managed to steal $1 billion in 2 years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees.

May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

WorldVentures - Common Issues

Changes to the individual Privacy Laws around the world and compliance with those Laws.

– Complexity of Implementation of Controls

– Cost of Compliance

Mobile Devices and Applications

BYOD

Advanced Attack Vectors


Remediation and Prevention

WorldVentures is moving to a vaultless format preserving tokenization solution.

– Allows us to move and process Tokens not Data around the world.

– Solution is in Amazon AWS, Global foot print.

– Solution uses APIs; no changes to the application or database.
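To make the “tokens, not data” idea on this slide concrete, here is an added illustration of vaultless, format-preserving tokenization of a card number. It is not WorldVentures' or any vendor's code: it assumes a digits-only PAN of at least 12 digits, keeps the first six and last four digits in the clear, and replaces the middle digits with a keyed, invertible permutation built from an alternating Feistel network over HMAC-SHA256. Because the mapping is a keyed function rather than a lookup, no token-to-PAN table (the “vault”) has to be replicated to every region; whoever holds the key can detokenize, nobody else can. The Feistel construction, the key, and the test PAN are all constructed for this example; a production system would use a standardised mode such as NIST FF1 and keep the key in an HSM or cloud KMS.

```python
"""Toy vaultless, format-preserving tokenization (added example, not vendor code)."""
import hmac
import hashlib

ROUNDS = 10        # Feistel rounds; even count so both halves are mixed equally
KEEP_PREFIX = 6    # issuer identification number stays visible (assumption)
KEEP_SUFFIX = 4    # last four digits stay visible for customer service (assumption)


def _round_value(key: bytes, round_no: int, other_half: str, width: int) -> int:
    """Keyed pseudo-random value in [0, 10**width) derived from the other half."""
    mac = hmac.new(key, f"{round_no}:{other_half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _feistel(key: bytes, digits: str, forward: bool) -> str:
    """Alternating Feistel network over a decimal string of length >= 2.

    Even rounds add a keyed value to the left half derived from the right half,
    odd rounds do the reverse. Running the rounds backwards with subtraction
    inverts the permutation, which is what makes detokenization vaultless.
    """
    n = len(digits)
    lw = n // 2                  # width of the left half
    rw = n - lw                  # width of the right half (may be one digit wider)
    left, right = int(digits[:lw]), int(digits[lw:])
    order = range(ROUNDS) if forward else range(ROUNDS - 1, -1, -1)
    sign = 1 if forward else -1
    for r in order:
        if r % 2 == 0:
            f = _round_value(key, r, f"{right:0{rw}d}", lw)
            left = (left + sign * f) % 10 ** lw
        else:
            f = _round_value(key, r, f"{left:0{lw}d}", rw)
            right = (right + sign * f) % 10 ** rw
    return f"{left:0{lw}d}{right:0{rw}d}"


def _check_format(value: str) -> None:
    """Reject anything that is not an ASCII digit string long enough to tokenize."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError("expected ASCII digits only")
    if len(value) < KEEP_PREFIX + KEEP_SUFFIX + 2:
        raise ValueError("value too short to tokenize")


def tokenize(key: bytes, pan: str) -> str:
    """Return a token with the same length and digit-only format as the PAN."""
    _check_format(pan)
    middle = pan[KEEP_PREFIX:-KEEP_SUFFIX]
    return pan[:KEEP_PREFIX] + _feistel(key, middle, forward=True) + pan[-KEEP_SUFFIX:]


def detokenize(key: bytes, token: str) -> str:
    """Recover the PAN from a token; needs only the key, no stored mapping."""
    _check_format(token)
    middle = token[KEEP_PREFIX:-KEEP_SUFFIX]
    return token[:KEEP_PREFIX] + _feistel(key, middle, forward=False) + token[-KEEP_SUFFIX:]


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; real PANs pass it, tokens generally do not."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
    PAN = "4111111111111111"                          # well-known test card number
    token = tokenize(KEY, PAN)
    print("PAN   :", PAN, "luhn:", luhn_valid(PAN))
    print("token :", token, "luhn:", luhn_valid(token))
    print("round trip ok:", detokenize(KEY, token) == PAN)
```

Two properties matter for the slide's claim. The token has the same shape as a PAN, so applications and databases that validate length and digit format keep working without schema changes, which is the “no changes to the application or database” point. And because the same PAN always yields the same token under a given key, tokens can be matched and joined across regions while the key, and therefore the ability to detokenize, stays with the tokenization service; protecting that key and restricting who may call detokenize is where the security of the whole scheme rests.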

What does the future hold…

Roadmap for the future related to your business

Vision for Data Security and Privacy over the next five years and beyond:
– Flexible controls hierarchy
– Support for multiple compliance frameworks
– Comprehensive controls testing capabilities such as inspections, audits, manual and automated assessments
– Flexible scheduling of testing of controls

Did you know…?

Ever wondered how cyber attacks look at a global scale? Now you have the chance to do it with this real-time map put together by Norse.


May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Common Issues – Chuck Springer

New European Union Privacy Directive
– One proposed law is to boost the protection of individuals' personal data and to increase their level of trust in the digital environment.
– Another proposal is to step up the level of protection of individuals' personal data when it is being used to tackle crime. The law also aims to boost trust among law enforcement authorities so that they can exchange personal data in order to tackle crime.

“War” on Encryption
– Zero-knowledge services allow users to encrypt data and communications with their own generated keys that service providers can't unlock. (UK looking to ban)
– Renewed efforts to require that Internet companies and service providers make it possible to break encryption if served with a court order. (FBI vs Apple)

Defending the Landscape

Challenges
• Don’t Understand My Data Landscape
• Poor Authentication
• Weak Role-Based Controls
• Stubborn End-User Adoption
• Compliance Isn’t Prescriptive

Objectives
• Protect ePHI, PCI, Privacy Data
• Build Secure Infrastructure
• Secure End Points
• Enable Seamless Processes
• Make Security Easy for End-Users (e.g., doctors, nurses, administrators, customers)

Armor Prevention Strategy

For every 35,000,000 attacks blocked (over 250,000,000 attacks per month), just 1 attack gets through.

• Hypervisor Firewall
• Anti-Malware Protection
• OS File Integrity Monitoring
• Log Management & SIEM
• Vulnerability Scans
• Hardened Operating System
• Patch Management
• IPRM
• DDOS
• WAF
• NIDS

Armor averages ~2 days of dwell time vs. industry averages of ~205 days of dwell time.

Mission – Threat Intelligence: Reduce noise with Armor’s proprietary threat intelligence platform, talented team and layered edge defense.

Mission – Security Operations: Reduce dwell time utilizing secure architecture and forged-in-battle techniques managed by Armor’s proactive, relentless SOC.

What does the Future hold for Data Security and Privacy?

Monitor privacy regulations for risks and opportunities
– EU-US Data Privacy Shield
– State Data Breach and Privacy Laws

Security and privacy policy are created by cross-functional teams
– Higher Adoption Rates = Less Conflict
– Better Alignment to Business Requirements

Move your controls closer to the data itself.
– Data Classification and Handling
– More Effective Line of Defense

What does the future hold…

Control your encryption keys
– Keep Encryption Methods and Keys Safeguarded

Clearly define your data retention and data disposal
– Identify The Time Frames Which You Must Keep The Data
– Reduce your Data Volume (the less you have, the less you have to safeguard/worry about)

Conscientiously control access to data resources
– Implement Least Privilege data access (no more unfettered access)
– Watch User Behavior

Did you know…?

Hacktivism accounts for half of the cyber attacks launched in the world. The term represents a subversive use of computers and computer networks to promote a political agenda. With roots in hacker culture and hacker ethics, its ends are often related to free speech, human rights, or freedom of information.

May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

AmerisourceBergen - Common Issues

Need to be able to illustrate due care

Periodic control checks – Quarterly is best

Aligning security control as it relates to business risk

Communication of risk to business

SIPOCS with other teams such as HR, business, legal and development


Remediation and Prevention

Training is one of the best remediations: the weakest link in security is people

Identification of risk via risk assessment and risk response

Risk response agreed upon by all parties (product owners, business, Info Security)

Cost as it relates to risk

Risk acceptance or policy exception tracking

What does the future hold…

Not all vulnerabilities are created equal

Understanding Threats more as it relates to overall risk (Cyber)

Realizing that traditional security perimeters are gone with mobility advancement

Shift in pendulum from server security to endpoint

Digitization of health records

Did you know…?

Research conducted by the Ponemon Institute found the average annualized cost of cyber crime incurred by a benchmark sample of U.S. organizations was $12.7 million, representing a 96% increase since the study was initiated 5 years ago.

As a result, organizations experienced a 176% increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.


May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Conclusion and Questions


Thank You