Financial Poise, profile picture
Uploaded byFinancial Poise
77 views

CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company's Information Security Program

This webinar aims to guide businesses on building and implementing effective information security programs to protect valuable data from unauthorized access. It discusses the importance of cybersecurity in the current environment, compliance with various regulations, and key elements of a security program such as risk management and employee training. The series includes informative episodes designed for professionals across legal, financial, and business sectors, emphasizing practical, engaging insights into data privacy and cybersecurity.

Embed presentation

2 Practical and entertaining education for attorneys, accountants, business owners and executives, and investors.
Disclaimer The material in this webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate, Financial Poise™ makes no guaranty in this regard. 3
4 Thank You To Our Sponsors
Meet the Faculty MODERATOR: Kathryn Nadro - Sugar, Felsenthal, Grais & Helsinger LLP PANELISTS: Jeff Sauntry – Risk Neutral Alison Schaffer - Jump Trading Group Alex Sharpe - Sharpe LLC 5
About This Webinar- How to Build and Implement your Company's Information Security Program Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure? An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place. This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data. 6
About This Series Cyber Security & Data Privacy 2022 Cybersecurity and data privacy are critical topics of concern for every business in today’s environment. Data breaches are a threat to every business and can cause both direct losses from business interruption and loss of data to indirect losses from unwanted publicity and damage to your business’s reputation. Compliance with a patchwork of potentially applicable state and federal laws and regulations may cost your business in terms of money and time. This series discusses the various laws and regulations that affect businesses in the United States and in Europe, as well as the best practices to use in creating an information security program and preparing for and responding to data breaches. Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and executives without much background in these areas, yet is of primary value to attorneys, accountants, and other seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that participants will enhance their knowledge of this area whether they attend one, some, or all episodes. 7
Episodes in this Series #1 Introduction to US Privacy and Data Security: Regulations and Requirements Premiere date: 08/03/22 #2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance Premiere date: 9/07/22 #3: How to Build and Implement your Company's Information Security Program Premiere date: 10/12/22 #4: Data Breach Response: Before and After the Breach Premiere date: 11/09/22 8
Episode #3: How to Build and Implement your Company's Information Security Program 9
Introduction • Information security programs are a documented set of a company or agency’s information security policies, guidelines and procedures • Majority of security programs aim to assess risk, monitor threats, and mitigate cyber security attacks • Implemented in any industry that deals with personally identifiable information or other sensitive information or systems
What is Information Security (INFOSEC)? • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability of information - Intellectual Property (IP) - Confidential, private, and sensitive information, or - information in all forms, both digital and physical • Protection important during storage, processing, transmission
Information Security (INFOSEC) vs. Cybersecurity vs. Information Assurance (IA) • Share the common goals of protecting the confidentiality, integrity, and availability of information • Terms are often used interchangeably but do not have the exact same meaning • All three terms are concerned with the CIA Triad • INFOSEC scope is information in all forms (i.e., digital and paper) • Cybersecurity is information in digital form • IA are the measures that protect and defend information and information systems by ensuring their availability, integrity, authentication - Basically, a term for INFOSEC used in select committees
Motivation to Create an Information Security Program (ISP) • 60% of global revenues are from digital sources • More than 50% of corporate valuations are based on intangible assets • Cyber risk is intrinsic to the modern business world • Cyber risk is now a board conversation • Required by: - regulation - legislation - customers - vendors - suppliers
The Purpose • Different institutions may create ISPs for various reasons, but they generally share few similarities, including - √ Establish a general approach to information security √ Detect and forestall the compromise of information security (i.e. misuse of data, networks, computer systems and applications √ Protect reputation of the company with respect to its ethical and legal obligations √ Recognize the rights of customers o i.e. providing effective mechanism for responding to complaints
The Scope • Generally, ISPs address: √ All data √ Programs √ Systems √ Facilities √ Other tech infrastructure
Information Security Objectives • An organization looking to implement ISP needs to have well-defined objectives • Information security systems are deemed to safeguard 3 main objectives - √ Confidentiality √ Integrity √ Availability
Information Security Programs – Then and Now • Early information security efforts identified confidentiality, integrity, and availability (“CIA Triad”) as primary security factors • The rise of information security programs - √ 1967 - military computers were hacked and CIA Triad found to be inadequate - not much was changed √ 1970s - “phreakers” exploit vulnerabilities in telephone network to make free long- distance calls √ 1980s - First National Bank of Chicago hacked for $70 million √ 1990s & 2000s - computers become targets as more people provide personal information online
The CIA Triad • Confidentiality √ Controlling who gets to access information √ Ensuring only individuals who need access to this information to do their jobs get that access √ Access restricted to only authorized individuals • Integrity √ Ensuring information and programs are changed only in a specified and authorized manner o i.e. information has not been tampered with or deleted by those with unauthorized access
The CIA Triad (cont’d) • Availability √ Ensuring authorized users have continued access to information and resources o Information is readily available to those who need it to successfully conduct an organization’s business
What Information is Protected? • Anything of value or any information required to be protected by law or regulation • Examples: - Intellectual Property (IP) and proprietary information - Operational data (i.e., data which businesses cannot run without) - Required by: - law - regulation - contracts • Types of protected information can include: - private information - personally identifiable information - health information - information protected by GDPR, other data protection laws
Proposed Regulation and Rule Changes • SEC Proposed Rule Changes • Cyber Incidents • Board Composition • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), March 2022 • Creates legal protections • Provides guidance to companies that operate in critical infrastructure sectors, including a required reporting of cyber incidents within 72 hours • Requires ransom payments to be reported  Federal data laws that look a lot like a federal privacy law
SEC Proposed Rule In May 2022, SEC proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Proposed amendments in 17 CFR 229, 232, 239, 240 and 249 would require: - Current reporting about material cybersecurity incidents - Periodic reporting to provide updates about previously reported cybersecurity incidents - Periodic reporting about cybersecurity policies and procedures - Reporting about board oversight of cybersecurity risk - Reporting about management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures
Relevant Laws and Other ISP Items • An ISP is likely to include reference to relevant laws √ i.e. HIPAA, GLBA, international data protection laws like the EU General Data Protection Regulation (GDPR) • ISP may also include - √ Virus Protection Procedure √ Intrusion Detection Procedure √ Remote Work Procedure √ Technical Guidelines √ Consequences for Non-compliance √ Disciplinary Actions √ Terminated Employees
Massachusetts Standard: 201 C.M.R. 17 • Standards for the Protection of Personal Information of Residents of the Commonwealth • Implemented in 2010 - the top personal information protection law in the US when enacted • Makes every person or entity that owns personal information of a Massachusetts resident to adopt a written information security program (WISP) designed with appropriate safeguards
Massachusetts Information System Law • In Massachusetts, every information security program must include: √ At least one employee maintaining the information security program; √ Identify foreseeable security risks, both internal and external; √ Employee security policies dealing with access and transportation of personal information outside of the business; √ Disciplinary measures for violations; √ Methods of how to prevent terminated employees from reaching personal information.
Massachusetts Information System Law (cont’d) √ Oversee third-party service providers by taking reasonably steps to adopt and maintain security measures consistent with the entity; √ Restrictions on stored personal information access; √ Regular monitoring to ensure compliance with the implemented information security program and stop unauthorized access; √ Annual review of the security program, or whenever there is a material change in the business practices; and √ Document any incident involving a security breach and actions taken in response to breaches, and any review of business practices to protect personal information, if necessary.
NY Department of Financial Services Cybersecurity Regulation, 23 NYCRR Part 500 • Requires that all financial service companies maintain an ISP √ Any company regulated by the Department of Financial Services √ Exceptions - o Organization with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets
NY Department of Financial Services Cybersecurity Regulation • The ISP must address: √ information security; √ data governance and classification; √ asset inventory and device management; √ access controls and identity management; √ business continuity and disaster recovery planning and resources; √ systems operations and availability concerns; √ systems and network security; √ systems and network monitoring;
NY Department of Financial Services Cybersecurity Regulation (cont’d) • The ISP must address: √ systems and application development and quality assurance; √ physical security and environmental controls; √ customer data privacy; √ vendor and Third Party Service Provider management; √ risk assessment; and √ incident response.
NY Stop Hacks and Improve Electronic Data Act (“SHIELD Act”) • Expands NY breach notification law and imposes data security program requirements on businesses that possess the private information of New York State residents - Applies regardless of whether the businesses have any physical presence in New York State • Program requirements include administrative, technical, and physical safeguards for detecting and responding to intrusions and maintaining security of information • Businesses subject to and in compliance with Gramm-Leach-Bliley, HIPAA, or the NY Dept. of Financial Services Cybersecurity Requirements are exempted from this requirement under the SHIELD Act
NY Stop Hacks and Improve Electronic Data Act (“SHIELD Act”) (cont’d) • Limited reprieve for “small businesses” with fewer than fifty employees, less than $3 million in gross revenues in the last three fiscal years, or less than $5 million in year-end total assets • Expands the definition of “private information” subject to NY data breach notification law • NY Attorney General can pursue civil penalties, but there is no private right of action
California Consumer Privacy Act • Effective January 1, 2020 (amendment called the California Privacy Rights Act effective January 1, 2023) • CCPA/CPRA mandated companies do the following: √ Inform consumers about the categories of personal information collected and the purposes for which the information is being used; √ Respond to verifiable consumer requests to access certain information; √ Allow customers to opt-out of the sale of their personal information; and √ Enable consumers (subject to carve outs) to request that businesses delete their personal information • CPRA will require annual cybersecurity audits for certain companies processing personal information that might present a “significant risk” to consumer privacy and security
California Consumer Privacy Act (cont’d) • Applies to business if they are businesses that collect and control California residents’ personal information, do business in California, and satisfy one of the following: √ Have annual gross revenues in excess of $25 million, or √ Receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis (increased to 100,000 as of January 1, 2023), or √ Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
CCPA Private Right of Action • Limited private right of action for consumers whose information is exposed in a data breach if the business failed to take reasonable and appropriate security measures • Consumers may receive statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater • California Privacy Protection Agency enforces the CCPA/CPRA and may also issue fines of up to $7,500 per violation
Key Elements of an Effective Information Security Program (ISP) • Purpose • Scope • Information security objectives √ CIA Triad • Authority and access control policy • Classification of data • Data support and operations • Security awareness sessions • Responsibilities and duties of personnel • Relevant laws
Domains A domain is a distinct set or group of security practices (controls) which have similar attributes to each other. Source: Sharpe Consulting LLC
Integration into Existing Governance, Risk, and Compliance (GRC) Principles First Line of Defense - technical and operational controls - largely the responsibility of IT - IT audit is Line of Defense 1.5 Second Line of Defense - Risk Management, Compliance, Finance, etc. - Training, awareness, and incident response - Policies and risk appetite Third Line of Defense - Internal audit Fourth Line of Defense - External audit (assurance to the Board) Source: Sharpe42 LLC STRONG The Purse Strings Ultimate defense is ALWAYS between the keyboard and the back of the chair
Authority Access & Control Policy • Typically, a security policy has a hierarchical pattern: √ Junior staff usually bound not to share the little amount of information they have unless explicitly authorized √ Senior manager may have enough authority to make a decision on what data can be shared and with whom √ Policies governing senior employees may not be the same policy governing junior employees √ ISP should address every basic position in the organization with specifications that will clarify their authoritative status
Classification of Data • Data can have different value and thus may impose separation and specific handling regimes/procedures for each kind of data • Information classification system is commonly sorted as: √ High risk or highly confidential class √ Confidential class √ Public class
Classification of Data (cont’d) • High risk class - generally data protected by state and/or federal legislation or regulations √ Information covered under HIPAA, FERPA, or other federal regulations √ Financial data √ Payroll √ Personnel (privacy requirements) • Confidential Class √ Data in this class may not be covered by any laws or regulations, but the data owner judges that it should be protected against unauthorized disclosure √ Information protected by NDAs, trade secrets, confidential business information •
Classification of Data (cont’d) • Public Class √ Information freely distributed • Data owners should determine both the data classification and the exact measures a data custodian needs to take to preserve integrity in accordance to that level
Data Support and Operations • The regulation of general system mechanisms responsible for data protection n √ Data backup √ Movement of data
Critical Infrastructure and Physical Security • Presidential Policy Directive 21 (PPD-21) • Originally defined in 1998 (Clinton Administration) under Presidential Decision Directive 63 • In practice the term refers to utilities that affects the population – gas, electric, water, wastewater • Historically outages are from Weather, Physical, Cyber is growing • Greatest concern is IT effect on Operational Technology (OT) like Colonial Pipeline
Critical Infrastructure Sectors Chemical Communications Dams Emergency Services Financial Services Government Facilities Information Technology Transportation • Commercial Facilities • Critical Manufacturing • Defense Industrial Base • Energy • Food and Agricultural • Healthcare and Public Health • Nuclear Reactors, Materials and Waste • Water and Wastewater Systems • Social Media?
Oldsmar (Tampa) Water Treatment • Tampa’s water treatment system was accessed remotely • Increased the amount of lye (aka drain cleaner) • Supervisor saw the concentration being changed on his computer screen and immediately reverted • Other safeguards are in place • What if APT disabled safeguards first? • Kudos to Homeland Security
Cyber Attack on Power Grid • First documented case, 2015 in Ukraine • Still not fully operational two months after the attack • Threat grows with IoT adoption • Big time cyber target Factoid: Russia unleashed more cyber attacks on Ukraine in the first day of the invasion than we typically see from all cyber actors in a year
National Defense Responses “Israel is under constant threat in the cyber dimension, and attacks are sometimes carried out against it. We are able to deal with most of the threats through advanced defense capabilities,” Maj. Gen. Tamir Hayman said at a conference at Tel Aviv University
Security Awareness Employee Training • Security awareness training could help provide employees with information regarding how to collect/use/delete data, maintain data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage of social networking, etc. • Security awareness training has the highest Return on Investment (ROI) for companies
Responsibilities and Duties of Personnel • Not unusual for institutions to hire an ISP person with the sole responsibility for √ implementation √ education and training √ incident response √ user access reviews √ periodic updates of an ISP
Employee Maintaining the Information Security Program • Employee is the designated officer for handling every aspect of the program. √ A designated security officer is responsible for coordinating and maintaining the security program. • This person should maintain independence by reporting to someone outside of the IT department.
Assessing Risk • What risks could your organization face? √ Examples: loss of data, unauthorized access, data corruption, hack, third-party data sharing, etc. • What would be appropriate, cost-effective management techniques for these risks?
Additional Elements of a Good Information Security Program • Designated security officer (DSO) • Risk Assessment • Policies and Procedures • Organizational security awareness • Regulatory standards compliance • Audit compliance plan
About the Faculty 53
About The Faculty Kathryn Nadro - knadro@sfgh.com Kathryn (“Katie”) Nadro leads Sugar Felsenthal Grais & Helsinger’s Data Security and Privacy practice. Katie advises clients on a diverse array of business matters, including data security and privacy compliance, commercial and business disputes, and employment issues. Katie works with individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter. Katie is a Certified Information Privacy Professional (CIPP/US) and counsels clients on a variety of data security and privacy issues, including breach response, policy drafting, program management, data collection, vendor management, and compliance with ever-changing state, federal, and international privacy law. Katie also has broad litigation experience representing companies and individuals in contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a background as both in-house and outside counsel, Katie understands that business objectives, time, and resources play an important role in reaching a favorable outcome for each client. 54
About The Faculty Jeff Sauntry - jsauntry@goriskneutral.com Jeff Sauntry is the CEO and Founder of Risk Neutral. Jeff has led professional services and engineering organizations at multiple publicly traded Fortune 500 companies as part of executive leadership teams. His operational and technical experience spans strategy development, technology, enterprise software, risk, compliance, fraud, cyber, and physical security. Jeff is a serial entrepreneur who has founded four private companies in his home state of Florida. Jeff is the CoPresident of the Tampa Bay Chapter of the Professional Directors Association (PDA). Jeff is a National Association of Corporate Directors (NACD) member and is recognized as a Leadership Fellow and Certified Director. He completed the Chief Risk Officer (CRO) program at Carnegie Mellon University to complement his numerous professional, technical, and cybersecurity certifications. Jeff is an AM&AA Certified Merger & Acquisition Advisor and EPI Certified Exit Planning Advisor. His ESG (Environment, Social, Governance) passions focus on preserving the world’s oceans and increasing board of director cognitive diversity. Jeff is a US Coast Guard certified Captain in the US Merchant Marine (Master 50GT) and has 20 years of active participation with PADI (Professional Association of Dive Instructors), where he holds a rating of MSDT (Master Scuba Diver Trainer). He is a licensed Florida unlimited electrical contractor & qualifier (EC13008900) and an active member of the Comm-ISAC (Communications – Information Sharing and Analysis Center). Jeff brings an informed and balanced perspective to private/public critical infrastructure, diversity-equity-inclusion, data privacy, cybersecurity, environmental, and sustainability corporate governance programs. 55
About The Faculty Alison Schaffer - aschaffer@jumptrading.com Alison Schaffer Bloom is Legal and Regulatory Counsel at the Jump Trading Group in Chicago. Alison works extensively in the areas of trading, technology, human resources, venture capital, and data protection and privacy. Specifically, Alison leads data protection and privacy application for all of the Jump Trading Group’s business lines globally. Alison graduated from Northwestern University with Honors in Legal Studies and Communication Studies and a Certificate in Service Learning and attained a Masters in Education while a Teach For America corps member in New York. Alison obtained her Juris Doctor from Chicago-Kent College of Law, where she was an avid member of the Trial Team. She is a member of the International Association of Privacy Professionals and holds the Certified Information Privacy Professional/Europe (CIPP/E), a preeminent certification for advanced concentration in European data protection laws, standards and practices. 56
About The Faculty Alex Sharpe - alex@sharpellc.com Alex Sharpe is a long-time Cybersecurity, Governance, and Digital Transformation expert with real-world operational experience. He has spent much of his career helping corporations and government agencies reap the rewards afforded by advances in technology while mitigating risk. He began his career at the NSA before moving into the Management Consulting ranks building practices at Booz Allen and KPMG. He subsequently co-founded two firms with successful exits, including The Hackett Group. Alex holds degrees in Business from Columbia Business School, Systems Engineering from Johns Hopkins University, and Electrical Engineering from New Jersey Institute of Technology (NJIT). He is a published author, speaker, instructor, and advisor. 57
Questions or Comments? If you have any questions about this webinar that you did not get to ask during the live premiere, or if you are watching this webinar On Demand, please do not hesitate to email us at info@financialpoise.com with any questions or comments you may have. Please include the name of the webinar in your email and we will do our best to provide a timely response. IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education. 58
59
About Financial Poise 61 DailyDAC LLC, d/b/a Financial Poise™ provides continuing education to attorneys, accountants, business owners and executives, and investors. It’s websites, webinars, and books provide Plain English, entertaining, explanations about legal, financial, and other subjects of interest to these audiences. Visit us at www.financialpoise.com Our free weekly newsletter, Financial Poise Weekly, updates you on new articles published on our website and Upcoming Webinars you may be interested in. To join our email list, please visit: https://www.financialpoise.com/subscribe/

More Related Content

PPT
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
PDF
How to Build and Implement your Company's Information Security Program
byFinancial Poise
 
PPTX
Information security: importance of having defined policy & process
byInformation Technology Society Nepal
 
PDF
Information Security - Goals, Challenges, and Best Practices Discussed | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PDF
(eBook PDF) Information Security: Principles and Practices 2nd Edition
byrrnohojhxx852
 
PPTX
Introduction to Information security ppt
bykrishkiran2408
 
PPTX
Introduction to Information security ppt
bykrishkiran2408
 
PPTX
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
How to Build and Implement your Company's Information Security Program
byFinancial Poise
 
Information security: importance of having defined policy & process
byInformation Technology Society Nepal
 
Information Security - Goals, Challenges, and Best Practices Discussed | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
(eBook PDF) Information Security: Principles and Practices 2nd Edition
byrrnohojhxx852
 
Introduction to Information security ppt
bykrishkiran2408
 
Introduction to Information security ppt
bykrishkiran2408
 
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 

Similar to CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company's Information Security Program

PDF
1. Security and Risk Management
bySam Bowne
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
PDF
1 info sec+risk-mgmt
bymadunix
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPTX
What is Information Security and why you should care ...
byJames Mulhern
 
PDF
Fundamentals of Information Security..pdf
byZahid Hussain
 
PPT
Information Security
bychenpingling
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
PPTX
12 security policies
bySaqib Raza
 
PPTX
information system and infor,ation management .pptx
byalok1936556sahu
 
PPT
InfoSec Mangement Network and Information Security
bycsmaharma
 
PPTX
ISM-CS5750-01.pptx
byRashidSahito1
 
PDF
Introduction-to-Information-Security-and-Management (2).pdf
bypatriciajulienetolen2
 
PPTX
Lect 1 slides Scope of Information Security.pptx
byMuhammad Fahad Bashir
 
PPTX
Information Security and Indian IT Act 2000
byDr. Prashant Vats
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
PPT
Information security
byPraveen Minz
 
PPTX
Mis mbp is very important topic you will
bychinmaychordiya006
 
PDF
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
byFinancial Poise
 
PPTX
CS5300 class presentation on managing information systems
byzenhubris
 
1. Security and Risk Management
bySam Bowne
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
1 info sec+risk-mgmt
bymadunix
 
1. Security and Risk Management
bySam Bowne
 
What is Information Security and why you should care ...
byJames Mulhern
 
Fundamentals of Information Security..pdf
byZahid Hussain
 
Information Security
bychenpingling
 
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
12 security policies
bySaqib Raza
 
information system and infor,ation management .pptx
byalok1936556sahu
 
InfoSec Mangement Network and Information Security
bycsmaharma
 
ISM-CS5750-01.pptx
byRashidSahito1
 
Introduction-to-Information-Security-and-Management (2).pdf
bypatriciajulienetolen2
 
Lect 1 slides Scope of Information Security.pptx
byMuhammad Fahad Bashir
 
Information Security and Indian IT Act 2000
byDr. Prashant Vats
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
Information security
byPraveen Minz
 
Mis mbp is very important topic you will
bychinmaychordiya006
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
byFinancial Poise
 
CS5300 class presentation on managing information systems
byzenhubris
 

More from Financial Poise

PDF
IP-301 POST-GRANT REVIEW TRIALS 2022 - Things to Consider Before You File
byFinancial Poise
 
PDF
IP-301 POST-GRANT REVIEW TRIALS 2022 - PGRT Basics
byFinancial Poise
 
PDF
THE NUTS & BOLTS OF BANKRUPTCY LAW 2022: The Nuts & Bolts of a First Day Hearing
byFinancial Poise
 
PDF
RESTRUCTURING, INSOLVENCY & TROUBLED COMPANIES 2022: Bad Debtor Owes Me Money!
byFinancial Poise
 
PDF
PERSUASIVE BRIEF WRITING 2022 - Style
byFinancial Poise
 
PDF
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
byFinancial Poise
 
PDF
NEWBIE LITIGATOR SCHOOL - 101 Part 3 2022 - Enforcement: Post-Judgment Procee...
byFinancial Poise
 
PDF
NEWBIE LITIGATOR SCHOOL - 101 Part 3 2022 -Appellate Practice- 101
byFinancial Poise
 
PDF
MARKETING TIPS FOR THE NEW (OR OLD!) BUSINESS OWNER 2022: Learn How to Do Con...
byFinancial Poise
 
PDF
CHAPTER 11 - INDUSTRY FOCUS 2022 - Focus on Oil and Gas
byFinancial Poise
 
PDF
BUSINESS LAW REVIEW- 2022: Selling a Business
byFinancial Poise
 
PDF
BUSINESS LAW REVIEW- 2022: Immigration Law for Business-101
byFinancial Poise
 
PDF
NEWBIE LITIGATOR SCHOOL - Part I 2022: Working With Experts
byFinancial Poise
 
PDF
CORPORATE REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Executive Compensat...
byFinancial Poise
 
PDF
CORPORATE REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Securities Law Comp...
byFinancial Poise
 
PDF
M&A BOOT CAMP - 2022: Post-Closing Issues -Integration & Potential Buyer Sell...
byFinancial Poise
 
PDF
M&A BOOT CAMP 2022 - Key Provisions in M&A Agreements
byFinancial Poise
 
PDF
M&A BOOT CAMP 2022 - The M&A Process
byFinancial Poise
 
PDF
CROWDFUNDING 2022 - Crowdfunding from the Investor's Perspective
byFinancial Poise
 
PDF
CROWDFUNDING 2022 - Securities Crowdfunding for Intermediaries
byFinancial Poise
 
IP-301 POST-GRANT REVIEW TRIALS 2022 - Things to Consider Before You File
byFinancial Poise
 
IP-301 POST-GRANT REVIEW TRIALS 2022 - PGRT Basics
byFinancial Poise
 
THE NUTS & BOLTS OF BANKRUPTCY LAW 2022: The Nuts & Bolts of a First Day Hearing
byFinancial Poise
 
RESTRUCTURING, INSOLVENCY & TROUBLED COMPANIES 2022: Bad Debtor Owes Me Money!
byFinancial Poise
 
PERSUASIVE BRIEF WRITING 2022 - Style
byFinancial Poise
 
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
byFinancial Poise
 
NEWBIE LITIGATOR SCHOOL - 101 Part 3 2022 - Enforcement: Post-Judgment Procee...
byFinancial Poise
 
NEWBIE LITIGATOR SCHOOL - 101 Part 3 2022 -Appellate Practice- 101
byFinancial Poise
 
MARKETING TIPS FOR THE NEW (OR OLD!) BUSINESS OWNER 2022: Learn How to Do Con...
byFinancial Poise
 
CHAPTER 11 - INDUSTRY FOCUS 2022 - Focus on Oil and Gas
byFinancial Poise
 
BUSINESS LAW REVIEW- 2022: Selling a Business
byFinancial Poise
 
BUSINESS LAW REVIEW- 2022: Immigration Law for Business-101
byFinancial Poise
 
NEWBIE LITIGATOR SCHOOL - Part I 2022: Working With Experts
byFinancial Poise
 
CORPORATE REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Executive Compensat...
byFinancial Poise
 
CORPORATE REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Securities Law Comp...
byFinancial Poise
 
M&A BOOT CAMP - 2022: Post-Closing Issues -Integration & Potential Buyer Sell...
byFinancial Poise
 
M&A BOOT CAMP 2022 - Key Provisions in M&A Agreements
byFinancial Poise
 
M&A BOOT CAMP 2022 - The M&A Process
byFinancial Poise
 
CROWDFUNDING 2022 - Crowdfunding from the Investor's Perspective
byFinancial Poise
 
CROWDFUNDING 2022 - Securities Crowdfunding for Intermediaries
byFinancial Poise
 

Recently uploaded

PPTX
A detailed notes on Conjugate Vaccine and its mechanism.
byDr. R. Ram
 
PPTX
Math 8 Quarter 4 Week 3 PRIMARY DATA.pptx
byshahanieabbat3
 
PPTX
Chapter 1: Introduction to Economics - Macroeconomics and Microeconomics.pptx
byFJ M
 
PDF
Artificial Intelligence in Research and Academic Writing, Workshop on Researc...
byProf. Vinod Kumar Kanvaria
 
PPTX
Modeling Simple Equation using Bar Model.pptx
byshahanieabbat3
 
PPTX
EYE IRRIGATION AND INSTILLATION....pptx
byAneetaSharma15
 
PPTX
How to Easily Track Appraisal Analysis Report in Odoo 18 Appraisal
byCeline George
 
PPTX
Guidelines for reporting social networks and personal networks data
byisidromj
 
PPTX
ECP Demo ppt.pptx Visualizing and Identifying solid figures using concrete an...
byireneodechavez1
 
PDF
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
DOCX
Q4_-LE_PEH8_Lesson1_Week1 pls don't docx
bymirajaneee00
 
PDF
Why Projects Fail – The Need to “Do the Right Project” and “Do the Project Ri...
byAssociation for Project Management
 
PPTX
Lesson_1 Acceleration.pptx_Science 8-4th quarter
byAnnabelAlarcon
 
PPTX
Complete Overview of Revamp in Odoo 18 Debug
byCeline George
 
PPTX
GRADE 8 - QUARTER 4 TYPES AND PARTS OF LETTER.pptx
byvillariasjazminercai
 
PDF
Tetracycline Class of Antibiotics: SAR, MOA and Uses
bymominzarinamdnajeeb
 
PPTX
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
PPTX
Biological source, chemical constituents, and therapeutic efficacy of the fol...
bySai Meer College of Pharmacy
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PDF
Using T-Test to Analyze Research Data.pdf
byThelma Villaflores
 
A detailed notes on Conjugate Vaccine and its mechanism.
byDr. R. Ram
 
Math 8 Quarter 4 Week 3 PRIMARY DATA.pptx
byshahanieabbat3
 
Chapter 1: Introduction to Economics - Macroeconomics and Microeconomics.pptx
byFJ M
 
Artificial Intelligence in Research and Academic Writing, Workshop on Researc...
byProf. Vinod Kumar Kanvaria
 
Modeling Simple Equation using Bar Model.pptx
byshahanieabbat3
 
EYE IRRIGATION AND INSTILLATION....pptx
byAneetaSharma15
 
How to Easily Track Appraisal Analysis Report in Odoo 18 Appraisal
byCeline George
 
Guidelines for reporting social networks and personal networks data
byisidromj
 
ECP Demo ppt.pptx Visualizing and Identifying solid figures using concrete an...
byireneodechavez1
 
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
Q4_-LE_PEH8_Lesson1_Week1 pls don't docx
bymirajaneee00
 
Why Projects Fail – The Need to “Do the Right Project” and “Do the Project Ri...
byAssociation for Project Management
 
Lesson_1 Acceleration.pptx_Science 8-4th quarter
byAnnabelAlarcon
 
Complete Overview of Revamp in Odoo 18 Debug
byCeline George
 
GRADE 8 - QUARTER 4 TYPES AND PARTS OF LETTER.pptx
byvillariasjazminercai
 
Tetracycline Class of Antibiotics: SAR, MOA and Uses
bymominzarinamdnajeeb
 
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
Biological source, chemical constituents, and therapeutic efficacy of the fol...
bySai Meer College of Pharmacy
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
Using T-Test to Analyze Research Data.pdf
byThelma Villaflores
 

CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company's Information Security Program

  • 2.
    2 Practical and entertainingeducation for attorneys, accountants, business owners and executives, and investors.
  • 3.
    Disclaimer The material inthis webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate, Financial Poise™ makes no guaranty in this regard. 3
  • 4.
    4 Thank You ToOur Sponsors
  • 5.
    Meet the Faculty MODERATOR: KathrynNadro - Sugar, Felsenthal, Grais & Helsinger LLP PANELISTS: Jeff Sauntry – Risk Neutral Alison Schaffer - Jump Trading Group Alex Sharpe - Sharpe LLC 5
  • 6.
    About This Webinar- Howto Build and Implement your Company's Information Security Program Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure? An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place. This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data. 6
  • 7.
    About This Series CyberSecurity & Data Privacy 2022 Cybersecurity and data privacy are critical topics of concern for every business in today’s environment. Data breaches are a threat to every business and can cause both direct losses from business interruption and loss of data to indirect losses from unwanted publicity and damage to your business’s reputation. Compliance with a patchwork of potentially applicable state and federal laws and regulations may cost your business in terms of money and time. This series discusses the various laws and regulations that affect businesses in the United States and in Europe, as well as the best practices to use in creating an information security program and preparing for and responding to data breaches. Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and executives without much background in these areas, yet is of primary value to attorneys, accountants, and other seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that participants will enhance their knowledge of this area whether they attend one, some, or all episodes. 7
  • 8.
    Episodes in thisSeries #1 Introduction to US Privacy and Data Security: Regulations and Requirements Premiere date: 08/03/22 #2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance Premiere date: 9/07/22 #3: How to Build and Implement your Company's Information Security Program Premiere date: 10/12/22 #4: Data Breach Response: Before and After the Breach Premiere date: 11/09/22 8
  • 9.
    Episode #3: Howto Build and Implement your Company's Information Security Program 9
  • 10.
    Introduction • Information securityprograms are a documented set of a company or agency’s information security policies, guidelines and procedures • Majority of security programs aim to assess risk, monitor threats, and mitigate cyber security attacks • Implemented in any industry that deals with personally identifiable information or other sensitive information or systems
  • 11.
    What is InformationSecurity (INFOSEC)? • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability of information - Intellectual Property (IP) - Confidential, private, and sensitive information, or - information in all forms, both digital and physical • Protection important during storage, processing, transmission
  • 12.
    Information Security (INFOSEC)vs. Cybersecurity vs. Information Assurance (IA) • Share the common goals of protecting the confidentiality, integrity, and availability of information • Terms are often used interchangeably but do not have the exact same meaning • All three terms are concerned with the CIA Triad • INFOSEC scope is information in all forms (i.e., digital and paper) • Cybersecurity is information in digital form • IA are the measures that protect and defend information and information systems by ensuring their availability, integrity, authentication - Basically, a term for INFOSEC used in select committees
  • 13.
    Motivation to Createan Information Security Program (ISP) • 60% of global revenues are from digital sources • More than 50% of corporate valuations are based on intangible assets • Cyber risk is intrinsic to the modern business world • Cyber risk is now a board conversation • Required by: - regulation - legislation - customers - vendors - suppliers
  • 14.
    The Purpose • Differentinstitutions may create ISPs for various reasons, but they generally share few similarities, including - √ Establish a general approach to information security √ Detect and forestall the compromise of information security (i.e. misuse of data, networks, computer systems and applications √ Protect reputation of the company with respect to its ethical and legal obligations √ Recognize the rights of customers o i.e. providing effective mechanism for responding to complaints
  • 15.
    The Scope • Generally,ISPs address: √ All data √ Programs √ Systems √ Facilities √ Other tech infrastructure
  • 16.
    Information Security Objectives •An organization looking to implement ISP needs to have well-defined objectives • Information security systems are deemed to safeguard 3 main objectives - √ Confidentiality √ Integrity √ Availability
  • 17.
    Information Security Programs– Then and Now • Early information security efforts identified confidentiality, integrity, and availability (“CIA Triad”) as primary security factors • The rise of information security programs - √ 1967 - military computers were hacked and CIA Triad found to be inadequate - not much was changed √ 1970s - “phreakers” exploit vulnerabilities in telephone network to make free long- distance calls √ 1980s - First National Bank of Chicago hacked for $70 million √ 1990s & 2000s - computers become targets as more people provide personal information online
  • 18.
    The CIA Triad •Confidentiality √ Controlling who gets to access information √ Ensuring only individuals who need access to this information to do their jobs get that access √ Access restricted to only authorized individuals • Integrity √ Ensuring information and programs are changed only in a specified and authorized manner o i.e. information has not been tampered with or deleted by those with unauthorized access
  • 19.
    The CIA Triad(cont’d) • Availability √ Ensuring authorized users have continued access to information and resources o Information is readily available to those who need it to successfully conduct an organization’s business
  • 20.
    What Information isProtected? • Anything of value or any information required to be protected by law or regulation • Examples: - Intellectual Property (IP) and proprietary information - Operational data (i.e., data which businesses cannot run without) - Required by: - law - regulation - contracts • Types of protected information can include: - private information - personally identifiable information - health information - information protected by GDPR, other data protection laws
  • 21.
    Proposed Regulation andRule Changes • SEC Proposed Rule Changes • Cyber Incidents • Board Composition • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), March 2022 • Creates legal protections • Provides guidance to companies that operate in critical infrastructure sectors, including a required reporting of cyber incidents within 72 hours • Requires ransom payments to be reported  Federal data laws that look a lot like a federal privacy law
  • 22.
    SEC Proposed Rule InMay 2022, SEC proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Proposed amendments in 17 CFR 229, 232, 239, 240 and 249 would require: - Current reporting about material cybersecurity incidents - Periodic reporting to provide updates about previously reported cybersecurity incidents - Periodic reporting about cybersecurity policies and procedures - Reporting about board oversight of cybersecurity risk - Reporting about management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures
  • 23.
    Relevant Laws andOther ISP Items • An ISP is likely to include reference to relevant laws √ i.e. HIPAA, GLBA, international data protection laws like the EU General Data Protection Regulation (GDPR) • ISP may also include - √ Virus Protection Procedure √ Intrusion Detection Procedure √ Remote Work Procedure √ Technical Guidelines √ Consequences for Non-compliance √ Disciplinary Actions √ Terminated Employees
  • 24.
    Massachusetts Standard: 201C.M.R. 17 • Standards for the Protection of Personal Information of Residents of the Commonwealth • Implemented in 2010 - the top personal information protection law in the US when enacted • Makes every person or entity that owns personal information of a Massachusetts resident to adopt a written information security program (WISP) designed with appropriate safeguards
  • 25.
    Massachusetts Information SystemLaw • In Massachusetts, every information security program must include: √ At least one employee maintaining the information security program; √ Identify foreseeable security risks, both internal and external; √ Employee security policies dealing with access and transportation of personal information outside of the business; √ Disciplinary measures for violations; √ Methods of how to prevent terminated employees from reaching personal information.
  • 26.
    Massachusetts Information SystemLaw (cont’d) √ Oversee third-party service providers by taking reasonably steps to adopt and maintain security measures consistent with the entity; √ Restrictions on stored personal information access; √ Regular monitoring to ensure compliance with the implemented information security program and stop unauthorized access; √ Annual review of the security program, or whenever there is a material change in the business practices; and √ Document any incident involving a security breach and actions taken in response to breaches, and any review of business practices to protect personal information, if necessary.
  • 27.
    NY Department ofFinancial Services Cybersecurity Regulation, 23 NYCRR Part 500 • Requires that all financial service companies maintain an ISP √ Any company regulated by the Department of Financial Services √ Exceptions - o Organization with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets
  • 28.
    NY Department ofFinancial Services Cybersecurity Regulation • The ISP must address: √ information security; √ data governance and classification; √ asset inventory and device management; √ access controls and identity management; √ business continuity and disaster recovery planning and resources; √ systems operations and availability concerns; √ systems and network security; √ systems and network monitoring;
  • 29.
    NY Department ofFinancial Services Cybersecurity Regulation (cont’d) • The ISP must address: √ systems and application development and quality assurance; √ physical security and environmental controls; √ customer data privacy; √ vendor and Third Party Service Provider management; √ risk assessment; and √ incident response.
  • 30.
    NY Stop Hacksand Improve Electronic Data Act (“SHIELD Act”) • Expands NY breach notification law and imposes data security program requirements on businesses that possess the private information of New York State residents - Applies regardless of whether the businesses have any physical presence in New York State • Program requirements include administrative, technical, and physical safeguards for detecting and responding to intrusions and maintaining security of information • Businesses subject to and in compliance with Gramm-Leach-Bliley, HIPAA, or the NY Dept. of Financial Services Cybersecurity Requirements are exempted from this requirement under the SHIELD Act
  • 31.
    NY Stop Hacksand Improve Electronic Data Act (“SHIELD Act”) (cont’d) • Limited reprieve for “small businesses” with fewer than fifty employees, less than $3 million in gross revenues in the last three fiscal years, or less than $5 million in year-end total assets • Expands the definition of “private information” subject to NY data breach notification law • NY Attorney General can pursue civil penalties, but there is no private right of action
  • 32.
    California Consumer PrivacyAct • Effective January 1, 2020 (amendment called the California Privacy Rights Act effective January 1, 2023) • CCPA/CPRA mandated companies do the following: √ Inform consumers about the categories of personal information collected and the purposes for which the information is being used; √ Respond to verifiable consumer requests to access certain information; √ Allow customers to opt-out of the sale of their personal information; and √ Enable consumers (subject to carve outs) to request that businesses delete their personal information • CPRA will require annual cybersecurity audits for certain companies processing personal information that might present a “significant risk” to consumer privacy and security
  • 33.
    California Consumer PrivacyAct (cont’d) • Applies to business if they are businesses that collect and control California residents’ personal information, do business in California, and satisfy one of the following: √ Have annual gross revenues in excess of $25 million, or √ Receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis (increased to 100,000 as of January 1, 2023), or √ Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
  • 34.
    CCPA Private Rightof Action • Limited private right of action for consumers whose information is exposed in a data breach if the business failed to take reasonable and appropriate security measures • Consumers may receive statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater • California Privacy Protection Agency enforces the CCPA/CPRA and may also issue fines of up to $7,500 per violation
  • 35.
    Key Elements ofan Effective Information Security Program (ISP) • Purpose • Scope • Information security objectives √ CIA Triad • Authority and access control policy • Classification of data • Data support and operations • Security awareness sessions • Responsibilities and duties of personnel • Relevant laws
  • 36.
    Domains A domain isa distinct set or group of security practices (controls) which have similar attributes to each other. Source: Sharpe Consulting LLC
  • 37.
    Integration into ExistingGovernance, Risk, and Compliance (GRC) Principles First Line of Defense - technical and operational controls - largely the responsibility of IT - IT audit is Line of Defense 1.5 Second Line of Defense - Risk Management, Compliance, Finance, etc. - Training, awareness, and incident response - Policies and risk appetite Third Line of Defense - Internal audit Fourth Line of Defense - External audit (assurance to the Board) Source: Sharpe42 LLC STRONG The Purse Strings Ultimate defense is ALWAYS between the keyboard and the back of the chair
  • 38.
    Authority Access &Control Policy • Typically, a security policy has a hierarchical pattern: √ Junior staff usually bound not to share the little amount of information they have unless explicitly authorized √ Senior manager may have enough authority to make a decision on what data can be shared and with whom √ Policies governing senior employees may not be the same policy governing junior employees √ ISP should address every basic position in the organization with specifications that will clarify their authoritative status
  • 39.
    Classification of Data •Data can have different value and thus may impose separation and specific handling regimes/procedures for each kind of data • Information classification system is commonly sorted as: √ High risk or highly confidential class √ Confidential class √ Public class
  • 40.
    Classification of Data(cont’d) • High risk class - generally data protected by state and/or federal legislation or regulations √ Information covered under HIPAA, FERPA, or other federal regulations √ Financial data √ Payroll √ Personnel (privacy requirements) • Confidential Class √ Data in this class may not be covered by any laws or regulations, but the data owner judges that it should be protected against unauthorized disclosure √ Information protected by NDAs, trade secrets, confidential business information •
  • 41.
    Classification of Data(cont’d) • Public Class √ Information freely distributed • Data owners should determine both the data classification and the exact measures a data custodian needs to take to preserve integrity in accordance to that level
  • 42.
    Data Support andOperations • The regulation of general system mechanisms responsible for data protection n √ Data backup √ Movement of data
  • 43.
    Critical Infrastructure andPhysical Security • Presidential Policy Directive 21 (PPD-21) • Originally defined in 1998 (Clinton Administration) under Presidential Decision Directive 63 • In practice the term refers to utilities that affects the population – gas, electric, water, wastewater • Historically outages are from Weather, Physical, Cyber is growing • Greatest concern is IT effect on Operational Technology (OT) like Colonial Pipeline
  • 44.
    Critical Infrastructure Sectors Chemical Communications Dams EmergencyServices Financial Services Government Facilities Information Technology Transportation • Commercial Facilities • Critical Manufacturing • Defense Industrial Base • Energy • Food and Agricultural • Healthcare and Public Health • Nuclear Reactors, Materials and Waste • Water and Wastewater Systems • Social Media?
  • 45.
    Oldsmar (Tampa) WaterTreatment • Tampa’s water treatment system was accessed remotely • Increased the amount of lye (aka drain cleaner) • Supervisor saw the concentration being changed on his computer screen and immediately reverted • Other safeguards are in place • What if APT disabled safeguards first? • Kudos to Homeland Security
  • 46.
    Cyber Attack onPower Grid • First documented case, 2015 in Ukraine • Still not fully operational two months after the attack • Threat grows with IoT adoption • Big time cyber target Factoid: Russia unleashed more cyber attacks on Ukraine in the first day of the invasion than we typically see from all cyber actors in a year
  • 47.
    National Defense Responses “Israelis under constant threat in the cyber dimension, and attacks are sometimes carried out against it. We are able to deal with most of the threats through advanced defense capabilities,” Maj. Gen. Tamir Hayman said at a conference at Tel Aviv University
  • 48.
    Security Awareness EmployeeTraining • Security awareness training could help provide employees with information regarding how to collect/use/delete data, maintain data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage of social networking, etc. • Security awareness training has the highest Return on Investment (ROI) for companies
  • 49.
    Responsibilities and Dutiesof Personnel • Not unusual for institutions to hire an ISP person with the sole responsibility for √ implementation √ education and training √ incident response √ user access reviews √ periodic updates of an ISP
  • 50.
    Employee Maintaining theInformation Security Program • Employee is the designated officer for handling every aspect of the program. √ A designated security officer is responsible for coordinating and maintaining the security program. • This person should maintain independence by reporting to someone outside of the IT department.
  • 51.
    Assessing Risk • Whatrisks could your organization face? √ Examples: loss of data, unauthorized access, data corruption, hack, third-party data sharing, etc. • What would be appropriate, cost-effective management techniques for these risks?
  • 52.
    Additional Elements ofa Good Information Security Program • Designated security officer (DSO) • Risk Assessment • Policies and Procedures • Organizational security awareness • Regulatory standards compliance • Audit compliance plan
  • 53.
  • 54.
    About The Faculty KathrynNadro - knadro@sfgh.com Kathryn (“Katie”) Nadro leads Sugar Felsenthal Grais & Helsinger’s Data Security and Privacy practice. Katie advises clients on a diverse array of business matters, including data security and privacy compliance, commercial and business disputes, and employment issues. Katie works with individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter. Katie is a Certified Information Privacy Professional (CIPP/US) and counsels clients on a variety of data security and privacy issues, including breach response, policy drafting, program management, data collection, vendor management, and compliance with ever-changing state, federal, and international privacy law. Katie also has broad litigation experience representing companies and individuals in contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a background as both in-house and outside counsel, Katie understands that business objectives, time, and resources play an important role in reaching a favorable outcome for each client. 54
  • 55.
    About The Faculty JeffSauntry - jsauntry@goriskneutral.com Jeff Sauntry is the CEO and Founder of Risk Neutral. Jeff has led professional services and engineering organizations at multiple publicly traded Fortune 500 companies as part of executive leadership teams. His operational and technical experience spans strategy development, technology, enterprise software, risk, compliance, fraud, cyber, and physical security. Jeff is a serial entrepreneur who has founded four private companies in his home state of Florida. Jeff is the CoPresident of the Tampa Bay Chapter of the Professional Directors Association (PDA). Jeff is a National Association of Corporate Directors (NACD) member and is recognized as a Leadership Fellow and Certified Director. He completed the Chief Risk Officer (CRO) program at Carnegie Mellon University to complement his numerous professional, technical, and cybersecurity certifications. Jeff is an AM&AA Certified Merger & Acquisition Advisor and EPI Certified Exit Planning Advisor. His ESG (Environment, Social, Governance) passions focus on preserving the world’s oceans and increasing board of director cognitive diversity. Jeff is a US Coast Guard certified Captain in the US Merchant Marine (Master 50GT) and has 20 years of active participation with PADI (Professional Association of Dive Instructors), where he holds a rating of MSDT (Master Scuba Diver Trainer). He is a licensed Florida unlimited electrical contractor & qualifier (EC13008900) and an active member of the Comm-ISAC (Communications – Information Sharing and Analysis Center). Jeff brings an informed and balanced perspective to private/public critical infrastructure, diversity-equity-inclusion, data privacy, cybersecurity, environmental, and sustainability corporate governance programs. 55
  • 56.
    About The Faculty AlisonSchaffer - aschaffer@jumptrading.com Alison Schaffer Bloom is Legal and Regulatory Counsel at the Jump Trading Group in Chicago. Alison works extensively in the areas of trading, technology, human resources, venture capital, and data protection and privacy. Specifically, Alison leads data protection and privacy application for all of the Jump Trading Group’s business lines globally. Alison graduated from Northwestern University with Honors in Legal Studies and Communication Studies and a Certificate in Service Learning and attained a Masters in Education while a Teach For America corps member in New York. Alison obtained her Juris Doctor from Chicago-Kent College of Law, where she was an avid member of the Trial Team. She is a member of the International Association of Privacy Professionals and holds the Certified Information Privacy Professional/Europe (CIPP/E), a preeminent certification for advanced concentration in European data protection laws, standards and practices. 56
  • 57.
    About The Faculty AlexSharpe - alex@sharpellc.com Alex Sharpe is a long-time Cybersecurity, Governance, and Digital Transformation expert with real-world operational experience. He has spent much of his career helping corporations and government agencies reap the rewards afforded by advances in technology while mitigating risk. He began his career at the NSA before moving into the Management Consulting ranks building practices at Booz Allen and KPMG. He subsequently co-founded two firms with successful exits, including The Hackett Group. Alex holds degrees in Business from Columbia Business School, Systems Engineering from Johns Hopkins University, and Electrical Engineering from New Jersey Institute of Technology (NJIT). He is a published author, speaker, instructor, and advisor. 57
  • 58.
    Questions or Comments? Ifyou have any questions about this webinar that you did not get to ask during the live premiere, or if you are watching this webinar On Demand, please do not hesitate to email us at info@financialpoise.com with any questions or comments you may have. Please include the name of the webinar in your email and we will do our best to provide a timely response. IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education. 58
  • 59.
  • 61.
    About Financial Poise 61 DailyDACLLC, d/b/a Financial Poise™ provides continuing education to attorneys, accountants, business owners and executives, and investors. It’s websites, webinars, and books provide Plain English, entertaining, explanations about legal, financial, and other subjects of interest to these audiences. Visit us at www.financialpoise.com Our free weekly newsletter, Financial Poise Weekly, updates you on new articles published on our website and Upcoming Webinars you may be interested in. To join our email list, please visit: https://www.financialpoise.com/subscribe/