1. Confluence with Information Security – ISO 17799
   Ellie Myler, CRM, CBCP, Senior Records Management Analyst, Entium Technology Partners, LLC, 303-684-0496, emyler@entium.com
   George Broadbent, Director, Enterprise Solutions, Entium Technology Partners, LLC, 610-415-7216, gbroadbent@entium.com
   Session #M014

2. Learning Objectives
   Upon completion of this session, participants will be able to:
   • Outline ISO 17799 components, applications, and implications
   • Review security breach notification requirements and e-commerce reporting issues
   • Link information security objectives with records management (RM) components

3. How Secure Is Your Data?
   • Zero day attacks
   • SQL injections
   • Bots and botnets
   • Insider infractions
   • Click fraud
   • Denial of service
   • Identity theft
   • Lost laptops and handhelds

4. Costs Are Rising
   Ted Humphreys, Convener of ISO 18043:2006, International Standards Organization, June 30 2006:
   “It is estimated that intentional attacks on information systems are costing businesses worldwide around 15 billion each year and the cost is rising.”

5. Information Security Defined
   • Continuous interconnected environment
   • Emerging weaknesses and vulnerabilities
   • Attacks, incidents, and threats
   • Multiple and diverse formats
   • Policies, processes, procedures
6. Objective 1 – Outline ISO 17799
   • Components
   • Applications
   • Implications

7. ISO 17799 Framework
   • 11 security control clauses
   • 39 main security categories
     • Control objective
     • One or more controls to achieve the objective

8. ISO 17799 Framework
   • Control descriptions
   • Control definitions
   • Implementation guidance
   • Other information

9. Benefits Of Using A Framework
   • Provides consistent asset management
   • Establishes policies & operational procedures
   • Furnishes program documentation
   • Prepares for business continuity
   • Defines roles and responsibilities
   • Demonstrates compliance
10. ISO 17799 Steps and Tasks

11. Cross-Reference For Compliance

12. Conduct Risk Assessments
   • Types and likelihood of risks
     • Internal
     • External
   • ISO 13335-3 – risk assessment methodologies
   • Acceptance and non-acceptance levels
   • Risk treatment and controls
   • Business and regulatory considerations
13. Establish A Security Policy
   • Sets a precedent for the program
   • Demonstrates management intent
   • Outlines control objectives and controls

14. Establish A Security Policy
   • Provides brief program explanations
   • Defines responsibilities
   • Refers to related documentation

15. Compile An Asset Inventory
   • Assets
     • Types (tangible and intangible)
     • Locations
     • Owners
   • Asset use rules: e-mail, Internet devices

16. Compile An Asset Inventory
   • Classification of asset value
   • Labeling and handling procedures
   • Metadata and properties
17. Define Accountability
   • Security roles and responsibilities
     • Employees
     • Contractors
     • Third parties
   • Pre-employment processes
     • Condition of employment & job descriptions

18. Define Accountability
   • Clearly communicating expectations
   • Terminations and exit interviews
     • Asset return
     • Asset rights removals

19. Address Physical Security
   • Building and office premises
   • Perimeters, barriers, entries, access, alarms
   • Intruder detection systems (ISO 18043)

20. Address Physical Security
   • Environmental considerations
     • Natural
     • Human
     • Political
   • Equipment
     • Utilities, power, telecommunications
     • Contingency plans
     • Maintenance, disposition
21. Document Operating Procedures
   • Procedures
     • System activities and processes
     • Change management controls, duty assignments
     • Rules for development, test, operational facilities
   • Third-party agreements
   • Monitoring, review, audits

22. Document Operating Procedures
   • System use and capacity
     • Desktops
     • ERP (enterprise resource planning)
   • Patch management
   • Malicious and mobile code

23. Document Operating Procedures
   • Back-up and restoration
   • Remote equipment, connections
   • Public and wireless networks
   • Authentication and encryption controls
   • Firewalls

24. Document Operating Procedures
   • Back-up and restoration
   • Intrusion detection systems
   • Media handling and transit processes
   • Information classification, distribution
   • Retention, disposition
   • Information relay etiquette

25. Document Operating Procedures
   • eCommerce
     • Messaging systems
     • Cryptographics
     • On-line transactions
     • Electronic signatures
     • Authentication and authorization
   • Electronic publishing systems
   • EDI (electronic data interchange)

26. Document Operating Procedures
   • Monitoring controls
   • Audit logs, contents, retention
27. Determine Access Control
   • Rules and rights
   • Registration
   • Privileges
   • Passwords
   • Clear desk and clear screen policy

28. Determine Access Control
   • Management of:
     • Unattended equipment
     • Virtual private network (VPN) solutions, routing, connections
     • Wireless networks, virtual spaces
     • Cryptographic keys/procedures
     • Software development, source code

29. Determine Access Control
   • Test and production environments
   • Change control procedures
     • Patches
     • Updates and service packs

30. Coordinate Business Continuity
   • Incidents, breaches, weaknesses
   • Timely reporting, forms, and feedback
   • Formal procedures, contacts, user awareness
   • ISO 18044 – incident management techniques

31. Coordinate Business Continuity
   • Business continuity plans
     • Define risks and possible occurrences
     • Conduct business impact analyses
     • Prioritize critical business functions
     • Develop countermeasures
     • Compile plans, identify owners
     • Set up regular testing to evaluate effectiveness
32. Demonstrate Compliance
   • Laws, regulations, and requirements
   • IPR (Intellectual Property Rights)
   • Records management

33. Demonstrate Compliance
   • Laws, regulations, and requirements

34. Demonstrate Compliance
   • IPR (Intellectual Property Rights)
     • Rules and use, licenses
     • Asset registers, copyrights
     • Insider theft – the “Coke” incident (7-6-06)

35. Demonstrate Compliance
   • Records management
     • Inventory, classification, media stability
     • Retention schedule and authorities
     • ISO 15489 – records management
     • Transborder flow for import/export
     • Protective controls
36. Objective 2 – Review eCommerce
   • California S.B. 1386 precedent
   • Reporting security & information breaches
   • Federal mandates and other states
   • Links to ISO 17799 clauses

37. Consequences of Stolen Data
   CSI/FBI Computer Crime and Security Survey 2005:
   “639 of 700 companies and governmental agencies surveyed lost $31 million worth of proprietary data and spent $43 million to clean up computer viruses.”

38. Definitions
   • Personal information: an individual’s name in combination with
     • Social security number
     • Driver’s license number
     • Account number

39. Definitions
   • Breach of the security of the system: unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

40. California’s Original Precedent
   • Disclose breaches of the security of data
   • Sources of personal information
     • Credit card transactions, magazine subscriptions
     • Social security and telephone numbers
     • Real estate records, automobile registrations
     • Consumer surveys
     • Warranty registrations, credit reports

41. California’s Original Precedent
   • Notice methods
     • Written, electronic, substitute methods (e-mail, web site posting, media)
   • Civil actions to recover damage
42. Federal Mandates
   • Identity Theft Protection Act (S. 1408)
     • Security breach report and publication
     • Consumer notification and methods
     • Not later than 45 days after breach
     • Security freeze
     • $11 million in fines for failing to meet requirements

43. Federal Mandates
   • Data Accountability & Trust Act (H.R. 4127)
     • Security policy for personal information
     • Mitigation processes for vulnerabilities

44. Other States
   • Security freeze laws (15 states)
     • Consumer can freeze credit any time (CA, CT, LA, ME, NJ, NC, NV, UT)
     • To go into effect (CO, WI)
     • Once consumers become identity theft victims (IL, TX, VT, WA)
     • Similar freeze safeguard (SD)

45. Links to ISO 17799 Clauses
   • Clause 10.9 – sensitive customer data
     • eCommerce countermeasures
     • Cryptographic controls
   • Clause 13.1 – reporting
     • Incident report methodology
     • Appropriate response and behavior
     • Disciplinary processes
46. Objective 3 – RM Components
   • Vital records programs
   • Intellectual property protection
   • Retention and disposition issues
   • Compliance and documentation

47. Vital Records (VR) Programs
   • VR identification and locations
   • Master list, media capture, associated systems
   • Back-up and document restoration procedures
   • Imaging and/or microfilm processes
   • Off-site and third-party agreements

48. Vital Records (VR) Programs
   • Overall information security program
   • Update VR program and processes
   • Clear desk and clear screen initiative
   • Trans-border flow/encryption

49. Intellectual Property Protection
   • Intellectual Property (IP)
     • Registers
     • Licenses
     • Copyrights, trademarks, and patents

50. Intellectual Property Protection
   • Version control issues
   • Corporate seals
   • Controlled distribution and access
   • Limited publication and sharing
51. Information Lifecycle
   Information flows through an organization, yet information security is omnipresent.

52. Retention and Disposition Issues
   • Inventories of the content of all information
   • Standard classifications and taxonomies
   • Retention schedules and authorities
   • Defined retention periods
   • Disposition issues for all media

53. Compliance and Documentation
   • Source registries and due diligence
   • Audit log for evidence requirements
   • Information security program documentation
     • Inception and establishment
     • Implementation
     • Evaluation
   • Change control procedures
   • Compliance program/audit controls

54. The Old Adage Still Stands
   Any organizational initiative always needs:
   • Senior management support
   • Funding
   • Resources

55. Staying Ahead Of The Curve
   • Keeping up with the newest developments, threats and possibilities can be overwhelming! However, without this knowledge you can’t beat the bad guys.
   • Avoid working alone in a vacuum
   • Tap everyone’s talents and ensure a cohesive program

56. Confluence with Information Security – 17799
   Session #M014
   Ellie Myler, CRM, CBCP, Senior Records Management Analyst, Entium Technology Partners, LLC, 303-684-0496, emyler@entium.com
   George Broadbent, Director, Enterprise Solutions, Entium Technology Partners, LLC, 610-415-7216, gbroadbent@entium.com
   Please Complete Your Session Evaluation

M014 Confluence Presentation 08 15 06
