Jessica Santamaria, profile picture
Uploaded byJessica Santamaria
PDF, PPTX197 views

Emerging Trends in Information Privacy and Security

The document discusses emerging trends in information privacy and security, emphasizing the high costs of data breaches, including an average of $6.5 million per incident and various causes such as malicious attacks and human errors. It highlights the increasing importance of cybersecurity practices, integrated processes, and technology to protect sensitive data, along with legal and regulatory frameworks governing data protection. Additionally, it addresses the growing risks companies face due to interconnectivity, data privacy regulations, and the need for proactive risk management strategies.

Embed presentation

Download as PDF, PPTX
1 / 104
2 / 104
3 / 104
4 / 104
5 / 104
6 / 104
7 / 104
8 / 104
9 / 104
10 / 104
11 / 104
12 / 104
13 / 104
14 / 104
15 / 104
16 / 104
17 / 104
18 / 104
19 / 104
20 / 104
21 / 104
22 / 104
23 / 104
24 / 104
25 / 104
26 / 104
27 / 104
28 / 104
29 / 104
30 / 104
31 / 104
32 / 104
33 / 104
34 / 104
35 / 104
36 / 104
37 / 104
38 / 104
39 / 104
40 / 104
41 / 104
42 / 104
43 / 104
44 / 104
45 / 104
46 / 104
47 / 104
48 / 104
49 / 104
50 / 104
51 / 104
52 / 104
53 / 104
54 / 104
55 / 104
56 / 104
57 / 104
58 / 104
59 / 104
60 / 104
61 / 104
62 / 104
63 / 104
64 / 104
65 / 104
66 / 104
67 / 104
68 / 104
69 / 104
70 / 104
71 / 104
72 / 104
73 / 104
74 / 104
75 / 104
76 / 104
77 / 104
78 / 104
79 / 104
80 / 104
81 / 104
82 / 104
83 / 104
84 / 104
85 / 104
86 / 104
87 / 104
88 / 104
89 / 104
90 / 104
91 / 104
92 / 104
93 / 104
94 / 104
95 / 104
96 / 104
97 / 104
98 / 104
99 / 104
100 / 104
101 / 104
102 / 104
103 / 104
104 / 104
EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY November 18, 2015 Presentation
Logistics CPE Credit Requirements Takeaways
 Full service professional services firm:  Attest services  Tax preparation and compliance  IT audit  Data security and design  IT compliance  Internal control  Internal audit outsourcing  SSAE 16 services (SOC 1-3)  Over 80 professionals  Highly qualified in variety of specializations:  CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST  Affiliations:  AICPA, PCAOB, ACFEI, ISACA, PCAOB, TANGO, CICPAC, Practicewise, VACO Risk Solutions
 Vaco Risk Solutions  Specializing in helping our clients reduce their risks  30 locations strong  Highly qualified consultants ▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt  We belong to: ▪ Member of Information System Audit and Controls Association (ISACA) ▪ Member of American College of Forensic Examiners Institute (ACFEI) ▪ Association of Credit Union Internal Auditors (ACUIA) ▪ PCI Qualified Security Assessors certified by PCI Security Standards Council ▪ Payment Application Qualified Security Assessors certified by PCI Security Standards Council ▪ Member of Petroleum Convenience Alliance for Technology Standards (PCATS) ▪ Member of National Association of Convenience Stores (NACS) 4
• Averages: • Cost per incident - $6,500,000 • Records compromised - 28,070 • Cost per record - $217 • Average cost per record by industry: • Healthcare - $398 (highest) • Financial - $259 • Industrial - $190 • Retail - $189 • Public - $73 (lowest) • Cause of breaches: • 49% - Malicious or criminal attack • 19% - Human error • 32% - System glitch • Averages: • Cost per incident - $6,500,000 • Records compromised - 28,070 • Cost per record - $217 • Average cost per record by industry: • Healthcare - $398 (highest) • Financial - $259 • Industrial - $190 • Retail - $189 • Public - $73 (lowest) • Cause of breaches: • 49% - Malicious or criminal attack • 19% - Human error • 32% - System glitch The Cost of a Breach Source: Ponemon Institute’s 2015 Cost of Data Breach Study 6
Former FBI Director Mueller: “There are two types of companies, those that have been hacked and those that don’t know it”
 Gourav Mukherjee  Partner  Vaco Risk Solutions  Laurie Kamaiko  Partner  Sedgwick LLP  Shiraz Saeed  Product Specialist – Cyber Liability  AIG
 Speaker Risk Discussions  Panel Discussion – Best Practices and Strategies  Question andAnswer
Presenter: Gourav Mukherjee, Partner CISA, CISSP, CRISC, QSA, JD Enterprise Data Security Roadmap
With traditional culprits • Petty criminals • Organized crime • Governments
3 Cyber attacks dominating the news
Their targets and attack methods evolve 4
Current Environment* Creates Cybersecurity Demands 5*Skyrocketing data breaches and diminishing privacy, accompanied by huge fines and disintegrating public trust
Security morphs to “Cybersecurity’ 14 Gartner Group: Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.
Enterprise Data Security is a subset of Enterprise Cybersecurity 6
Foundation of Cybersecurity: The Golden Triangle 8
9 It starts with the right people … In-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt CustomersIn-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt Customers In-house staff Partners Outsourced Providers People Customers Security is only as good as its people. Points of Consideration:  People are the weakest link.  Staff will need a specialized skill set and experienced staff are often difficult to find  Current training is expensive, time consuming and non-effective  Need analysts for 24x7 coverage, other supporting functions must be considered: - System admins, Intelligence resources, Escalation resources, Compliance officers, Management / Supervision
10 Integrated processes …. In-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt CustomersIn-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt Customers Data Security processes and procedures must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements. Points of Consideration:  The Cybersecurity mission must be clearly defined – Incident discovery, CERT, etc.  An alarm does not always equate to action.  Processes must take into consideration evaluation and incorporation of a constantly changing stream of potentially threats  Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature. Process Threat Analysis Compliance Mgmt. SLA Mgmt. Risk AssessmentChange Mgmt. Vulnerability Mgmt. Identity & Access Incident Mgmt.
11 Built on a solid technology platform In-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt CustomersIn-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt Customers Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt. Ticketing System Change Tracking Technology is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc. Points of Consideration:  Security technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity  The number of disparate systems and volume of device / event data will typically require a dedicated IT staff for system administration  Capacity management can be challenge due to the need to support peak loads which may include DDoS, monthly batch processing, etc.  The management and reporting systems must be flexible enough to accommodate process and security policy as well as changes in the technology landscape
The changing requirements for enterprise data security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of security. Charter Governance Strategy Build a dedicated security operations capability Cross-functional (IT, Business, Audit, etc.) 3+ year cycle, priorities set by enterprise Technology or service only Self governed (IT Security) Budget based, 12 month planning cycle Mission&Strategy Tools Use Cases Referential Data SIEM, ticketing, portal/ dashboard, Big Data Tailored rules based on risk & compliance drivers Required data, used to prioritize work SIEM tool only Standard rules Minimal customization Minimal importance, Secondary priority Technology Measures Reporting Cross-functional, efficiency, quality, KPI/SLO/SLA Metrics, analytics, scorecards, & dashboards Silos, ticket/technology driven Ticket/technology driven Operations Management Proactive. Visible. Anticipate threats. Mitigate risks. Detect & react to threats. Security Cybersecurity
There is no app for enterprise data security… ….Don’t be a FOOL and think you just need to buy a TOOL
‹#›
Information (Data) Life Cycle 15 ISACA.ORG To identify residual risks and select appropriate technical measures and activities to protect confidential data, an organization must first understand how information flows throughout its systems over time and how the information is accessed and processed at different stages.
Principles of Data • Principle 1: Honor policies throughout the confidential data life span.3 This includes a commitment to process all data in accordance with applicable statutes and regulations, preserve privacy and respect customer choice and consent, and allow individuals to review and correct their information if necessary. • Principle 2: Minimize risk of unauthorized access or misuse of confidential data. The information management system should provide reasonable administrative, technical and physical safeguards to ensure confidentiality, integrity and availability of data. • Principle 3: Minimize the impact of confidential data loss. Information protection systems should provide reasonable safeguards, such as encryption, to ensure the confidentiality of data that are lost or stolen. Appropriate data breach response plans and escalation paths should be in place, and all employees who are likely to be involved in breach response should receive training. • Principle 4: Document applicable controls and demonstrate their effectiveness. 16
Roadmap to Data Security 17 Classification Discovery Security Enforcement Monitoring
Classification • Determine what data are sensitive to the organization, either for regulatory compliance and/or internally. ▫ Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees within the organization regarding data stewardship ▫ To be effective, a classification scheme should be simple enough that all employees can execute it properly. • EDUCATE and TRAIN 18
Discovery • Find out where the sensitive data are located, how they flow, who can access them, performance and other requirements for security. ▫ Data Mapping: Structured and Unstructured Data  Location  Relevance  Sensitivity  Use  Correctness ▫ Cleanup/Remediate ▫ EDUCATE and TRAIN 19
Security • Apply the data security method(s) that best achieve the requirements from discovery, and protect the data according to the sensitivity determined in classification. ▫ Data at rest, transit and disposal ▫ Frameworks  Cybersecurity framework – NIST  ISACA  IS0 27001  Best Practices ▫ EDUCATE and TRAIN 20
Enforcement • Design and implement processes and technology to disclose sensitive data only to authorized users, according to the least possible amount of information required to perform job functions (least-privilege principle). ▫ EDUCATE and TRAIN 21
Monitoring • Ensure ongoing, highly granular monitoring of any attempts to access sensitive data. Monitoring is the only defense against authorized user data abuse. ▫ Internal and External ▫ EDUCATE and TRAIN 22
23 Enterprise Data Security is a subset of Enterprise Cybersecurity NIST 800-53
Gourav@vaco.com 18
EMERGING TRENDS IN DIGITAL PRIVACY AND SECURITY: THE LEGAL LANDSCAPE Laurie Kamaiko Cybersecurity and Privacy Group Sedgwick LLP New York Office Laurie.Kamaiko@sedgwicklaw.com Telephone 212.898.4015 12
Cyber Risks – Why Do You Care?  Every company is vulnerable if subject to a successful cyber attack  Every company is subject to a loss or cost  Every company is subject to statutory or regulatory compliance of some kind, especially if a breach of personal information  resultant risk of regulatory inquiry and litigation
Cyber Risks – Why Do You Care?  Every company can reduce these risks and resultant costs by:  Awareness  Preparedness  Reducing human error element
Current & Impending Cyber Risks & Exposures Data Breaches of Personally Identifiable Information (PI) and Protected Health Information (PHI) of Individuals  Type of information defined by statutes and regulations  Heavily regulated to protect against identity theft and fraudulent transactions  Security requirements  Breach response requirements  Traditionally name plus:  Financial account, payment card numbers  Government-issued identification, social security number, etc.  Variations Include: Health information, insurance account  Trend toward expansion of what constitutes protected PI:  Online account credentials  Medical biometric information 15
Current & Impending Cyber Risks & Exposures  Theft of Other Confidential Information  Trade secrets / IP / business secrets  Client/customer secrets  Cyber attacks on property and business functions  Denial of service attacks/disruption of business and operating systems  Targeting your company  Targeting others or critical infrastructure  affecting your company  Financially motivated versus malicious versus political  Extortion 16
Current & Impending Cyber Risks & Exposures  Business Practices in Collection/Usage/Disclosure and Information About Individuals  Online behavior tracking  Collection and usage of information on individuals  Sharing of that information  Disclosure of collection and sharing  Storage beyond need  Zip code collection (when not necessary for credit card transaction)  Privacy policy and terms of use statements/sufficiency  Increased use of vendors 17
Current & Impending Cyber Risks & Exposures  “Big Data”  Collection and analysis of data about consumer and populations has become important to most companies  Its use and transferability are part of many corporate transactions  Planning  Marketing  Acquisitions  Divestitures  Data Security, privacy and practices present myriad of (non) compliance risks  Laws  Regulations  Controls  Due diligence obligations
Current & Impending Cyber Risks & Exposures  Increasing Risks From:  Internet of Things  Increased Interconnectivity  Increased Vulnerability  13.4 Billion in 2015  > 25 to 75 Billion Interconnected Devices by 2020  Increased Use of Vendors  Vendor Vulnerability  Access to company data  Avenue for malware intrusion  Lack of control  increased need for due diligence  Contractual responsibilities and liabilities  Incorporating Use of Personal Devices and Social Media Into Work Place 19
Current & Impending Cyber Risks & Exposures  Increasing National/Regulatory Agency/Industry Standards   Expansion of statutory liabilities  Increased regulatory enforcement  Increase in contractual responsibilities o All increase potential liabilities for non-compliance o Compliant today may not be compliant tomorrow  Growth of Contractual Obligations o Security o Breach response o Indemnity 20
Current & Impending Cyber Risks & Exposures  All entities are at risk  Employee information  Customers’/clients’ information  Business information  Functions you perform for others  Functions others perform for you  Small company small risk  Industries most targeted:  Financial Institutions  Healthcare  Educational institutions  Retail  Service providers to targeted companies 21
The Sources of Exposures CYBER RISKS Fraud Theft Deceit Hacktivisim Terrorism Rogue Employees External Hackers Phishing Trojans Botnots System Failure Poor Data Protection Security Flaw Accidental Disclosure Lost Devices Negligence/ Inadvertent Activity (Human Error) Criminal/ Malicious Activity Insiders ▪ Outsiders ▪ Vendors/Agents 22
Costs and Exposures From a Data Breach Direct Response Costs  Crisis Management • Legal forensics • Mandatory notifications (PI/PHI) • Remediation to consumers • Remediation of breached system • Contractual indemnities and penalties  Claims • Contractual • Third parties affected (clients, consumers) • Legal fees for defense • Settlements/judgments Business Costs  Business disruption  Management resources  Impairment systems and equipment  Reputation Harm  Customer turnover  Loss of profits/earnings  Reconstitution of lost data  Marketing  Voluntary notifications  Loss of IP/secrets/business opportunities 23
Legal and Regulatory Framework  Three Themes  Privacy  Collecting, using, and disclosing/sharing certain levels of data about individuals  Security  Protecting data against loss, unauthorized acquisition, misuse, or damage Implementing “reasonable” & “appropriate” measures to protect data  Breach Notification  Notifying those affected and governmental agencies when security is breached  Content and notice requirements vary  Generally “breach” defined to mean:  Unauthorized acquisition or misuse of found information  In some states/regulations, unauthorized access sufficient  Not all require likelihood of harm24 Requirements can vary depending on jurisdiction, agency with oversight, type of entity breached and type of data
Legal and Regulatory Framework  State Laws Mandating Security and Breach Response  47 States Have Breach Response Requirements  Lesser Number (But Growing) Have Security Requirements  Expanding Requirements (e.g., Level of Encryption) and Scope (Types of Information)  State Laws Mandating Disclosure of Collection, Usage and Security Practices  Business Practices Are Under Scrutiny  Growing Trend to Regulate and Enforce (Starting in California) 25
Legal and Regulatory Framework  Federal and Sector-Specific Laws and Regulations  Not Yet National Statute Re Security and Breach Notice, Though Bills Pending  Both Federal Agency and State Agency Can Enforce  Healthcare: HIPAA and HiTech  Financial: Gramm-Leach-Bliley, et al.  Public Companies: SEC (Disclosure Guidelines)  Also: Red Flags Rule, FCRA, Can-Spam, Video Privacy Protection Act, etc.  Federal Agency Guidelines: SEC, FTC, FDA, FCC, NIST For Critical Infrastructure, etc.  International: Data Security and Response Requirements  Cross-Boarder Transfer of Information About Individuals and Other Countries  Recent Upheaval Re: U.S. Safe Harbor Program for Transfer of PI to U.S. Declared Invalid By E.U. Commission October 6, 2015
Legal and Regulatory Framework  Increasing Enforcement  Regulatory Enforcement Actions More Frequent & Resulting in Larger Settlements o 20 years of monitoring/audits  AGs, OCR (healthcare) and Other Regulatory Agencies Focus on Companies That: o Knew or should have known of a problem o Did not do pre-incident assessment of their data and their security o Did not have incident response plans in place  FTC Enforcement Focused on Unfair and Deceptive Trade Practices o “Unfair” -- Inadequate security o “Deceptive” – Not act in conformity with policies and statements  Private Litigation/Class Actions 27
Industry Internal Regulation: Credit / Debit Cards  PCI – DSS (Payment Card Industry Data Security Standards)  Contract-based obligations applicable to all involved in chain of card processing  Requires specified security measures to protect credit card transactions  Incorporated into some state statutes (e.g., Nevada, New Mexico, Washington)  New rules require due diligence and responsibility for vendors • Major Factor in Any Credit Card Breaches  Most entities not fully compliant with PCI DSS • Liability Impact  Breached merchants contractually liable for substantial assessments/fines for PCI-DSS violations led to breaches  Basis of negligence and other allegations in 31 party claims  New liability shifting for costs of fraudulent transactions if merchant does not institute new chip card processing 28
Litigation Trends: Statutory, Regulatory, Contractual  Holding Companies Accountable  For Your Own Practices  For Your Business Partners  Due Diligence of Vendors  If You Are a Vendor, Responsibility for Sensitive Information of Clients That You access, e.g.,:  Business Associates & HIPAA-Covered Entities  Notice Obligations If Breach, at Least to Business Client  Scrutinizing Pre-Breach Efforts at Compliance, If Not Just Breach and Post-Breach Response
Litigation Trends: Statutory, Regulatory, Contractual  Litigation Arising From Breaches of PI  Failure to adequately secure information  Failure to timely notify of breach  Failure to adequately respond to breach  Misrepresentation of security vulnerability, effect  Pre-Breach  Post-Breach  Unjust enrichment (part of fees paid is for security not provided)  Lost value of stolen information  Loss of use of service or hardware  Violation of consumer protection statutes  statutory $ awards  Avoids Issue of Whether Plaintiffs Sustained Actual Damage  > 80 different causes of action have been identified 30
Litigation Trends: Statutory, Regulatory, Contractual  Potential Plaintiffs  Consumers whose information is accessed (consumer class actions)  Financial institutions affected (fraud charges, card replacement costs, etc.)  Shareholder/derivative suits  Share price drops  Wasting of corporate assets  Board approval of inadequate security/failure assess/address vulnerabilities  Misrepresentation/failure to disclose:  Cause, Information at Risk, Remediation  Breached entity seeking contribution from others contributing to lapse in security: vendors, advisors, etc.  Regulators 31
Litigation Trends: Statutory, Regulatory, Contractual  Potential Defendants  Breached entities  Vendors holding an access route to information  Security vendors involved in security or design, security assessments, or remediation  Professional advisors  D&Os approving company security policies, responses and financial disclosures 32
Other Privacy Litigation  Theories of Liability for Non-Breach Privacy Lawsuits  Consumer Tracking/Online Behavioral Advertising  Improper collection practices  Improper disclosures  Statutory Violations That are Not Data Breaches Per Se  Privacy Violations – From Business Practices  Wrongful collection/sale of PI  Failure disclose collection/sharing of PI (e.g., California)  Adequacy of privacy policies (websites, mobile apps)  Non-compliance with representations in privacy policies  Zip codes as wrongfully collected PI by retailers without need (California, Massachusetts, and possibly other states in future)  Unauthorized distribution (blasting, e.g., TCPA)  Restrictions on recording of business calls with consumers  Trend toward asserting violations of unfair trade practices and consumer protections  seeking statutory damages 33
Factors Reducing Costs of Breaches  Board-Level Involvement in Breach  Insurance Protection  Industry  Regulated Industries, Such as Healthcare and Education, More Costly  Ponemon study
Factors Reducing Costs of Breaches  Company Has Plans In Place  Incident Response Plan  Lawyer on Retainer  Pre-Negotiated Contracts/Rates for Forensics, Customer Notification, Call Centers, Credit Card Monitoring  Increased Costs if Breach due to Hackers/Criminal Insiders (47% Breaches)  Verizon study
Risk Management Tips  Be Prepared  Be Aware of the Issues and Vulnerabilities o Yours o Your Business Partners  Identify Your Data Assets and Where Sensitive Data Is Located o On Your Systems and Within Your Company  Perform Risk Threat Assessments, and Identify Controls and Their Effectiveness  Allocate Resources: $, Management o SEU  Create Policies and Procedures Before an Incident  Privacy  Training  Incident Response ■ Vendor Selection, Due Diligence and Management 36
Risk Management Tips • Be Prepared continued  Accept It Is Not Just an IT Issue  Preparedness & response requires involvement of all departments, including: C-Suite, Legal, IT, Risk Management, Human Resources, Marketing, Operations  Institute a Culture of Compliance  “Privacy by Design”  Practice  Table Tops, “Fire Drills”  Legal Compliance
Risk Management Tips  Identify √ High Risk, High Value Data and Risks of Loss Breach √ Controls  Protect √ Create Systematic Protections, Bring in Technology & Experts to Address Vulnerabilities & Increase Protections √ Due Diligence on Vendors  Prepare √ Develop Policies and Response Plans √ Risk Transfer: Insurance, Contractual Indemnity with Vendors  Train √ Train all employees √ Table tops, Drill √ Test  Repeat 38
Laurie Kamaiko Cybersecurity and Privacy Group Sedgwick LLP New York Office Laurie.Kamaiko@sedgwicklaw.com Telephone 212.898.4015 39 82364316v1 Questions?
Cyber Liability – Network Security and Privacy
 Identify exposures  Third party liability  First party losses  Other coverage sections  Claims  Sample situation  AIG enhancements  Conclusion 41 Agenda
42 Do You Handle Confidential Information? How Do We Identify Exposures? Where Do You Store The Information? Do You Have A Website?  Own company (including employees)  Clients (confidential, personal, or commercial)  Computer network – do you operate the network yourself or outsource to a vendor?  Paper records  What content is on the site?  Can employees or third parties upload content (blog, post pictures or comments)?
 Internally – Employees/Vendors – Malicious - Stealing Information (Card Skimming) – Negligence – Lost Resources (Laptop, Smart Phone, Tablet) – Vendor Contracts – Indemnification  Externally – Individual Hackers/Organized Crime – Stealing Information – Sending Viruses/Malicious Code – Disruption Of Business (Vandalism) 43 HOW CAN AN EVENT OCCUR?
 Network Security Failure – Failure of a company to protect their computer systems – Virus, malicious code, malware attacks  Privacy Event – Failure to protect confidential information – Personal or corporate; online or offline – Violation of any Federal, State, or local privacy statute – Failure to comply with PCI-DSS standards  Allegations Can be Brought by – Government agencies, individuals, businesses or administrative 44 THIRD PARTY COVERAGE
 Event Management – Incident Response Plan – Breach Consultation – Legal Consultation – Forensic Investigation – Public Relations Services – Notification To Consumers Based On State Mandate – Providing ID-monitoring/Credit Monitoring – Lost Electronic Data 45 FIRST PARTY COVERAGE
 Network Interruption – Addresses loss of income and operating expenses resulting from the interruption or suspension of business due to a failure of network security  Cyber Extortion – Provides coverage for extortion threats against a company’s computer network and confidential information by an outsider seeking money or other valuables 46 FIRST PARTY COVERAGE
Media Content Liability  Companies Have Published Content – Website, print, broadcast  Typical Types of Claims – Trademark and copyright infringement – Defamation, false light and imprisonment – Product disparagement, infliction of emotional distress 47 THIRD PARTY COVERAGE
48 CYBEREDGE BREACH RESOLUTION TEAM  24/7 hotline staffed by IBM experts to respond to Insureds concern that they may be victim of a breach  The IBM experts will go over key indicators of a breach with the Insured’s IT department to determine if one has indeed occurred.  If a breach is suspected or has occurred, Insureds will be automatically connected with our CyberEdge Breach Resolution Team. © American International Group, All rights reserved. CyberEdge Hotline: 1-800-CYBR-345 (292–7345)
49 BREACH RESPONSE TIMELINE
50 SAMPLE SITUATION  HIPAA: Privacy regulations that govern the healthcare industry  HITECH Act (Health Information Technology for Economic and Clinical Health Act)  Enacted on February 17, 2009  Breach notification requirements for HIPAA covered entities + business associates  Breach notification applies to HIPAA to promote the adoption and meaningful use of health information technology  Subtitle D of the HITECH Act addresses the privacy and security  Outlines the guidelines for who, what, where, when a privacy breach occurs Access Record Maintain Destroy Retain Hold Modify Use Source: www.healthit.gov Covered Entity: Hospital
51 GUIDELINES If… Then… Breach occurs Written notice, first class mail at last known address, as soon as practicable no later than 60 days after discovery of breach Individual is deceased Notify next of kin Insufficient information for 10+ individuals Home page of website of covered entity or major print or broadcast media Urgent Telephone 500+ residents in a given state 1. Prominent media outlet within the state 2. Notify the Secretary within 60 days 3. Secretary to post on an HHS Web site a list that identifies each covered entity involved Source: www.healthit.gov
52  Letters/E-mail typically include the following:  Description of what happened, date of the breach and the date of the discovery of the breach  Description of the types of unsecured PHI that were involved in the breach (i.e. full name, Social Security number, date of birth etc.)  The steps individuals should take to protect themselves from potential harm resulting from the breach  Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches  Contact procedures for individuals NOTIFICATION REQUIREMENTS Source: www.healthit.gov
53 AIG VALUE PROPOSITION
54 AIG Enhancements
55
56
57
 Detects vulnerabilities across network devices, servers, web applications, and databases to help reduce risk exposure and better manage compliance requirements  Strong security expertise provides vulnerability identification with resulting prioritized plan for remediation and improved security INFRASTRUCTURE VULNERABILITY SCANNING POWERED BY IBM Key Components • Reports help demonstrate compliance with federal, state and industry regulations • Assess an environment from either the external or internal perspective • IBM Security expertise improves accuracy of findings and reduces mitigation time • Consultation on recommendations for improved security © American International Group, All rights reserved.
59 AIG ENHANCEMENTS
 Leading edge global threat intelligence and technology that isolates and shuns IP addresses currently being used by criminals.  Before initiating an attack on a network, criminals first conduct reconnaissance to confirm that certain IP addresses are viable targets.  Shunning prevents these criminal communications from reaching a network and confirming the IP addresses as viable targets WHAT IS IP SHUNNING?
61 DYNAMIC THREAT MATRIX
62 IP SHUNNING TYPICAL DEPLOYMENT
63 BLOCKED ATTACKS BY TYPE 63
64 CYBEREDGE RISKTOOL  Web-based customizable risk management platform  Manage the human element of cyber risk and manage compliance  Pre-populated with:  Corporate security policies  Training with exams  Self assessments and risk guides  Simplifies and documents end user training  Unlimited use
65 CYBEREDGE RISKTOOL
 Two complimentary hours from a specialized law firm to provide guidance on building and executing an incident response plan, as well as ensuring an organization is compliant with regulatory standards.  One complimentary hour from a forensic firm on what an organization’s technical response plan should include.  One complimentary hour from a vetted public relations firm to discuss an effective crisis communication plan to handle and mitigate the potential reputational and brand risk an organization would face in the event of a breach. CONSULTATION SERVICES © American International Group, All rights reserved.
67 COMPLIANCE/LEGAL CONSULTATION
68 American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries.. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIG_LatestNews | LinkedIn: http://www.linkedin.com/company/aig AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds. Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Android and Google Play are trademarks of Google Inc. Shiraz Saeed - Product Specialist - Cyber Liability Tel +1 908 679 3472 | Cell +1 908 698 2269 | shiraz.saeed@aig.com
Panel Discussion
 How do I mitigate my risk with the growing use of mobile and portable technologies?  Policies and Education  Social networking awareness  Encryption  Remote Wipes/Autolocks  Obtaining employee consent  Backing up company information on an employee device  Do’s and Don’ts of mobile use  Laptop Safety
 What should I be doing to prepare my Company for the increased regulations related to IT Security?  Understand business activities subject to regulation for privacy considerations ▪ Disclosure of PI collections and sharing procedures ▪ Website and mobile app privacy ▪ Credit card information  Know how changes in business operations impact compliance requirements  Accept responsibility for compliance ▪ EXECUTIVE MANAGEMENT ▪ BOARD OF DIRECTORS
Questions?
Do You Know the SCORE? •Security •Compliance and •Operations •Risk •Evaluation
Do You Know the SCORE? • A high level assessment of the key components of your IT environment: –IT operations –Physical security –Logical security –Mobile devices –Recovery –Network security –Online security –Data privacy and security compliance –System and hardware controls
The SCORE Report
The SCORE Report
Michael Camacho, Partner mcamacho@lgcd.com Kevin Ricci, Director of IT kricci@lgcd.com
 What are some of the things I need to consider when using 3rd party service providers?  For all vendors: ▪ Due diligence on their data security ▪ Coordination of representations in privacy policies ▪ Allocation of responsibilities in event of breach ▪ Terms in vendor agreements: ▪ Indemnification provisions ▪ Access provisions ▪ Insurance requirements (cyber and other)  Cloud computing ▪ Identify the assets for cloud deployment ▪ Evaluate the assets ▪ Map the assets to the cloud deployment model ▪ Evaluate potential cloud service models ▪ Map out data flow
 What should I be doing to prepare the Company for a breach?  Screen new hires and vendors  Annual risk assessments  Educate employees  Discuss privacy by design with operations people  Pre-arrange breach service providers  Develop a cross functional privacy committee for breach planning and response  Discuss information collection and disclosure practices with all departments  Consider insuring against risks
 What can I do to better protect my data from cyber crime?  Data Mapping - Understand WHAT your sensitive data is and WHERE it resides  Perform a security risk assessment  Set security standards  Develop comprehensive policies  Provide security training  Adopt a business plan  Spear Phishing Do’s and Don’ts

More Related Content

PPTX
Security assessment isaca sv presentation jan 2016
byEnterpriseGRC Solutions, Inc.
 
PPTX
Information Security Assessment Offering
byeeaches
 
PDF
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
PPSX
Does audit make us more secure
byEnterpriseGRC Solutions, Inc.
 
PDF
Combating Fraud: Six Principles for Security
byStrategic Treasurer
 
PDF
bsi-cyber-resilience-presentation
byAjai Srivastava
 
PDF
How to measure your cybersecurity performance
byAbhishek Sood
 
PDF
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
byResolver Inc.
 
Security assessment isaca sv presentation jan 2016
byEnterpriseGRC Solutions, Inc.
 
Information Security Assessment Offering
byeeaches
 
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
Does audit make us more secure
byEnterpriseGRC Solutions, Inc.
 
Combating Fraud: Six Principles for Security
byStrategic Treasurer
 
bsi-cyber-resilience-presentation
byAjai Srivastava
 
How to measure your cybersecurity performance
byAbhishek Sood
 
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
byResolver Inc.
 

What's hot

PDF
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
byDevOps.com
 
PDF
Whitepaper - Application Delivery in PCI DSS Compliant Environments
byJason Dover
 
PDF
Why does-your-company-need-a-third-party-risk-management-program
byCharles Steve
 
PPTX
Banks and cybersecurity v2
bySemir Ibrahimovic
 
PDF
Cyber Risk Quantification | Safe Security
byRahul Tyagi
 
PDF
A compliance officer's guide to third party risk management
bySALIH AHMED ISLAM
 
PDF
Corporate Treasurers Focus on Cyber Security
byJoan Weber
 
PDF
Cyber Security Tips and Resources for Financial Institutions
byColleen Beck-Domanico
 
PDF
How to Establish a Cyber Security Readiness Program
byMatt Moneypenny
 
PDF
Security_360_Marketing_Package
byRandy B.
 
PDF
How close is your organization to being breached | Safe Security
byRahul Tyagi
 
PPTX
Corp Overview 11510
byjduhaime
 
PDF
200606_NWC_Strategic Security
byChad Korosec
 
PDF
2015 Scalar Security Study Executive Summary
bypatmisasi
 
PPTX
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
byUnified11
 
PDF
Executive Summary of the 2016 Scalar Security Study
byScalar Decisions
 
PDF
third party risk management best practices
bySALIH AHMED ISLAM
 
PDF
The 4 Challenges of Managing Privacy Incident Response
byElizabeth Dimit
 
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
byDevOps.com
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
byJason Dover
 
Why does-your-company-need-a-third-party-risk-management-program
byCharles Steve
 
Banks and cybersecurity v2
bySemir Ibrahimovic
 
Cyber Risk Quantification | Safe Security
byRahul Tyagi
 
A compliance officer's guide to third party risk management
bySALIH AHMED ISLAM
 
Corporate Treasurers Focus on Cyber Security
byJoan Weber
 
Cyber Security Tips and Resources for Financial Institutions
byColleen Beck-Domanico
 
How to Establish a Cyber Security Readiness Program
byMatt Moneypenny
 
Security_360_Marketing_Package
byRandy B.
 
How close is your organization to being breached | Safe Security
byRahul Tyagi
 
Corp Overview 11510
byjduhaime
 
200606_NWC_Strategic Security
byChad Korosec
 
2015 Scalar Security Study Executive Summary
bypatmisasi
 
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
byUnified11
 
Executive Summary of the 2016 Scalar Security Study
byScalar Decisions
 
third party risk management best practices
bySALIH AHMED ISLAM
 
The 4 Challenges of Managing Privacy Incident Response
byElizabeth Dimit
 

Similar to Emerging Trends in Information Privacy and Security

PDF
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
PPTX
A guide to Sustainable Cyber Security
byErnest Staats
 
PPTX
Defensible cybersecurity-jan-25th-
byIT Strategy Group
 
PDF
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
byTaiye Lambo
 
PPTX
Phi 235 social media security users guide presentation
byAlan Holyoke
 
PDF
BEA Presentation
byGlenn E. Davis
 
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
PPTX
2016 Risk Management Workshop
byStacy Willis
 
PPT
Information Security Framework
byssuser65fa31
 
PDF
CIA-Triad-Presentation.pdf
byBabyBoy55
 
PDF
Rothke stimulating your career as an information security professional
byBen Rothke
 
PDF
managed-security-for-a-not-so-secure-world-wp090991
byJim Romeo
 
PPTX
CRS Company Overview -Feb 6 2017
byJoseph John
 
PPTX
Your data is your business: Secure it or Lose it!
byPerformance Tuning Corporation
 
PDF
Credit Union Cyber Security
byStacy Willis
 
PDF
Information Security It's All About Compliance
byDinesh O Bareja
 
PDF
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
PDF
Cybersecurity solution-guide
byAdilsonSuende
 
PDF
Data Security Service Offering-v3
byAbe Newton
 
PDF
2018-11-15 IT Assessment
byRaffa Learning Community
 
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
A guide to Sustainable Cyber Security
byErnest Staats
 
Defensible cybersecurity-jan-25th-
byIT Strategy Group
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
byTaiye Lambo
 
Phi 235 social media security users guide presentation
byAlan Holyoke
 
BEA Presentation
byGlenn E. Davis
 
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
2016 Risk Management Workshop
byStacy Willis
 
Information Security Framework
byssuser65fa31
 
CIA-Triad-Presentation.pdf
byBabyBoy55
 
Rothke stimulating your career as an information security professional
byBen Rothke
 
managed-security-for-a-not-so-secure-world-wp090991
byJim Romeo
 
CRS Company Overview -Feb 6 2017
byJoseph John
 
Your data is your business: Secure it or Lose it!
byPerformance Tuning Corporation
 
Credit Union Cyber Security
byStacy Willis
 
Information Security It's All About Compliance
byDinesh O Bareja
 
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
Cybersecurity solution-guide
byAdilsonSuende
 
Data Security Service Offering-v3
byAbe Newton
 
2018-11-15 IT Assessment
byRaffa Learning Community
 

Recently uploaded

PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 

Emerging Trends in Information Privacy and Security

  • 1.
    EMERGING TRENDS IN INFORMATIONPRIVACY AND SECURITY November 18, 2015 Presentation
  • 2.
  • 3.
     Full serviceprofessional services firm:  Attest services  Tax preparation and compliance  IT audit  Data security and design  IT compliance  Internal control  Internal audit outsourcing  SSAE 16 services (SOC 1-3)  Over 80 professionals  Highly qualified in variety of specializations:  CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST  Affiliations:  AICPA, PCAOB, ACFEI, ISACA, PCAOB, TANGO, CICPAC, Practicewise, VACO Risk Solutions
  • 4.
     Vaco RiskSolutions  Specializing in helping our clients reduce their risks  30 locations strong  Highly qualified consultants ▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt  We belong to: ▪ Member of Information System Audit and Controls Association (ISACA) ▪ Member of American College of Forensic Examiners Institute (ACFEI) ▪ Association of Credit Union Internal Auditors (ACUIA) ▪ PCI Qualified Security Assessors certified by PCI Security Standards Council ▪ Payment Application Qualified Security Assessors certified by PCI Security Standards Council ▪ Member of Petroleum Convenience Alliance for Technology Standards (PCATS) ▪ Member of National Association of Convenience Stores (NACS) 4
  • 7.
    • Averages: • Costper incident - $6,500,000 • Records compromised - 28,070 • Cost per record - $217 • Average cost per record by industry: • Healthcare - $398 (highest) • Financial - $259 • Industrial - $190 • Retail - $189 • Public - $73 (lowest) • Cause of breaches: • 49% - Malicious or criminal attack • 19% - Human error • 32% - System glitch • Averages: • Cost per incident - $6,500,000 • Records compromised - 28,070 • Cost per record - $217 • Average cost per record by industry: • Healthcare - $398 (highest) • Financial - $259 • Industrial - $190 • Retail - $189 • Public - $73 (lowest) • Cause of breaches: • 49% - Malicious or criminal attack • 19% - Human error • 32% - System glitch The Cost of a Breach Source: Ponemon Institute’s 2015 Cost of Data Breach Study 6
  • 8.
    Former FBI Director Mueller: “Thereare two types of companies, those that have been hacked and those that don’t know it”
  • 9.
     Gourav Mukherjee Partner  Vaco Risk Solutions  Laurie Kamaiko  Partner  Sedgwick LLP  Shiraz Saeed  Product Specialist – Cyber Liability  AIG
  • 10.
     Speaker RiskDiscussions  Panel Discussion – Best Practices and Strategies  Question andAnswer
  • 11.
    Presenter: Gourav Mukherjee, Partner CISA,CISSP, CRISC, QSA, JD Enterprise Data Security Roadmap
  • 12.
    With traditional culprits •Petty criminals • Organized crime • Governments
  • 13.
  • 14.
    Their targets andattack methods evolve 4
  • 15.
    Current Environment* Creates Cybersecurity Demands 5*Skyrocketing data breachesand diminishing privacy, accompanied by huge fines and disintegrating public trust
  • 16.
    Security morphs to“Cybersecurity’ 14 Gartner Group: Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.
  • 17.
    Enterprise Data Security is asubset of Enterprise Cybersecurity 6
  • 18.
  • 19.
    9 It starts withthe right people … In-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt CustomersIn-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt Customers In-house staff Partners Outsourced Providers People Customers Security is only as good as its people. Points of Consideration:  People are the weakest link.  Staff will need a specialized skill set and experienced staff are often difficult to find  Current training is expensive, time consuming and non-effective  Need analysts for 24x7 coverage, other supporting functions must be considered: - System admins, Intelligence resources, Escalation resources, Compliance officers, Management / Supervision
  • 20.
    10 Integrated processes …. In-housestaff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt CustomersIn-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt Customers Data Security processes and procedures must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements. Points of Consideration:  The Cybersecurity mission must be clearly defined – Incident discovery, CERT, etc.  An alarm does not always equate to action.  Processes must take into consideration evaluation and incorporation of a constantly changing stream of potentially threats  Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature. Process Threat Analysis Compliance Mgmt. SLA Mgmt. Risk AssessmentChange Mgmt. Vulnerability Mgmt. Identity & Access Incident Mgmt.
  • 21.
    11 Built on asolid technology platform In-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt CustomersIn-house staff Partners Outsourced Providers People Process Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt Ticketing System Change Tracking Threat Analysis Compliance Mgmt SLA Mgmt Risk AssessmentChange Mgmt Vulnerability Mgmt Identity & Access Incident Mgmt Customers Technology Log Management Compliance Reporting Event Correlation Threat Reporting Vulnerability Scanners Identity & Desktop Mgmt. Ticketing System Change Tracking Technology is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc. Points of Consideration:  Security technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity  The number of disparate systems and volume of device / event data will typically require a dedicated IT staff for system administration  Capacity management can be challenge due to the need to support peak loads which may include DDoS, monthly batch processing, etc.  The management and reporting systems must be flexible enough to accommodate process and security policy as well as changes in the technology landscape
  • 22.
    The changing requirementsfor enterprise data security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of security. Charter Governance Strategy Build a dedicated security operations capability Cross-functional (IT, Business, Audit, etc.) 3+ year cycle, priorities set by enterprise Technology or service only Self governed (IT Security) Budget based, 12 month planning cycle Mission&Strategy Tools Use Cases Referential Data SIEM, ticketing, portal/ dashboard, Big Data Tailored rules based on risk & compliance drivers Required data, used to prioritize work SIEM tool only Standard rules Minimal customization Minimal importance, Secondary priority Technology Measures Reporting Cross-functional, efficiency, quality, KPI/SLO/SLA Metrics, analytics, scorecards, & dashboards Silos, ticket/technology driven Ticket/technology driven Operations Management Proactive. Visible. Anticipate threats. Mitigate risks. Detect & react to threats. Security Cybersecurity
  • 23.
    There is noapp for enterprise data security… ….Don’t be a FOOL and think you just need to buy a TOOL
  • 24.
  • 25.
    Information (Data) LifeCycle 15 ISACA.ORG To identify residual risks and select appropriate technical measures and activities to protect confidential data, an organization must first understand how information flows throughout its systems over time and how the information is accessed and processed at different stages.
  • 26.
    Principles of Data •Principle 1: Honor policies throughout the confidential data life span.3 This includes a commitment to process all data in accordance with applicable statutes and regulations, preserve privacy and respect customer choice and consent, and allow individuals to review and correct their information if necessary. • Principle 2: Minimize risk of unauthorized access or misuse of confidential data. The information management system should provide reasonable administrative, technical and physical safeguards to ensure confidentiality, integrity and availability of data. • Principle 3: Minimize the impact of confidential data loss. Information protection systems should provide reasonable safeguards, such as encryption, to ensure the confidentiality of data that are lost or stolen. Appropriate data breach response plans and escalation paths should be in place, and all employees who are likely to be involved in breach response should receive training. • Principle 4: Document applicable controls and demonstrate their effectiveness. 16
  • 27.
    Roadmap to DataSecurity 17 Classification Discovery Security Enforcement Monitoring
  • 28.
    Classification • Determine whatdata are sensitive to the organization, either for regulatory compliance and/or internally. ▫ Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees within the organization regarding data stewardship ▫ To be effective, a classification scheme should be simple enough that all employees can execute it properly. • EDUCATE and TRAIN 18
  • 29.
    Discovery • Find outwhere the sensitive data are located, how they flow, who can access them, performance and other requirements for security. ▫ Data Mapping: Structured and Unstructured Data  Location  Relevance  Sensitivity  Use  Correctness ▫ Cleanup/Remediate ▫ EDUCATE and TRAIN 19
  • 30.
    Security • Apply thedata security method(s) that best achieve the requirements from discovery, and protect the data according to the sensitivity determined in classification. ▫ Data at rest, transit and disposal ▫ Frameworks  Cybersecurity framework – NIST  ISACA  IS0 27001  Best Practices ▫ EDUCATE and TRAIN 20
  • 31.
    Enforcement • Design andimplement processes and technology to disclose sensitive data only to authorized users, according to the least possible amount of information required to perform job functions (least-privilege principle). ▫ EDUCATE and TRAIN 21
  • 32.
    Monitoring • Ensure ongoing,highly granular monitoring of any attempts to access sensitive data. Monitoring is the only defense against authorized user data abuse. ▫ Internal and External ▫ EDUCATE and TRAIN 22
  • 33.
    23 Enterprise Data Security is asubset of Enterprise Cybersecurity NIST 800-53
  • 34.
  • 35.
    EMERGING TRENDS INDIGITAL PRIVACY AND SECURITY: THE LEGAL LANDSCAPE Laurie Kamaiko Cybersecurity and Privacy Group Sedgwick LLP New York Office Laurie.Kamaiko@sedgwicklaw.com Telephone 212.898.4015 12
  • 36.
    Cyber Risks –Why Do You Care?  Every company is vulnerable if subject to a successful cyber attack  Every company is subject to a loss or cost  Every company is subject to statutory or regulatory compliance of some kind, especially if a breach of personal information  resultant risk of regulatory inquiry and litigation
  • 37.
    Cyber Risks –Why Do You Care?  Every company can reduce these risks and resultant costs by:  Awareness  Preparedness  Reducing human error element
  • 38.
    Current & ImpendingCyber Risks & Exposures Data Breaches of Personally Identifiable Information (PI) and Protected Health Information (PHI) of Individuals  Type of information defined by statutes and regulations  Heavily regulated to protect against identity theft and fraudulent transactions  Security requirements  Breach response requirements  Traditionally name plus:  Financial account, payment card numbers  Government-issued identification, social security number, etc.  Variations Include: Health information, insurance account  Trend toward expansion of what constitutes protected PI:  Online account credentials  Medical biometric information 15
  • 39.
    Current & ImpendingCyber Risks & Exposures  Theft of Other Confidential Information  Trade secrets / IP / business secrets  Client/customer secrets  Cyber attacks on property and business functions  Denial of service attacks/disruption of business and operating systems  Targeting your company  Targeting others or critical infrastructure  affecting your company  Financially motivated versus malicious versus political  Extortion 16
  • 40.
    Current & ImpendingCyber Risks & Exposures  Business Practices in Collection/Usage/Disclosure and Information About Individuals  Online behavior tracking  Collection and usage of information on individuals  Sharing of that information  Disclosure of collection and sharing  Storage beyond need  Zip code collection (when not necessary for credit card transaction)  Privacy policy and terms of use statements/sufficiency  Increased use of vendors 17
  • 41.
    Current & ImpendingCyber Risks & Exposures  “Big Data”  Collection and analysis of data about consumer and populations has become important to most companies  Its use and transferability are part of many corporate transactions  Planning  Marketing  Acquisitions  Divestitures  Data Security, privacy and practices present myriad of (non) compliance risks  Laws  Regulations  Controls  Due diligence obligations
  • 42.
    Current & ImpendingCyber Risks & Exposures  Increasing Risks From:  Internet of Things  Increased Interconnectivity  Increased Vulnerability  13.4 Billion in 2015  > 25 to 75 Billion Interconnected Devices by 2020  Increased Use of Vendors  Vendor Vulnerability  Access to company data  Avenue for malware intrusion  Lack of control  increased need for due diligence  Contractual responsibilities and liabilities  Incorporating Use of Personal Devices and Social Media Into Work Place 19
  • 43.
    Current & ImpendingCyber Risks & Exposures  Increasing National/Regulatory Agency/Industry Standards   Expansion of statutory liabilities  Increased regulatory enforcement  Increase in contractual responsibilities o All increase potential liabilities for non-compliance o Compliant today may not be compliant tomorrow  Growth of Contractual Obligations o Security o Breach response o Indemnity 20
  • 44.
    Current & ImpendingCyber Risks & Exposures  All entities are at risk  Employee information  Customers’/clients’ information  Business information  Functions you perform for others  Functions others perform for you  Small company small risk  Industries most targeted:  Financial Institutions  Healthcare  Educational institutions  Retail  Service providers to targeted companies 21
  • 45.
    The Sources ofExposures CYBER RISKS Fraud Theft Deceit Hacktivisim Terrorism Rogue Employees External Hackers Phishing Trojans Botnots System Failure Poor Data Protection Security Flaw Accidental Disclosure Lost Devices Negligence/ Inadvertent Activity (Human Error) Criminal/ Malicious Activity Insiders ▪ Outsiders ▪ Vendors/Agents 22
  • 46.
    Costs and ExposuresFrom a Data Breach Direct Response Costs  Crisis Management • Legal forensics • Mandatory notifications (PI/PHI) • Remediation to consumers • Remediation of breached system • Contractual indemnities and penalties  Claims • Contractual • Third parties affected (clients, consumers) • Legal fees for defense • Settlements/judgments Business Costs  Business disruption  Management resources  Impairment systems and equipment  Reputation Harm  Customer turnover  Loss of profits/earnings  Reconstitution of lost data  Marketing  Voluntary notifications  Loss of IP/secrets/business opportunities 23
  • 47.
    Legal and RegulatoryFramework  Three Themes  Privacy  Collecting, using, and disclosing/sharing certain levels of data about individuals  Security  Protecting data against loss, unauthorized acquisition, misuse, or damage Implementing “reasonable” & “appropriate” measures to protect data  Breach Notification  Notifying those affected and governmental agencies when security is breached  Content and notice requirements vary  Generally “breach” defined to mean:  Unauthorized acquisition or misuse of found information  In some states/regulations, unauthorized access sufficient  Not all require likelihood of harm24 Requirements can vary depending on jurisdiction, agency with oversight, type of entity breached and type of data
  • 48.
    Legal and RegulatoryFramework  State Laws Mandating Security and Breach Response  47 States Have Breach Response Requirements  Lesser Number (But Growing) Have Security Requirements  Expanding Requirements (e.g., Level of Encryption) and Scope (Types of Information)  State Laws Mandating Disclosure of Collection, Usage and Security Practices  Business Practices Are Under Scrutiny  Growing Trend to Regulate and Enforce (Starting in California) 25
  • 49.
    Legal and RegulatoryFramework  Federal and Sector-Specific Laws and Regulations  Not Yet National Statute Re Security and Breach Notice, Though Bills Pending  Both Federal Agency and State Agency Can Enforce  Healthcare: HIPAA and HiTech  Financial: Gramm-Leach-Bliley, et al.  Public Companies: SEC (Disclosure Guidelines)  Also: Red Flags Rule, FCRA, Can-Spam, Video Privacy Protection Act, etc.  Federal Agency Guidelines: SEC, FTC, FDA, FCC, NIST For Critical Infrastructure, etc.  International: Data Security and Response Requirements  Cross-Boarder Transfer of Information About Individuals and Other Countries  Recent Upheaval Re: U.S. Safe Harbor Program for Transfer of PI to U.S. Declared Invalid By E.U. Commission October 6, 2015
  • 50.
    Legal and RegulatoryFramework  Increasing Enforcement  Regulatory Enforcement Actions More Frequent & Resulting in Larger Settlements o 20 years of monitoring/audits  AGs, OCR (healthcare) and Other Regulatory Agencies Focus on Companies That: o Knew or should have known of a problem o Did not do pre-incident assessment of their data and their security o Did not have incident response plans in place  FTC Enforcement Focused on Unfair and Deceptive Trade Practices o “Unfair” -- Inadequate security o “Deceptive” – Not act in conformity with policies and statements  Private Litigation/Class Actions 27
  • 51.
    Industry Internal Regulation: Credit/ Debit Cards  PCI – DSS (Payment Card Industry Data Security Standards)  Contract-based obligations applicable to all involved in chain of card processing  Requires specified security measures to protect credit card transactions  Incorporated into some state statutes (e.g., Nevada, New Mexico, Washington)  New rules require due diligence and responsibility for vendors • Major Factor in Any Credit Card Breaches  Most entities not fully compliant with PCI DSS • Liability Impact  Breached merchants contractually liable for substantial assessments/fines for PCI-DSS violations led to breaches  Basis of negligence and other allegations in 31 party claims  New liability shifting for costs of fraudulent transactions if merchant does not institute new chip card processing 28
  • 52.
    Litigation Trends: Statutory, Regulatory,Contractual  Holding Companies Accountable  For Your Own Practices  For Your Business Partners  Due Diligence of Vendors  If You Are a Vendor, Responsibility for Sensitive Information of Clients That You access, e.g.,:  Business Associates & HIPAA-Covered Entities  Notice Obligations If Breach, at Least to Business Client  Scrutinizing Pre-Breach Efforts at Compliance, If Not Just Breach and Post-Breach Response
  • 53.
    Litigation Trends: Statutory, Regulatory,Contractual  Litigation Arising From Breaches of PI  Failure to adequately secure information  Failure to timely notify of breach  Failure to adequately respond to breach  Misrepresentation of security vulnerability, effect  Pre-Breach  Post-Breach  Unjust enrichment (part of fees paid is for security not provided)  Lost value of stolen information  Loss of use of service or hardware  Violation of consumer protection statutes  statutory $ awards  Avoids Issue of Whether Plaintiffs Sustained Actual Damage  > 80 different causes of action have been identified 30
  • 54.
    Litigation Trends: Statutory, Regulatory,Contractual  Potential Plaintiffs  Consumers whose information is accessed (consumer class actions)  Financial institutions affected (fraud charges, card replacement costs, etc.)  Shareholder/derivative suits  Share price drops  Wasting of corporate assets  Board approval of inadequate security/failure assess/address vulnerabilities  Misrepresentation/failure to disclose:  Cause, Information at Risk, Remediation  Breached entity seeking contribution from others contributing to lapse in security: vendors, advisors, etc.  Regulators 31
  • 55.
    Litigation Trends: Statutory, Regulatory,Contractual  Potential Defendants  Breached entities  Vendors holding an access route to information  Security vendors involved in security or design, security assessments, or remediation  Professional advisors  D&Os approving company security policies, responses and financial disclosures 32
  • 56.
    Other Privacy Litigation Theories of Liability for Non-Breach Privacy Lawsuits  Consumer Tracking/Online Behavioral Advertising  Improper collection practices  Improper disclosures  Statutory Violations That are Not Data Breaches Per Se  Privacy Violations – From Business Practices  Wrongful collection/sale of PI  Failure disclose collection/sharing of PI (e.g., California)  Adequacy of privacy policies (websites, mobile apps)  Non-compliance with representations in privacy policies  Zip codes as wrongfully collected PI by retailers without need (California, Massachusetts, and possibly other states in future)  Unauthorized distribution (blasting, e.g., TCPA)  Restrictions on recording of business calls with consumers  Trend toward asserting violations of unfair trade practices and consumer protections  seeking statutory damages 33
  • 57.
    Factors Reducing Costsof Breaches  Board-Level Involvement in Breach  Insurance Protection  Industry  Regulated Industries, Such as Healthcare and Education, More Costly  Ponemon study
  • 58.
    Factors Reducing Costsof Breaches  Company Has Plans In Place  Incident Response Plan  Lawyer on Retainer  Pre-Negotiated Contracts/Rates for Forensics, Customer Notification, Call Centers, Credit Card Monitoring  Increased Costs if Breach due to Hackers/Criminal Insiders (47% Breaches)  Verizon study
  • 59.
    Risk Management Tips Be Prepared  Be Aware of the Issues and Vulnerabilities o Yours o Your Business Partners  Identify Your Data Assets and Where Sensitive Data Is Located o On Your Systems and Within Your Company  Perform Risk Threat Assessments, and Identify Controls and Their Effectiveness  Allocate Resources: $, Management o SEU  Create Policies and Procedures Before an Incident  Privacy  Training  Incident Response ■ Vendor Selection, Due Diligence and Management 36
  • 60.
    Risk Management Tips •Be Prepared continued  Accept It Is Not Just an IT Issue  Preparedness & response requires involvement of all departments, including: C-Suite, Legal, IT, Risk Management, Human Resources, Marketing, Operations  Institute a Culture of Compliance  “Privacy by Design”  Practice  Table Tops, “Fire Drills”  Legal Compliance
  • 61.
    Risk Management Tips Identify √ High Risk, High Value Data and Risks of Loss Breach √ Controls  Protect √ Create Systematic Protections, Bring in Technology & Experts to Address Vulnerabilities & Increase Protections √ Due Diligence on Vendors  Prepare √ Develop Policies and Response Plans √ Risk Transfer: Insurance, Contractual Indemnity with Vendors  Train √ Train all employees √ Table tops, Drill √ Test  Repeat 38
  • 62.
    Laurie Kamaiko Cybersecurity andPrivacy Group Sedgwick LLP New York Office Laurie.Kamaiko@sedgwicklaw.com Telephone 212.898.4015 39 82364316v1 Questions?
  • 63.
    Cyber Liability –Network Security and Privacy
  • 64.
     Identify exposures Third party liability  First party losses  Other coverage sections  Claims  Sample situation  AIG enhancements  Conclusion 41 Agenda
  • 65.
    42 Do You Handle ConfidentialInformation? How Do We Identify Exposures? Where Do You Store The Information? Do You Have A Website?  Own company (including employees)  Clients (confidential, personal, or commercial)  Computer network – do you operate the network yourself or outsource to a vendor?  Paper records  What content is on the site?  Can employees or third parties upload content (blog, post pictures or comments)?
  • 66.
     Internally – Employees/Vendors –Malicious - Stealing Information (Card Skimming) – Negligence – Lost Resources (Laptop, Smart Phone, Tablet) – Vendor Contracts – Indemnification  Externally – Individual Hackers/Organized Crime – Stealing Information – Sending Viruses/Malicious Code – Disruption Of Business (Vandalism) 43 HOW CAN AN EVENT OCCUR?
  • 67.
     Network SecurityFailure – Failure of a company to protect their computer systems – Virus, malicious code, malware attacks  Privacy Event – Failure to protect confidential information – Personal or corporate; online or offline – Violation of any Federal, State, or local privacy statute – Failure to comply with PCI-DSS standards  Allegations Can be Brought by – Government agencies, individuals, businesses or administrative 44 THIRD PARTY COVERAGE
  • 68.
     Event Management– Incident Response Plan – Breach Consultation – Legal Consultation – Forensic Investigation – Public Relations Services – Notification To Consumers Based On State Mandate – Providing ID-monitoring/Credit Monitoring – Lost Electronic Data 45 FIRST PARTY COVERAGE
  • 69.
     Network Interruption –Addresses loss of income and operating expenses resulting from the interruption or suspension of business due to a failure of network security  Cyber Extortion – Provides coverage for extortion threats against a company’s computer network and confidential information by an outsider seeking money or other valuables 46 FIRST PARTY COVERAGE
  • 70.
    Media Content Liability Companies Have Published Content – Website, print, broadcast  Typical Types of Claims – Trademark and copyright infringement – Defamation, false light and imprisonment – Product disparagement, infliction of emotional distress 47 THIRD PARTY COVERAGE
  • 71.
    48 CYBEREDGE BREACH RESOLUTIONTEAM  24/7 hotline staffed by IBM experts to respond to Insureds concern that they may be victim of a breach  The IBM experts will go over key indicators of a breach with the Insured’s IT department to determine if one has indeed occurred.  If a breach is suspected or has occurred, Insureds will be automatically connected with our CyberEdge Breach Resolution Team. © American International Group, All rights reserved. CyberEdge Hotline: 1-800-CYBR-345 (292–7345)
  • 72.
  • 73.
    50 SAMPLE SITUATION  HIPAA:Privacy regulations that govern the healthcare industry  HITECH Act (Health Information Technology for Economic and Clinical Health Act)  Enacted on February 17, 2009  Breach notification requirements for HIPAA covered entities + business associates  Breach notification applies to HIPAA to promote the adoption and meaningful use of health information technology  Subtitle D of the HITECH Act addresses the privacy and security  Outlines the guidelines for who, what, where, when a privacy breach occurs Access Record Maintain Destroy Retain Hold Modify Use Source: www.healthit.gov Covered Entity: Hospital
  • 74.
    51 GUIDELINES If… Then… Breach occursWritten notice, first class mail at last known address, as soon as practicable no later than 60 days after discovery of breach Individual is deceased Notify next of kin Insufficient information for 10+ individuals Home page of website of covered entity or major print or broadcast media Urgent Telephone 500+ residents in a given state 1. Prominent media outlet within the state 2. Notify the Secretary within 60 days 3. Secretary to post on an HHS Web site a list that identifies each covered entity involved Source: www.healthit.gov
  • 75.
    52  Letters/E-mail typicallyinclude the following:  Description of what happened, date of the breach and the date of the discovery of the breach  Description of the types of unsecured PHI that were involved in the breach (i.e. full name, Social Security number, date of birth etc.)  The steps individuals should take to protect themselves from potential harm resulting from the breach  Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches  Contact procedures for individuals NOTIFICATION REQUIREMENTS Source: www.healthit.gov
  • 76.
  • 77.
  • 78.
  • 79.
  • 80.
  • 81.
     Detects vulnerabilitiesacross network devices, servers, web applications, and databases to help reduce risk exposure and better manage compliance requirements  Strong security expertise provides vulnerability identification with resulting prioritized plan for remediation and improved security INFRASTRUCTURE VULNERABILITY SCANNING POWERED BY IBM Key Components • Reports help demonstrate compliance with federal, state and industry regulations • Assess an environment from either the external or internal perspective • IBM Security expertise improves accuracy of findings and reduces mitigation time • Consultation on recommendations for improved security © American International Group, All rights reserved.
  • 82.
  • 83.
     Leading edgeglobal threat intelligence and technology that isolates and shuns IP addresses currently being used by criminals.  Before initiating an attack on a network, criminals first conduct reconnaissance to confirm that certain IP addresses are viable targets.  Shunning prevents these criminal communications from reaching a network and confirming the IP addresses as viable targets WHAT IS IP SHUNNING?
  • 84.
  • 85.
  • 86.
  • 87.
    64 CYBEREDGE RISKTOOL  Web-basedcustomizable risk management platform  Manage the human element of cyber risk and manage compliance  Pre-populated with:  Corporate security policies  Training with exams  Self assessments and risk guides  Simplifies and documents end user training  Unlimited use
  • 88.
  • 89.
     Two complimentaryhours from a specialized law firm to provide guidance on building and executing an incident response plan, as well as ensuring an organization is compliant with regulatory standards.  One complimentary hour from a forensic firm on what an organization’s technical response plan should include.  One complimentary hour from a vetted public relations firm to discuss an effective crisis communication plan to handle and mitigate the potential reputational and brand risk an organization would face in the event of a breach. CONSULTATION SERVICES © American International Group, All rights reserved.
  • 90.
  • 91.
    68 American International Group,Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries.. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIG_LatestNews | LinkedIn: http://www.linkedin.com/company/aig AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds. Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Android and Google Play are trademarks of Google Inc. Shiraz Saeed - Product Specialist - Cyber Liability Tel +1 908 679 3472 | Cell +1 908 698 2269 | shiraz.saeed@aig.com
  • 92.
  • 93.
     How doI mitigate my risk with the growing use of mobile and portable technologies?  Policies and Education  Social networking awareness  Encryption  Remote Wipes/Autolocks  Obtaining employee consent  Backing up company information on an employee device  Do’s and Don’ts of mobile use  Laptop Safety
  • 94.
     What shouldI be doing to prepare my Company for the increased regulations related to IT Security?  Understand business activities subject to regulation for privacy considerations ▪ Disclosure of PI collections and sharing procedures ▪ Website and mobile app privacy ▪ Credit card information  Know how changes in business operations impact compliance requirements  Accept responsibility for compliance ▪ EXECUTIVE MANAGEMENT ▪ BOARD OF DIRECTORS
  • 95.
  • 97.
    Do You Knowthe SCORE? •Security •Compliance and •Operations •Risk •Evaluation
  • 98.
    Do You Knowthe SCORE? • A high level assessment of the key components of your IT environment: –IT operations –Physical security –Logical security –Mobile devices –Recovery –Network security –Online security –Data privacy and security compliance –System and hardware controls
  • 99.
  • 100.
  • 101.
    Michael Camacho, Partner mcamacho@lgcd.com KevinRicci, Director of IT kricci@lgcd.com
  • 102.
     What aresome of the things I need to consider when using 3rd party service providers?  For all vendors: ▪ Due diligence on their data security ▪ Coordination of representations in privacy policies ▪ Allocation of responsibilities in event of breach ▪ Terms in vendor agreements: ▪ Indemnification provisions ▪ Access provisions ▪ Insurance requirements (cyber and other)  Cloud computing ▪ Identify the assets for cloud deployment ▪ Evaluate the assets ▪ Map the assets to the cloud deployment model ▪ Evaluate potential cloud service models ▪ Map out data flow
  • 103.
     What shouldI be doing to prepare the Company for a breach?  Screen new hires and vendors  Annual risk assessments  Educate employees  Discuss privacy by design with operations people  Pre-arrange breach service providers  Develop a cross functional privacy committee for breach planning and response  Discuss information collection and disclosure practices with all departments  Consider insuring against risks
  • 104.
     What canI do to better protect my data from cyber crime?  Data Mapping - Understand WHAT your sensitive data is and WHERE it resides  Perform a security risk assessment  Set security standards  Develop comprehensive policies  Provide security training  Adopt a business plan  Spear Phishing Do’s and Don’ts