Leading Practices in Information Security & Privacy

Many not-for-profits are operating in an environment in which a tremendous amount of electronic documents, communications, and confidential data sits on computers and networks that are connected to the Internet. Privacy and security threats are also increasing, putting Internet communications and computer data at risk at an alarming rate. At the same time, laws and regulations with significant penalties have been passed or are being passed by states, the Federal government, and industry groups (e.g. PCI DSS), increasing the consequences of data breaches and privacy violations.

Whether you’re an executive director, program manager, or IT manager, this non-technical presentation will help you learn about the threats, requirements, and leading practices related to information security you need to help protect your donors and constituents.

    Presentation Transcript

    • INTRAPRISETECHKNOWLOGIES LLC Leading Practices in Information Security & Privacy NTEN Nonprofit Technology Conference Atlanta, Georgia April 9, 2010 Presented by Donny C. Shimamoto, CPA.CITP
    • Today’s Agenda About the Presenter About the Audience Information Risks and Losses are Increasing Information Security Requirements – ID Theft & Privacy Laws – Payment Card Industry Data Security Standard Your Role in Protecting Information – A SAS 70 is not enough – Risk Assessment Methodology – Generally Accepted Privacy Principles (GAPP)
    • How Was this Session? Call In: Call 404.939.4909, Enter Code 165 – Text: Text 165 to 69866 – Online: Visit nten.org/ntc-eval, Enter Code 165 Session feedback powered by: Tell Us and You Could Win a Free 2011 NTC Registration!
    • Donny C. Shimamoto, CPA.CITP Background & Experience BBA from University of Hawaii at Manoa – Accounting – Management Information Systems Alumni of PricewaterhouseCoopers LLP – Strategic Technology Group – Financial Audit and IT Audit – Washington Consulting Practice Founder of IntrapriseTechKnowlogies LLC – Organizational Development advisor with a focus on Business Intelligence and Performance Management – Business Process Improvement with emphasis on internal controls and technology risk management – IT Outsourcing for small and middle market organizations
    • Donny C. Shimamoto, CPA.CITP Involvement, Awards, and Recognition American Institute of CPAs – Assurance Services Executive Committee (2009+) – Co-Chair, Business Intelligence Workgroup (2009+) – IT Executive Committee (2006-2009) Association of IT Professionals – Honolulu: Director (2008), Treasurer (2009), President (2010) – National: Chair, Governance Task Force (2009+), National Strategic Planning Committee (2009) Awards & Recognition – Top “40 Under 40” Accounting Professionals in the US 2007 & 2009, CPA Technology Advisor Magazine – Top High Tech Leaders in Hawaii 2004, Pacific Technology Foundation & Technology News Network
    • Audience Poll #1 What part of the organization are you from? – Executive Director – Finance – IT / IS – Programs / Other Management – Staff – Vendors / Consultants
    • Audience Poll #2 What size of organization are you from? – Very Large (multiple offices, geographically dispersed) – Large (multiple offices, 250+ staff) – Large (single office, 250+ staff) – Mid-sized (100 – 250 staff) – Small (<100 staff)
    • Information Risks and Losses are Increasing Banking laws leave business customers vulnerable to Internet fraud – March 21, 2010 – Los Angeles Times – 32% of 500 small business owners surveyed had been victimized; >50% more than once – Federal law doesn’t protect business customers Data Theft Creates Notification Nightmare for BlueCross – March 1, 2010 – CIO.com – 57 hard drives stolen, 1M customer support calls – Which of 3M customers to notify?
    • Information Risks and Losses are Increasing Wanted: Defense Against Online Bank Fraud – February 8, 2010 – Wall Street Journal – Smaller businesses rich target for hackers because the smaller banks they utilize aren’t as sophisticated in their protections Study: Hacking Passwords Easy As 123456 – January 21, 2010 – CIO.com – 2009 Data Breach Study: 30% had passwords <=6 characters 60% use limited set of alpha-numeric characters 50% use names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keys)
    • Information Risks and Losses are Increasing 2009 AICPA Top Technology Initiatives Survey (http://www.aicpa.org/toptech) 1. Information Security Management 2. Privacy Management 3. Secure Data File Storage, Transmission and Exchange 4. Business Process Improvement, Workflow, and Process Exception Alerts 5. Mobile and Remote Computing
    • Information Risks and Losses are Increasing 2008 CSI/FBI Computer Crime and Security Survey – Greatest source of financial loss Financial Fraud moved to the top in 2007 – Displaced Viruses, which had been top for the last 7 yrs Financial Fraud stayed at the top in 2008 – Average loss per respondent: $463,100 – Other high loss areas Bots within the Organization: $345,600 Loss of customer/employee data: $268,000 Loss of proprietary information: $241,000
    • Information Risks and Losses are Increasing Losses from Mobile Device risks: $8,429,150 Losses from Virus: $8,391,800 Source: 2007 CSI/FBI Computer Crime and Security Survey
    • Information Risks and Losses are Increasing Losses from outsider: $6,875,000 Losses from insider: $6,802,000 Source: 2007 CSI/FBI Computer Crime and Security Survey
    • Information Risks and Losses are Increasing Federal Trade Commission – ID Theft is the #1 concern of consumers contacting the FTC US Dept of Justice Statistics – ID Theft has overtaken drug trafficking 2006 Gartner Study – 28 ½ people become new victims every minute – new victim almost every 2 seconds Source: Identity Theft Resource Center
    • Information Risks and Losses are Increasing Common Sources of Data Leaks – 45% Lost or stolen laptop computers – 29% Records lost by 3rd party business partners or outsourcing companies – 26% Misplaced or stolen backup files – 10% Malware programs (e.g. viruses/spyware) Source: Identity Theft Resource Center
    • Information Risks and Losses are Increasing Hawaii was 25th in ID Theft instances per Capita in 2005
    • Massachusetts Data Privacy Law Requirements – Written Information Security Program (WISP) Must be appropriate for the size, scope, and type of business conducted by the entity Must address administrative, technical, and physical safeguards Applies to both consumer and employee information Applies to all forms of media (paper & electronic) and the devices that contain them (laptop/phone/ext-HD) – Designated employee must be assigned to Evaluate reasonably foreseeable internal and external risks to personal information being managed
    • Massachusetts Data Privacy Law Requirements – Employee training program – Monitoring of employee compliance To ensure that the WISP is operating in a manner that can be reasonably assumed to prevent unauthorized access to or use of personal information – Incident management Identification of potential incidents Assessment of breach and potential data loss Documentation of actions taken in response to breaches
    • Massachusetts Data Privacy Law Additional Technical Requirements for Electronically Stored Information (ESI) – Secure authentication protocols – Control of user IDs and other identifiers – Password security – Restriction of access to personal information to active users and active user accounts Limit access to a need-to-know basis – Must encrypt personal info transmitted over public networks – Must encrypt personal info at rest on portable devices
    • Massachusetts Data Privacy Law I’m not in Massachusetts, why should I care? State Privacy Laws protect the information of the residents of that state – If you have information about a state’s resident, you are often then subject to the state’s privacy law and compliance with the law The European Union and State of California also have very stringent privacy laws
    • Personal Information Protection Laws
    • Hawaii’s ID Theft Laws Internal costs – $197 per compromised record 2007 estimate by Ponemon Institute (per Journal of Accountancy, January 2009) State penalties – Up to $2,500 for EACH violation/record Additional costs – Liability to injured parties for actual damages sustained
    • Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI DSS) – Best practice security standards for protecting cardholder data – Compliance REQUIRED for “Merchants” = Companies who accept credit/debit card information (cardholder data) “Service providers” = Companies that provide services to merchants and have access to cardholder data http://www.PCISecurityStandards.org
    • Payment Card Industry Data Security Standard Penalties for Non-compliance – Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies). – All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward. – Cost of re-issuing cards associated with the compromise. – Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity). From: Wells Fargo Merchant Services https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25
    • Payment Card Industry Data Security Standard 6 Principles + 12 Requirements 1. Build and Maintain a Secure Network 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy http://www.PCISecurityStandards.org
    • Payment Card Industry Data Security Standard Common PCI Myth #3 From: Ten Common Myths of PCI DSS © 2008 PCI Security Standards Council https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
    • Payment Card Industry Data Security Standard Compliance Requirements – Level 1 = must have onsite audit performed by a QSA or internal auditor – Level 2-4 = must complete Self-Assessment Questionnaire (SAQ) SAQ Type 1 = card not present SAQ Type 2 = Imprint-only SAQ Type 3 = Stand-alone merchant terminals SAQ Type 4 = POS connected to Internet SAQ Type 5 = All others
    • Payment Card Industry Data Security Standard Sample SAQ Type 3 questions: (Req 9) – Are all paper and electronic media that contain cardholder data physically secure? – Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? Is the media identified so that it can be identified as confidential? Is the media sent by secured courier or other delivery method that can be accurately tracked? – Is strict control maintained over the storage and accessibility of media that contains cardholder data?
    • Payment Card Industry Data Security Standard Sample SAQ Type 3 questions: (Req 12) – Is a security policy established, published, maintained and disseminated? Is it reviewed at least once a year and updated when the environment changes? – Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security? These are all basically control points/objectives and should be “easy” for a CPA to answer.
    • Your Role in Protecting Information NPOs must protect personal information – Donors – Clients/customers – Employees NPOs must be sure that service providers are protecting personal information too – Capital campaigns / Fundraising – Donor management – Financial data processing A breach on the part of the service provider is a breach of the NPO
    • Your Role in Protecting Information A Common Myth: I use a SAS 70 certified vendor, I don’t need to worry. Wrong!! SAS 70 only covers the internal controls and operations of a service provider as they relate to accounting processes and financial reporting It does not cover operations related to non-accounting/non-financial statement data It does not include any coverage of confidentiality or privacy controls
    • Your Role in Protecting Information Instead of a SAS 70 you need to request a – Trust Services report that specifically covers a review of confidentiality and privacy This is available from CPA firms that have IT audit specialists – Previously this was a very specialized area – Education is being conducted to increase the number of CPAs trained to provide this service So what do I do until I can get this report?
    • Risk Assessment Methodology Inventory places in your organization with Personally Identifying Information (PII) – Electronic Files/Databases AND Physical Files Identify the safeguards in place Identify applicable security requirements Determine compliance gap Assess risk of non-compliance Develop risk remediation plan – Work with IT to identify and evaluate options
    • Generally Accepted Privacy Principles Provides criteria and related material for protecting the privacy of personal information Incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines Used to guide and assist organizations in implementing privacy programs http://www.aicpa.org/privacy
    • Generally Accepted Privacy Principles 1. Management 2. Notice 3. Choice & Consent 4. Collection 5. Use & Retention 6. Access 7. Disclosure to Third Parties 8. Security for Privacy 9. Quality 10. Monitoring and Enforcement http://www.aicpa.org/privacy
    • You Must Be Proactive for Privacy! Identify and understand the Privacy Requirements that you are subject to Conduct a Privacy Risk Assessment Determine the acceptable level of risk for your organization Develop an enterprise privacy policy Enact an enterprise privacy program Get your privacy program evaluated by a qualified CPA and get a Trust Services report – use this to your advantage!
    • INTRAPRISETECHKNOWLOGIES LLC Thank you for your attention and participation! Feedback and questions are welcome Donny C. Shimamoto, CPA.CITP donny@myitk.com (808) 735-8324 Any Questions or Comments?