
Creating a Security Plan for Your Agency - Laird Rixford

From ITC Agent Conference 2016...
You need to take the security of your data seriously. You hold critical personally identifiable information about your clients that hackers want. Learn how to create a security plan to keep your agency and client information safe.


  1. Creating a Security Plan • Agent Conference, Advanced Track • Laird Rixford, @lrixford / President
  2. Data • What is it worth?
  3. Security Plan • Why do you need one?
  4. Creating a Security Plan • Inventory Assessment • Risk Assessment • Checklist • Evaluation and Audit • Certification
  5. Inventory Assessment • What do you need to protect?
  6. Inventory Assessment • Hardware (name the equipment) • Software (name the applications and provide quantities; make sure they are licensed) • System interfaces (e.g. internal and external connectivity; who do you connect to?) • Type of information (what type of information do your systems hold?) • Critical and confidential information (is the department in receipt of confidential, private, or identity-bearing data?) • "Owner" (who uses or manages the system) • Processes (the processes performed by the IT system)
  7. Risk Assessment • What is the impact of a breach?
  8. Risk Assessment • Probability & Impact: High +2, Medium +1, Low +0 • Security Level: High +3, Medium +1, Low +0 • Categories: confidentiality of information; data (or information) integrity (corruption of data); availability
  9. Confidential Information • Low: general workstation security, passwords, antivirus protection, encrypted devices • Medium: firewall • High: one-time passwords (Duo or similar), intrusion detection system
  10. Data Integrity • Low: antivirus protection • Medium: firewall • High: one-time passwords (Duo or similar), intrusion detection system, file integrity & versioning
  11. Availability • Low: alternate power source, UPS • Medium: disaster recovery and business continuity, secondary connectivity • High: backup and recovery, antivirus protection, replication
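Slides 8 to 11 give the scoring weights and the controls that go with each tier, but not how the two slide-8 scores combine into a tier. The script below is an added worked example, not code from the presentation: it takes a small constructed inventory (two assets an agency might list on slide 6), scores each asset per category, and prints the controls the deck calls for at that tier. Two things are assumptions made here, not the deck's rule: the probability-and-impact score and the security-level score are simply added (0 to 5), and the total is cut into tiers at 2 and 4. The control lists are taken from slides 9 to 11, and a tier is assumed to include the controls of the tiers below it.

```python
"""Worked risk assessment in the style of slides 8-11 (added example).

Weights come from slide 8 and control lists from slides 9-11.  Two points the
slides leave open are filled in as assumptions: the two slide-8 scores are
added together, and the 0..5 total is cut into tiers at 2 and 4.
"""
from dataclasses import dataclass

# Slide 8 weights (the only numbers the deck gives).
PROB_IMPACT = {"high": 2, "medium": 1, "low": 0}
SECURITY_LEVEL = {"high": 3, "medium": 1, "low": 0}
CATEGORIES = ("confidentiality", "integrity", "availability")
TIERS = ("low", "medium", "high")  # ascending order

# Slides 9-11.  Assumption: a tier also requires the controls of the tiers below it.
CONTROLS = {
    "confidentiality": {
        "low": ["general workstation security", "passwords",
                "antivirus protection", "encrypted devices"],
        "medium": ["firewall"],
        "high": ["one-time passwords (Duo or similar)", "intrusion detection system"],
    },
    "integrity": {
        "low": ["antivirus protection"],
        "medium": ["firewall"],
        "high": ["one-time passwords (Duo or similar)", "intrusion detection system",
                 "file integrity & versioning"],
    },
    "availability": {
        "low": ["alternate power source", "UPS"],
        "medium": ["disaster recovery and business continuity", "secondary connectivity"],
        "high": ["backup and recovery", "antivirus protection", "replication"],
    },
}


@dataclass
class Asset:
    name: str
    owner: str      # slide 6: who uses or manages it
    ratings: dict   # category -> (probability & impact, security level), each low/medium/high


def score(prob_impact: str, security_level: str) -> int:
    """Assumed combination of the two slide-8 scores: a plain sum, range 0..5."""
    try:
        return PROB_IMPACT[prob_impact.lower()] + SECURITY_LEVEL[security_level.lower()]
    except KeyError as exc:
        raise ValueError(f"rating must be low/medium/high, got {exc.args[0]!r}") from None


def tier(points: int) -> str:
    """Assumed cut-offs on the 0..5 total: 0-1 low, 2-3 medium, 4-5 high."""
    if points >= 4:
        return "high"
    if points >= 2:
        return "medium"
    return "low"


def required_controls(category: str, required_tier: str) -> list:
    """Controls for a category up to and including the given tier (cumulative)."""
    out = []
    for t in TIERS:
        out.extend(CONTROLS[category][t])
        if t == required_tier:
            break
    return out


def assess(asset: Asset) -> dict:
    """Score every category of one asset and attach the control list it implies."""
    result = {}
    for cat in CATEGORIES:
        prob_impact, sec_level = asset.ratings[cat]
        points = score(prob_impact, sec_level)
        t = tier(points)
        result[cat] = {"score": points, "tier": t, "controls": required_controls(cat, t)}
    return result


def highest_tier(assessment: dict) -> str:
    """The tier that sets the asset's overall posture: its worst-rated category."""
    return max((v["tier"] for v in assessment.values()), key=TIERS.index)


# Constructed sample inventory (not from the deck): two assets an agency might list.
SAMPLE_INVENTORY = [
    Asset("agency management system", "office manager", {
        "confidentiality": ("high", "high"),   # client PII: likely target, severe if lost
        "integrity": ("medium", "high"),
        "availability": ("high", "medium"),
    }),
    Asset("front-desk workstation", "receptionist", {
        "confidentiality": ("medium", "low"),
        "integrity": ("low", "low"),
        "availability": ("low", "low"),
    }),
]

if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        a = assess(asset)
        print(f"{asset.name} (owner: {asset.owner}) -> overall tier: {highest_tier(a)}")
        for cat, r in a.items():
            print(f"  {cat:15} score {r['score']} tier {r['tier']:6} controls: {', '.join(r['controls'])}")
```

Run it and the agency management system lands at High for confidentiality and integrity and Medium for availability, so the slide-10 "file integrity & versioning" control is required for it while the front-desk workstation stays at the Low baseline everywhere. Whatever combination rule you settle on, write it into the plan so an auditor can re-score the inventory and get the same tiers.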
  12. Checklist • Things to cover.
  13. Checklist • Hardware risks • Software risks • Environmental failures • Network failures • Security policy: password, retention • Usage policy: internet usage, computer usage • Federal and state compliance and privacy
  14. Checklist • Physical security • Computer & network policy • Firewalls • Group Policy • Business continuity & disaster planning • Backup & recovery • Change management • Patching of OS and software • Software licensing • User awareness training • Network security reviews • Anti-virus/antimalware
  15. Evaluation & Audit • Executing your plan.
  16. Evaluation & Audit • Test • Evaluate • Report • Rectify • Repeat • Certification of audit • Request it from vendors.
  17. When it goes wrong • What do you do when it happens?
  18. Don't Panic • Take an immediate audit of the infrastructure • Retain logs • Contact law enforcement • Conduct forensic analysis • Determine impact • If notification is required, contact your lawyer, not your insurance company
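Slide 10 lists file integrity as a High-tier control and slide 18 asks for an immediate audit of the infrastructure and a determination of impact; the two only fit together if a known-good baseline exists before the incident. The script below is an added example, not part of the presentation: it hashes every file under a directory into a SHA-256 manifest while the system is healthy, and later diffs the live tree against that manifest to list what was added, removed or modified. The directory contents, the file names and the simulated changes are constructed for the demo; the manifest is deliberately stored outside the tree it describes.

```python
"""File-integrity baseline and check (added example).

Take a SHA-256 manifest of a directory while it is known good and keep it
where an intruder cannot rewrite it; during an incident, compare the live
tree against that manifest to see what was added, removed or modified.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path) -> None:
    # Keep this file outside the tree it describes, ideally read-only or offline:
    # an attacker who can rewrite the baseline can hide every change.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests into sorted added / removed / modified path lists."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: a temp directory stands in for an agency file share."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        (share / "policies").mkdir(parents=True)
        (share / "policies" / "client_list.csv").write_text("name,policy\nA. Client,ABC-1\n")
        (share / "config.ini").write_text("[server]\nport=443\n")

        baseline_path = Path(tmp) / "baseline.json"  # outside the share on purpose
        save_manifest(build_manifest(share), baseline_path)

        # Simulated changes of the kind an incident audit should surface.
        (share / "config.ini").write_text("[server]\nport=443\nallow_remote=yes\n")
        (share / "policies" / "client_list.csv").unlink()
        (share / "unexpected_upload.php").write_text("<?php /* placeholder */ ?>\n")

        return compare(load_manifest(baseline_path), build_manifest(share))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

The diff only tells you what changed since the baseline, so the baseline has to be taken from a state you trust and re-taken after every approved change (which is where the checklist's change management item earns its place). Pair the manifest with the retained logs when determining impact: the manifest says which files moved, the logs say when and by whom.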
  19. Questions? Comments. • Live tweet on Twitter: @lrixford / #AgentCon16
