Overcoming Hidden Risks in a Shared Security Model

1. Overcoming Hidden Risks in a Shared Security Model

2. Agenda • Introduction • Compliance and Security Landscape • Evolution to a 3rd Party Ecosystem • Data Risks and Challenges • Deep Dive Into Shared Responsibilities • Best Practices • Q&A

3. Speakers Chad Kissinger Founder OnRamp OnRamp is a leading HITRUST-certified data center services company that guides businesses through the complexities of data security and compliance. Our solutions help organizations in healthcare, financial services and education services meet compliance standards. OnRamp operates multiple enterprise-class SSAE16/AICPA SOC 2 Type 2 and SOC 3 data centers, where we deploy hybrid computing solutions that enable our customers to blend secure cloud computing, managed hosting, and colocation service to best meet their unique requirements. Our team’s consultative approach helps you develop the right mix of solutions to free your resources to focus on agility and differentiation in your industry.

4. Speakers Maria Horton CEO EmeSec EmeSec uses cybersecurity and privacy practices to build competitive advantage in today’s connected world for clients. Our intuitive, adaptive and game-changing solutions are designed to help organizations protect their reputation and growth engines while harnessing the power of security and automated technologies. The company is an accredited Third Party Assessor (3PAO) under the Federal Risk and Authorization Management Program (FedRAMP). EmeSec Incorporated is a Woman-Owned Service Disabled Veteran Owned Small Business (SDVOSB), founded in 2003. EmeSec holds certifications in ISO 9001:2015, ISO 20000-1:2011, ISO/IEC 27001:2013, ISO/IEC 17020:2012.

5. Speakers Michael Casey Managing Director & Chief Payments Officer EPMG Advisors EPMG Advisors was founded in 2008 with the purpose of providing clients the best payments management and advisory services with boutique customer care. Our firm is driven to provide our clients with the understanding and ability to build and maintain a truly transparent payments environment. Whether your objective is to identify new opportunities for growth or to maximize profits from existing operations, EPMG Payment Advisors can deliver the enterprise-wide solutions you require.

6. Current Landscape Ponemon Institute, Cost of Data Breach Study: 2017 Global Analysis https://healthitsecurity.com/news/mobile-security-at-center-of-2.5m-ocr-hipaa-settlement The average consolidated cost of a data breach reached $3.62 million in 2017 50% $4M 2017 The risk of non-compliance is significant. Ignorance is not excused. Pennsylvania-based CardioNet agreed to a $2.5 million OCR HIPAA settlement stemming from improper safeguards of PII data. 50% of organizations don’t know who has access to their data, how they’re using it, or what safeguards are in place to mitigate a security incident.

7. Multi-Vendor Management Agility and Responsiveness Retaining Talent Patient or Customer Engagement Team Skillsets Cybersecurity Managing Budgets Evolution to 3rd Party Ecosystem Ability to Innovate & Differentiate Leadership offloads their IT infrastructure and computing needs in order to: • Increase Operational Efficiency • Rely on Subject Matter Experts • Gain a Competitive Advantage • Reduce Costs C-LEVEL RESPONSIBILITIES

8. Compliance regulations are written as though one party is responsible for compliance and security. Regulators Leadership Talent Providers/ Suppliers THE PLAYERS Where is the Breakdown?

9. Data Risks and Top Challenges with Shared Responsibilities • Confusing Guidance • Insufficient Policies and Processes • Unclear Roles and Responsibilities • No Accountability • Lack of Due Diligence (Choosing & Monitoring 3rd Parties) • Insufficient Technology THE FUMBLES

10. Guidance is Not Prescriptive www.hhs.gov; https://www.pcicomplianceguide.org/faq/http s://www2.ed.gov/ NIST publications (800-145, 800-66, 800-52); FIPS 140-2 Office for Civil Rights (OCR) HIPAA FISMA Cloud Council Security Rule Breach Notification Rule PCI Data Security Standards (DSS) U.S. Department of Education- FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) The Privacy Act FedRAMP THE PLAYBOOK: GOVERNING BODIES AND FRAMEWORKS Guidance is vague and up for interpretation. (i.e. "reasonable and appropriate ” measures for HIPAA Certain regulations do not require or recognize audits or certifications. (i.e. FERPA)

11. Establishing the Right Policies and Processes • Aren’t able to determine the number of 3rd parties with access to confidential information. • Lack of confidence in third parties’ data safeguards, security policies and procedures. • Rarely conduct reviews of vendor management policies and procedures to ensure they address 3rd party data risk. • Rely on contractual agreements instead of audits and assessments to evaluate the security and privacy practices of their vendors. Standard Policies • Information Classification Policy • Risk Management Policy • Information Systems Security Policy • Ongoing Management • Clearly Defined Roles Symptoms

12. Why Are Companies Unable to Determine Who Has Access to Their Data? • No accountability for 3rd party risk management • No one department or function owns this responsibility • Not a priority • Lack of resources to track third parties • Complexity in vendor relationships • Frequent turnover in partners Ponemon Institute, Data Risk in the Third Party Ecosystem

13. Roles, Responsibility, & Accountability Senior leadership and boards of directors are rarely involved in third-party risk management. 36% of CEOs play a key role in security & compliance strategy 79% Of CEOs cited over- regulation as a top threat to their organizations’ growth. PWC State of Compliance 2016 Only 16% of respondents indicated that they view their CEO as the compliance and champion at their organizations.

14. Roles, Responsibility, & Accountability INTERNAL – SHARED ACROSS DEPARTMENTS

15. Shared Responsibility Varies by Model Responsibility Colocation IaaS PaaS SaaS Data Classification End-point Protection Identity & Access Management Application Controls Network Controls Infrastructure Physical Security Customer Customer Customer Customer Provider Provider Provider Customer Customer Customer Customer Customer Customer Both Parties Both Parties Both Parties Both Parties Customer Customer Both Parties Provider Provider Both Parties Provider Provider Provider Both Parties Provider

16. Accountability and Ownership Organizations admit they are sharing sensitive data with third parties that might have poor security policies. Ponemon Institute, Data Risk in the Third Party Ecosystem Figure 2: Perceptions about vendors’ security policies and procedures

17. Beware of These 3rd Party Risk Indicators • Turnover of the vendor’s key personnel • IT glitches, operational failures and stoppages • Outdated IT systems and equipment • History of frequent data breach incidents • Legal actions against the vendor • Poorly written security and privacy policies and procedures

18. Case Studies • Target breach due to HVAC vendor hack. Ultimately, two- factor authentication and anti-malware would have mitigated the breach. • Hackers breach Equifax’s portal, stealing W-2 data. Only a PIN code was used to protect sensitive data. • Uber pays hackers $100,000 to hide year-old breach of 57 million users. Hackers accessed Github.com, a third-party cloud storage website used by Uber software engineers. Employee training could have prevented passwords from being published on a public forum. ZDN Forbes.com USA today.com

19. Best Practices: Risk Management Life Cycle DUE DILLIGENCE CONTRACT ONGOING MONITORING TERMINATION PLANNING OVERSIGHT AND ACCOUNTABILITY

20. Best Practices: Technology, People, Processes Technology • Data encryption in transit and at rest • Firewalls • Multi-factor authentication • Cloud encryption • Audit logs showing access to data • Vulnerability scanning, intrusion detection/prevention • Hardware and OS patching • Security Audits • Contingency Planning People & Processes • Audit operational and business processes • Audit access management • Enforce privacy policies • Ensure cloud networks and connections are secure • Evaluate security controls: physical infrastructure and facilities • Data decommissioning process • Be prepared for incidents 1 -Risk Assessment 3-Vendor Security Alignment 2 –Assign Owners

21. Best Practices: Choosing a Vendor Understands Your Business Goals Credentials & Certifications Service Level Agreements (SLAs) & Business Associate Agreements (BAAs) Security Availability & Scalability Expertise in Your Industry

22. Questions?

23. Thank you! Contact Us: Sales@onr.com 888.667.2660 www.onr.com

Overcoming Hidden Risks in a Shared Security Model

Overcoming Hidden Risks in a Shared Security Model

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Overcoming Hidden Risks in a Shared Security Model

Similar to Overcoming Hidden Risks in a Shared Security Model(20)

More from OnRamp

More from OnRamp(6)

Recently uploaded

Recently uploaded(20)

Overcoming Hidden Risks in a Shared Security Model

Editor's Notes