Successfully reported this slideshow.
Your SlideShare is downloading. ×

How to Build and Implement Your Company's Information Security Program (Series: Cyber Security & Data Privacy 2020)

Ad

1

Ad

2
Practical and entertaining education for
attorneys, accountants, business owners and
executives, and investors.

Ad

3
Thank You To Our Sponsor

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Loading in …3
×

Check these out next

1 of 54 Ad
1 of 54 Ad

How to Build and Implement Your Company's Information Security Program (Series: Cyber Security & Data Privacy 2020)

Does your business need an established information security program? Probably. Does it have one? Probably not.

Information security programs are designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Depending on your industry and your clientele, you may also be required by federal, state, or international law to have an information security program.

This webinar will introduce you to the basics of how to put one in place, starting with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.

To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/how-to-build-and-implement-information-security-program-2020/

Does your business need an established information security program? Probably. Does it have one? Probably not.

Information security programs are designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Depending on your industry and your clientele, you may also be required by federal, state, or international law to have an information security program.

This webinar will introduce you to the basics of how to put one in place, starting with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.

To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/how-to-build-and-implement-information-security-program-2020/

Advertisement
Advertisement

More Related Content

Similar to How to Build and Implement Your Company's Information Security Program (Series: Cyber Security & Data Privacy 2020) (20)

Advertisement

How to Build and Implement Your Company's Information Security Program (Series: Cyber Security & Data Privacy 2020)

  1. 1. 1
  2. 2. 2 Practical and entertaining education for attorneys, accountants, business owners and executives, and investors.
  3. 3. 3 Thank You To Our Sponsor
  4. 4. "I am so in love with the awards. I only wish everyone could walk away with one. Amazing job! They are perfect." -Jessica C, European Wax Center Mention “Financial Poise” and get 10% OFF your entire order!
  5. 5. Disclaimer The material in this webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate, Financial Poise™ makes no guaranty in this regard. 5
  6. 6. Meet the Faculty MODERATOR: Kathryn Nadro - Sugar Felsenthal Grais & Helsinger LLP PANELISTS: Michael Riela - Tannenbaum Helpern Syracuse & Hirschtritt LLP Mark Trembacki - Risk Management Levers, Inc. J. Eduardo Campos - Embedded-Knowledge, Inc. 6
  7. 7. About This Webinar – How to Build and Implement your Company's Information Security Program Does your business need an established information security program? Probably. Does it have one? Probably not. Information security programs are designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Depending on your industry and your clientele, you may also be required by federal, state, or international law to have an information security program. This webinar will introduce you to the basics of how to put one in place, starting with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data. 7
  8. 8. About This Series – Cybersecurity and Data Privacy Data security, data privacy, and cybersecurity are critical issues for your company to consider in today’s business landscape. Data breaches from high profile companies, including law firms, generate worldwide headlines and can severely damage your business’s reputation. In certain industries, a patchwork of state and federal laws and regulations may cover your business, leading to compliance headaches. This series explores the various laws and regulations which govern businesses both in the US and abroad, as well as how to implement and enforce an information security policy to protect your company and limit any damage from a data breach. Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and executives without much background in these areas, yet is of primary value to attorneys, accountants, and other seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that participants will enhance their knowledge of this area whether they attend one, some, or all episodes. 8
  9. 9. Episodes in this Series #1: Introduction to US Privacy and Data Security: Regulations and Requirements Premiere date: 9/24/20 #2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance Premiere date: 10/22/20 #3: How to Build and Implement your Company's Information Security Program Premiere date: 11/19/20 #4: Data Breach Response: Before and After the Breach Premiere date: 12/17/20 9
  10. 10. Episode #3 How to Build and Implement your Company's Information Security Program 10
  11. 11. Introduction • Information security programs are a documented set of a company or agency’s information security policies, guidelines and procedures • Majority of security programs aim to assess risk, monitor threats, and mitigate cyber security attacks • Massachusetts and New York are the only states with strict information security requirements  Other states starting to implement similar laws • Implemented in any industry that deals with personally identifiable information 11
  12. 12. Information Security Programs – Then and Now • Early information security efforts identified confidentiality, integrity, and availability (“CIA Triad”) as primary security factors • The rise of information security programs -  1967 - military computers were hacked and CIA Triad found to be inadequate - not much was changed  1970s - “phreakers” exploit vulnerabilities in telephone network to make free long distance calls  1980s - First National Bank of Chicago hacked for $70 million  1990s & 2000s - computers become targets as more people provide personal information online 12
  13. 13. Information Security Programs – Then and Now • Today, the CIA Triad eventually evolved into “Parkerian Hexad”  Parkerian Hexad factors - o Confidentiality/control o Information integrity o Authenticity o Availability o Utility 13
  14. 14. What is Information Security? • Information security refers to processes and methodologies designed and implemented to protect print, electronic, or any other form of information or data, including -  Confidential, private, and sensitive information; or  Data derived from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption 14
  15. 15. Information Security vs. Computer Security vs. Information Assurance • Share the common goals of protecting confidentiality, integrity, and availability of information • Terms used interchangeably but do not have the exact same meaning  Differences lie in the approach to subject, methodologies used, and areas of concentration • Information security is concerned with the protection of the CIA Triad regardless of the form the data may take: print, electronic, or other 15
  16. 16. What Information is Protected? • Personally identifiable information (PII) or sensitive personal information (SPI)  Home address  Social security #  Credit card #  Date birth • Health information  Medical records • Other proprietary information  Financial data • Trade secrets 16
  17. 17. Key Elements of an Effective Information Systems Program (ISP) • Purpose • Scope • Information security objectives  CIA Triad • Authority and access control policy • Classification of data • Data support and operations • Security awareness sessions • Responsibilities and duties of personnel • Relevant laws 17
  18. 18. The Purpose • Different institutions may create ISPs for various reasons, but they generally share few similarities, including -  Establish a general approach to information security  Detect and forestall the compromise of information security o i.e. misuse of data, networks, computer systems and applications  Protect reputation of the company with respect to its ethical and legal obligations  Recognize the rights of customers o i.e. providing effective mechanism for responding to complaints 18
  19. 19. The Scope • Generally, ISPs address:  All data  Programs  Systems  Facilities, and  Other tech infrastructure 19
  20. 20. Information Security Objectives • An organization looking to implement ISP needs to have well-defined objectives • Information security systems are deemed to safeguard 3 main objectives -  Confidentiality  Integrity  Availability 20
  21. 21. Confidentiality, Integrity, and Availability: The CIA Triad Link: https://www.edureka.co/blog/what-is-cybersecurity/ 21
  22. 22. The CIA Triad • Confidentiality  Controlling who gets to read information  Ensuring only individuals who need access to this information to do their jobs get to see it  Access restricted to only authorized individuals • Integrity  Ensuring information and programs are changed only in a specified and authorized manner o E.g. information has not been tampered with or deleted by those with unauthorized access 22
  23. 23. The CIA Triad • Availability  Ensuring authorized users have continued access to information and resources o Information is readily available to those who need it to successfully conduct an organization’s business 23
  24. 24. The CIA Triad • Donn Parker, one of the pioneers in the field of IT security, expanded the threefold paradigm by suggesting also “authenticity” and “utility” Link: https://resources.infosecinstitute.com/key-elements-information-security-policy/#gref 24
  25. 25. Authority Access & Control Policy • Typically, a security policy has a hierarchical pattern  Junior staff usually bound not to share the little amount of information they have unless explicitly authorized  Senior manager may have enough authority to make a decision on what data can be shared and with whom  Policies governing senior employees may not be the same policy governing junior employees  ISP should address every basic position in the organization with specifications that will clarify their authoritative status 25
  26. 26. Classification of Data • Data can have different value and thus may impose separation and specific handling regimes/procedures for each kind of data • Information classification system is commonly sorted as:  High right class  Confidential class  Class public 26
  27. 27. Classification of Data • High risk class - generally data protected by state and federal legislation  Information covered under The Data Protection Act, HIPAA, FERPA  Financial,  Payroll, and  Personnel (privacy requirements) 27
  28. 28. Classification of Data • Confidential class  Data in this class may not enjoy the privilege of being under the wing of law, but the data owner judges that it should be protected against unauthorized disclosure • Class public  Information freely distributed • Data owners should determine both the data classification and the exact measures a data custodian needs to take to preserve integrity in accordance to that level 28
  29. 29. Data Support and Operations • The regulation of general system mechanisms responsible for data protection  Data backup  Movement of data 29
  30. 30. Security Awareness Employee Meetings • Security awareness training could help provide employees with information regarding how to collect/use/delete data, maintain data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage social networking, etc. 30
  31. 31. Responsibilities and Duties of Personnel • Not unusual for institutions to hire an ISP person with the sole responsibility of…  implementation,  education,  incident response,  user access reviews, and  periodic updates of an ISP 31
  32. 32. Relevant Laws and Other ISP Items • An ISP is likely to include reference to relevant laws  i.e. The Data Protection Act (1998) • ISP may also include -  Virus Protection Procedure,  Intrusion Detection Procedure,  Remote Work Procedure,  Technical Guidelines,  Consequences for Non-compliance,  Disciplinary Actions,  Terminated Employees 32
  33. 33. Massachusetts Information System Law • 201 C.M.R. 17: Standards for the Protection of Personal Information of Residents of the Commonwealth • Implemented in 2010 - considered the top personal information protection law in the US • Makes every person or entity that owns personal information of a Massachusetts resident to adopt a written information security program (WISP) designed with appropriate safeguards 33
  34. 34. Massachusetts Information System Law • In Massachusetts, every information security program must include:  At least one employee maintaining the information security program;  Identify foreseeable security risks, both internal and external;  Employee security policies dealing with access and transportation of personal information outside of the business;  Disciplinary measures for violations;  Methods of how to prevent terminated employees from reaching personal information; 34
  35. 35. Massachusetts Information System Law  Oversee third-party service providers by taking reasonably steps to adopt and maintain security measures consistent with the entity;  Restrictions on stored personal information access;  Regular monitoring to ensure compliance with the implemented information security program and stop unauthorized access;  Annual review of the security program, or whenever there is a material change in the business practices; and  Document any incident involving a security breach and actions taken in response to breaches, and any review of business practices to protect personal information, if necessary. 35
  36. 36. California Consumer Privacy Act • Effective January 1, 2020 • Mandates companies do the following:  Inform consumers about the categories of personal information collected and the purposes for which the information is being used;  Respond to verifiable consumer requests to access certain information;  Allow customers to opt-out of the sale of their personal information; and  Enable consumers (subject to carve outs) to request that businesses delete their personal information 36
  37. 37. California Consumer Privacy Act • Applies to business if they are for-profit businesses that collect and control California residents’ personal information, do business in California, and satisfy one of the following:  Have annual gross revenues in excess of $25 million, or  Receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis, or  Derive 50 percent or more of their annual revenues from selling California residents’ personal information. 37
  38. 38. CCPA Private Right of Action • Limited private right of action for consumers when there is an “unauthorized access and exfiltration, theft, disclosure of a consumer’s nonencrypted or nonredacted personal information” for a business’s violation of “the duty to implement and maintain reasonable security procedures and practices” • Consumer has to give the business 30 days to cure the alleged violation and to respond with a written statement that the violation has been cured  Consumers can then bring a civil suit for statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” o Cal. Civ. Code § 1798.150(a)(1)(A) • Attorney General may also issue fines of up to $7,500 per violation, with maximum penalties reserved for intentional noncompliance 38
  39. 39. What Businesses Subject to CCPA Should Do • While there is no explicit requirement for an information security program in the CCPA, having one in place will help defend a business from an accusation that it didn’t “maintain reasonable security procedures and practices” prior to any data breach  In 2016, the California Attorney General issued a “Data Breach Report” which identified safeguards the then-Attorney General viewed as constituting reasonable security practices, including data security controls published by the Center for Internet Security  Those controls include a written information security program, oversight by a dedicated security officer or supervisor, employee training, vendor management, an incident response plan, and ongoing risk assessment and management 39
  40. 40. Employee Maintaining the Information Security Program • Employee is the designated officer for handling every aspect of the program.  A designated security officer is responsible for coordinating and maintaining the security program. • This person should maintain independence by reporting to someone outside of the IT department. 40
  41. 41. Assessing Risk • What risks could your organization face?  Examples: loss of data, unauthorized access, data corruption, hack, third-party data sharing, etc. • What would be appropriate, cost-effective management techniques for these risks? 41
  42. 42. NY Information Systems Law for Financial Service Companies • Requires that all financial service companies maintain an ISP  Any company regulated by the Department of Financial Services  Exceptions - o Organization with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets 42
  43. 43. NY Information Systems Law for Financial Service Companies • The ISP must address:  information security;  data governance and classification;  asset inventory and device management;  access controls and identity management;  business continuity and disaster recovery planning and resources;  systems operations and availability concerns;  systems and network security;  systems and network monitoring; 43
  44. 44. NY Information Systems Law for Financial Service Companies • The ISP must address:  systems and application development and quality assurance;  physical security and environmental controls;  customer data privacy;  vendor and Third Party Service Provider management;  risk assessment; and  incident response. 44
  45. 45. Additional Elements of a Good Information Security Program • Designated security officer (DSO) • Risk Assessment • Policies and Procedures • Organizational security awareness • Regulatory standards compliance • Audit compliance plan 45
  46. 46. Sources https://kirkpatrickprice.com/blog/why-every-company-needs-an-information- security-program/ https://www.villanovau.com/resources/iss/history-of-information- security/#.W-jc8VMvzEY https://www.sans.org/information-security/ http://www.mada.org/userfiles/fck/file/SimplifiedSafeguardsPolicy.pdf http://examples.complianceforge.com/example-nist-800-53-written- information-security-program-it-security-policy-example.pdf https://www.ncua.gov/Resources/DocumentsGrants/Information%20Security %20Policy.pdf 46
  47. 47. Sources University of Iowa’s Information Security Program: https://itsecurity.uiowa.edu/resources/faculty-staff/enterprise-information- security-program https://resources.infosecinstitute.com/key-elements-information-security- policy/#gref 47
  48. 48. About the Faculty 48
  49. 49. About The Faculty Kathryn Nadro - knadro@sfgh.com Kathryn (“Katie”) Nadro advises clients on a diverse array of business matters, including commercial and business disputes, employment issues, and data security and privacy compliance. Katie works with individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter. Katie has broad experience representing companies and individuals in contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a background as both in-house and outside counsel, Katie understands that business objectives, time, and resources play an important role in reaching a favorable outcome for each client. Katie assists clients in navigating employment issues ranging from employee handbooks and FMLA policies to litigating discrimination and harassment claims, all while ensuring business needs and objectives are met. She also counsels clients on data security and privacy issues, including policy drafting and compliance with state, federal, and international law. 49
  50. 50. About The Faculty Michael Riela - Riela@thsh.com Mike Riela is a partner in Tannenbaum Helpern’s Creditors’ Rights and Business Reorganization practice. With more than 15 years of experience, Mike advises companies on complex restructuring, distressed M&A, loan transactions and bankruptcy related litigation matters. Mike has in-depth experience in advising clients on corporate and real estate bankruptcies, workouts, Chapter 11 and Chapter 7 bankruptcy cases, debtor-in-possession (DIP) and bankruptcy exit loan facilities, secondary market trading of distressed debt and trade claims, Section 363 sales and bankruptcy retention and fee agreements and disputes. His clients include banks, administrative agents, indenture trustees, hedge funds, private equity firms, professional services firms, trade creditors, contract counterparties, shareholders, debtors and investors. Mike has represented buyers of assets in Section 363 and out-of- court sales from sellers such as Evergreen Solar, Inc., Sonic Telecommunications International, Ltd, Urban Communicators PCS Limited Partnership, US Aggregate, Inc., and Vectrix Corporation, as well as representing lenders, trustees and administrative agents in major Chapter 11 cases and workouts such as Delta Air Lines, Inc., Extended Stay Inc., Buffets Inc., Legends Gaming LLC, Nortel Networks, Premier International Holdings Inc., and many others. 50
  51. 51. About The Faculty Mark Trembacki – marktrembacki@gmail.com As Managing Principal of Risk Management Levers, Mark Trembacki provides organizations with practical value-added solutions in strategy development and execution, enterprise risk management, acquisition integration and governance. Mark enjoyed a diverse career at BMO Financial Group, holding a variety of executive risk management and business leadership roles. He has also served as an instructor teaching Enterprise Risk Management in the Masters of Finance program at the University of Illinois, Urbana-Champaign. Mark graduated from the University of Illinois, earned an MBA in Finance from The University of Chicago Booth School of Business, and is a CPA. He earned a Cyber Security Management Graduate Certificate from the University of Virginia and is recognized as a National Association of Corporate Directors (NACD) Governance Fellow. Mark serves as Board Chair of the DuPage Children’s Museum and Treasurer of the Chicago History Museum. 51
  52. 52. About The Faculty J. Eduardo Campos – jeduardo.campos@embedded-knowledge.com After creating business growth opportunities on four continents, J. Eduardo Campos spent thirteen years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad. Today, Eduardo is living his dream of building a better tomorrow through his consulting firm, Embedded-Knowledge, Inc. Working with organizations and entrepreneurs, he develops customized business strategies and forms partnerships focused on designing creative solutions to complex problems. 52
  53. 53. Questions or Comments? If you have any questions about this webinar that you did not get to ask during the live premiere, or if you are watching this webinar On Demand, please do not hesitate to email us at info@financialpoise.com with any questions or comments you may have. Please include the name of the webinar in your email and we will do our best to provide a timely response. IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education. 53
  54. 54. About Financial Poise 54 Financial Poise™ has one mission: to provide reliable plain English business, financial, and legal education to individual investors, entrepreneurs, business owners and executives. Visit us at www.financialpoise.com Our free weekly newsletter, Financial Poise Weekly, updates you on new articles published on our website and Upcoming Webinars you may be interested in. To join our email list, please visit: https://www.financialpoise.com/subscribe/

×