Iamers presentation-2

Emerging Issues in Data Security, Data Privacy, & Employee Monitoring

  1. IAMERs 8th Annual Meeting 2012
     Emerging Issues in Data Security, Data Privacy, & Employee Monitoring
     DF Labs / The Lorenzi Group
     (c)2012 The Lorenzi Group & DF Labs

  2. Data Security
     What data are we talking about?
     • Health
     • Financial
     • Product Innovation
     • Operations & Strategy

  3. Data Privacy – US vs. EU
     Main Difference:
     • EU – All about regulation & compliance protecting the rights of the individual.
     • USA – National security & the company interests are protected first.
     • Patriot Act
     • Safe Harbor
     • Preventive Monitoring & Security Analytics

  4. Privacy in the EU: ...possible modification soon
     • No More Local Implementation
     • Only one notification
     • Under the new proposals national data protection authorities will be able to penalize data protection breaches by imposing fines of up to 2 percent of the global annual revenues of a business.
     • Immediate data breach notification

  5. Security Analytics: The Next Frontier
     • Proactive Monitoring of data traffic
     • Internal monitoring more important than external monitoring
     • Baselines
     • Metrics
     • Patterns, anomalies & Standard Deviation
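The "baselines, metrics, standard deviation" approach on the Security Analytics slide, worked through as an added example (not code from the deck, DF Labs or The Lorenzi Group): each internal host gets a baseline from its first days of outbound traffic, and later days are scored in standard deviations from that baseline. Host names, byte counts and the 3-sigma threshold are constructed assumptions.

```python
"""Baseline-and-standard-deviation anomaly flagging for internal data traffic.

Added example for the 'Security Analytics' slide; not code from the deck or
from DF Labs / The Lorenzi Group. Hosts, byte counts and thresholds below are
constructed sample values.
"""
from statistics import mean, stdev

# Constructed sample: daily outbound volume (MB) per internal host over 10 days.
# workstation-42 shows a late spike; workstation-77 goes silent on day 7.
SAMPLE_TRAFFIC = {
    "fileserver-01": [210, 205, 198, 220, 215, 208, 212, 201, 219, 214],
    "workstation-42": [12, 15, 9, 14, 11, 13, 10, 12, 14, 260],
    "workstation-77": [30, 28, 33, 31, 29, 32, 30, 0, 31, 29],
}


def baseline(values):
    """Return (mean, sample standard deviation) of the baseline window."""
    if len(values) < 2:
        raise ValueError("need at least two observations to estimate a baseline")
    return mean(values), stdev(values)


def z_score(value, mu, sigma):
    """Standard deviations from the baseline mean (0.0 if the baseline is flat)."""
    return 0.0 if sigma == 0 else (value - mu) / sigma


def find_anomalies(history, window=7, threshold=3.0):
    """Flag observations after the baseline window whose |z| exceeds threshold.

    The first `window` days of each host form its baseline; every later day is
    judged against that fixed baseline, so a spike is not averaged into the
    very baseline it is compared with. Drops are flagged as well as spikes:
    a host that suddenly sends nothing may be offline or no longer logging.
    """
    findings = []
    for host, series in history.items():
        mu, sigma = baseline(series[:window])
        for day, value in enumerate(series[window:], start=window):
            z = z_score(value, mu, sigma)
            if abs(z) > threshold:
                findings.append((host, day, value, round(z, 1)))
    return findings


if __name__ == "__main__":
    for host, day, value, z in find_anomalies(SAMPLE_TRAFFIC):
        print(f"{host}: day {day} sent {value} MB, z={z:+.1f} vs. baseline")
```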
  6. Discussion Points
     • HIPAA/EU Healthcare Privacy (aka Directive)
     • Insurance Companies & Data Theft Protection
     • FCPA/UK Bribery Act 2010
     • Medical Fraud
     • Employee Monitoring

  7. HIPAA & the EU Directive
     United States                  | European Union
     Federal Mandate                | EU Mandate (w/ country-specific regulators)
     Health related information     |
     Can encompass Financial Info   |

  8. Insurance Co's & Data Theft
     • More control over data theft claims
     • Policies becoming more restrictive
     • Coverage becoming more focused
     • Moving away from typical coverage as add-on
     • Immediate action required by insured

  9. US FCPA & UK Bribery Act 2010
     • Foreign Corrupt Practices Act
     • Revenue generator for Federal Gov'ts
     • Regulator base and depth growing
     • "Double Jeopardy" does not apply
     • Recently expanded to vendors, partners & consultants

  10. Medical Fraud
     • Equipment being sold on Black Market/Gray Market
     • Purchases made with false information:
       • Credit Cards
       • Federal Tax IDs (Corporate ID Theft)
       • Unauthorized Personnel
     • FBI issued report showing 40% of corporate cybercrime is employee driven

  11. Employee Monitoring
     • Key part of Security Analytics
       • US: Company owned
       • EU: Data owned
     • German Unions seeing great success
     • Sony vs. Lockheed
     • Lockheed Martin, Kaiser Permanente, USPS

  12. Employee Monitoring (pt 2)
     • In the EU, employee monitoring may not be allowed. In some cases, in fact:
       • Privacy Impact
       • Labor Law
     • Cases where monitoring data and preventing incidents are mandatory, e.g. the Italian 231/01

  13. Risk Mitigation Framework
     Source: DFLabs & Terremark
     [Framework diagram; recoverable elements:]
     • Pre-Incident Preparation
     • Incident Prevention and Preparation (Including Forensics and Fraud)
     • IT Security Process Management and Support, including vulnerability management
     • Enterprise Business Security
     • Know where your data are
     • Application Security
     • Incident Response and Management investigation (Including Forensics and Fraud)
     • Test Your Tech
     • Business Risk Management: Policy, standards, Legal and Technology guidelines
     • Use the Right Technologies

  14. Risk Mitigation Framework: Example in the Medical Device World
     FDA: Which medical devices are covered by this guidance?
     • Medical devices that incorporate off-the-shelf (OTS) software
     • Medical devices that can be connected to a private intranet or the public Internet
     • This information also may be useful to network administrators in health care organizations and information technology vendors.
     Who is responsible for ensuring the safety and effectiveness of medical devices?
     • The device manufacturer bears the responsibility for the continued safe and effective performance of their medical device.
     • The device manufacturer does not bear responsibility for the Hospital Network.
     Source: FDA 2012

  15. Risk Mitigation Framework: Example in the Medical Device World
     A vendor in the medical devices arena asked DFLabs to perform the following tasks:
     • Code Audit on the Device Software
     • Security Assessment on the Device Itself
     • Security Guidelines for the Device setup
     • Contractual Technical Support vs. Hospital Relationships
     Source: FDA 2012

  16. Risk Mitigation Framework: Example in the Hospital World
     • Prominent Hospital has a MAJOR/Gross data breach
     • Post-event Security Analysis ID'd:
       • Lack of Controls
       • Too much & contradicting Information
       • Employee Monitoring would have ID'd threat risk prior to event
     • "Set it & Forget it" Security is DEAD. Diligence is KEY to success.

  17. Questions?
     Robert Fitzgerald, The Lorenzi Group
     +1-866-632-9880
     www.thelorenzigroup.com
     info@thelorenzigroup.com

     Dario Forte, DF Labs
     +39-0373-83196
     www.dflabs.com
     info@dflabs.com