On April 27th, Mitchell Hamline's Center for Law and Business hosted a lunch celebration and CLE program on Cybersecurity: The New Priority for Business. The program featured legal and privacy professionals who discussed the importance of strong measures in protecting and enforcing the proper use of data for businesses in 2016 and beyond.
Program Faculty:
Professor Sharon Sandeen, Mitchell Hamline School of Law
Andy Ubel, Chief Intellectual Property Counsel, Valspar Corp.
Ken Morris, Senior Advisor, RedPoint Advisors
Charlotte Tschider, Owner/Principal, Cybersimple Security, LLC
In March 2016, Mitchell Hamline announced plans to launch a Cybersecurity and Privacy Law Certificate program designed to help professionals deal effectively with the complex legal, policy, and compliance issues involved in this critically important area. For more information or to register for the program visit http://mitchellhamline.edu/cybersecurity/
The document discusses how human error is a major cause of data breaches and security incidents, despite malicious hacking being the primary threat. It notes that 97% of breaches were avoidable through basic controls and outlines strategies for organizations to help prevent accidental data leakage by employees, such as creating clear security policies, providing regular security awareness training, and avoiding overly long checklists of rules.
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac... - centralohioissa
This session will provide details on the new law and its requirements, as well as address the current threat landscape, summarize existing data security laws in the U.S., discuss the new EU cyber directive, and the continued impact of the Safe Harbor decision. We will disentangle these regulatory changes and challenges and provide tips and tricks for compliance.
I’ve been hacked: the essential steps to take next - Brian Pichman
It happens. A place you shop at frequently gets its data stolen. Someone was able to get access to one of your accounts. Or a system you manage gets compromised. No matter how the data breach happened, it is important to be prepared ahead of time, before the worst happens. Join Brian Pichman as he helps you put a proactive plan in place and learn what to do after you or your organization has been hacked. Attendees will walk away from this webinar with a toolbox for their library and for educating their users.
Cyber attacks and data breaches are increasing. Hackers are targeting smaller companies to access personal information like credit cards, social security numbers, and passwords. To reduce risk, companies should implement security measures like firewalls, encryption, training employees on security best practices, and establishing a computer security incident response team to respond effectively to any data breaches. Regular security assessments, software updates, and network monitoring can help organizations strengthen their cyber defenses.
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros - Nicholas Van Exan
An overview of some contemporary topics related to privacy and data breaches, with a focus on how security professionals can help mitigate privacy risks both before and after data breaches occur.
How to safe your company from having a security breach - Baltimax
To prevent security breaches, companies must address root causes like human error, abuse/fraud, and problems in processes. The document recommends that companies get board support, identify risks, classify data, secure perimeters, implement policies, and provide user training. It also suggests choosing a security approach that fits the company's structure, finding and solving issues like access control and insider threats, and developing a culture of responsibility through openness and ongoing training.
University of Wisconsin-Madison, Information Security 365/765 Course Summary,... - Nicholas Davis
This document summarizes the key points from a university lecture on information security. It discusses topics covered during the semester including a guest speaker from the FBI, security controls, CIA triad, categories of controls, ingredients of security, technical weaknesses, defense in depth, risk analysis, hiring and termination practices, security policies, cloud security, BYOD, and more. The document recaps the various assignments and presentations given throughout the course.
This document summarizes James McKinlay's presentation on "Cyber Hygiene at speed and scale - How to Clean a Datacenter". The presentation discusses the benefits of implementing vulnerability assessment and management (VMaaS) in managed datacenters to improve security. It recommends starting with quick wins like installing VMaaS agents, building a knowledgebase of patches, and linking VMaaS to configuration management databases. Long-term, security automation could be expanded to correlate software assets, maintain baselines, query systems, and collect security details. The takeaway is that datacenter operators should prioritize basic security hygiene and work with managed service providers to integrate more proactive security measures.
This document discusses various options for information systems security education and training, including self-study programs, instructor-led programs, certificate programs, continuing education programs, postsecondary degree programs from associate's to doctoral levels, and information security training programs. It describes the advantages and disadvantages of self-study programs, characteristics of certificate and continuing education programs, and different types of postsecondary degrees including their focuses and durations.
As the European Union (EU) has enacted the General Data Protection Regulation (GDPR), it is easy to assume this regulation applies only to multinational or European companies. GDPR will certainly impact businesses in the EU, but it also extends its applicability to international businesses, even those based in the United States.
In this webinar, Daniel Cohen-Dumani and Anupam Goradia of Withum cover what exactly GDPR is and why it is important to your business. We also share practical tips and best practices on how to ensure your compliance.
This document provides an overview of data protection impact assessments (DPIAs) and the role of the data protection officer (DPO) under the General Data Protection Regulation (GDPR). It discusses when DPIAs are required, the DPIA process, how to identify and assess risks, select controls, and ensure continuous monitoring. It also outlines the DPO requirements, including the need for independence and expertise. The DPO is responsible for enabling compliance and fostering a data protection culture.
A presentation about cyberwar basics, the past, present and future directions of cyberwar, and some needed changes in technology and long-standing societal attitudes to combat this escalating threat.
This document discusses preparations for the General Data Protection Regulation (GDPR) which takes effect in May 2018. It begins by outlining how GDPR compliance was previously viewed, with most companies believing they were unprepared. It then discusses key aspects of GDPR including higher fines, strengthened consent requirements, privacy by design, mandatory breach reporting, expanded obligations for processors, and mandatory data protection officers. Finally, it provides recommendations for steps companies can take to prepare such as forming a steering group, training, conducting data discovery and impact assessments, updating policies, and creating breach response plans. The overall message is that early preparation is important to avoid noncompliance under the new, stricter GDPR requirements.
Information Security Fall Semester 2016 - Course Wrap Up Summary - Nicholas Davis
This presentation is a summary, for the students of the IS 365/765 course I teach at the University of Wisconsin-Madison, providing a 104-slide reminder of the most important topics in Information Security which we covered throughout the semester. Today is the last day of course material. We have 4 days of student team presentations to follow.
Implementing and Auditing General Data Protection Regulation - Jim Kaplan CIA CFE
Implementing and Auditing GDPR Series (1 of 10)
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 1 of 10
• Bands of penalties and range of awards for breaches
• Lawfulness of processing and consent
• The six data protection principles
While the use of Data Analytics produces excellent results, it is commonly applied in a tactical way for specific functional areas within an organization. This tactical approach often falls short of realizing the full potential of Data Analytics. Going beyond initial results, a more systematic approach to Data Analytics can help drive organizational learning (human and machine) from the various remediation processes.
In this Webinar, we’ll discuss 3 areas of Analytics Automation: (1) Producing the findings, (2) Managing the findings, and (3) Learning from the findings.
Key takeaways:
· The value of Analytics Automation
· Understanding the various technologies (e.g. RPA, AI, etc.)
· Practical ideas for deploying and managing Analytics Automation
· Using a more structured approach to remediation exceptions
· Benefits of Root Cause Analysis
· Using Analytics Automation to get a broader, more complete view of your organization over time
Data Security: What Every Leader Needs to Know - Roger Hagedorn
This document summarizes a presentation on data security for organizational leaders. It covers the key components of an effective security program, including support from management, understanding your data and where it is stored, implementing proper IT controls and monitoring, establishing security policies and procedures, and gaining staff involvement through training. It also discusses how to identify if a breach has occurred based on network traffic and user activity anomalies, and the steps to take in response, such as identifying and quarantining the damage before disinfecting and resecuring the network. The presentation aims to educate leaders on security basics and preparing an incident response plan.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves with IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and where are we going?
Current Cyber Risks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
IT Career Survey: March Madness 2013: How the nation's IT pros prepare - Modis
The survey of 502 IT professionals found that:
1) 48% said their company takes action to block, throttle or ban streaming non-work content, and 34% have taken action to prepare for March Madness such as banning or throttling sports video.
2) Exceptions are made for CEOs and senior employees for content streaming policies.
3) 30% said their department monitors employees who violate content policies, while others rely on reminding employees or an honor system.
4) Social media sites like Facebook and video sites like Netflix are commonly restricted by content policies.
5) Some IT professionals expect stricter policies in the future, while many already work overtime to maintain networks during high usage periods like March
Be More Secure than your Competition: MePush Cyber Security for Small Business - Art Ocain
The document provides guidance on improving cybersecurity through basic training and awareness. It discusses how people are often the biggest vulnerability and outlines common social engineering tactics like playing on emotions, creating a sense of urgency, and using hyperlinks or attachments in emails. It recommends continuous education and emphasizes that antivirus alone is not sufficient, and that email filtering and training are important defenses against phishing attacks. Additional resources are provided to help test for phishing vulnerabilities and check if email addresses have been involved in data breaches. Physical security controls and separating financial duties are also recommended to reduce fraud risks.
Information Technology Policy for Corporates - Need of the Hour - Vijay Dalmia
An Information Technology Policy for Corporates is the need of the hour, as organisations are continuously at risk of violations of information technology laws, commission of cyber crimes, sexual harassment, e-mail violations, and misuse of the internet and intranet.
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 3
• Data protection by design
• Securing personal data
• Reporting data breaches
Security threats are growing in volume, scale, and complexity. Not a day passes that we don’t hear about another data breach; and the average organization that’s hacked goes bankrupt within a year. From small and medium-size organizations to Fortune 500 companies, across every industry, no one is immune. It’s no longer enough to keep the bad stuff out (threat protection) or just keep the good stuff in (information protection). This session is a practical discussion on the ever evolving threat landscape, how you can keep up and protect yourself, your organization, and its reputation. It will help you build awareness about the types of resources and sensitive data that your nonprofit has, with tips on practical, accessible steps that you can take to ensure that information is safeguarded.
In 2015, phishing-related breaches dominated security news headlines, and phishing will likely remain the leading initial point-of-entry method for 2016. Not surprisingly, an upswing in security awareness spending has paralleled the rise in phishing. In this presentation we dive deep into the largest data pool of human phishing susceptibility and also new research about phishing awareness. We will also look at phishing from the attacker’s point of view and look for opportunities to be better defenders.
Let’s examine the evidence and decide if awareness is the problem. Why do users who are aware of phishing continue to fall for it? What are some of the most successful phishing themes? What are some common response rates? And finally, what can conditioned informants (your co-workers) reporting suspicious emails bring to the table?
This document discusses managing insider threats and building a successful audit program. It emphasizes the importance of educating users about insider threats, as employees are often the biggest security risk. It outlines the key components of an insider threat program, including policies, processes, access controls, risk management, and auditing. It also provides tips for tool selection, governance, documentation, and implementation. Throughout, it stresses that insider threats are difficult to detect but can be mitigated through visibility and understanding risky behaviors.
How to use AI apps to unleash the power of your audit program - Jim Kaplan CIA CFE
Artificial Intelligence (AI) is found in just about every industry today, and accounting and auditing are no exception. Auditors who aren’t already exploring the vast potential of AI-powered applications in their audit program will soon find these tools are the industry standard, and will be left in the dust if they don’t adapt and adopt.
To learn how to easily use AI apps in audit today, join us as we welcome Deniz Appelbaum, Assistant Professor at Montclair State University, for this exclusive presentation. With deep experience in audit analytics, Big Data, blockchain, audit automation, and fraud detection, Appelbaum brings considerable practical experience with audit technology to the audit profession.
In this presentation, she will help guests:
● Gain a basic introductory understanding of AI in audit.
● Understand how AI applications can be used in the context of auditing.
● Learn how to use AI apps in an audit for specific, achievable, measurable results.
This is a presentation introducing the SANS Institute's 20 Security Controls and the Australian Government's Top 35 Mitigation Strategies that I gave to The Small Business Technology Consulting Group in St Paul, MN on November 13, 2012.
This 1510-hour program at Metro Technology Centers prepares students to plan, coordinate, and implement security measures for networking systems. Students first learn to repair, maintain, and install computer hardware, software, networks and operating systems, then are introduced to security principles, threats, vulnerabilities, policies, risk management, security architectures, incident handling and disaster recovery. The program includes courses in fundamentals of technology, computer repair, Unix/Linux, networking, information assurance, network security, enterprise security management, secure electronic commerce, cyber forensics, and CCNA network security, culminating in a capstone course. It is open to juniors, seniors and adults and offered Monday-Friday mornings and afternoons.
This document discusses various options for information systems security education and training, including self-study programs, instructor-led programs, certificate programs, continuing education programs, postsecondary degree programs from associate's to doctoral levels, and information security training programs. It describes the advantages and disadvantages of self-study programs, characteristics of certificate and continuing education programs, and different types of postsecondary degrees including their focuses and durations.
As the European Union (EU) has enacted the General Data Protection Regulation (GDPR), it is easy to perceive this regulation would apply to only multinational or European companies. GDPR will certainly impact businesses in EU; but it will extend its applicability for international businesses, even those based in the United States.
In this webinar, Daniel Cohen-Dumani and Anupam Goradia of Withum cover what exactly GDPR is and why it is important to your business. We also share practical tips and best practice on how to ensure your compliance.
This document provides an overview of data protection impact assessments (DPIAs) and the role of the data protection officer (DPO) under the General Data Protection Regulation (GDPR). It discusses when DPIAs are required, the DPIA process, how to identify and assess risks, select controls, and ensure continuous monitoring. It also outlines the DPO requirements, including the need for independence and expertise. The DPO is responsible for enabling compliance and fostering a data protection culture.
A presentation about cyberwar basics, the past, present and future directions of cyberwar and some needed changes in technology and long standing societal attitudes, to combat this escalating threat
This document discusses preparations for the General Data Protection Regulation (GDPR) which takes effect in May 2018. It begins by outlining how GDPR compliance was previously viewed, with most companies believing they were unprepared. It then discusses key aspects of GDPR including higher fines, strengthened consent requirements, privacy by design, mandatory breach reporting, expanded obligations for processors, and mandatory data protection officers. Finally, it provides recommendations for steps companies can take to prepare such as forming a steering group, training, conducting data discovery and impact assessments, updating policies, and creating breach response plans. The overall message is that early preparation is important to avoid noncompliance under the new, stricter GDPR requirements.
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
This presentation is a summary, for the students of the IS 365/765 course I teach, at the University of Wisconsin-Madison, providing a 104 slide reminder of the most important topics in Information Security, which we covered throughout the semester. Today is the last day of course material. We have 4 days of student team presentations, to follow.
Implementing and Auditing General Data Protection Regulation Jim Kaplan CIA CFE
Implementing and Auditing GDPR Series (1 of 10)
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 1 of 10
• Bands of penalties and range of awards for breaches
• Lawfulness of processing and consent
• The six data protection principles
While the use of Data Analytics produces excellent results, they’re commonly applied in a tactical way for specific functional areas within an organization. This tactical approach often falls short of realizing the full potential of Data Analytics. Going beyond initial results, a more systematic approach to Data Analytics can help drive organizational learning (human and machine) from the various remediation processes.
In this Webinar, we’ll discuss 3 areas of Analytics Automation: (1) Producing the findings, (2) Managing the findings, and (3) Learning from the findings.
Key takeaways:
· The value of Analytics Automation
· Understanding the various technologies (i.e. RPA, AI, etc.)
· Practical ideas for deploying and managing Analytics Automation
· Using a more structured approach to remediation exceptions
· Benefits of Root Cause Analysis
· Using Analytics Automation to get a broader, more complete view of your organization over time
Data Security: What Every Leader Needs to KnowRoger Hagedorn
This document summarizes a presentation on data security for organizational leaders. It covers the key components of an effective security program, including support from management, understanding your data and where it is stored, implementing proper IT controls and monitoring, establishing security policies and procedures, and gaining staff involvement through training. It also discusses how to identify if a breach has occurred based on network traffic and user activity anomalies, and the steps to take in response, such as identifying and quarantining the damage before disinfecting and resecuring the network. The presentation aims to educate leaders on security basics and preparing an incident response plan.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
IT Career Survey: March Madness 2013: How the nation's IT pros prepareModis
The survey of 502 IT professionals found that:
1) 48% said their company takes action to block, throttle or ban streaming non-work content, and 34% have taken action to prepare for March Madness such as banning or throttling sports video.
2) Exceptions are made for CEOs and senior employees for content streaming policies.
3) 30% said their department monitors employees who violate content policies, while others rely on reminding employees or an honor system.
4) Social media sites like Facebook and video sites like Netflix are commonly restricted by content policies.
5) Some IT professionals expect stricter policies in the future, while many already work overtime to maintain networks during high usage periods like March
Be More Secure than your Competition: MePush Cyber Security for Small BusinessArt Ocain
The document provides guidance on improving cybersecurity through basic training and awareness. It discusses how people are often the biggest vulnerability and outlines common social engineering tactics like playing on emotions, creating a sense of urgency, and using hyperlinks or attachments in emails. It recommends continuous education and emphasizes that antivirus alone is not sufficient, and that email filtering and training are important defenses against phishing attacks. Additional resources are provided to help test for phishing vulnerabilities and check if email addresses have been involved in data breaches. Physical security controls and separating financial duties are also recommended to reduce fraud risks.
Information Technology Policy for Corporates - Need of the Hour (Vijay Dalmia)
An information technology policy for corporates is the need of the hour, as organisations are continuously at risk of violations of information technology laws, commission of cyber crimes, sexual harassment, e-mail violations, and misuse of the internet and intranet.
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to give a clear understanding of the core elements of the GDPR, with the opportunity to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 3
• Data protection by design
• Securing personal data
• Reporting data breaches
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyber Risks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Security threats are growing in volume, scale, and complexity. Not a day passes that we don’t hear about another data breach; and the average organization that’s hacked goes bankrupt within a year. From small and medium-size organizations to Fortune 500 companies, across every industry, no one is immune. It’s no longer enough to keep the bad stuff out (threat protection) or just keep the good stuff in (information protection). This session is a practical discussion on the ever evolving threat landscape, how you can keep up and protect yourself, your organization, and its reputation. It will help you build awareness about the types of resources and sensitive data that your nonprofit has, with tips on practical, accessible steps that you can take to ensure that information is safeguarded.
In 2015, phishing related breaches dominated security news headlines, and will likely remain the leading initial point-of-entry method for 2016. Not surprisingly an upswing in security awareness spending has paralleled the rise in phishing. In this presentation we dive deep into the largest data pool of human phishing susceptibility and also new research about phishing awareness. We will also look at phishing from the attacker’s point of view and look for opportunities to be better defenders.
Let’s examine the evidence and decide if awareness is the problem. Why do users who are aware of phishing continue to fall for it? What are some of the most successful phishing themes? What are some common response rates? And finally, what can conditioned informants (your co-workers) reporting suspicious emails bring to the table?
This document discusses managing insider threats and building a successful audit program. It emphasizes the importance of educating users about insider threats, as employees are often the biggest security risk. It outlines the key components of an insider threat program, including policies, processes, access controls, risk management, and auditing. It also provides tips for tool selection, governance, documentation, and implementation. Throughout, it stresses that insider threats are difficult to detect but can be mitigated through visibility and understanding risky behaviors.
How to use AI apps to unleash the power of your audit program (Jim Kaplan CIA CFE)
Artificial Intelligence (AI) is found in just about every industry today, and accounting and auditing are no exception. Auditors that aren’t already exploring the vast potential of AI-powered applications in their audit program will soon find these tools are the industry standard and will be left in the dust if they don’t adapt and adopt.
To learn how to easily use AI apps in audit today, join us as we welcome Deniz Appelbaum, Assistant Professor at Montclair State University, for this exclusive presentation. With deep experience in audit analytics, Big Data, blockchain, audit automation, and fraud detection, Appelbaum brings considerable practical experience with audit technology to the audit profession.
In this presentation, she will help guests:
● Gain a basic introductory understanding of AI in audit.
● Understand how AI applications can be used in the context of auditing.
● Learn how to use AI apps in an audit for specific, achievable, measurable results.
This is a presentation introducing the SANS Institute's 20 Security Controls and the Australian Government's Top 35 Mitigation Strategies that I gave to The Small Business Technology Consulting Group in St Paul MN on November 13, 2012
This 1510-hour program at Metro Technology Centers prepares students to plan, coordinate, and implement security measures for networking systems. Students first learn to repair, maintain, and install computer hardware, software, networks and operating systems, then are introduced to security principles, threats, vulnerabilities, policies, risk management, security architectures, incident handling and disaster recovery. The program includes courses in fundamentals of technology, computer repair, Unix/Linux, networking, information assurance, network security, enterprise security management, secure electronic commerce, cyber forensics, and CCNA network security, culminating in a capstone course. It is open to juniors, seniors and adults and offered Monday-Friday mornings and afternoons.
Copper is a soft, malleable metal with high thermal and electrical conductivity. It has a reddish-orange color and is used as a conductor as well as in building materials and alloys. Copper has been used for thousands of years, originally being mined on Cyprus. It is used in wiring, electronics, motors, and architecture.
Assessing IT Security and Compliance Risk for Acquisitions and Mergers (Melanie Brandt)
The document discusses assessing security and compliance risks for acquisitions and mergers at EarthLink. It outlines an agenda for risk evaluation activities including prioritizing reviews of IT compliance, business continuity, and security risks. Specific areas of focus are identified such as evaluating defenses, qualifying risks, creating a risk action plan, and measuring success. Lessons learned include getting involved early, balancing business needs with security, and standardizing risk management processes.
The document discusses key challenges and considerations for implementing an Information Security Management System (ISMS) based on ISO/IEC 27001. It highlights that ISMS implementation requires commitment from top management and involvement across the entire organization. Common difficulties include maintaining processes, continual improvement, and engaging employees outside of IT. Survey results show ISMS provides value through improved security and reduced costs, though certification can take 6-12 months and many organizations struggle with risk assessments and using all ISO 27001 controls.
2-sec "A Day in the Life of a Cyber Security Professional" Interop London Jun... (2-sec)
Tim Holman, CEO of 2-sec, presents his average day including work on data breaches, penetration testing and security audits. He also discusses the skills gap in the information security industry and how ISSA-UK is attempting to coordinate training across the industry to improve the problem.
The Ministry's information security awareness week was opened in the presence of Their Highnesses, Excellencies and distinguished guests. Below is the presentation that was delivered, titled "Information Security -- An Overview".
Information Security Management System ISO/IEC 27001:2005 (ControlCase)
The document provides an overview of the ISO/IEC 27001 standard for information security management systems. It defines what ISO 27001 is, its history and development over time. It outlines the key parts of ISO 27001 including establishing an ISMS framework, conducting risk assessments, implementing controls, and monitoring/reviewing the system. The document explains benefits of ISO 27001 certification include improving security, ensuring regulatory compliance, and gaining external validation of security practices. It provides examples of specific controls defined in Annex A of the standard related to security policies, asset management, access control, and more.
In this article I provide an overview of the new Information Security Management System standard ISO/IEC 27001:2013, which was published just a few days earlier. ISO/IEC 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System. ISO/IEC 27001:2013 gives an organization a perfect information security management framework for implementing and maintaining security. In this article, I tried to shed some light on the new standard and its mandatory requirements, optional requirements, structure, benefits, certification process and estimated time for implementation and certification.
Jon Murphy, National Practice Lead, AOS
Top 10 Trends for 2015 in Information Tech Risk Management
ITRM is more than merely security hardware and apps under the control of an overworked network admin. It is strategic and tactical process, technology, and people in various roles and levels working collaboratively to protect vital organizational assets like data, information, the ability to deliver on time, and reputation. Organizations need continuous, current, Actionable InsightSM about the probable sources of the most impactful risks and threats. Then and only then are they adequately prepared to make the smartest investments in continuing education, process improvement, and procedures for the proper use of the right technology for their situation. This multi-media, interactive presentation will cover the current top trends for 2015 in ITRM and that Actionable InsightSM - what your organization can and should do about likely and impactful IT risks and vulnerabilities.
This is a presentation I gave for the UQ Business School (in conjunction with Stan Gallo of KPMG) at the Urbane Restaurant to a group of Queensland CEO/C-Suite people. These dinners are part of UQ's engagement with the business community - a relationship we value. This engagement ensures we don't get all locked up in our ivory tower.
Adjusting Your Security Controls: It's the New Normal (Priyanka Aash)
Most of us learned cybersecurity practices based on the application of controls that were part of a framework. Once the framework was implemented then the controls didn’t change often. It’s time to adjust our thinking and recognize that on-going adjustment of controls may be a better indicator of cyber-maturity than adherence to any framework.
(Source: RSA USA 2016-San Francisco)
This document provides an overview of information security best practices for small businesses. It discusses the importance of information security for small businesses, common threats such as cybercrime and malicious software. It outlines the key components of information security as people, processes, and technology. It provides recommendations for security policies, backups, access controls, firewalls, software updates, and secure practices for email, wireless networks, and online activities. The document emphasizes establishing security as a foundational part of running a successful small business.
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization (Raffa Learning Community)
An examination of ever growing cyber threats which continue to develop and successfully execute cyber attacks and fraud scams, which cost businesses billions of dollars globally. This session will step through different current and emerging cyber attacks and cyber fraud scenarios, and then discuss how basic but effective security controls can help to significantly reduce the risks.
Cyber security as a strategic imperative web (SevenOf9)
The document discusses cyber security as a strategic imperative for organizations. It highlights that cyber attacks are a global problem and everyone is now a target. The document provides statistics on common cyber attacks like spear phishing and outlines recommendations for improving cyber security defenses. This includes developing an incident response plan, managing third party access, and seeking resources from cyber security organizations.
Kemper W. Brown, Jr. Presentation on Cybersecurity at the 2017 WNC MMA Fall Conference.
I recently gave an IT security presentation at a fall conference for medical managers of physician practices in Western North Carolina. As the only speaker on the topic of technology, my goal was to help medical managers stay on top of IT security best practices and the current threat landscape.
Cybercrime and the Hidden Perils of Patient Data (Stephen Cobb)
This document discusses the risks of cybercrime for healthcare organizations and patient data. It begins by outlining how cybercrime has increased risks to patient data and the liabilities organizations face for data breaches or non-compliance. It then provides examples of real data breaches and the large fines organizations have faced. The document recommends that organizations perform risk assessments, have outside security reviews, implement key security controls like strong authentication and encryption, and educate employees on security policies and controls. Regular re-assessments are also advised to address evolving threats.
Phish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations (ObserveIT)
What in the world does insider threat have to do with the GDPR?
In this webinar, Neira Jones, one of Britain’s most well-known information security professionals, will discuss the major challenges presented by the new European General Data Protection Regulation (GDPR) with an emphasis on Insider Threats.
After viewing this informational webinar, you will understand:
• The new risk landscape and how working with European businesses will change
• The definition of insider threat and how it impacts the required preparations for the new GDPR
• Malicious vs. Unintentional risks
• How to enforce policies using ad-hoc education
• How the new regulation will force companies and employees into less risky behaviours
1) Risk assessment is the foundation of any security program and can help organizations avoid significant fines and penalties in the event of a data breach or audit findings.
2) A risk analysis involves identifying threats, vulnerabilities, and risks; assessing current security measures; determining the likelihood and impact of risks; and identifying security measures to address risks.
3) Tools and frameworks like NIST, HIPAA, OCTAVE, and those from CompTIA, DHS, and HHS can help organizations conduct thorough and effective risk analyses.
BYOD seems like IT's Kobayashi Maru: the ultimate no-win scenario. Users and executives want unlimited choice with devices and access, while IT has to protect corporate data and find some way to support a grab-bag of hardware and operating systems. Can IT really balance these competing demands, or are we being set up to fail? In fact, you can do BYOD right, but it requires some groundwork. In this workshop we'll cover the motivation behind BYOD, because it's important to understand why it becomes such a divisive issue in organizations.
1. The document summarizes an interview with Malcolm Harkins, Chief Security and Trust Officer at Cylance, about preventing malware infections and how organizations struggle to keep up with prevention methods and identifying risks.
2. Harkins notes that organizations suffer from alert fatigue and are unable to keep up with the constant "whack-a-mole" of security issues. He suggests deploying lightweight prevention agents that can work both online and offline.
3. When asked about how customers struggle, Harkins says they need solutions to reduce risks, lower security costs, and decrease friction between security and business operations. Most organizations find it difficult to continuously manage all the new technologies, software, and third parties joining
This document provides information security recommendations and best practices for small businesses. It discusses identifying critical business assets, safeguarding people, processes, and technology. Specific recommendations include implementing policies, access controls, backups, antivirus software, firewalls, wireless security, software patching, and employee training. The document emphasizes establishing a strong security foundation through assessing risks and prioritizing asset protection based on confidentiality, integrity, and availability needs.
Final presentation january iia cybersecurity securing your 2016 audit plan (Cameron Forbes Over)
The January IIA meeting agenda covered cybersecurity topics including:
- A review of major 2015 cybersecurity incidents
- The 2015 Global Threat Index from the World Economic Forum
- Top cybersecurity risk predictions for 2016 such as the Internet of Things and insider threats
- Cybersecurity facts and figures on topics like data breaches and victims of cybercrime
- Potential risks of cyber-attacks including loss of data, interruptions, and costs
- The top 10 cybersecurity areas to consider auditing in 2016 including frameworks, assessments, third party risks, and business continuity
Join Kaseya and guest cybersecurity expert from Kaspersky, Cynthia James, to hear how companies like Target, eBay, and Home Depot are losing data, and how you can protect your company from suffering the same fate.
• The latest cybersecurity threats and vectors putting organizations at risk
• How your organization can avoid falling victim to a data breach
• Additional strategies to secure your organization and its data
Similar to Cybersecurity: The New Priority for Business
What are the common challenges faced by women lawyers working in the legal pr... (lawyersonia)
The legal profession, which has historically been male-dominated, has experienced a significant increase in the number of women entering the field over the past few decades. Despite this progress, women lawyers continue to encounter various challenges as they strive for top positions.
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordinary And Special Businesses And Ordinary And Special Resolutions with Companies (Postal Ballot) Regulations, 2018
This document briefly explains the June 2024 compliance calendar, with income tax returns, PF, ESI, and important due dates, forms to be filled out, periods, and who should file them.
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers (HarpreetSaini48)
Discover how Mississauga criminal defence lawyers defend clients facing weapon offence charges with expert legal guidance and courtroom representation.
To know more visit: https://www.saini-law.com/
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi... (Massimo Talia)
This guide aims to provide information on how lawyers will be able to use the opportunities provided by AI tools and how such tools could help the business processes of small firms. Its objective is to provide lawyers with some background to understand what they can and cannot realistically expect from these products. This guide aims to give a reference point for small law practices in the EU against which they can evaluate those classes of AI applications that are probably the most relevant for them.
Sangyun Lee, 'Why Korea's Merger Control Occasionally Fails: A Public Choice ... (Sangyun Lee)
Presentation slides for a session held on June 4, 2024, at Kyoto University. This presentation is based on the presenter’s recent paper, coauthored with Hwang Lee, Professor, Korea University, with the same title, published in the Journal of Business Administration & Law, Volume 34, No. 2 (April 2024). The paper, written in Korean, is available at <https://shorturl.at/GCWcI>.
Matthew Professional CV experienced Government Liaison (MattGardner52)
As an experienced Government Liaison, I have demonstrated expertise in Corporate Governance. My skill set includes senior-level management in Contract Management, Legal Support, and Diplomatic Relations. I have also gained proficiency as a Corporate Liaison, utilizing my strong background in accounting, finance, and legal, with a Bachelor's degree (B.A.) from California State University. My Administrative Skills further strengthen my ability to contribute to the growth and success of any organization.
Lifting the Corporate Veil. Power Point Presentation (seri bangash)
"Lifting the Corporate Veil" is a legal concept that refers to the judicial act of disregarding the separate legal personality of a corporation or limited liability company (LLC). Normally, a corporation is considered a legal entity separate from its shareholders or members, meaning that the personal assets of shareholders or members are protected from the liabilities of the corporation. However, there are certain situations where courts may decide to "pierce" or "lift" the corporate veil, holding shareholders or members personally liable for the debts or actions of the corporation.
Here are some common scenarios in which courts might lift the corporate veil:
Fraud or Illegality: If shareholders or members use the corporate structure to perpetrate fraud, evade legal obligations, or engage in illegal activities, courts may disregard the corporate entity and hold those individuals personally liable.
Undercapitalization: If a corporation is formed with insufficient capital to conduct its intended business and meet its foreseeable liabilities, and this lack of capitalization results in harm to creditors or other parties, courts may lift the corporate veil to hold shareholders or members liable.
Failure to Observe Corporate Formalities: Corporations and LLCs are required to observe certain formalities, such as holding regular meetings, maintaining separate financial records, and avoiding commingling of personal and corporate assets. If these formalities are not observed and the corporate structure is used as a mere façade, courts may disregard the corporate entity.
Alter Ego: If there is such a unity of interest and ownership between the corporation and its shareholders or members that the separate personalities of the corporation and the individuals no longer exist, courts may treat the corporation as the alter ego of its owners and hold them personally liable.
Group Enterprises: In some cases, where multiple corporations are closely related or form part of a single economic unit, courts may pierce the corporate veil to achieve equity, particularly if one corporation's actions harm creditors or other stakeholders and the corporate structure is being used to shield culpable parties from liability.
Cybersecurity: The New Priority for Business
1.
2. 2015-2016 MHSL Business Certificate Graduates
Samantha Barriga
Michelle Bradley (Jan. 2016)
Katelyn Bounds
Nathan Dorschner
Brenna Finley Erdmann
Eythan Frandle
Ayn Gates
Barry Gronke
Matthew Hartranft (Jan. 2016)
Sarah Holm
Abigail Lambert
Keith Larson
John Meyer
Ben Pflueger
Jungmin Ro
Briar Schnuckel
Ellen Tovo-Dwyer
Mitchell Hamline School of Law | April 27, 2016
3. “As I enter my final semester at Mitchell Hamline, it’s easy to list all of the ways that the Law and Business program has guided and shaped my time here.
I’ve been able to focus on my learning and development priorities both academically and professionally through the program’s courses, networking events, and externships. The coursework required for the Certificate along with the variety of available elective offerings provide challenging and fulfilling preparation for the “real world” expectations of business or corporate law.
Pursuit of the Law and Business Certificate was one of the best choices I’ve made during law school. I’m proud to be finishing the Certificate this semester and I will value the academic and professional experiences and connections I’ve established through the program for years to come.”
-- Mitchell Hamline Student
4.
5. Program Faculty
• Professor Sharon Sandeen – Mitchell Hamline School of Law
• Andy Ubel – Chief Intellectual Property Counsel, Valspar Corp.
• Ken Morris – Senior Advisor, RedPoint Advisors
• Charlotte Tschider – Owner/Principal, Cybersimple Security, LLC
CLE Event Code 218968
6. Valspar’s Story
Andy Ubel
Chief Intellectual Property Counsel
Valspar Corporation
7. Answers
A) There is really nothing you can do. IP protection in China is difficult to obtain and this employee didn’t sign a “non-compete” agreement. The manager should call HR and have them look for a replacement.
B) The employee should be terminated immediately. Computer access by this employee should be severed and the employee’s laptop and phone collected and quarantined. An immediate investigation should be undertaken to assess whether any sensitive data has been downloaded by the employee.
C) Fire the CIO when he tells you they don’t know if anything was taken, because no logs are kept.
D) Fire anyone else that is nearby.
8. Valspar faced this exact situation
David Wen Lee was Valspar’s “#2 Technical Employee” in our Consumer paints division.
Without any warning, he announced one Monday morning that he was quitting. He wouldn’t say where he was going.
9. Security wasn’t properly focused
Valspar had typical “security readiness.” Like most companies Valspar had security against outside intrusions (more about that later), but little security against a “trusted employee.”
10. Our immediate response
Lee was sent home the day he resigned. A co-worker was asked to look at his computer and see if there were any clues as to where he might be headed.
We quickly uncovered some irregularities. But we had no smoking gun at this point.
11. We got lucky
A co-worker looked at some “invisible files” and uncovered a log file for an unauthorized program called “SyncToy.”
Lee had copied 44 gigabytes of our sensitive data onto an external hard drive.
We called the FBI for help. This was mid-day on Wednesday.
We learned that David Lee was booked on a flight to China in less than 10 days!
13. Valspar’s new state of “readiness”
Lee’s theft woke us up.
Our IT systems were built with only a basic perimeter security focus and little internal security.
1. Trusted insiders could steal a lot of information – because they had wide access.
2. Outsiders, if they could get past the perimeter defenses, would also be able to steal a lot of information.
THIS MODEL IS OBVIOUSLY FLAWED
14. CyberSecurity – Attack Categories
• Denial of Service attacks
• Hacktivists
• “Insider” trade secret theft
• “Outsider” Cyber-thefts
  – “APT” theft of information
    • TS (trade secrets)
    • PII
    • Etc.
  – Bank transaction theft
  – Ransomware
15. Advanced Persistent Threat – ”APT”
• An APT is a well-resourced, persistent intruder (and the campaign it runs) that gets into a network, stays there undetected, and exfiltrates sensitive data over a long period.
• APT groups are well organized and will target a specific company’s data, in some cases on commission for a fee.
• APT hacking is a professional and profitable business.
• An APT is not some bored teenager in his bedroom.
16. Security “Scorecard”
Security measures were grouped in four main categories:
• Data Security
• End Point Device Security
• Network Security
• Policy & Training
“Points” are awarded when certain security measures have been achieved.
18. Identify & Protect
Classify
• Special Control
• Confidential
• Internal Use Only
• Public
Protect
• “Need-to-know” access
• Focus on important Trade Secrets
Report
• Monitoring / security tool
19. Classification is only the first step
After you identify and classify your most important information you will then still need to identify all the ways that information moves throughout your organization.
This will not be easy ….
21. “DLP” - Data Loss Prevention
DISCOVERY: What & where is sensitive data?
• Classification: persistent, inheritance
• Context: location, type, user
• Content: similarity, keyword, dictionary
ACTIVITY: What is the user doing with it?
• Email: attach, copy/paste, compose/send
• Files: move, copy/paste, burn/print, upload
• Application data: view, delete, modify
DESTINATION: Where is the data going?
• Devices, applications, networks, printers, internet, recipients
CONTROL: What action is appropriate?
• Incident alert (detection)
• Prompt user (intent/educate)
• Warn user (awareness)
• Encrypt data (protection)
• Block action (prevention)
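The decision flow the slide lays out (discover what the data is, see what the user is doing with it and where it is going, then pick a control) can be written down as a small policy engine. The block below is an added example, not Valspar's deployment or any DLP vendor's product code: it reuses the four classification tiers from the Identify & Protect slide, while the content patterns, the (tier, destination) action matrix and the sample events are constructed assumptions for illustration.

```python
"""Minimal DLP decision engine following the Discovery / Activity /
Destination / Control breakdown on the slide above.  Added illustration,
not Valspar's deployment or any vendor's product logic.  The tiers reuse
the slide's four labels; the patterns, policy table and sample events
below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Optional

# Classification tiers from the "Identify & Protect" slide, least to most sensitive.
TIERS = ["Public", "Internal Use Only", "Confidential", "Special Control"]

# Discovery by content: keyword / dictionary / pattern rules (constructed examples).
CONTENT_RULES = {
    "Special Control": [r"\btrade secret\b", r"\bformulation\b", r"\bbatch recipe\b"],
    "Confidential": [r"\bconfidential\b", r"\b\d{3}-\d{2}-\d{4}\b"],  # SSN-shaped numbers
    "Internal Use Only": [r"\binternal use\b"],
}

# Control matrix keyed by (tier, destination).  Anything not listed is allowed.
POLICY = {
    ("Special Control", "external"): "block",
    ("Special Control", "removable"): "block",
    ("Special Control", "printer"): "prompt",      # user must justify
    ("Special Control", "internal"): "encrypt",
    ("Confidential", "external"): "encrypt",
    ("Confidential", "removable"): "prompt",
    ("Confidential", "printer"): "warn",
    ("Internal Use Only", "external"): "warn",
}


@dataclass
class Event:
    user: str
    content: str
    label: Optional[str]   # persistent classification tag, if the file carries one
    activity: str          # email_attach | file_copy | upload | burn_print | view
    destination: str       # internal | external | removable | printer
    need_to_know: bool     # user is on the access list for this data


def classify(content: str, label: Optional[str] = None) -> str:
    """Discovery: a persistent label wins; otherwise the highest tier whose
    content rule matches (the strictest match is inherited)."""
    if label in TIERS:
        return label
    best = "Public"
    for tier, patterns in CONTENT_RULES.items():
        if any(re.search(p, content, re.IGNORECASE) for p in patterns):
            if TIERS.index(tier) > TIERS.index(best):
                best = tier
    return best


def decide(ev: Event) -> tuple:
    """Return (tier, action) for one event.  Need-to-know is checked before
    the destination matrix, so a user without access is blocked even on an
    internal move."""
    tier = classify(ev.content, ev.label)
    if tier == "Public":
        return tier, "allow"
    if not ev.need_to_know:
        return tier, "block"
    if ev.activity == "view":
        # Viewing moves no data; only log it for the top tier.
        return tier, "alert" if tier == "Special Control" else "allow"
    return tier, POLICY.get((tier, ev.destination), "allow")


# Constructed sample events (not real Valspar data).
SAMPLE_EVENTS = [
    Event("dlee", "Batch recipe for exterior latex, formulation v7", None, "file_copy", "removable", True),
    Event("dlee", "Batch recipe for exterior latex, formulation v7", None, "file_copy", "internal", True),
    Event("jdoe", "Quarterly internal use newsletter", None, "email_attach", "external", True),
    Event("jdoe", "Customer record 123-45-6789", "Confidential", "upload", "external", True),
    Event("intern", "Project plan", "Special Control", "view", "internal", False),
    Event("jdoe", "Press release draft", None, "email_attach", "external", True),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; returns (user, activity, destination, tier, action) rows."""
    return [(ev.user, ev.activity, ev.destination) + decide(ev) for ev in events]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Two design points worth keeping: the persistent label beats content matching, so a file tagged Special Control stays that way when copied or renamed, and the need-to-know check runs before the destination matrix, which is the rule that catches an insider with wide access copying to a removable drive.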
22. Digital Guardian (diagram)
Diagram of a Digital Guardian agent (monitoring, controls, classification, encryption) deployed on Windows workstations and Windows file servers, with data flows labelled 1. Extract, 2. At Rest and 3. Download/Sync and the enforcement actions Encrypt, Block and Prompt/Justify applied along them.
23. End Point Device Security (Protect)
Sensitive data is accessed using “end point” devices. MOST companies configure these devices with negligible security and hackers can exploit known weaknesses to gain access to these devices.
• Step 1 - BUILD a secure image for PCs, mobile devices, and servers.
• Step 2 - MAINTAIN the secure configuration.
  – Lock down the Admin Rights;
  – Prevent the use of unauthorized software; and
  – Patch the OS on a regular basis.
• Step 3 – DEPLOY the secure image on all machines.
  – Don’t trust the BYOD model.
24. Network Security – (Detect)
• Step 1 - BLOCK unauthorized devices (not just users) from gaining network access through VPN, wireless and LAN connections.
• Step 2 - DEPLOY a secure configuration for firewalls, routers and switches.
• Step 3 - ENABLE an Intrusion Prevention System that ALERTS security in real time to any anomalous traffic.
• Step 4 - DEPLOY a Security Information and Event Management (SIEM) tool where all switch, router, firewall and critical server and database logs can be analyzed.
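Steps 1 and 4 only pay off if someone writes the detection logic that runs over the collected logs. The block below is an added example, not part of the original slides or any SIEM product: it parses constructed DHCP, VPN and firewall lines, flags devices that are absent from a (constructed) asset inventory, and totals outbound bytes per internal host to external addresses, the kind of rule that surfaces a multi-gigabyte copy when it leaves over the network rather than on a USB drive. The log format, the inventory and the 10.0.0.0/8 internal range are assumptions.

```python
"""Two detections implied by steps 1 and 4 of the slide, run over constructed
log lines: an unknown device obtaining a DHCP lease or VPN session (step 1),
and a host pushing an unusually large volume to an external address (step 4).
Added example, not Valspar's SIEM content; the log format, inventory and
thresholds are assumptions for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a loose syslog style: timestamp host program: k=v pairs.
SAMPLE_LOGS = """\
2016-04-20T09:12:01 switch01 dhcp: lease ip=10.1.4.22 mac=00:11:22:33:44:55 host=ENG-LAPTOP07
2016-04-20T09:13:44 vpn01 vpn: user=jdoe src=203.0.113.9 device_id=CORP-4432 result=connected
2016-04-20T09:15:02 switch01 dhcp: lease ip=10.1.4.87 mac=de:ad:be:ef:00:01 host=android-7f3a
2016-04-20T09:20:19 vpn01 vpn: user=dlee src=198.51.100.8 device_id=UNKNOWN-0FA1 result=connected
2016-04-20T10:02:33 fw01 conn: src=10.1.4.22 dst=10.1.8.5 dport=445 bytes_out=734003200 action=allow
2016-04-20T22:47:10 fw01 conn: src=10.1.4.87 dst=198.51.100.77 dport=443 bytes_out=18253490000 action=allow
2016-04-20T22:51:42 fw01 conn: src=10.1.4.87 dst=198.51.100.77 dport=443 bytes_out=9126745000 action=allow
2016-04-20T23:05:00 fw01 conn: src=10.1.4.22 dst=203.0.113.50 dport=443 bytes_out=52000 action=allow
"""

# Asset inventory (constructed): only these MACs and VPN device IDs are corporate.
KNOWN_MACS = {"00:11:22:33:44:55"}
KNOWN_DEVICE_IDS = {"CORP-4432"}

# Assumed corporate address space; anything outside it counts as external.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<rest>.*)$")


def parse(line):
    """Return a dict of fields, or None if the line does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prog": m["prog"]}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def unauthorized_devices(text):
    """Step 1: devices, not just users, must be known.  Flags DHCP leases from
    unknown MACs and VPN sessions from unknown device IDs."""
    hits = []
    for line in text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if rec["prog"] == "dhcp" and rec.get("mac") and rec["mac"] not in KNOWN_MACS:
            hits.append(("lan", rec["mac"], rec.get("host", "?")))
        elif rec["prog"] == "vpn" and rec.get("device_id") not in KNOWN_DEVICE_IDS:
            hits.append(("vpn", rec.get("device_id", "?"), rec.get("user", "?")))
    return hits


def large_egress(text, threshold_bytes=1_000_000_000):
    """Step 4: aggregate outbound bytes per internal source to external
    destinations and report sources at or over the threshold (default 1 GB)."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse(line)
        if not rec or rec["prog"] != "conn":
            continue
        if ipaddress.ip_address(rec["dst"]) in INTERNAL:
            continue  # internal transfer, not egress
        totals[rec["src"]] += int(rec.get("bytes_out", 0))
    return sorted((src, n) for src, n in totals.items() if n >= threshold_bytes)


if __name__ == "__main__":
    print("unauthorized devices:", unauthorized_devices(SAMPLE_LOGS))
    print("large egress:", large_egress(SAMPLE_LOGS))
```

Both rules depend on data the slide's earlier steps produce: the inventory behind step 1 has to exist before an "unknown device" alert means anything, and the egress total is only trustworthy when the firewall logs every allowed connection, not just denies, which is a common logging-policy gap.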
25. Policy and Physical Security (Respond/Recover)
• Step 1 - PUBLISH simplified corporate policies – that are SUPPORTED by the CEO.
• Step 2 - DEVELOP a robust incident response team.
• Step 3 - DESIGN and CONDUCT periodic penetration testing and auditing.
26. Some good news
Information security is basically “free.” Properly secured IT systems will:
• Be streamlined (with fewer different “versions” of software);
• Be more cost effective (deployment of software will take less testing); and
• Require less field service.
27. Cybersecurity is not about Security
It is About Trust: Growth and Market Value
Ken Morris, J.D.
Redpoint Advisors
knectIQ Inc.
28. Forget any and all national/state data security regulations and frameworks. Any computing device capable of storing, processing, receiving or transmitting PII/PHI/M2M identifying information or other valuable enterprise information will be targeted.
Bottom Line: Meeting a statutory, regulatory or compliance provision is often suboptimal when it comes to protecting PII/PHI/M2M identifying or other valuable enterprise information.
41. TRUST AS A SERVICE
• Managed security is still primarily a traditional security approach
– Proactive, learning systems instead of traditional reactive models
• Security needs new champions – beyond the CISO and CRO
– Board level leadership
• Innovation is nice but execution is what matters
– Anyone or any organization that touches the enterprise must be involved in maintaining a trusted environment
• Satisfaction with Security is an Illusion (most enterprises in reactionary mode)
– Frame cybersecurity as a risk management matter
• Digital trust requires a commitment to an ecosystem approach
– Every entity in the ecosystem secures identifying and sensitive information
• Customer expectations, the growth of threat surfaces in mobile and the IoT are disruptors that traditional and conventional cybersecurity approaches do not adequately address.
– Agility and adaptability become paramount
42. A COMPLEMENTARY PROTOCOL
(Figure: protocol flow; only the diagram labels survive extraction)
Sender generates UID. De-identified encrypted data sent with hashed and salted UID.
Validation & authentication: Receiver removes salt from transmitted UID. Generates local UID. Compare UID’s. If matched, receive data, authenticate, accept data, eliminate UID’s.
• NO SINGLE USE TOKENS
• NO STORED KEYS OR CERTIFICATES
• UNIQUE & CONSISTENT IDENTIFIER
• HARDENS AUTHENTICATION
• ENABLES OPTIMAL USE OF CONNECTED DEVICES & DATA
Patent Pending…
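The slide gives only the shape of the exchange, so the following is an added model of it, not the presenter's, knectIQ's or any patented implementation. It assumes, beyond what the slide says, that both parties can derive the same UID from shared context (here a constructed device identifier plus a message counter), that per-message encryption and authentication keys are derived from the UID and the salt so that nothing has to be stored, and that "removes salt" means the receiver splits the transmitted salt off the token and hashes its own locally generated UID with it before comparing. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, used only because the standard library ships no AES.

```python
"""Added example: sender/receiver model of a hashed-and-salted UID exchange.
All identifiers and data are constructed; see the lead-in for assumptions."""
import hashlib
import hmac
import secrets

SALT_LEN = 16
HASH_LEN = 32
TAG_LEN = 32


def derive_uid(device_id: bytes, counter: int) -> bytes:
    """Unique, consistent identifier that both sides can compute independently."""
    return hashlib.sha256(device_id + counter.to_bytes(8, "big")).digest()


def _keys(uid: bytes, salt: bytes):
    """Per-message keys derived from UID and salt; nothing is stored between messages."""
    enc_key = hmac.new(salt, uid + b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(salt, uid + b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demo cipher, see lead-in)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def send(uid: bytes, plaintext: bytes) -> bytes:
    """Sender: message = salt || H(salt || UID) || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)        # fresh per message
    hashed_uid = hashlib.sha256(salt + uid).digest()
    enc_key, mac_key = _keys(uid, salt)
    stream = _keystream(enc_key, salt, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + hashed_uid + ciphertext, hashlib.sha256).digest()
    return salt + hashed_uid + ciphertext + tag


def receive(message: bytes, local_uid: bytes):
    """Receiver: split off the salt, hash the local UID with it, compare, then
    authenticate and decrypt. Returns None on any mismatch, so a wrong UID or a
    body altered in transit is rejected before any data is accepted."""
    if len(message) < SALT_LEN + HASH_LEN + TAG_LEN:
        return None
    salt = message[:SALT_LEN]
    hashed_uid = message[SALT_LEN:SALT_LEN + HASH_LEN]
    ciphertext = message[SALT_LEN + HASH_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hashlib.sha256(salt + local_uid).digest()
    if not hmac.compare_digest(expected, hashed_uid):     # UIDs do not match
        return None
    enc_key, mac_key = _keys(local_uid, salt)
    want = hmac.new(mac_key, salt + hashed_uid + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(want, tag):                # body altered in transit
        return None
    stream = _keystream(enc_key, salt, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, stream))
    del enc_key, mac_key                                  # "eliminate UIDs": keep nothing
    return plaintext


if __name__ == "__main__":
    uid = derive_uid(b"device-42", 7)                     # constructed shared context
    msg = send(uid, b"de-identified record")
    print(receive(msg, uid))                              # matches: data accepted
    print(receive(msg, derive_uid(b"device-42", 8)))      # wrong counter: None
```

Two caveats a reviewer of such a design would raise: the hashed UID is only as hard to guess as the UID derivation itself (a low-entropy identifier can be brute-forced offline from one captured salt and hash), and replay of a complete captured message is prevented only if the receiver advances its own counter after each accepted message, since the salt by itself is not a single-use token.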
43. CONSIDERATIONS
• Establish and Enforce Cyber Governance
– IAM
• Strong passwords
• MFA (Multi-factor authentication)
• Role based access
– Board led “security as risk management” policy development
– Risk stratify digital and data assets
• Identify Vulnerabilities
• Protect the “Crown Jewels”
• Identify and monitor Threats
– Active, heuristic threat learning AI based platforms
• Collect, Analyze and Report Relevant Threat and Incident Information
• Do you have a “Trust as a Service Ecosystem”?
– Vendors
– Suppliers
– Other affiliate business partners (professional services: outside counsel, consulting firms, etc.)
– Customers
• Plan and Respond!
44. Investing in Preparation: The Incident Response Process
Reducing business impact through an efficient incident response process.
Charlotte Tschider, J.D.
Cybersimple Security, LLC
45. Is it a Data Breach?
Day 1, 11:45 AM
“Jay Stellant” has gathered information from social media about your company, a
provider of online timecard software. Jay calls your organization’s help desk, and
convinces the operator that Jay is a business associate of your organization. The
help desk operator gives Jay the director of finance’s business information.
Day 2, 9:00 AM
Jay calls the large business customers for your organization listed on your Website
and marketing materials, posing as the finance director for your organization and
is referred to their respective procurement departments.
Jay mentions that your organization has not yet received payment for their
subscription, and access to your software will be removed if payment is not
transferred within the next two business days. Jay provides an offshore account
number registered with your business name and provides an e-mail address that
is similar, but different from the finance director’s e-mail address.
46. Is it a Data Breach?
Day 3, 10:30 AM
The procurement contact searches records and discovers that your organization
has already been paid. He fears that the wrong account number was used for
payment and sends an email to Jay’s false email address arranging a phone call.
Jay calls the procurement contact and asks to validate the account number on
record and an associated PIN. Jay now has one of your organization’s bank
account numbers.
47. Is it a Data Breach?
Day 3, 12:30 PM
Jay sends an email to a finance supervisor for your company whom he discovered on
LinkedIn, after validating from a public Facebook account that the director of
finance is currently on vacation.
Jay sends an email, using a convincing email signature from his e-mail address
and listing the account number he gathered from the customer, mentioning that
he is validating the correct account numbers for payment purposes with one of
your customers, and would like to review the full account list directly in the
system but needs the user ID/password. He states that he is on vacation, and that
he needs this information as soon as possible.
Knowing the finance director is actually on vacation and wanting to impress him,
the finance supervisor sends the log-on information for the system to Jay, a
system that is managed by a third party and accessible outside of the corporate
network.
48. Is it a Data Breach?
Day 3, 5:30 PM
By the end of the day, the finance supervisor feels a bit unsettled with sending
the e-mail earlier, and he decides to talk to his manager about the director’s
request. The finance manager, who usually receives requests from the finance
director, knows this is not typical behavior.
The finance manager reports the situation immediately through the employee
relations hotline.
Day 4, 9:00 AM
An incident manager on the IT security team receives the report and calls the
finance manager to gather more information. Together, they call the bank
managing accounts, and the bank confirms that substantial amounts of money
have been transferred to an offshore account.
WHAT HAPPENS NEXT?
49. Agenda
• Introduction to Incident Response
• Incident Response, the Law, and Industry
• The Incident Response Process
• The Incident Response Plan
• The Incident Response Management Team
• Collaborating with Government Officials
• Data Breach Obligations
• Key Takeaways
50. Introduction to Incident Response
DEFINING INCIDENT
An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
An “Incident” includes potential future data breaches before they are confirmed and other adverse consequences.
Incidents may affect the confidentiality of information, availability of information, or integrity of information.
51. Introduction to Incident Response
DEFINING DATA BREACH
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
“Sensitive information” can be interpreted differently depending on industry, but state data breach notification statutes usually apply to personal information.
TERMINOLOGY MATTERS!
52. Introduction to Incident Response
AN EFFECTIVE INCIDENT RESPONSE PROCESS:
• Can identify potential incidents through tools and self-reporting quickly, reducing or avoiding damage
• Centralizes reporting for fast escalation and decision-making
• Does not define a situation too early; focuses on information gathering
• Prioritizes communication strategy, both external and internal
• Enables retention of accurate information for future litigation, involving civil and criminal liability
Incident response is a collaborative process, including a variety of business leaders and government, depending on the incident.
53. Incident Response, the Law, and Industry
Organization Type | Requirement*
Financial Institutions | Interagency Guidance under the Gramm-Leach-Bliley Act requires a security breach response program.
Healthcare HIPAA Covered Entities | The HIPAA Security Rule at 45 CFR § 164.308(a)(6)(i) requires a covered entity to “identify and respond to suspected or known security incidents.”
Government Contractors | Government contractors may be required to follow NIST guidelines within a government contract under FISMA.
Organizations with customers in specific states/territories | 51 U.S. state and territory data breach notification statutes require notification upon discovery of a reasonably suspected data breach.
Retailers/Organizations Accepting Payment Cards | Payment Card Industry requirements specify “implement[ion of] an incident response plan [and to] be prepared to respond immediately to a system breach.”
*Contracts may also require incident response efforts and notification.
54. The Incident Response Process
(Figure: process cycle) Plan → Detect → Contain → Notify → Recover → Improve
• One employee should be responsible for Incident Response.
• Cybersecurity controls should be in place to detect intrusion and unauthorized use.
• The Incident Response Team should use repeatable procedures to contain and preserve incident details.
• Continuous learning is critical to timely response.
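"Preserve incident details" (this slide) and "retention of accurate information for future litigation" (slide 52) both come down to a record that can later be shown not to have been edited. The following is an added example, not from the program: a minimal hash-chained incident record in which each entry commits to the previous one, so that a later edit, deletion or reordering is detectable on review. The entries are constructed from the "Is it a Data Breach?" timeline; the incident identifier, field names and the detail text are assumptions.

```python
"""Added example: tamper-evident incident record (hash chain over entries).
Incident id, actors and details are constructed for the demo."""
import hashlib
import json


def _digest(obj) -> str:
    """Canonical JSON so the same content always hashes the same way."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class IncidentRecord:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def _genesis(self) -> str:
        # The chain starts from the incident identifier itself
        return hashlib.sha256(self.incident_id.encode()).hexdigest()

    def add(self, when: str, actor: str, action: str, detail: str) -> dict:
        """Append an entry whose hash covers its content and the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else self._genesis()
        body = {"seq": len(self.entries), "when": when, "actor": actor,
                "action": action, "detail": detail, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was altered, removed or reordered."""
        prev = self._genesis()
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_case_record() -> IncidentRecord:
    """Constructed timeline following the 'Is it a Data Breach?' scenario."""
    r = IncidentRecord("IR-2016-0427-EXAMPLE")          # placeholder identifier
    r.add("Day 3 17:30", "finance manager", "report",
          "atypical credential request reported via employee relations hotline")
    r.add("Day 4 09:00", "incident manager", "detect",
          "hotline report received; finance manager interviewed")
    r.add("Day 4 09:40", "incident manager", "contain",
          "bank confirms transfers to offshore account; bank asked to hold further transfers")
    r.add("Day 4 10:15", "incident manager", "contain",
          "third-party finance system credentials reset; its access log preserved")
    return r


def tamper_demo() -> tuple:
    """Verification passes on the intact record and fails after a quiet edit."""
    r = build_case_record()
    intact = r.verify()
    r.entries[1]["detail"] = "no report received"       # silent rewrite of history
    return intact, r.verify()


if __name__ == "__main__":
    print(tamper_demo())      # (True, False)
```

In practice the record would be written to append-only storage and its latest hash copied somewhere the response team cannot edit (for example, sent to outside counsel at each status update); the chain then lets counsel establish later that what they were told during the incident is what the record still says.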
55. The Incident Response Plan
An Incident Response Plan Should Include:
• Mission, strategies, and goals statements
• Organizational approach
• Details of senior leadership involvement and approval
• Approach for communication within and outside the organization
• References to procedures (which then include checklists, technical processes, forms, or playbooks)
• Effectiveness metrics
• Maturity Roadmap
Incident response plans should be tested at least annually. Tabletop exercises and true readiness testing ensure plans are useful during an incident.
56. The Incident Response Management Team
(Figure: organization chart distinguishing the CORE INCIDENT RESPONSE TEAM from ADDITIONAL TEAM MEMBERS; only the role labels survive extraction)
Roles shown: CEO; Chief Information Security Officer; General Counsel; Chief Information Officer; Public Relations; Chief Risk Officer (or CFO); Incident Response Manager; Human Relations; Marketing; Technology Architect; Internal Communications; External Counsel
57. Collaborating with Government Officials
ADVANTAGES
• Officials may be able to “connect the dots” across other information sources
• Early assistance with correct forensic procedures
• May reduce damage with more complete, efficient response
• Benefit of the doubt if administrative action taken
• Better positioned to stop a particular actor from attacking again
• Future partnership and information sharing
DISADVANTAGES
• Once engaged, the government will typically take control to manage a situation
• Administrative agency notification may be required sooner than an organization might feel comfortable
• Disclosing information to the government may necessitate involvement of external counsel earlier in the process
58. Data Breach Obligations
Data breach notification obligations may include:
• Administrative agencies overseeing federal regulations with which the organization must comply (e.g. FTC, FCC, OCR, OMB)
• Affected consumers under specific regulations (e.g. HIPAA)
• Shareholders, if a data breach is considered “material”
• Customers or insurers that are owed notification under contract
Based on the affected person’s residence, notification to:
• International authorities (e.g. the EU Data Protection Authorities)
• Consumers whose personal information has likely been compromised in a state with a statute requiring notification
• Major credit monitoring agencies and state AGs when required
• The media as an alternative to direct consumer notice over a specific volume
59. Key Takeaways
• Incident response is an effective risk management technique to protect organizational assets.
• Incident response plans must be exercised to ensure they are effective when used.
• Organizations must include executives early in the incident response process.
• Organizations should decide government involvement on a case-by-case basis.
• Organizations must be reasonably certain of exposure before labeling an incident a “data breach.”
60. More Information
Board of Governors of the Federal Reserve System, Interagency Guidelines Establishing Information Security Standards (Aug. 2, 2013), https://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm.
National Institute of Standards and Technology, Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2 (Aug. 2012), http://dx.doi.org/10.6028/NIST.SP.800-61r2.
National Initiative for Cybersecurity Careers and Studies, A Glossary of Common Cybersecurity Terminology, https://niccs.us-cert.gov/glossary.
National Conference of State Legislatures, Security Breach Notification Laws (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
United States Computer Emergency Readiness Team, US-CERT Federal Incident Notification Guidelines (Oct. 1, 2014), https://www.us-cert.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf.
61. Panel Discussion and Q&A
Program Faculty
• Professor Sharon Sandeen – Mitchell Hamline School of Law
• Andy Ubel – Chief Intellectual Property Counsel, Valspar Corp.
• Ken Morris – Senior Advisor, RedPoint Advisors
• Charlotte Tschider – Owner/Principal, Cybersimple Security, LLC