2. Approach
• Understand the issues
• Evaluate your risks
• Protect your company
• React to a breach
Title of Slide Deck 2
3. Technology Profile
• IT as a strategic asset, not a cost
• IT Spending levels
• Security
• Governance
• Your place on the adoption curve
• Training
• Constituent touch points
4. Security Profile
• Risk aversion
• User technical expertise
• Presence of PII
• Security budget
– Outsourced services
– Equipment
• Use of remote access and the cloud
• Number of in-house IT staff and their expertise
• Whether laptops are used
• Physical characteristics of offices: stand-alone, high-rise
• Specific password policy:
– Length
– Complexity
– Expiration
– Number of attempts before lockout
– Lockout time length
– Number of password changes before reuse
5. Anatomy Of A Breach
• Compromise credentials
• Escalate permissions
• Search and access data
• Exfiltration
• Sale of data
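The chain on this slide, turned into detection logic. This is an added example, not part of the original deck: it walks a constructed stream of authentication, group-change, file-access and upload events (the event tuple format and all names, hosts and thresholds are invented for the example) and reports any user who passes through every stage from credential compromise to exfiltration.

```python
"""Stage-by-stage breach detection over a constructed event stream.
Added example, not from the original deck; the event format, users,
addresses and thresholds are all invented for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real logs): (timestamp, user, event, detail)
SAMPLE_EVENTS = [
    (100, "alice", "login_fail", "203.0.113.7"),
    (101, "alice", "login_fail", "203.0.113.7"),
    (102, "alice", "login_fail", "203.0.113.7"),
    (103, "alice", "login_fail", "203.0.113.7"),
    (104, "alice", "login_ok",   "203.0.113.7"),      # success after a burst of failures
    (120, "alice", "group_add",  "Domain Admins"),    # escalate permissions
    (130, "alice", "file_read",  "hr/payroll.xlsx"),  # search and access data
    (131, "alice", "file_read",  "hr/ssn_list.csv"),
    (132, "alice", "file_read",  "finance/ar.csv"),
    (140, "alice", "upload",     "9500000"),          # bytes sent to an external host
    (200, "bob",   "login_ok",   "10.0.0.5"),
    (210, "bob",   "file_read",  "eng/design.pdf"),
]

FAIL_THRESHOLD = 3         # failed logins before a success looks like guessing
BULK_READ_THRESHOLD = 3    # distinct sensitive reads that count as "search and access"
EXFIL_BYTES = 5_000_000    # outbound volume that counts as exfiltration

@dataclass
class UserState:
    fails: int = 0
    compromised: bool = False
    reads: int = 0
    stages: list = field(default_factory=list)

def analyze(events):
    """Return {user: [stages reached]} for every user who reaches exfiltration.

    Stages are only credited in order: a group change or bulk read by a user
    whose session did not start with a suspicious login is left alone, which
    keeps ordinary admin work out of the alert."""
    state = defaultdict(UserState)
    for ts, user, event, detail in sorted(events):
        s = state[user]
        if event == "login_fail":
            s.fails += 1
        elif event == "login_ok":
            if s.fails >= FAIL_THRESHOLD and not s.compromised:
                s.compromised = True
                s.stages.append("compromise")
            s.fails = 0
        elif event == "group_add" and s.compromised:
            s.stages.append("escalate")
        elif event == "file_read" and s.compromised:
            s.reads += 1
            if s.reads == BULK_READ_THRESHOLD:
                s.stages.append("access")
        elif event == "upload" and "access" in s.stages:
            if int(detail) >= EXFIL_BYTES:
                s.stages.append("exfiltration")
    return {u: st.stages for u, st in state.items() if "exfiltration" in st.stages}

if __name__ == "__main__":
    for user, stages in analyze(SAMPLE_EVENTS).items():
        print(f"{user}: {' -> '.join(stages)}")
```

In a real environment the same state machine is fed from the actual sources rather than a list: Windows logon events (4625 failed, 4624 successful), group membership audit events, file-server access auditing and proxy or firewall byte counts. The thresholds above are placeholders; they need to be set from a baseline of normal activity, or the detector will fire on every help-desk password reset.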
Cyber Security 5
6. Know The Basics
• Security is all about perception
• Balance – Cost, user access, protection complexity
• Physical, logical, social
• Data at rest, and data in transit
• Components – Inventory, Risk, Assessment
7. Security Plan Components
• Inventory
– Data
– Hardware
– Software
– Policies
– Skills and Knowledge
• Internal, consultants
• Risks
• Assessment
– Action Items
– Policy Changes
– User Education
• Breach Response Plan
• Ongoing Maintenance
– Priorities
– Accountability
8. Data Inventory
• Where is the data and who has access to it?
– Low risk vs. High business impact (HBI)
– Personally Identifiable Information (PII)
– Product designs
– Customer database, accounts receivable (AR)
– Financial information
– E-mail
– Vendor contracts
– Software configurations
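The first question on this slide, "where is the data?", is usually answered by scanning for it. The following is an added example, not from the deck, of a small inventory scanner that flags files holding personally identifiable information (US Social Security numbers and Luhn-valid payment card numbers) and classifies them as high business impact; the file names and contents are constructed for the example.

```python
"""PII inventory: scan text for US SSNs and Luhn-valid payment card numbers
and classify each file as high business impact (HBI) or low.  Added example,
not from the deck; file names and contents are constructed."""
import re

# SSN as AAA-GG-SSSS, with the area/group/serial values that are never issued excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13-19 digits with optional spaces or dashes; Luhn confirms them
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from phone numbers, ticket ids, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    """Return {"ssn": [...], "card": [...]} for the matches found in text."""
    hits = {"ssn": SSN_RE.findall(text), "card": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"].append(digits)
    return hits

def classify(text: str) -> str:
    hits = find_pii(text)
    return "HBI" if hits["ssn"] or hits["card"] else "low"

def inventory(files: dict) -> dict:
    """Map each path to its classification; the HBI entries are the ones whose
    access list needs reviewing first."""
    return {path: classify(content) for path, content in files.items()}

# Constructed sample contents (not real data; the card number is a Luhn-valid test value)
SAMPLE_FILES = {
    "hr/new_hire.txt": "Name: J. Doe  SSN: 123-45-6789  start 2024-03-01",
    "finance/refund.csv": "order,card\n1001,4539 1488 0343 6467",
    "eng/notes.txt": "build id 000-12-3456, ticket 1234567890123 (not a card)",
}

if __name__ == "__main__":
    for path, level in inventory(SAMPLE_FILES).items():
        print(f"{level:4} {path}")
```

Pattern matching only finds structured identifiers; names, addresses and health details need content-aware tooling or manual review, so treat a "low" result as "nothing obvious found" rather than proof that a file holds no PII.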
9. Cloud
• Inventory
• AICPA SOC 2 report (the SOC reports replaced SAS 70: SSAE 16 / SOC 1 covers controls over financial reporting, SOC 2 covers security, availability and confidentiality; ask for a Type II, which tests the controls over a period rather than describing them at a point in time)
• Pass-through reports (the provider's own subcontractors, the subservice organizations)
• Applications’ data locations
10. Mobile
• Inventory
• Device encryption
• Password
• Time out
• Ability to wipe device
11. Mitigation Examples – Before And After
• Account retry lockout
• Pass phrases instead of complex passwords
• Signed security policies
• Two factor authentication
• Training
• Hard drive encryption
• Web site certificates
• Inactivity timeout with password required
• Disallowing collection and storage of personally identifiable information (PII) the business does not need
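The password policy parameters from the security profile (length, complexity, expiration, attempts before lockout, lockout length, changes before reuse) and the retry-lockout and pass-phrase mitigations on this slide, implemented together. This is an added example, not the deck's own material: the parameter values, user names and pass phrases are constructed, and the policy object and authenticator class are invented for the illustration.

```python
"""Password policy and retry lockout.  Added example, not taken from the
deck; parameter values, user names and pass phrases are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    min_length: int = 14        # length over complexity: favours pass phrases
    max_age_days: int = 365     # expiration
    history: int = 5            # changes required before a password may be reused
    max_attempts: int = 5       # failures before lockout
    lockout_seconds: int = 900  # lockout time length

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: list = field(default_factory=list)  # most recent hashes, current last
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0

def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2 so stolen hashes are slow to crack; one salt per account so the
    # history comparison can be done on hashes without keeping plaintext
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Authenticator:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts = {}

    def set_password(self, user: str, pw: str, now: Optional[float] = None) -> str:
        """Returns "ok", "too_short" or "reused"."""
        now = time.time() if now is None else now
        if len(pw) < self.policy.min_length:
            return "too_short"
        acct = self.accounts.setdefault(user, Account())
        h = _hash(pw, acct.salt)
        if any(hmac.compare_digest(h, old) for old in acct.history):
            return "reused"
        acct.current = h
        acct.changed_at = now
        acct.history = (acct.history + [h])[-self.policy.history:]
        return "ok"

    def login(self, user: str, pw: str, now: Optional[float] = None) -> str:
        """Returns "ok", "expired", "bad" or "locked"."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            _hash(pw, bytes(16))   # same cost for unknown users: no enumeration by timing
            return "bad"
        if now < acct.locked_until:
            return "locked"        # even the correct password is refused while locked
        if hmac.compare_digest(_hash(pw, acct.salt), acct.current):
            acct.failures = 0
            if now - acct.changed_at > self.policy.max_age_days * 86400:
                return "expired"
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_attempts:
            acct.failures = 0
            acct.locked_until = now + self.policy.lockout_seconds
            return "locked"
        return "bad"
```

The lockout is per account, so an attacker who spreads guesses across many users (password spraying) never trips it; that case needs a rate limit per source address as well. Long lockouts also hand an attacker a denial-of-service lever, which is why the lockout length is a tunable rather than a constant.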
12. Data Breach Insurance
• Identify the cause and the individuals affected
• Notification
• Credit monitoring for individuals affected
• Public relations management
• Legal expenses to work with regulators
13. Action Items
• Inventory personally identifiable information (PII)
• Assess the likelihood of a breach of PII
• Encrypt all laptops and other selected computers
• Have an outside security assessment performed
• Implement an Intrusion Detection System
• Purchase insurance
• Develop an after-breach plan – tech and non-tech
• Training, awareness
15. Resources
• Washington state notification law: http://apps.leg.wa.gov/rcw/default.aspx?cite=19.255.010
• Sample privacy policy: http://www.privacyaffiliates.com/ps/ps0709192337.html
• Sample IT policy: http://slideshare.net/peterhenley
16. Logical Security Terms
• Confidentiality—who should have access to the data?
– Username and password (pass phrase)
– Encryption
• Authorization—what permissions does the user have for
working with the data?
– Data classification
• Accountability—what has the recipient done with the data?
– System logs, policy
• Integrity—how do you know if the data has been altered?
– Data attributes – time stamp, size, author – are weak evidence, since an edit can preserve all three; a cryptographic hash, or a keyed hash (HMAC) or signature where the attacker could recompute a plain hash, is the reliable check
• Authenticity—how do you know where the data came from?
– Digital signature or keyed hash that only the sender could have produced
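Integrity and authenticity checked with a keyed hash, as an added example that is not part of the deck. It shows a same-length edit that passes a size-and-timestamp check but fails HMAC verification, and a tag made with a different key that fails too, which is what ties the data to its origin. The key and the two documents are constructed for the example.

```python
"""Integrity and authenticity with a keyed hash (HMAC-SHA256).  Added example,
not from the deck; the key and the two documents are constructed."""
import hashlib
import hmac

KEY = b"replace-with-a-secret-from-a-key-store"  # constructed demo key

def tag(data: bytes, key: bytes = KEY) -> str:
    """Keyed hash: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(data: bytes, expected: str, key: bytes = KEY) -> bool:
    # constant-time comparison so a forger learns nothing from timing
    return hmac.compare_digest(tag(data, key), expected)

def attributes_match(a: bytes, ts_a: int, b: bytes, ts_b: int) -> bool:
    """The check the slide lists: time stamp and size only."""
    return len(a) == len(b) and ts_a == ts_b

# Constructed documents of identical length; the attacker also copies the time stamp
ORIGINAL = b"PAY TO: ACME LTD     AMOUNT: 1000.00"
TAMPERED = b"PAY TO: EVIL LTD     AMOUNT: 9000.00"
TS = 1_700_000_000

def demo() -> dict:
    """Compare the attribute check with HMAC verification on the two documents."""
    t = tag(ORIGINAL)
    return {
        "attributes_fooled": attributes_match(ORIGINAL, TS, TAMPERED, TS),
        "original_verifies": verify(ORIGINAL, t),
        "tampered_verifies": verify(TAMPERED, t),
        "wrong_key_verifies": verify(ORIGINAL, tag(ORIGINAL, b"other-key")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

An HMAC proves the data came from someone holding the shared key, so it gives authenticity only among the parties who share it; where the recipient must not be able to forge a tag (a document the sender could later be held to), a digital signature with a private key takes its place.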
17. More Security Terms
• Physical Security, "In the Room" - the ability to physically protect and secure systems and components from theft
• User Security, "At the Keyboard" - the processes and policies used to assure user authentication
• System Security, "In the Box" - the ability to protect the integrity of a system from malicious attack
• Network Security, "On the Net" - the ability to interact with internal and external users and remote systems in a secure manner