This document discusses various IT security, compliance, legal risk, and disaster preparedness topics. It begins by outlining the basics of an IT security lifecycle including inventorying assets, identifying risks, remediating risks, and monitoring alerts. It then discusses threats like cybercrime, phishing, and issues related to e-discovery, PCI compliance, and HIPAA compliance. The document provides recommendations for legal risk mitigation, disaster preparation, cyber incident handling, and options for addressing IT security needs either through do-it-yourself methods, outside help, or hiring a support organization.
HHS Ransomware and Breach Guidance - Brad Nigh (FRSecure)
A recent U.S. Government inter-agency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware attack prevention from a healthcare perspective is vitally important due to recent changes in HHS guidance. To understand what this means practically, FRSecure offers some valuable resources that discuss what constitutes a ransomware breach, the consequences of non-compliance, and easy steps that can be implemented to reduce an organization's risk of a ransomware breach.
Cyber Risk: Exposures, prevention, and solutions (Capri Insurance)
Paula Garrecht, Partner and Commercial Insurance Broker at Capri Insurance, explores the emerging risk of cyber attacks and data breaches with specific relation to public entities. In the ever-changing landscape of business communications and processes we face ever-changing risks as well. Learn how to:
1. Identify cyber exposures
2. Minimize those exposures
3. Find the right insurance policy to fit your unique cyber needs
The mobile health IT security challenge: way bigger than HIPAA? (Stephen Cobb)
The potential benefits of mobile medical technology and telemedicine are enormous, from better quality of life to saving lives, not to mention controlling healthcare costs. Yet keeping data safe when it is beyond the confines of hospitals and clinics is a serious challenge, one that cannot be met merely through regulatory compliance. In these slides I show why being HIPAA compliant is not the same as being secure, and why protecting health data on mobile devices is such a big security challenge.
An overview of the Massachusetts 201 CMR 17 Data Privacy Law, which goes into effect on March 1. Contact information is available for each presenter in the slide deck.
Please contact any of us with questions.
The Data protection law reform is coming with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018. You should start preparing now for changes that GDPR will require to your current policies and procedures. This presentation is an overview of what it is about.
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409... (Gohsuke Takama)
"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008.
http://www.codegate.org/
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
How your nonprofit can avoid data breaches and ensure privacy (TechSoup Canada)
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros (Nicholas Van Exan)
An overview of some contemporary topics related to privacy and data breaches, with a focus on how security professionals can help mitigate privacy risks both before and after data breaches occur.
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2 (TechSoup Canada)
Part 1 of this webinar series provided an overview of cybersecurity and explained the cyber risks and legislation affecting nonprofits. In part 2 of the series, Imran Ahmad of Miller Thomson, LLP returns to answer your questions on cybersecurity and to delve deeper into cybersecurity maintenance and best practices to avoid data breaches. This ranges from measures that prevent data breaches in the pre-attack phase to security best practices to follow in the event of a cyber attack or breach.
What you will learn:
· How to develop key cybersecurity-related documents;
· How to maintain an internal matrix of when to notify affected individuals;
· How to review contracts from a cybersecurity compliance perspective.
Information Technology Policy for Corporates - Need of the Hour (Vijay Dalmia)
An Information Technology Policy for Corporates is the need of the hour, as organisations are continuously exposed to violations of information technology laws, commission of cyber crimes, sexual harassment, e-mail violations, and misuse of the internet and intranet.
This presentation is prepared by Author for Perbanas Institute as a part of Author Lecture Series. It is to be used for educational and non-commercial purposes only and is not to be changed, altered, or used for any commercial endeavor without the express written permission from Author and/or Perbanas Institute. Appropriate legal action may be taken against any person, organization, or entity attempting to misrepresent, charge, or profit from the educational materials contained here.
Authors are allowed to use their own articles without seeking permission from any person, organization, or entity.
How to Build and Implement your Company's Information Security Program (Financial Poise)
Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure?
An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place.
This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/how-to-build-and-implement-your-companys-information-security-program-2021/
Join Kaseya and guest cybersecurity expert from Kaspersky, Cynthia James, to hear how companies like Target, eBay, and Home Depot are losing data, and how you can protect your company from suffering the same fate.
• The latest cybersecurity threats and vectors putting organizations at risk
• How your organization can avoid falling victim to a data breach
• Additional strategies to secure your organization and its data
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'... (Financial Poise)
Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure?
An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place.
This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.
Part of the webinar series:
CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
3 Steps to Automate Compliance for Healthcare Organizations (AvePoint)
In this webinar, AvePoint's Chief Compliance & Risk Officer Dana Simberkoff and AvePoint's Director of Risk Management & Compliance Marc Dreyfus shared the playbook to jumpstart your comprehensive, automated program to mitigate the risk of data loss, privacy, and security breaches using AvePoint Compliance Guardian’s “Say it, do it, prove it” approach. To watch the webinar, please visit: http://www.avepoint.com/resources/videos/
Data Confidentiality, Security and Recent Changes to the ABA Model Rules (saurnou)
Continuing legal education (CLE) presentation regarding data confidentiality, information security, computer forensics and legal ethics in light of technology-related changes made to the American Bar Association's Model Rules of Professional Conduct.
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018 (Next Dimension Inc.)
Siskinds, a leading Law Firm in Ontario, presented updates on PIPEDA legislation including what you need to know, and what you need to do in order to ensure your company is compliant.
Multi-faceted Cyber Security v1
1. Copyright 2014 – LP3
September 2014
Asad Zaman
MBA, MSc-CyberSecurity
2. Agenda
• IT Security
• e-Discovery
• Compliance
• Legal Risk
• Disaster Plans
• What can you do?
3. IT Security Lifecycle Basics
• Inventory Assets: hardware, software, mobile devices, communications links, processes, procedures, checklists, documents, contacts, customer lists
• Identify Risk: create discrepancy reports and act on them
• Remediate Risk: assign actions and close them
• Monitor and Triage Alerts: log reduction and analysis
• Execute and Test Backups: data, configurations, process documentation
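The "Identify Risk" and "Remediate Risk" steps above turn into concrete work once an asset inventory is compared with what a scan actually sees. The following added example (not code from the LP3 deck) builds such a discrepancy report from constructed sample data: hosts seen but never inventoried, inventoried hosts that did not show up, and endpoint-agent versions below an assumed baseline, then assigns each finding as a trackable action to an owner. Host names, owners and the "4.2" baseline are all assumptions.

```python
"""Added example: asset-inventory discrepancy report and action tracking.
Inventory, scan results and the agent baseline are constructed sample data."""
from dataclasses import dataclass

# Constructed inventory: what we believe is on the network (hostname -> details).
INVENTORY = {
    "ws-01": {"owner": "alice", "agent_version": "4.2"},
    "ws-02": {"owner": "bob", "agent_version": "4.2"},
    "srv-db": {"owner": "it-ops", "agent_version": "4.2"},
    "lt-07": {"owner": "carol", "agent_version": "4.2"},  # a laptop
}

# Constructed scan output: what was actually observed (hostname -> agent version).
SCAN = {
    "ws-01": "4.2",
    "ws-02": "3.9",       # endpoint agent is behind the baseline
    "srv-db": "4.2",
    "raspi-guest": "-",   # never inventoried: an unknown device
    # "lt-07" is absent: an inventoried laptop was not seen on the network
}


@dataclass
class Action:
    """One remediation item: the finding, who owns it, and whether it is closed."""
    asset: str
    owner: str
    finding: str
    closed: bool = False


def discrepancy_report(inventory, scan, baseline="4.2"):
    """Identify Risk: compare expected (inventory) against observed (scan)."""
    unknown = sorted(h for h in scan if h not in inventory)
    missing = sorted(h for h in inventory if h not in scan)
    drift = sorted(h for h in inventory if h in scan and scan[h] != baseline)
    return {"unknown": unknown, "missing": missing, "drift": drift}


def assign_actions(report, inventory):
    """Remediate Risk: every discrepancy becomes an owned action that must be closed."""
    actions = []
    for h in report["unknown"]:
        actions.append(Action(h, "it-ops", "unknown device: identify or remove"))
    for h in report["missing"]:
        actions.append(Action(h, inventory[h]["owner"], "asset not seen: confirm location"))
    for h in report["drift"]:
        actions.append(Action(h, inventory[h]["owner"], "agent below baseline: update"))
    return actions


def close_action(actions, asset):
    """Mark the action for one asset closed; return how many actions remain open."""
    for a in actions:
        if a.asset == asset:
            a.closed = True
    return sum(1 for a in actions if not a.closed)


if __name__ == "__main__":
    report = discrepancy_report(INVENTORY, SCAN)
    for a in assign_actions(report, INVENTORY):
        print(f"{a.asset:12} {a.owner:8} {a.finding}")
```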
4. Cyber Criminals – No Rules!
• Steady increase in cyber crime – collection/exploitation
• Government and hackers can access your unprotected data
• Damage from cyber crime rising dramatically
• Critical business issues
  • Reputation – share value
  • Fines/penalties – FINRA, SEC
  • Litigation – client identity theft, negligence, due diligence
  • Compliance
  • Business continuity
60% of small businesses that get hacked are out of business within 1 year
5. Phishing
• Fake emails seeking to get credentials
• Financial assets: 76% of targets
• Spear phishing – by-name emails
  • Company executives, key decision makers, celebrities, names on company website
Red flag words: account locked, suspended, verification required, suspicious transaction, protect your computer, funds due to you
Countermeasures:
• Don't click on emailed links and attachments – it only takes ONE person
• Security awareness training
Source: Symantec study 2007
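The red-flag words on this slide are exactly the kind of signal a mail-triage rule can check before a message reaches the one person who clicks. The following added example (not code from the LP3 deck) scores constructed sample messages on those phrases and, going one step beyond the slide, on links whose visible text names a different host than the real target; the attachment signal and the scoring weights are assumptions chosen for illustration.

```python
"""Added example: phishing triage over constructed sample messages.
Red-flag phrases come from the slide; weights, the link-mismatch check
and the sample messages are assumptions made for this example."""
import re
from urllib.parse import urlparse

# Red-flag words listed on the slide, matched case-insensitively.
RED_FLAGS = (
    "account locked", "suspended", "verification required",
    "suspicious transaction", "protect your computer", "funds due to you",
)
# Minimal HTML anchor matcher: <a href="...">visible text</a>
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A host name appearing inside the visible link text.
HOST_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def red_flag_hits(text):
    """Return the red-flag phrases present in the text (case-insensitive)."""
    low = text.lower()
    return [p for p in RED_FLAGS if p in low]


def mismatched_links(html):
    """Anchors whose visible text names a host other than the href's real host."""
    bad = []
    for href, text in ANCHOR_RE.findall(html):
        shown = HOST_IN_TEXT_RE.search(text)
        if shown and shown.group(0).lower() != (urlparse(href).hostname or ""):
            bad.append(href)
    return bad


def triage(msg):
    """Return (score, reasons). Scores of 3 or more are held for awareness review."""
    reasons = []
    hits = red_flag_hits(msg["subject"] + " " + msg["body"])
    if hits:
        reasons.append("red-flag phrases: " + ", ".join(hits))
    links = mismatched_links(msg["body"])
    if links:
        reasons.append("link text/host mismatch: " + ", ".join(links))
    has_attachment = bool(msg.get("attachments"))
    if has_attachment:
        reasons.append("unsolicited attachment")
    # Assumed weights: 1 per phrase, 2 per disguised link, 1 for an attachment.
    score = len(hits) + 2 * len(links) + (1 if has_attachment else 0)
    return score, reasons


# Constructed sample messages (hosts are example domains, not real targets).
SAMPLES = [
    {"subject": "Account locked: verification required",
     "body": 'Click <a href="http://login.example.net/x">bank.example.com</a> now.',
     "attachments": []},
    {"subject": "Q3 report draft",
     "body": "Attached is the draft we discussed in Monday's meeting.",
     "attachments": ["q3.docx"]},
    {"subject": "Lunch Friday?",
     "body": 'See <a href="https://menu.example.org/">menu.example.org</a>.',
     "attachments": []},
]


def triage_all(samples=SAMPLES):
    """Score every sample message; used by the demo and the checks."""
    return [triage(m)[0] for m in samples]


if __name__ == "__main__":
    for m in SAMPLES:
        score, why = triage(m)
        print(f"{score}  {m['subject']!r}  {'; '.join(why)}")
```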
7. Are My Documents Safe?
NSA… “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. (WashPost, 4 Nov 13)
Work server
Home computer
Countermeasures:
• Encrypt data and know where it goes
• Use redundant automated backups and test them
8. How do hackers crack businesses?
• “click here” emails
• Business associate connections
• “Please reset my password! Mr. Smith is yelling at me to get this report done now!” – social engineering
9. e-Discovery Risk
What is it?
• Mandated electronic discovery in litigation or investigations involving electronically stored information (ESI)
Why do I care?
• If you cannot find documents and metadata, you may lose the case – significant financial risk
“Deliver all documents with the name ‘John Smith’ or ‘Company XYZ’ from 2008 to 2012…”
10. e-Discovery Actions
What should I do?
1. Identify
2. Preserve and Retain
3. Collect
4. Process
5. Review
6. Produce
12. PCI (Payment Card Industry) DSS
WHAT:
• Standards and requirements for payment card data security
• Non-legislative – enforceable through fines and penalties
• Obligation on merchants and service providers
WHO:
• “Payment Card Industry (PCI) Data security requirements apply to all Members (banks), merchants and service providers that store, process or transmit cardholder data.”
HOW:
• Sensitive authentication data cannot be stored
• Cardholder data must be protected
• New requirements from PCI DSS 2.0 to 3.0 came out in Nov 2013
• Requires Qualified Security Assessor (QSA) validation annually or Self-Assessment
LACK OF COMPLIANCE:
• Fines: up to $500k per incident (VISA), government fines, insurance costs, and litigation
• Brand reputation: share price falls, loss of customer confidence
• Revocation: inability to process credit card transactions
• More compliance: additional PCI validation required
14. Health Insurance Portability & Accountability Act (HIPAA) Compliance
WHAT:
• Uniform rules for protecting health information
• Written or oral communications
• E-mail, computerized and electronic information (computer records, faxes, voicemail, PDA entries, etc.)
WHO:
• Comes from a health care provider or a health plan
• Could be used to identify an individual
• Describes the health care, condition, payments or demographics of an individual
HOW:
• Physical safeguards – computer terminals are not placed in public areas
• Technical safeguards – every associate must keep his/her password confidential
• Administrative safeguards – policy and procedure for release of patient information
COMPLIANCE:
• $100 fine per day for each standard violation (up to $25,000 per person, per year, per standard)
• $50,000 fine + up to one year in prison for improperly obtaining or disclosing health information
• $100,000 fine + up to five years in prison for obtaining or disclosing health information under false pretenses
• $250,000 fine + up to ten years in prison for obtaining health information with the intent to sell, transfer or use for commercial advantage, personal gain or harm
15. HITECH (Health Information Technology for Economic and Clinical Health Act)
Purpose:
• Makes massive changes to privacy and security laws
• Breach notification requirements (patient, Department of Health and Human Services, and media)
• Applies to covered health care entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
Criminal Penalties:
Criminal provisions
• Could reach up to 10 years in prison
• Fines started at $100 and could reach up to $25,000 for all identical violations of the same provision
HITECH – Harsher Penalties
• Tiers established for civil penalties
• Maximum penalty of $1.5 Million
• The higher the level of culpability, the higher the penalty
16. HIPAA IN THE NEWS
• Octomom: hospital workers accessed records out of curiosity – 15 people fired, 8 under disciplinary action
• Britney Spears: 13 or more workers fired, 6 workers suspended, 6 doctors face disciplinary action
17. Legal Risk
What is it?
• Potential failure to comply or apply due care in various legal areas
Why do I care?
• Risk of civil or criminal prosecution
• Significant financial impact for defense even if you win a case; losing can put you out of business
18. Legal Risk Mitigation
What do I do?
• Assess third-party vendor and service provider agreements
• Document data breach notification and incident response plans
• Validate employer/employee privacy practices and technologies
• Revise policies and procedures
• Implement risk transfer / insurance assessment
19. Disaster Preparation
What should I do?
• Assess risks
  • Hurricane, fire, flood, terrorism, disgruntled employee
• Identify critical resources
  • Processes, computer systems, information, documents, employee contact info, customer contact lists
• Develop plans and procedures
  • Simple step-by-step emergency and restoral procedures
  • Downtime is lost business – a good plan is valuable
• Train and test
  • Ensure key staff know the procedures
  • Execute both tabletop and actual failover testing
20. Disaster Preparation
• What are the potential identifiable disasters (internal and external)?
• How would each affect your critical systems?
Data Center Fire
21. Cyber Incident Handling
What do I do?
1. Preparation: set up systems to detect threats and create policies for action, including public information release decisions
2. Threat identification: determine the effects it is having on your systems
3. Containment: limit effects by confining them to as few systems as possible; freeze the scene for investigation
4. Eradication: get rid of whatever the attacker might have left behind – rebuild from original media if possible
5. Recovery: restore the system back into normal operations, reconnect to the network, restore data from known clean backups if necessary
6. Follow-up: root cause identification, deploy countermeasures, improve processes, etc.
22. Multi-Faceted Cyber Security
• IT Security – Can hackers modify or steal your data?
• e-Discovery – Can you find files you need for legal defense?
• Compliance – Will regulators see evidence of due care?
• Legal Risk – Does your configuration keep data private?
• Disaster Plans – Is your data backed up and restorable?
Secure management of critical systems improves all key areas
23. What should I do?
1. Do it yourself
2. Ask for help
3. Hire support
24. Do it yourself
1. Train IT staff on critical security issues with CISSP, SANS GIAC, Microsoft Certified Systems Engineer: Security
2. Patch workstations and laptops
3. Patch servers
4. Update anti-virus and spyware
5. Backup key systems
6. Use firewalls to limit access
7. Train employees regularly
8. Continuously monitor posture
25. Ask for help
1. Web information services
2. Local colleges and universities
3. Part-time IT security employees
4. Consultants
5. Virtual CIO/CISO/CPO
Protectingtomorrow.org – schools, business, vets
26. Hire Support… but who?
1. Trust
2. Experience with Advanced Persistent Threats
3. No software or hardware vendors
4. Industry experience
5. Technically current
199 critical vulnerabilities in a Financial Services Firm
27. Thank you!
Comments? Questions?
Striking the critical balance between protection and performance
sales@LP3.com