Presentation: The New NYDFS Cybersecurity Regulations: What They Require. What They Mean for Your Company and Your Vendor Supply Chain (To Be Updated Based
How to Approach the NYDFS Proposed Cybersecurity Requirements - Kyle Brown
The New York Department of Financial Services (NYDFS) is expected to pass a proposed cybersecurity regulation in January 2017, called "Cybersecurity Requirements for Financial Services Companies".
In light of the imminent regulatory update, most financial institutions and insurance providers are preparing to comply with the fundamental requirements that the NYDFS will likely adopt.
In this webinar, we covered:
- Explanations of the regulation’s key legal requirements;
- How the regulation interacts with other data security laws;
- Industry best practices for securing data;
- The value of online compliance training.
New York DFS proposed cybersecurity regulations - Brunswick Group
Groundbreaking cybersecurity regulations proposed this month by the New York State Department of Financial Services would impose significant new compliance responsibilities. The proposed regulations raise the bar for communications and public affairs professionals in particular around cybersecurity planning and response.
The proposed regulations far surpass existing federal or state regulations on cybersecurity, and will require a deeper approach and greater integration between legal, communications, and technology planning and strategies.
New York Department of Financial Services Cybersecurity Regulations - Shawn Tuma
Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James
In an initiative to protect New York’s financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the Department of Financial Services (DFS) to establish and maintain a cyber security program that will protect both customers’ private data and the technology that supports this. The impact stretches down through the supply chain, as any organization that conducts business with the NYC financial services sector has to adopt the same level of data protection.
Watch this webcast to learn:
- The key requirements of the NYC Cyber security regulation
- How compliance is about process first, then people and technology
- What organizations need to be doing to ensure they comply
- How data classification can help ensure compliance
NYDFS Cybersecurity Regulations (23 NYCRR 500)
New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information, there are people who want to get their hands on it. It is for this reason that major financial firms operating in New York will face stiff cyber security obligations under the new New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). This regulation will apply to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 has been effective as of March 1st 2017, although firms have 180 days from this introduction date to change internal systems in order to meet new compliance and regulation standards. This fact sheet outlines:
- 23 NYCRR 500 overview
- Key dates for covered entities
- Key tasks for compliance
- How Boldon James can help
Please complete the adjoining form to request it.
Brunswick Intelligence - Building reputational resilience to cyber attack - Brunswick Group
Cybersecurity is a business-critical risk, not just an IT issue. The reputational damage of a cyber breach is often less than the technical damage inflicted, the money lost, or the regulatory fines. With new threats proliferating at startling speed, how companies respond to an attack can be more important than the attack itself. The good news is that companies can seize this challenge to differentiate themselves from the competition and earn a greater level of trust from stakeholders.
Learn more about the four steps companies can take to build their reputational resilience to cyber attack.
New Ohio Cybersecurity Law Requirements - Skoda Minotti
Skoda Minotti’s Risk Advisory Services Group and Insurance Services Group are working closely with insurance industry licensees to meet the considerable requirements under the Ohio cybersecurity law. This presentation provides more detailed information about the law, and assists you with your understanding and implementation of the requirements.
Addressing penetration testing and vulnerabilities, and adding verification m... - IT Governance Ltd
This webinar will cover the best practices for penetration testing and vulnerability assessments, and how to use staff training to create a strong information security management system that addresses people, processes and technology.
You will learn about:
- Conducting penetration testing
- Vulnerability assessments and monitoring
- The need to provide employees with training and monitoring controls
A recording of the webinar can be found here:
https://www.youtube.com/watch?v=gsFmP34K8z0
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: Cybersecurity for Government Contractors
Presenter: Robert Nichols, Partner, Covington & Burling LLP
The Science and Art of Cyber Incident Response (with Case Studies) - Kroll
In this joint presentation for the ISSA-LA Summit X in Los Angeles, Jennifer Rathburn, a cybersecurity and data privacy law expert at Foley & Lardner LLP, and William Dixon, Associate Managing Director in Kroll's Cyber Risk practice, highlight three incident response scenarios and tips on breach preparation and response.
To learn more, contact Jennifer or William at:
Jennifer Rathburn, Foley & Lardner LLP
jrathburn@foley.com; 414-297-5864
William Dixon, Kroll, a Division of Duff & Phelps
william.dixon@kroll.com; 213-247-3973
NY State's cybersecurity legislation requirements for risk management, securi... - IT Governance Ltd
This webinar illustrates:
- The responsibility to appoint a CISO
- Application security program (internal and external) and review by the CISO
- Overview of the risk assessment policy and procedures
- Setting up a program specific to your organization's information systems and business operations
- Identifying cyber threats and how to incorporate controls
- Maintaining an audit trail to include detection and responses to cybersecurity events
- How ISO 27001 and vsRisk can provide the right tools to help you implement a successful program that meets compliance requirements
A recording of the webinar can be found here:
https://www.youtube.com/watch?v=URfAd2E37Eo
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices - Kroll
The SEC Office of Compliance Inspections and Examinations (OCIE) issues risk alerts on cybersecurity to keep registered broker-dealers, investment advisers, and investment companies up to date regarding SEC focus areas for cyber.
OCIE examinations have focused on firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed.
This presentation was prepared by Greg Michaels and Terry Mason for the Duff & Phelps Alternative Investments conference.
Implementing a Security Management Framework - Joseph Wynn
Given at the Pittsburgh ISSA April 2017 chapter meeting.
This presentation discussed how to improve the success of your information security program by organizing it using a security management framework.
Shaping Your Future in Banking Cybersecurity - Dawn Yankeelov
Designed for bankers, this cybersecurity policy presentation given via partnership with the BSG Financial Group explains where the industry should pay attention and what is next. It was presented on Jan. 24, 2017.
Post US Election Privacy Updates & Implications - TrustArc
The United States election on November 3rd will impact the future use of personal information for organizations doing business with US citizens. From presidential results to state propositions, there will be many privacy ramifications, and how we move forward to embrace the new changes is a topic that will bring many perspectives.
Join us as we discuss the implications of the US election, including California’s Proposition 24 which would expand the provisions of the CCPA and what the next administration’s role will be in helping shape the new framework for EU-US data transfers.
- Privacy issues that were included or arose in the 2020 election
- Implications of election outcomes on privacy laws or priorities
- What to watch for in 2021
Emerging Trends in Information Security and Privacy - lgcdcpas
Malware infiltrations, spear phishing, data breaches: these are scary words with even scarier implications. These threats are hitting the interconnected technology world fast and hard and can no longer be ignored.
Are you doing everything you can to avoid having your data compromised and becoming the next security breach horror story?
To help you answer that question, join the security experts at LGC+D for the Emerging Trends in Information Privacy and Security seminar on Wednesday, August 6th. They will be joined by a dream team panel of IT, legal and insurance experts that deal with these threats every day, and have the experience and knowledge to help you make the right security decisions.
Malware infiltration, spear phishing, data breaches...these are terrifying words with even more frightening implications. These threats are hitting the technology world hard and fast and can no longer be ignored.
Legal obligations and responsibilities of data processors and controllers und... - IT Governance Ltd
This webinar covers:
- The definitions of ‘data controller’ and ‘data processor’ under the GDPR.
- The responsibilities and obligations of controllers and processors.
- The data breach reporting responsibilities of controllers and processors.
- The liability of, and penalties that may be imposed on, data processors and controllers.
- The appointment of joint controllers and subcontracting processors.
The webinar can be found here: https://www.youtube.com/watch?v=cyUPGGD3iVg&t=8s
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee... - Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to SecureWorld Expo Dallas on September 27, 2016.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then turns to the need, created by this crisis environment, for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events, why legal counsel is the natural leader that should fulfill this role, and how they can do so. It then discusses the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from the incident itself and from failing to respond to it properly. This section includes a discussion of the cybersecurity lawsuit landscape, the cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Presentation to (ISC)2 Omaha-Lincoln Chapter meeting on March 15th, 2017. This presentation looks at managing compliance with multiple cybersecurity laws and regulations across different industries using the NIST Risk Management Framework.
Cybersecurity Risk Management for Financial Institutions - Sarah Cirelli
The New York State Department of Financial Services has been closely monitoring this ever-growing threat and has proposed regulations that would require financial services companies to adopt a cybersecurity program to protect their customers, employees, data and operations. Its proposed changes are expected to take effect on March 1, 2017. Financial services companies would have until Feb. 15, 2018, to submit a certificate of compliance with the program. Components of New York's proposed cybersecurity program are outlined in this article.
What Financial Institution Cyber Regs Tell the Infrastructure Sector - CBIZ, Inc.
Information security is a threat for every business, but it’s particularly disruptive to the nation’s infrastructure systems. Infrastructure companies should monitor how mandatory rules play out for financial institutions. If the regulatory efforts are successful in reducing the number of financial institution cyber incidents, state and federal regulators may turn their attention to other industries.
New York State Department of Financial Services Expands Its Cyber Focus to In... - NationalUnderwriter
New York State Department of Financial Services Expands Its Cyber Focus to Insurers by Eric R. Dinallo, Jeremy Feigelson, David A. O’Neil, Jim Pastore, and Jordan R. Friedland
The New York State Department of Financial Services (“DFS”) recently announced a major expansion of its cybersecurity efforts: DFS will require insurers to respond to a special “comprehensive risk assessment” on cybersecurity, with those assessments to be followed by an enhanced focus on cybersecurity as part of DFS’s regular examinations of insurers. DFS’s announcement expands to insurance the increasingly rigorous approach it has recently applied to banks in the area of cyber security. More importantly, it offers critical guidance to all industries about what regulators will consider adequate precautions and preparation in this area.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and to address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. Data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are also discussed.
To view the accompanying webinar, go to:
https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021 - Dawn Yankeelov
Dawn Yankeelov, a cyber policy leader in Kentucky, speaks to the changing landscape for banking cybersecurity policy for a SecuretheVillage workgroup in the Summer of 2021.
Viscount Systems (OTCQB:VSYS), a Canadian manufacturer of advanced physical access control systems combines traditional access control performance with cyber security (true convergence of logical and physical access) to increase security while driving down facility costs to secure offices, hospitals, critical infrastructure, schools, banks, and manufacturing. Our unique offering satisfies new US Federal Government standards for increased protection of facilities from external threats. http://viscount.com/
Crossing the streams: How security professionals can leverage the NZ Privacy ... - Chris Hails
Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and the intangibility of protection.
Changing hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an... - TrustArc
In today's digital world, trust is key to customer relationships, but keeping it is a huge challenge. Customers are well-informed and empowered, quick to change brands if their trust is broken, even if it costs them more. This puts a lot of pressure on organizations to handle trust and safety issues with great care and transparency.
The challenge, however, is real. Fragmented solutions have left privacy, legal, and security teams in a perpetual cycle of catch-up, struggling to update privacy notices, manage customer data rights, and answer lengthy security questionnaires—all while trying to prove ROI to the business. It's a thankless job, filled with repetition, tedious tasks, and constant interdepartmental coordination. Combine this with fast regulatory changes and the quick evolution of AI, and it becomes overwhelming.
Join this webinar to learn more about TrustArc's new innovative solution Trust Center, the only unified, no-code online hub for trust and safety information built for privacy, security, compliance, and legal teams. Trust Center streamlines your path to compliance, shortens the pre-sales cycle, and reduces both legal and regulatory risks, saving time, effort, and cost.
This webinar will review:
- Why companies are building unified Trust Centers for a robust privacy program.
- How unified Trust Centers streamline sales cycles, ensure regulatory compliance, and reduce operational bottlenecks.
- How compliance, legal, security, GRC, and privacy teams benefit from a unified Trust Center in terms of needs, pains, and outcomes.
- How TrustArc Trust Center saves time and work while reducing legal, reputational, and compliance risk by effectively managing policies, notices, terms, and disclosures, and providing real-time updates on subprocessors.
Securing Fintech: Threats, Challenges & Best PracticesUlf Mattsson
Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry, and the policies and solutions your organization needs to have in place to protect against them.
Viewers will learn:
• Current trends in Cyber attacks
• FFIEC Cyber Assessment Toolkit
• NIST Cybersecurity Framework principles
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
• Automated approaches to integrate Security into DevOps
About the Presenter:
Ulf Mattsson is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity, He invented the Protegrity Vaultless Tokenization, Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT Architecture and Security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM. Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention
Data protection for Lend.io - legal analysis by Bird and BirdCoadec
New EU data protection rules are coming, with the General Data Protection Regulation likely to be agreed in the next few months. It will have a massive impact on digital businesses
To bring this rather dry subject to life, Coadec working together with techUK has commissioned a leading data protection law firm to look at what current drafts of the new law would mean for a fintech startup we invented, Lend.io.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
2. Speaker Introductions
NY DFS & Regulatory Environment Background
Covered and Exempt Entities
Top 5 Regulatory “Surprises”
Cybersecurity Required Elements
Security Best / Leading Practices Mapped to Requirements
Question and Answer
1/14/2017 2
3. EXPERIENCE SUMMARY
Jon co-founded eDelta Consulting, Inc. (“eDelta”) in 2000 with former Ernst and Young, LLP alumni in order to provide a wide range of Technology and Information Security services to Fortune 500 clients and medium-sized public and private companies. For more than a decade, Jon has been evaluating information systems and associated business processes in major industries, including financial services, retail and entertainment.
Jon has assisted the internal audit department of several Fortune 500 companies in developing and executing plans to mitigate technology and business risks. Jon has strong project management, organizational and technical skills. Jon is a frequent speaker on issues as diverse as Sarbanes-Oxley, information security, disaster recovery, business continuity planning, corporate risk assessment, and Computer Assisted Audit Techniques (CAATs). He has expert knowledge of technology challenges and their related regulatory and compliance impact on major corporations.
Prior to eDelta, Jon was a Manager in Ernst & Young's New York ISAAS Financial Services Group. As a manager at Ernst & Young, Jon managed various external Technology and Financial Audits for a diverse set of companies, mutual funds, and broker/dealers. Jon is a Certified Public Accountant.
Jon Bosco
Partner
eDelta Consulting, Inc.
jbosco@edeltaconsulting.com
Direct: +646-205-9961
Rich Santalesa
Esq. CIPP-US
rsantalesa@smartedgelawgroup.com
rsantalesa@blegalgroup.com
Direct: +203-307-2665
EXPERIENCE SUMMARY
Int'l Association of Privacy Professionals (IAPP) "Certified Information Privacy Professional"
IAPP Co-Chair of CT KnowledgeNet (1/1/2014 - 1/1/2016)
Guest Lecturer at Sacred Heart University, in Masters Degree in Cybersecurity Program
American Bar Association, Section of Science & Tech Law, Chair of Social Networking Committee; Member InfoSec and EDDE Committees
New York State Bar Association - Intellectual Property Law Section – Internet & Technology Law Committee
Greater Bridgeport Bar Association - Intellectual Property & Commercial Law Committees
Former local elected official – elected to two-year legislative term (unpaid) as Fairfield Representative Town Member (2009-2011) responsible for ordinances, oversight and approval of $251+ million budget; appointed to Legislative & Administration Committee; former Fairfield Conservation Commissioner.
Certified mentor for small businesses and startups via the CT branch of SCORE, a nationally recognized volunteer counseling organization affiliated with the SBA
Admitted in New York, District of Columbia and Connecticut (achieved 2nd highest scaled Multistate Bar Exam score of 390 examinees seated for Feb. 2008 Connecticut bar exam)
4. Created in 2011 when the NYS Insurance Department and NYS Banking Department were consolidated.
Supervises approximately 4,500 entities.
Regulated entities include: state-chartered banks and trust companies; insurance companies; insurance producers; insurance adjusters; bail bond agents; service contracts; life settlements; budget planners; charitable foundations; check cashers; credit unions; investment companies; licensed lenders; money transmitters; mortgage bankers; mortgage brokers; mortgage loan servicers; premium finance agencies; private bankers; safe deposit companies; sales finance companies; savings banks; and savings and loans. (http://www.dfs.ny.gov/about/whowesupervise.htm)
Headed by the Superintendent of Financial Services. First, Ben Lawsky, now Maria Vullo.
5. In 2013 the NYDFS began surveying banking organizations and then insurance companies.
Issued reports in 2014 and 2015 on cybersecurity in the insurance and banking industries:
◦ Report on Cyber Security in the Banking Sector - May 2014
◦ Report on Cyber Security in the Insurance Sector - February 2015
◦ Update on Cyber Security in the Banking Sector: Third Party Service Providers - April 2015
Letter sent from NYDFS on Nov 9, 2015 by then Acting Superintendent to 18 members of the Financial and Banking Information Infrastructure Committee heralding intent to issue cybersecurity requirements
6. Proposed Regs, announced: September 13, 2016
◦ “Cybersecurity Requirements For Financial Services Companies” (Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of New York)
Published in State Register: September 28, 2016
Public comment period ended on Nov. 14, 2016
Little to nothing on NYDFS website since…
NYDFS Reg Materials Released
◦ Proposed 23 NYCRR 500 (PDF)
◦ Notice of Proposed Rulemaking (PDF)
◦ Summary of the Rules (PDF)
◦ Regulatory Impact Statement - SAPA (PDF)
◦ Executive Order No. 17 (PDF)
7. “Covered Entities” - as defined by the Regs mean “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [NY] banking law, the [NY] insurance law or the [NY] financial services law.”
◦ NYDFS regulated institutions can be found at http://www.dfs.ny.gov/about/whowesupervise.htm
CE’s include individuals, partnerships, and corporations operating in the banking, insurance and other financial services industries within New York and regulated by the DFS. Includes state-chartered commercial banks and state-licensed branches and agencies of foreign banks.
Regs do not apply to local governments.
Limited exemption to Regs
1/14/2017 IAPP KnowledgeNet 7
8. Sec. 500.18(a) includes a limited exemption to the Regs for otherwise Covered Entities. If a CE has:
◦ Fewer than 1,000 customers in each of the last 3 years, AND
◦ Less than $5M in gross annual revenue in each of last 3 fiscal years, AND
◦ Less than $10M in year-end total assets per GAAP (including any affiliates for purposes of the total asset calculation)…
THEN, such entities are exempt from the Regs requirements involving maintenance of specific cybersecurity personnel, app development, multi-factor authentication, training, encryption, audits and audit trails, and conducting vulnerability tests.
Everything else still applies!
9. What about GLBA? Or other federal agency “guidance” and recommendations such as FFIEC and SEC recommendations?
Are the NYDFS Regs pre-empted for federally regulated entities?
NO!
The Regs expressly note they “duplicate” “to a very limited extent” GLBA Sec. 421 requirements, but that state regs providing greater protections are expressly authorized under GLBA Sec. 6807(b).
10. Programs - A comprehensive Cybersecurity Program covering 8 core functions
Policies - A written Cybersecurity Policy, Third Party Infosec Policy, and Incident Response Plan, each of which must address specific required items
Personnel - Training, monitoring, appointment of a “qualified individual” as CISO, and “sufficient” cybersecurity personnel (outside third parties can handle these functions)
Technology - Infosec technology and practices, including:
◦ MFA, encryption (at rest and in transit), data retention limits, 6 years of audit trail records, mandated training for all employees and specific cybersecurity training, and testing/risk assessment (including quarterly vulnerability assessments + annual penetration testing).
Third Party Vendor Requirements – Annual assessment of vendors’ cybersecurity practices and mandated contractual terms “to the extent applicable”, including: use of MFA, encryption, “prompt” notice of “any” Cybersecurity Event, ID protection services for customers, rep that any service or product is free of viruses, etc., and right to perform “cybersecurity audits”.
Reporting & Certification that includes:
◦ CISO written report to board of directors at least 2x year (which DFS can request!); Reporting to NYDFS of certain “Cybersecurity Events” within 72 hours of discovery; Annual certification by BoD or “Senior Officer(s)” of compliance with Regs to NYDFS by Jan 15th of each year (with maintenance for 5 years of “records, schedules and data” supporting the certification).
11. Short 72 Hour Notifications to NYDFS, and DFS can request all CISO reports
Expansive definition of “Nonpublic Information” that goes well beyond traditional PHI or PII definitions
Encryption everywhere of NPI – at rest and in transit
6 year retention of massive audit trail records, including
◦ Data sufficient to allow for “complete and accurate reconstruction of all financial transactions and accounting necessary… to detect and respond to a cybersecurity event”
◦ Detailed logging of all system events, sysadmin functions performed and all privileged access to critical systems
Third Party Vendor Requirements – Risk assessments, annual assessment of TPV cybersecurity practices, contractual requirements, including ID protection services and cybersecurity audit rights of vendors with NPI or systems
12. Cybersecurity Program to ensure “confidentiality, integrity and availability” of Information Systems, which must address:
Minimum of 6 Core Functions – identify cyber risks, defensive infrastructure, Cybersecurity Event detection, response and mitigation, recovery and regulatory reporting
Annual penetration testing and quarterly vulnerability testing
Detailed audit trail logging and data retention
Appropriate access privilege settings and access limitations
Risk-based policies, procedures and controls to monitor unauthorized access
Encryption of all Nonpublic Information – at rest and in transit
Data retention limits and timely destruction of NPI no longer necessary
Regular cybersecurity awareness training for all employees
Secure application development – both internal & external
Written Incident Response Plan
Must be reviewed and approved by CISO annually
13. Cybersecurity Policy detailing policies and procedures for protection of NPI and Information Systems.
◦ Must at minimum address 14 areas, which are broad and open-ended (e.g., “capacity and performance planning, customer data privacy, risk assessment, data governance and classification, etc.)
◦ May require existing Cybersecurity Policies to be reviewed and expanded given broad definition of NPI
◦ Must be updated “as frequently as necessary” but at least annually
Third Party Information Security Policy to ensure security of NPI and Information Systems “accessible to or held by” third parties.
◦ Identifying these parties and performing risk assessments
◦ Specifying minimum cybersecurity practices such third parties must meet
◦ Detailing due diligence processes to determine third party cybersecurity adequacy
◦ Annual assessment of third parties’ cybersecurity practices. What is enough?
◦ Contractual requirements as we’ll see further.
14. Chief Information Security Officer – Must be designated, who must be “qualified” and responsible for oversight, implementation and enforcement of Cybersecurity Program and Policy.
◦ Can be met through third party service providers (“outsourced CISO”)
◦ Short 72 Hour Notifications to NYDFS, and DFS can request all CISO reports
New IT security personnel requirements
◦ Must “employ cybersecurity personnel sufficient to manage” cybersecurity risks and perform core cybersecurity functions
◦ Regular “cybersecurity update and training sessions” for all cybersecurity personnel (and annual cybersecurity training for everyone else)
◦ Require “key” cybersecurity personnel to “stay abreast of” cybersecurity threats and countermeasures
◦ Covered Entities can use “qualified third party” to assist with these personnel requirements
15. Separate written Third Party Information Security Policy
Periodic (at least annually) assessment of third party cybersecurity practices. Is a questionnaire sufficient?
Written minimum cybersecurity practices third parties must meet “in order for them to do business” with Covered Entity. Typically a contract Exhibit add-on
And contractual provisions for third party contracts requiring the vendor “to the extent applicable” to agree to:
◦ Multi-Factor Authentication
◦ Encryption in transit and at rest
◦ Prompt notice for any Cybersecurity Event (even one not containing Covered Entity NPI) affecting the third party vendor
◦ Offer identity protection services (for unspecified length of time) to any Covered Entity customers “materially impacted” by Cybersecurity Event due to third party’s “negligence or willful misconduct”
◦ Reps and Warranties of no viruses, trap doors, time bombs “and other mechanisms that would impact the security” of CE’s Information Systems or NPI
◦ AND THE BIG ONE – “right of Covered Entity or its agents to perform cybersecurity audits” of the third party
16. Biannual CISO report to board, which DFS can request:
◦ Must assess security status, detail exceptions to cybersecurity policies/procedures, identify cyber risk to CE, assess “effectiveness” of cybersecurity program, list remediation steps for any identified items, and summarize “all material Cybersecurity Events” that affected CE during time period of report.
Annual Certification to DFS by Jan 15 of each year using form specified by Regs
◦ Certification that Board or Senior Officer have reviewed “documents, reports, certifications and opinions” as necessary, that “to best of knowledge” CE complies with Regs, and documents any areas requiring “material improvement, updating or redesign” and any “remedial efforts planned and underway” as to such areas.
Must notify DFS Superintendent within 72 hours of discovery of (1) all Cybersecurity Events with “reasonable likelihood of materially affecting the normal operation of the CE or that affects NPI” and (2) any identified “material risk of imminent harm” relating to CE’s cybersecurity program.
19. Best Practices
Industry Best Practice Frameworks:
o FFIEC Cybersecurity Assessment Tool (https://www.ffiec.gov/cyberassessmenttool.htm)
o National Institute of Standards and Technology (NIST) CyberSecurity Self-Assessment Tool (https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrige-cybersecurity-excellence-builder-draft-09.2016.pdf)
o US Cert Cyber-Resilience Review (https://www.us-cert.gov/ccubedvp/assessments)
“Annually”, “conduct a risk assessment”, “in accordance with written policies and procedures”, that are “documented” and that “includes” a “criteria for the evaluation and a categorization of identified risks” considering “confidentiality, integrity, and availability” of “systems” and the related “adequacy of existing controls”
20. Best Practices
“Key” features and/or controls that need to be embedded within “Identity Management” solutions and/or the internal control environment:
Account Request Management - Ability to request, establish, modify, and/or terminate access.
Role-Based Access - Ability to manage groups, roles, permissions, and/or resources based on function/responsibility.
User Provisioning - Ability to periodically retrieve and recertify access based on organizational hierarchies and ownership.
“Limit access”, “to nonpublic information”, “to those individuals that require such access”, “to perform their responsibilities” and “periodically review such access”
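The periodic access review the slide describes (retrieve entitlements, compare them against what each role needs, route them to the owning manager for recertification) can be run as a script over identity data. The following is an added example, not code from the presentation or from any identity-management product; the employees, roles, resources and the least-privilege baseline are constructed for illustration.

```python
"""Access recertification check over constructed identity data.

Added example (not from the presentation or from any vendor product):
hypothetical employees, roles and entitlements, and two helpers that a
periodic access review would run.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    manager: Optional[str]   # None at the top of the reporting hierarchy
    role: str
    active: bool             # False once HR has terminated the person


@dataclass(frozen=True)
class Entitlement:
    user: str
    resource: str
    permission: str


# Constructed sample data; names, roles and systems are hypothetical.
EMPLOYEES = {
    e.user: e
    for e in [
        Employee("cfo", None, "executive", True),
        Employee("alice", "cfo", "analyst", True),
        Employee("bob", "cfo", "dba", True),
        Employee("carol", "cfo", "analyst", False),   # left the company
    ]
}

# Least-privilege baseline: the (resource, permission) pairs each role needs.
ROLE_BASELINE = {
    "executive": {("reports", "read")},
    "analyst": {("reports", "read"), ("customer_db", "read")},
    "dba": {("customer_db", "read"), ("customer_db", "admin")},
}

# What the systems actually grant today (the state a review reconciles).
ENTITLEMENTS = [
    Entitlement("alice", "reports", "read"),
    Entitlement("alice", "customer_db", "read"),
    Entitlement("alice", "customer_db", "admin"),   # exceeds the analyst baseline
    Entitlement("bob", "customer_db", "admin"),
    Entitlement("carol", "customer_db", "read"),    # inactive user still provisioned
    Entitlement("dave", "reports", "read"),         # no HR record at all
]


def find_excess_access(entitlements, employees, baseline):
    """Return (entitlement, reason) pairs a reviewer must revoke or justify."""
    findings = []
    for ent in entitlements:
        emp = employees.get(ent.user)
        if emp is None:
            findings.append((ent, "orphaned: no matching employee record"))
        elif not emp.active:
            findings.append((ent, "inactive user still holds access"))
        elif (ent.resource, ent.permission) not in baseline.get(emp.role, set()):
            findings.append((ent, f"exceeds baseline for role '{emp.role}'"))
    return findings


def build_recertification_campaign(entitlements, employees):
    """Group entitlements by the manager who must attest to them.

    Entitlements with no owner in the hierarchy (unknown user, or a user
    with no manager) are routed to the identity administrators instead.
    """
    campaign = defaultdict(list)
    for ent in entitlements:
        emp = employees.get(ent.user)
        owner = emp.manager if emp is not None and emp.manager else "identity-admin"
        campaign[owner].append(ent)
    return dict(campaign)


if __name__ == "__main__":
    for ent, reason in find_excess_access(ENTITLEMENTS, EMPLOYEES, ROLE_BASELINE):
        print(f"REVIEW {ent.user} {ent.resource}:{ent.permission} -> {reason}")
    for owner, ents in build_recertification_campaign(ENTITLEMENTS, EMPLOYEES).items():
        print(f"{owner} must recertify {len(ents)} entitlement(s)")
```

The three findings (an analyst with database admin rights, a terminated user still provisioned, and an account with no HR record) are exactly the cases a questionnaire-style review tends to miss; the recertification grouping gives each manager a concrete list to attest to rather than an open-ended question.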
21. Best Practices
Multi-Factor Authentication
o Knowledge Factors
o Possession Factors
o Inherence Factors
Risk-Based Authentication requiring additional verification
o Device Security
o Concurrent Login
o Stale Account Login
o Failed Login Attempts Exceed Thresholds
o Behavioral Profiling
“Multi-Factor Authentication” requires “two of the following types of factors: 1) “Knowledge factors, such as a password”, 2) “Possession factors, such as a token or text message on a mobile phone” and/or 3) Inherence factors, such as a biometric characteristic”.
“Risk-Based Authentication” is “authentication that detects anomalies or changes in the normal use patterns of a person” and “requires additional verification of the person’s identity”.
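The five risk-based authentication signals listed above can be evaluated against a user's login history before deciding whether to demand an additional factor. This is an added example, not code from the presentation or from any authentication product: the login events, devices, addresses and the threshold values (90 days, 5 failures in 15 minutes, 1 hour session window) are constructed policy knobs, not figures from the regulation.

```python
"""Risk-based authentication signals over constructed login history.

Added example, not from the presentation: a hypothetical scoring function
that checks a new login attempt against a user's prior events for the
anomalies listed above (new device, concurrent login, stale account, failed
attempt thresholds, unusual-hour behaviour) and decides whether to require
additional verification.
"""
from datetime import datetime, timedelta


def parse_ts(s):
    """Parse constructed timestamps like '2017-01-11 09:20'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample history; users, devices and addresses are hypothetical.
HISTORY = [
    {"ts": parse_ts("2017-01-03 09:05"), "user": "alice", "device": "laptop-1", "ip": "10.0.0.5", "outcome": "success"},
    {"ts": parse_ts("2017-01-04 09:30"), "user": "alice", "device": "laptop-1", "ip": "10.0.0.5", "outcome": "success"},
    {"ts": parse_ts("2017-01-11 09:10"), "user": "alice", "device": "laptop-1", "ip": "10.0.0.5", "outcome": "success"},
    {"ts": parse_ts("2016-09-01 12:00"), "user": "bob", "device": "desktop-7", "ip": "10.0.0.9", "outcome": "success"},
] + [
    {"ts": parse_ts("2017-01-11 10:00") + timedelta(minutes=i), "user": "carol",
     "device": "unknown-x", "ip": "198.51.100.4", "outcome": "failure"}
    for i in range(6)
]


def assess_login(attempt, history, *, stale_days=90, fail_threshold=5,
                 fail_window=timedelta(minutes=15), session_window=timedelta(hours=1)):
    """Return ("allow" | "step_up", [signals]) for one login attempt.

    Thresholds are illustrative policy knobs, not values from the regulation.
    """
    prior = [e for e in history if e["user"] == attempt["user"] and e["ts"] < attempt["ts"]]
    successes = [e for e in prior if e["outcome"] == "success"]
    signals = []

    # Device security: a device never seen in a successful login for this user.
    if attempt["device"] not in {e["device"] for e in successes}:
        signals.append("new_device")

    # Stale account: a long gap since the last successful login.
    if successes and attempt["ts"] - max(e["ts"] for e in successes) > timedelta(days=stale_days):
        signals.append("stale_account")

    # Failed attempts exceeding a threshold inside the window.
    recent_failures = [e for e in prior
                       if e["outcome"] == "failure" and attempt["ts"] - e["ts"] <= fail_window]
    if len(recent_failures) >= fail_threshold:
        signals.append("failed_attempts_threshold")

    # Concurrent login: a recent successful session from a different address.
    if any(attempt["ts"] - e["ts"] <= session_window and e["ip"] != attempt["ip"]
           for e in successes):
        signals.append("concurrent_login_other_ip")

    # Behavioral profiling: hour of day outside the user's established pattern
    # (an hour adjacent to one previously seen still counts as usual).
    usual_hours = {(e["ts"].hour + d) % 24 for e in successes for d in (-1, 0, 1)}
    if successes and attempt["ts"].hour not in usual_hours:
        signals.append("unusual_hour")

    return ("step_up" if signals else "allow"), signals


if __name__ == "__main__":
    attempt = {"ts": parse_ts("2017-01-11 09:20"), "user": "alice",
               "device": "phone-2", "ip": "203.0.113.9"}
    print(assess_login(attempt, HISTORY))
```

Any triggered signal only escalates to a step-up (a second factor, per the MFA definition on the slide) rather than a hard deny, which keeps the control from locking out legitimate users on a new device while still refusing a silent password-only login for the anomalous cases.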
22. “Multi-Factor Authentication” required “for any individual accessing the Covered Entity’s internal systems or data from an external network”.
“Multi-Factor Authentication” required for “privileged access” to database servers that allow access to Nonpublic Information.
“Risk-Based Authentication” required “in order to access web applications that capture, display or interface with Nonpublic Information”.
“Multi-Factor Authentication” required “for any individual accessing web applications that capture, display or interface with Nonpublic Information”.
23. “Vulnerability assessment of”, “Information Systems at least quarterly”.
“Penetration testing” of “Information Systems at least annually”.
Differences between a Vulnerability Scan and a Penetration Test
Purpose
  Vulnerability Scan: Identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.
  Penetration Test: Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components.
When
  Vulnerability Scan: At least quarterly or after significant changes.
  Penetration Test: At least annually and upon significant changes.
How
  Vulnerability Scan: Typically a variety of automated tools combined with manual verification of identified issues.
  Penetration Test: A manual process that may include the use of vulnerability scanning or other automated tools.
Reports
  Vulnerability Scan: Potential risks posed by known vulnerabilities, ranked in accordance with NVD/CVSS base scores associated with each vulnerability.
  Penetration Test: Description of each vulnerability verified and/or potential issue discovered. More specific risks that the vulnerability may pose, including specific methods how and to what extent it may be exploited. Examples of vulnerabilities include but are not limited to SQL injection, privilege escalation, cross-site scripting, or deprecated protocols.
Duration
  Vulnerability Scan: Relatively short amount of time, typically several seconds to several minutes per scanned host.
  Penetration Test: Engagements may last days or weeks depending on the scope of the test and size of the environment to be tested. Tests may grow in time and complexity if efforts uncover additional scope.
24. Industry Best Practice Frameworks:
o Open Web Application Security Project (OWASP)
o Web Application Security Consortium (WASC)
o Others: The Federal Financial Institutions Examination Council (FFIEC), and the National Institute of Standards and Technology (NIST).
Industry Principles:
o Configuration Management
o Secure Transmission
o Authentication & Authorization
o Session Management
o Data Validation
o Output Encoding and Escaping
o Cryptography
o Error Handling
o Risk Functionality
“Written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications” and “assessing and testing the security of all externally developed applications”.
25. Privileged Account Best Practices
o Create and enforce policies that forbid the use of single, “all powerful” accounts.
o Privileged Account Password Tools (one time password generation/expiration)
o Leveraging privileged account monitoring & logging tools (e.g., Sudo, User Session Monitoring & Recording Solutions, Virtual/Physical Jump Stations)
Audit Logging Best Practices
o Log events should be defined so humans can read and understand them
o Events need to be timestamped
o Unique Identifiers (IDs) should be defined for each auditable activity
o Log in a text format (not binary)
o Identify the source of the event
o Limit the ability to access logs and restrict the ability to modify logs (e.g., WORM drives)
“Cybersecurity program” that includes the ability to “track and maintain data” for the “complete and accurate reconstruction of all transactions and accounting”, the “logging of all privileged user access to critical systems”, that “protects the integrity” of any “audit trail” or “hardware”, “from alteration or tampering” that is maintained “for not fewer than six years”.
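The audit logging practices above (human-readable text, timestamps, unique event IDs, a recorded source, and protection of the trail from alteration) can be combined in a single record format. The following is an added example, not code from the presentation or from any logging product: each privileged-access event is written as one JSON line and chained to the previous entry by a SHA-256 hash, so that editing any stored record is detected on verification. The hosts, actors and commands in the sample log are constructed.

```python
"""Tamper-evident audit log in a human-readable text format.

Added example, not from the presentation: each entry is one JSON line with a
sequence id, UTC timestamp, event source, actor, action and outcome, and is
chained to its predecessor by a SHA-256 hash so that alteration of any stored
entry is detectable on verification.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value for the first entry


def _digest(entry):
    """Hash the entry's fields in a canonical order (key-sorted, no whitespace)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(log, *, source, actor, action, target, outcome, ts=None):
    """Append one auditable event; returns the stored entry."""
    entry = {
        "id": len(log) + 1,                       # unique, monotonically increasing
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "source": source,                         # host or service that produced it
        "actor": actor,
        "action": action,
        "target": target,
        "outcome": outcome,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def to_text(log):
    """Serialise as newline-delimited JSON, readable with plain text tools."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log)


def verify_chain(text):
    """Return (True, None) if every line chains correctly, else (False, bad_index)."""
    prev = GENESIS
    for i, line in enumerate(text.splitlines()):
        entry = json.loads(line)
        claimed = entry.pop("hash", None)
        if entry.get("id") != i + 1 or entry.get("prev_hash") != prev or _digest(entry) != claimed:
            return False, i
        prev = claimed
    return True, None


def build_sample_log():
    """Constructed privileged-access events with fixed timestamps."""
    log = []
    t0 = datetime(2017, 1, 14, 9, 0, tzinfo=timezone.utc)
    append_event(log, source="db-prod-01", actor="jdoe", action="sudo",
                 target="/usr/bin/systemctl restart postgresql", outcome="success", ts=t0)
    append_event(log, source="db-prod-01", actor="jdoe", action="grant",
                 target="role:reporting_ro", outcome="success", ts=t0.replace(minute=5))
    append_event(log, source="jump-01", actor="svc-backup", action="ssh-login",
                 target="db-prod-01", outcome="failure", ts=t0.replace(minute=7))
    return log


def simulate_edit_of_entry(text, index, new_actor):
    """Rewrite one stored entry's actor after the fact (what verification must catch)."""
    lines = text.splitlines()
    entry = json.loads(lines[index])
    entry["actor"] = new_actor
    lines[index] = json.dumps(entry, sort_keys=True)
    return "\n".join(lines)


if __name__ == "__main__":
    text = to_text(build_sample_log())
    print(text)
    print("intact:", verify_chain(text))
    print("edited:", verify_chain(simulate_edit_of_entry(text, 1, "mallory")))
```

The chain detects modification, insertion and reordering of stored entries, but not removal of the most recent entries, since a truncated chain still verifies. That is why the slide's last bullet matters: the current head hash (or the whole file) has to be copied periodically to storage the log writers cannot modify, such as a WORM volume or a separate collection host, so that truncation is caught by comparing against that anchored copy.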
26. Best Practices
o In-Transit vs At Rest
o Symmetric vs Asymmetric
o Advanced Encryption Standard (AES)
o Questions Impacting Encryption Decisions
“Encrypt all nonpublic information” “in transit” within “one year from the date this regulation becomes effective” or “five years” for nonpublic information “at rest” with adequate “compensating” control between the regulation effective date and transition period.
27. Policy
o Team
o Response Plan/Strategy
o Communication
o Documentation
o Training
o Testing
Identification
Containment
Eradication
Lessons Learned
“Establish a written incident response plan designed to promptly respond to, and recover
from, any Cybersecurity Event”
29. Richard Santalesa, Esq, CIPP-US
Sm@rtEdgeLaw Group & Bortstein Legal Group
Phone: (203) 307-2665
rsantalesa@smartedgelawgroup.com
rsantalesa@blegalgroup.com
www.SmartEdgeLawGroup.com
www.blegalgroup.com
www.linkedin.com/in/rsantalesa
Jon Bosco
Partner
eDelta Consulting
Phone: (646)-205-9960
jBosco@edeltaconsulting.com
LinkedIn: https://www.linkedin.com/in/jon-bosco-