City of Atlanta
A bold vision for cyber security
October 6, 2015
What we’ll talk about today

Speakers:
• Elon Ginzburg, Operational Risk Manager, Wells Fargo Bank
• Mario Paez, National Practice Advisor, Wells Fargo Insurance
• Taiye Lambo, Chief Information Security Officer, City of Atlanta
• Rob Callahan, Host and Moderator, Wells Fargo Bank

Agenda:
• Today’s cybersecurity landscape
• City of Atlanta’s bold vision for cyber security
Today’s cybersecurity landscape

By the numbers: Verizon 2015 Data Breach Investigations Report
• 2,122 confirmed data breaches (up from 1,367 in 2014)
• 79,790 reported security incidents (up from 63,437 in 2014)
• 61 countries represented (down from 95 in 2015)
• Incident patterns: 28.5% POS intrusions, 18.8% crimeware, 18% cyber espionage, 10.6% insider misuse
Source: Verizon 2015 Data Breach Investigations Report, using 50 contributing global organizations.
NetDiligence 2015 claims study

Data
• Sample size: 160 insured claims

Company size
• Nano-cap (under $50M revenue): 28% of incidents
• Micro-cap ($50M-$300M revenue): 18% of incidents
• Small-revenue ($300M-$2B revenue): 25% of incidents
• Large-revenue ($10-$100 billion) lost the most records (60%)

Additional notes
• The average cost of a claim was $673,767
• Third parties accounted for 25% of the claims submitted

Findings

Data type
• PII: 45%
• PCI: 27%
• PHI: 14%

Cause of loss
• Hackers: 31%
• Malware virus: 14%
• Staff mistakes: 11%
• Rogue employees: 11%
• Lost/stolen laptop/device: 10%
• Paper records: 5%
• System glitch: 5%
*In 2013, stolen laptops were #1

Business sectors
• Healthcare sector: 21%
• Financial services: 17%
• Retail: 13%
• Technology: 9%
• Professional services: 8%
• Hospitality: 4%
• Restaurants: 4%

Chart: Percentage of breaches by cause of loss (NetDiligence 2015 claims study)
Chart: Percentage of breaches by business sector (NetDiligence 2015 claims study)
Source: Cyber Risk Claims: A Review of Industry Losses Paid Out, NetDiligence® 2015 Study (sample size = 160 insured claims)
Threat actors and their objectives
Key types of fraud attacks

Imposter fraud / social engineering / social media
– Low tech
– Operational gaps
– Awareness

Cyber security
– Coding vulnerabilities
– Misconfigured equipment
– Holistic cyber security

Breaches that originate through 3rd party service providers
– Weakest link
– Challenges with outsourcing (cloud, 4th party outsourcing, others)
– Importance of a third party service provider management program
Vision
A trusted steward of information technology and catalyst for innovation.

Mission
Enabling city operations by consistently delivering reliable and secure services, innovative solutions, and best-in-class customer service.
AIM Future Service Delivery Model
• Mayor’s Office
• Department of Finance/Risk
• Department of Procurement
• Department of HR
• Department of Law
• Department of Audit
• Department of Ethics
• City Council
• Department of Public Works
• Department of Planning & Com Dev.
• Department of Parks & Recreation
• Office of Ent. Assets Mgmt.
• Department of Entertainment
• Department of Sustainability
• Atlanta Workforce Dev. Agency
• Atlanta 311
• Invest Atlanta
• Department of Aviation – Hartsfield-Jackson International Airport
• Department of Watershed Management
• Atlanta Police Department
• Atlanta Fire/Rescue Department
• Department of Corrections
• Judicial Agencies
• Public Defenders Office
• Solicitors Office
AIM supported assets
• 1,352 servers
• 8 data centers
• 3,848 network devices
• 168 active IT vendors
• 6,336 PCs & laptops
• 165 supported city sites
• 133 city apps
• 33,000 e-mails received per day
• 6,000 mobile devices
• 1 to 3 million attacks blocked per month
• 282 PCs & laptops per tech supported
• 4,344 service tickets per month
Strategic Plan: Objectives & Goals

AIM Objective: Achieve IT Operational Excellence
Run IT like a service business providing reliable, scalable, and secure technology solutions aligned with “best-in-class” customer service.

Enterprise AIM Goals
• Ensure IT Infrastructure Reliability & Security
• Enhance IT Customer Service Quality & Delivery
• Improve IT Operational Efficiency

Information Security Goals
• Ensure Data Confidentiality
• Ensure Data Integrity
• Ensure Data Availability
Compliance ≠ Security – Example

A safety engineer approves the appropriate number of lifeboats on a new capacity line of cruise ships.

Regulatory compliance requirement:
• Passenger and crew capacity: 3,600
• Lifeboats: 16
• Occupancy: 1,100

Actual:
• Passengers and crew: 2,224
• Lifeboats: 20
• Occupancy: 1,178

Determination: “Compliant”

RMS Titanic, maiden voyage April 15, 1912. Passengers and crew lost: 1,514.

*Compliance + a Continual Improvement Process through ongoing risk assessments would have identified the need for protection against physical factors such as weather and icebergs!
The need for frameworks
• An extensible structure for documenting and implementing a set of concepts, processes, methods, technologies, procedures and cultural changes necessary for a complete product.
• By aligning the framework controls to business goals and objectives, the framework helps focus on achieving the goals of the business.
The need for frameworks (cont.)

Frameworks direct your focus on the four basic elements of good governance:
• Participation: Aligning IT with the strategic business goals and providing a common frame of reference and vocabulary;
• Accountability: Meeting compliance requirements;
• Predictability: Efficiently managing IT resources and risks. The common frame of reference produces predictability;
• Transparency: Implementing consistent tools and processes throughout the organization.
Criteria common to frameworks

Effectiveness: Information being relevant and pertinent to the business process and delivered in a timely, correct, consistent, and usable manner.
Efficiency: Providing information through the optimal (most productive and economical) use of resources.
Confidentiality: The protection of sensitive information from unauthorized disclosure.
Integrity: The accuracy and completeness of information as well as its validity in accordance with business values and expectations.
Availability: Information being available when required by the business process, present and future, and safeguarding necessary resources and associated capabilities.
Compliance: Achieving externally imposed business criteria (laws, regulations, and contractual obligations) to which the business process is subject, and internal policies.
Reliability: Providing appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
5 characteristics of a control framework
• Provides sharper business focus
• Defines a common language
• Helps meet regulatory requirements
• General acceptability among organizations
• Ensures process orientation
A holistic integrated control framework

Layers of the framework (as drawn on the slide):
• Corporate Governance
• IT & Service Management Governance
• Security Governance
• Information Security Management System (ISMS)
• Security Guidance
• Emerging Requirements, Key Risks and Risk Assessment

Standards, frameworks and regulations it draws on: COSO; CobiT; ITIL; ISO/IEC 27001; NIST/FISMA; FedRAMP; Privacy Laws (US, CA, EU); GLBA, HIPAA, PCI, SOX, Basel III, Breach Laws, Trade Agreements.

Annotations on the diagram:
• Aligns governing body to selection of legally required business and entity controls.
• Framework is adopted by the main governing body, such as SEC / PCAOB in the US, or OGC in the UK.
• Guides implementation and recommendation of control programs and establishes independent criteria for assessment, goals and performance.
• Establishes specific measures and methods for implementing security programs, risk assessment, conformity and allowable business policy.
• Industry, region, country and trade requirements for business and systems.
Critical success factors
• Visible support & commitment from top management; a top down approach
• Information security policies, objectives & activities that reflect business objectives
• An approach to implementing information security that is consistent with organizational culture
• A good understanding of the security requirements, risk assessment & risk management
• Effective marketing of security to all managers and employees
• Distribution of guidance on information security policy & standards to all employees and contractors
• Provide appropriate training & education
• A comprehensive & balanced system of measurement which is used to evaluate performance in information security management & feedback suggestions for improvement
Continual improvement process (Plan – Do – Check – Act)
• Plan: Perform risk assessment and gap assessment of current environment against legal, contractual and regulatory requirements.
• Do: Implement a remediation plan / roadmap for fixing gaps identified.
• Check: Perform risk based audits such as HISPI ISO 27001 Top 20 critical controls.
• Act: Fix gaps identified from risk based audits.
High level strategic roadmap

Timeline: FY2015 Q3 through FY2017 Q4 (shown as a Gantt chart on the original slide).

• Develop CISO’s 90-day Strategic Plan for Information Security
  Perform risk & gap assessment of current environment against legal, contractual, regulatory requirements.
• Information Security Policies and Organization of Information Security
  Establish a management framework to initiate and control the implementation and operation of information security within the organization.
• Information Security Training & Awareness
  Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
• Asset Management and Supplier Relationships
  Identify organizational assets and define appropriate protection responsibilities. Maintain an agreed level of information security and service delivery in line with supplier agreements.
• Access Control and Cryptography
  Limit access to information and information processing facilities. Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
• Physical and Environmental Security
  Prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
• Operations Security and Communications Security
  Ensure correct and secure operations of information processing facilities. Maintain the security of information transferred within an organization and with any external entity.
• Systems Acquisition, Development and Maintenance
  Ensure that information security is an integral part of information systems across the entire lifecycle, including the requirements for systems which provide services over public networks.
• Information Security Incident Management
  Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
• Information Security Compliance + Continual Improvement
  Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
• Ensure IT Infrastructure Reliability & Security
  Ensure the Reliability, Security, and Scalability of COA Systems & Infrastructure.
Questions?
