Understanding Risk Management: “The process of identifying, categorizing, measuring, monitoring and mitigating risk in your company”
Questions to determine how exposed the company is to risk
<ul><li>Questions when speaking with Senior Executives:
<ul><li>As Executive Management, are you aware of the risks, their severity, and the potential penalties and damaging impact that they could have on the business, and on yourselves?</li>
<li>Does your Executive team contain individuals with diverse professional backgrounds who can focus on risk management across the company?</li>
<li>Does the information you receive provide a true risk picture, or are you insulated from the true risk picture?</li>
<li>As head of your company, are you comfortable that it has the correct combination of quantitative and qualitative information for an accurate risk analysis?</li></ul></li></ul>
Questions for the Senior IT Executive
<ul><li>Are your data sources secure?</li>
<li>What is the source of the information provided to Senior Management in your reports?</li>
<li>How reliable are these sources, and how are they validated?</li>
<li>When was the last time someone audited the information?</li>
<li>Have you met with your people, and are you sure that they clearly understand the potential risks associated with not protecting the confidentiality of information within the company systems?</li></ul>
According to Deloitte Financial Advisory Services, 24.3 percent of survey respondents in 2009 indicated that they view the risk of a government investigation as being higher today than a year ago, yet only 20.8 percent of these executives say their organizations are “very ready” to handle a government or regulatory investigation. Worse: a 2008 study conducted by Aon Risk Services found that among 320 corporations in 29 countries, a shocking 42 percent of respondents identified risk only through intuition.
What we have identified from working with our customers: Many businesses don’t understand how technology can be used; they don’t have a technology view of their business. IT is often accused of not being business-focused, and technology gets blamed for things that business people are not actually doing themselves. The management of strategic risk and regulatory compliance cannot be delegated; it must reside at the board level. The strategic importance of information and the nature of current business technologies have raised the stakes regarding the privacy, security and confidentiality of information. In particular, there is heightened sensitivity to safeguarding not just sensitive corporate transaction data, but also data about customers, employees and business partners. The pervasiveness of business technologies has made the unauthorized pilferage of such information and data far easier. In addition, with heightened concerns about terror, regulations increasingly compel organizations to furnish more data than before.
The Management of Compliance Requires Attention to the Following:
<ul><li>Prevailing regulations;</li>
<li>Maintaining and protecting data about transactions, customers, employees, and business partners;</li>
<li>Alerting stakeholders about incidents of unauthorized access;</li>
<li>Providing the affected stakeholders with assistance;</li>
<li>Understanding the potential for economic sanctions and the threats to business continuity due to noncompliance;</li>
<li>Effectiveness with regard to managing data in conformance with the regulations and stakeholder expectations; and</li>
<li>The cost of responding to the compliance expectations.</li></ul>
According to the Ponemon Institute, a leading organization dedicated to independent research and education that advances responsible information and privacy management practices in business and government:
<ul><li>85% of businesses have experienced a data security breach.</li>
<li>46% of businesses fail to implement encryption solutions even after suffering a data breach.</li>
<li>82% did not seek legal counsel prior to responding to the incident, despite not having a prior response plan in place.</li>
<li>95% of businesses suffering a data breach were required to notify data subjects whose information was lost or stolen.</li></ul>
What Are the Financial Implications of a Breach?
<ul><li>What would a breach cost your company? (1)
<ul><li>It is estimated that the average cost of a security/privacy breach is $197 per record.</li>
<li>The average cost is $6.3 million per breach.</li>
<li>The average cost to defend a claim is 8% of the average cost per breach, or $504,000.</li>
<li>The total cost of a breach ranged from $225,000 to almost $35 million. Therefore, defense costs ranged from $18,000 to $2.8 million.</li></ul></li>
<li>Additional costs per record (2)
<ul><li>As high as $50 per record for discovery and notification</li>
<li>As high as $30 per record for credit monitoring</li>
<li>As high as $150 per record for customer attrition, the cost to meet new audit requirements, and lost productivity</li>
<li>As high as $115 per record for consumer redress imposed by the regulators</li></ul></li>
<li>What comprises response costs?
<ul><li>Notification costs</li>
<li>Credit monitoring costs</li>
<li>Forensic investigations</li>
<li>Call center support</li>
<li>Identity theft education</li>
<li>Public relations</li></ul></li></ul>
(1) Source: 2007 Annual Study: U.S. Cost of a Data Breach – Understanding Financial Impact, Customer Turnover, and Preventative Solutions, by The Ponemon Institute, PGP Corporation, and Vontu, Inc.
(2) Source: Forrester Research
Worldwide Laws and Regulations Increase the Need for Protecting Data
New, more prescriptive laws and regulations affording greater protection to personal information are based on the very real threats posed by identity thieves, scam artists and crooks who are stealing credit- and debit-card numbers, health plan data, bank account information and the like that reside in disparate databases and are transmitted over the Internet.
Two Main Watchdog Organizations
The two federal agencies with privacy and security laws that impact most U.S. organizations are the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC). The HHS is pushing the health care industry to use electronic medical records (EMRs), health information exchanges (HIEs) and health information technology (HIT) to improve health care and reduce costs. Organizations that have health plans are affected by the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), and they could potentially benefit from the use of EMRs, HIEs and HIT if health care costs are reduced. The FTC is the consumer watchdog agency that oversees a number of federal laws and regulations that protect personal information from inappropriate use or disclosure, enforce the implicit and explicit privacy and security promises that organizations make to consumers, and restrict how credit information may be used and disclosed. Both the HHS and the FTC have been busy on a number of fronts in 2008, including the following:
Recent Regulations
<ul><li>The FTC introduced the “Red Flags Rule” (meant to address red flags that are indicators of identity theft), which will go into effect on May 1, 2009. It requires creditors (and financial institutions, through their applicable regulatory agencies, with a Nov. 1, 2008, date) to have identity-theft-prevention programs in place. The Red Flags Rule also requires board of directors and senior management oversight of these programs, as well as company oversight of third-party service providers.</li>
<li>The HHS stepped up enforcement of the HIPAA security regulations that require security controls to protect electronic protected health information. Additionally, it is moving from a solely complaints-driven process to one that is also proactive.</li>
<li>Different HHS entities are providing guidance and proposals that advance the use of EMRs, HIEs and HIT by the health care industry, and address related functionality, interoperability, and privacy and security issues.</li></ul>
In 2008, certain states expanded the scope of information security breach notification laws (in effect in 44 states, the District of Columbia, Puerto Rico and the Virgin Islands) to include not only financial and other identifying information, but also medical information, as well as requiring notification in case of a breach when such information is unencrypted. Other states are now or will be requiring that certain personal
Phishing Targets
In 2008, financial institutions were unquestionably the dominant target of phishing e-mails. In the first half of 2009, financial institutions are still the number one target. Along with the decline in phishing and the change in phishing origins, the actual targets of phishing have changed significantly. Financial institutions now represent only 66.3 percent of the targets, allowing online payment institutions to consume 31.4 percent of the share. This change in percentage is not necessarily indicative of more phishing directed towards online payment organizations; it more accurately represents the decline in North American and European financial targets when it comes to phishing. The other 2.3 percent of phishing targets is comprised of other industries such as online auction Web sites, communication services, and online stores.
[Figure: Phishing Targets by Industry, 2009 H1]
Why Outsourcing All or Part of Risk Management Can Help Your Company Remain Compliant in Today's World
In addition to the complexities of an ever-changing economy, the requirements to provide quicker, more accurate information have come at a time when penalties for not protecting consumer data are skyrocketing, as seen in the TJ Maxx court decisions. As a result, companies are not properly organized, within both business and IT, to keep up with the almost daily mandates on data protection. When factoring in the increased cost of new systems technologies, data integration requirements, and the growing costs of maintaining and educating an in-house staff, outsourcing risk analysis and management has become the logical choice. In the 2009 Accenture Global Risk Management study, 63% of the executives surveyed at 250 companies believed that some aspects of risk management can be outsourced to deliver better efficiencies.
Understanding Risk
Enterprise risk management can touch all corners of an enterprise. However, governance, risk and compliance (GRC) typically addresses four primary challenges:
Our Focus
<ul><li>1. Business Risk: This consists of actual threats to the organization, including its products, services, intellectual property and records. Business leaders must communicate to IT leaders what issues exist and where data might reside.</li>
<li>2. Technology Risk: It’s important to understand which pieces of information need to be protected, and in what way, so that an organization can build the right IT infrastructure.</li>
<li>3. Legal/Regulatory Risk: An organization must establish processes and systems that match legal requirements, whether that involves an e-discovery system that must comply with an e-mail retention rule or storage and encryption standards for managing credit card data.</li>
<li>4. External Risk: IT must address all external threats related to data storage, retention and life-cycle management. IT needs to play a central role in protecting and disposing of data properly.</li></ul>
Our Strategy for Security Management
Security strategy requires implementing a combination of technical and organizational controls:
<ul><li>Along with our partners, we work with your team to review current business workflows to identify vulnerable areas</li>
<li>Conduct an impact analysis: what effect and cost to the business operation</li>
<li>Validate and verify that your network applications can only communicate with trusted, verified applications</li>
<li>Test and validate the process of exchanging digital documents inside and outside of the company's firewalls</li>
<li>Review current policies and procedures for exchanging confidential information via e-mail</li>
<li>Identify weak links within the information flow; security is only as good as its weakest link.</li></ul>
Strategema Has Selected Only the Best as Its Partner:
Strategema’s Channel Solutions Partner: IBM Internet Security Solutions Group (ISS)
Best Security Award
SAN FRANCISCO, 04 Mar 2010: IBM (NYSE: IBM) today announced it has been named Best Security Company by SC Magazine. The award, recognizing IBM's leadership in IT and its outstanding security solutions, was presented yesterday at the SC Awards Gala, held in conjunction with the annual RSA Conference in San Francisco. For nearly 50 years, IBM has helped businesses and governments secure their critical infrastructures with solutions that go beyond just collections of niche products. IBM's customers rely on the most comprehensive security solutions and services addressing compliance mandates, applications, data, identity and access management, networks, threat prevention, systems security, email, encryption, virtualization and cloud security. "With the Best Security Company Award, our judges have recognized IBM as a leader in the constant battle to protect businesses, customers and data
IBM's excellence in security includes:
<ul><li>IBM software and services manage more than seven billion security events daily</li>
<li>The IBM X-Force® research and development database tracks more than 48,000 vulnerabilities and advises clients and the general public on how to respond to emerging and critical threats</li>
<li>15,000 IBM researchers, developers and subject matter experts from around the world are committed to security initiatives</li>
<li>IBM monitors and manages the security infrastructures of more than 4,000 customers at IBM Security Operations Centers around the world</li>
<li>IBM holds more than 3,000 patented inventions that enable clients to secure their business information and processes</li></ul>
Proventia Network MFS combines some of the world's most effective security technologies into a single, "all-in-one" appliance:
<ul><li>IBM Proventia Intrusion Prevention: IBM is one of the worldwide market leaders in intrusion prevention technology.</li>
<li>IBM Virtual Patch® Technology: Virtual Patch technology allows you to shield vulnerabilities at the network level.</li>
<li>IBM Proventia Firewall: This ICSA-certified firewall includes allow/deny rules by address/port, named lists of objects and complete connectivity.</li>
<li>Anti-Virus and Anti-Spyware: Offers protection against malicious files, viruses and spyware that degrade network performance and threaten the privacy of customer data. With comprehensive in-the-wild coverage for over 340,000 known viruses and state-of-the-art behavioral detection for unknown viruses, this anti-virus technology analyzes files from Web sites, Web mail, download sites and e-mail in real time.</li>
<li>IBM Proventia Web Filter: With more than 70 million catalogued Web sites, the Proventia Web Filter database is exponentially larger than most other such databases and adds 100,000 new/updated Web pages daily.</li>
<li>IBM Proventia Anti-Spam: This powerful technology incorporates ten methods of detection and is 95 percent effective in detecting spam with 1/10,000 false positives.</li>
<li>IBM Proventia Web Application Security: Integrated into the IBM Proventia family of network and server security products, this feature offers proactive Web application, Web 2.0 and database protection to limit potential business interruptions and exposures.</li></ul>
Last Word on Reduced Risk and Compliance
There is no guarantee that a company will remain compliant; each new regulatory requirement adds another layer of IT risk. Businesses today must contend with an increasing number of government and non-government regulations. The risks of non-compliance are serious and can include fines, often in the hundreds of millions of dollars, prosecution of key corporate officers, or loss of business when forced to shut down. But maintaining an effective data protection strategy is not just for the yearly audit; it must be incorporated into the highest levels of the business and its strategy, and viewed by the company as a living, ongoing project. The recent data breach at “Heartland Payment Systems” echoed this throughout the payment card industry, demonstrating that even the most staunch supporter of PCI compliance can never let its guard down.
What Does This Mean to the Resnick Druckman Group LLC?
<ul><li>Strategema Consulting will partner with you to make your data secure, so that you in return will be able to assure your accounts that the same security measures you are recommending are part of the normal operating procedures for your group.</li>
<li>We will educate your people on the current security climate and new developments through white papers and webinars.</li>
<li>Strategema Consulting will continue to grow and be your one-stop source for presenting real-world solutions to your clients.</li>
<li>Strategema Consulting becomes an integrated resource for developing a risk management practice included as part of your accounting practice.</li>
<li>Working with Strategema Consulting provides both you and your accounts with the premier security solution, supported by the largest provider, IBM ISS.</li></ul>