
What Is Information Security? – Security Basics 101. Shannon M. Culp, Manager Information Security – Information Security Officer (CISO)


1 What Is Information Security? – Security Basics 101
Shannon M. Culp, Manager Information Security – Information Security Officer (CISO)

2 What is Information Security?
- Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
- The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goal of protecting the Confidentiality, Integrity and Availability of information; however, there are some subtle differences between
(From Wikipedia)

3 Information Security in Business
- Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
- Should confidential information about a business' customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.
(From Wikipedia)

4 Regulatory Requirements
- FTC Act
- Gramm Leach Bliley Act
- HIPAA + HITECH Act
- EU Data Privacy Directive
- Sarbanes Oxley
- Bank Secrecy Act
- General Negligence Law
- Downstream Liability
- PCI DSS (electronic payments)
- California Data Privacy Law
- Feinstein Data Privacy Reporting Proposal
- OFAC – OCC Rules
- State Security Breach
- USA Patriot I and II
- Fair Credit Reporting Act
- SEC Regulations 10(b)(5)
- Minnesota Plastic Card Security Act
- Ohio Privacy Law

5 Why?
- To steal information – “Netspionage Costs Firms Millions”
- For financial gain or theft – “Flaw Causes Credit Card Chaos”
- To make a statement – “Most do it for profit but there are those that don’t”
- Because they can! – “Teen hacker intended to disable 10,000 sites”
- For revenge! – “Due to the Economy – Layoffs lead to revenge hacking by X-Employees”

6 Why Do I Need Security?
- CSI Computer Crime Survey, December 2009 – 443 respondents
- 57.1% of respondents require HIPAA compliance; 18.1% HITECH Act compliance; 42.9% Payment Card Industry (PCI)
- Types of attacks experienced by respondents:
  - 64.3% – Malware infection
  - 42.2% – Laptop / mobile device theft
  - 30% – Insider abuse of Net access or email
  - 29.2% – Denial of service
  - 19.5% – Financial fraud
  - 15% – Unauthorized access or privilege escalation by insider
  - 17.3% – Password sniffing
  - 8% – Exploit of wireless network
Source: 2009 CSI Computer Crime and Security Survey

7 Why Do I Need Security?
- The same respondents that reported breaches:
  - 99.1% had anti-virus software
  - 97.9% had a firewall
  - 89.9% had anti-spyware
  - 85.7% used Virtual Private Networks (VPN)
  - 75.3% encrypted data in transit
  - 72.6% utilized an Intrusion Detection System
  - 65.9% had vulnerability / patch management
  - 62.2% encrypted data at rest
  - 60.4% utilized web / URL filtering
  - 40.9% had Data Loss Protection / content monitoring
Source: 2009 CSI Computer Crime and Security Survey


9 What Information?
- Personal Health Information
- Social Security Number
- Account password
- Bank Account Number
- Bank Routing (Transit) Number
- Credit Card Number / Primary Account Number
- Credit Card Verification Code
- Date of Birth
- Driver's License Number
- Loan Number

10 What is Information Worth?
- Your full identity goes for $10 - $150. That includes name, DOB, address and social security number. Surprisingly, your social security number will fetch a paltry $5 - $7. They are more valuable when attached to the rest of your personal info.
- Identity theft continues to be the fastest growing crime in the world.
- It’s now bringing in more money than drug trafficking. From a thief’s point of view, online identity theft is a safe and profitable business. Don’t look for it to slow down any time in the near future. Protect yourself with Identity Theft Solutions.

11 What is Information Worth?
- Credit card numbers are the most popular items for sale. Even though they bring considerably less money than bank numbers, they are the easiest to steal. Their value is anywhere from $.50 to $5.
- The next most valuable piece of info is your email password. It can bring from $1 - $150 depending on whether your account has been used for spamming previously. Email passwords allow access to an email account and are typically used for sending spam. They can also be used to recover a user’s passwords from various Web sites that will email password-reset information to the user’s email account. Here’s another kick – email accounts with usernames in standard English are generally higher priced. Kinda makes you want to change your name to "Qwerty".
- Medical Information and Social Security Numbers are not as easy to come by but go much further.

12 Where Do I Start With Information Security?
The overall goal is to ensure that information security and resources are protected and used according to the following:
- Consistent with your company’s mission and security standards
- Compliance with state and federal law, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Safeguard the confidentiality, integrity and availability of Electronic Protected Health Information (EPHI) as required by HIPAA

13 Accountability and Ownership
- Security must be incorporated into a “program” and collaborated on as part of every employee's everyday activity – Security is EVERYONE’S job!
- For a Security Program to be successful:
  - Not one-time or situational
  - Must have senior management support and leadership buy-in
  - Accountability must be assigned to individuals
  - Policies must be designed to be enforced
  - Auditing and reviews must occur frequently

14 Accountability and Ownership
- Implement user security policies and procedures to ensure that information accessed via electronic resources is protected.
- EVERY person who performs work for your organization through employment, contract, residency, or as a student, vendor, or volunteer, etc., must be accountable for protecting electronic information, especially protected health information (PHI).

15 Accountability and Ownership
- The accountabilities discussed in your program include:
  - accessing and storing electronic information
  - email use and all communications
  - internet usage
  - printing, faxing, transporting and disposing of information
- Everyone in your organization should:
  - use good security practices
  - know how to identify potential security risks
  - report anything unusual or suspicious

16 Simple Security Program Guidance
- Policies must enforce, and the organization’s technology and infrastructure must support:
  - Prohibiting sharing of passwords
  - All users being accountable for any activity performed under their ID
  - Never writing passwords down!
  - Regular random audits as well as on-demand audits for HIPAA complaints
- Security Awareness – education is KEY!

17 Simple Security Program Guidance
- Make sure mobile devices are protected
  - PDAs, smart phones, iPads, Blackberries, iPhones, Windows Mobile, etc.
  - Force a PIN, device security wipe, and remote wipe on demand
- Encrypt laptops = “safe harbor”
- Encrypt patient data and credit card data
- Make sure credit card numbers are handled according to PCI DSS (Payment Card Industry Data Security Standard)

18 Simple Security Program Guidance
- Never store confidential or patient data on workstations or mobile devices
- Make sure monitors and screens are positioned so that “shoulder surfers” can’t see things they aren’t supposed to
- Implement a “need to know” policy
- Make sure internet browsing is filtered and controlled for business purposes and protection of PHI (Protected Health Information)

19 Simple Security Program Guidance
- Remind staff that it is “not okay” to discuss patient activities on Facebook, MySpace, and other blogs, or to post pictures
  - Opens the door for HIPAA complaints, investigations and fines
  - Even if a name is not mentioned – it is still PHI
- Use good security practices when opening emails and attachments
- Make sure education includes shredding of documentation and secure faxing

20 Simple Security Program Guidance
- Don’t allow employees to use personal email accounts for business (i.e. Yahoo, Hotmail, etc.)
- Put policy, tools and processes in place to track and monitor email messages and internet activity
- Put policy, tools and processes in place to ensure secure handling of paper documents containing PHI or confidential information

21 Simple Security Program Guidance
- Use “strong” passwords
  - Protecting your password helps to protect our organization’s information. Here are some tips for selecting strong passwords (remember some systems may have password limitations – do your best to make these system passwords strong):
  - Do not use your name or personal information
  - Create passwords that are at least 6 or more characters
  - Use upper and lower case letters
  - Use a combination of letters and numbers
  - Use special characters (like %, $, @) in your password
  - Use misspelled words
  - Use phrases

22 Vanity Plate – compound words
- Too late again = 2L8aga1n
- Music is for me = MusikS4m3
- Day after today = dayFter2day
- 15djoth! (15 dogs jumped over the house)
- Seashore = Se@shor
- Deadbolt = Ded&bowlt8
- Easy money = Ea$ymon3y
- Blackboard = blaK4borD
- Substitute numbers for letters in your phrases:
  - 5 or $ = S
  - 1 = L or I
  - 3 = E
  - 0 = O
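As an added example (not from the presentation), a small Python checker that applies the tips from the two password slides above (at least 6 characters, upper and lower case, letters with numbers, special characters, no personal information) and reports which tips a candidate password misses. The vanity-plate samples come from the slide; the personal terms, the two weak samples, and the rule that length and the personal-info tip are mandatory are assumptions of this example.

```python
import string


def password_checks(password: str, personal_terms=()) -> dict:
    """Return {tip_name: True/False} for each tip on the slide.

    personal_terms: words the user must not embed in the password
    (name, birth year, etc.), matched case-insensitively.
    """
    lowered = password.lower()
    return {
        "no_personal_info": not any(
            term.lower() in lowered for term in personal_terms if term
        ),
        "min_length_6": len(password) >= 6,
        "upper_and_lower": any(c.isupper() for c in password)
        and any(c.islower() for c in password),
        "letters_and_digits": any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password),
        "special_chars": any(c in string.punctuation for c in password),
    }


def missing_tips(password: str, personal_terms=()) -> list:
    """Names of the slide's tips that the password does not satisfy."""
    checks = password_checks(password, personal_terms)
    return [tip for tip, ok in checks.items() if not ok]


def is_strong(password: str, personal_terms=(), required: int = 4) -> bool:
    """Assumed policy (not stated on the slide): length and the
    personal-info tip are mandatory, and at least `required` of the
    five tips must hold overall."""
    checks = password_checks(password, personal_terms)
    return (
        checks["min_length_6"]
        and checks["no_personal_info"]
        and sum(checks.values()) >= required
    )


if __name__ == "__main__":
    # Vanity-plate examples from the slide plus two constructed weak ones;
    # "Pat" and "1985" stand in for a user's name and birth year.
    personal = ["Pat", "1985"]
    for pw in ["2L8aga1n", "MusikS4m3", "Se@shor", "Ea$ymon3y",
               "password", "Pat1985!"]:
        print(f"{pw:12} strong={is_strong(pw, personal)} "
              f"missing={missing_tips(pw, personal)}")
```

The number-for-letter substitutions on the slide are routinely tried by password-guessing tools, so the length and phrase tips carry more of the strength than the substitutions do.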

23 Simple Security Program Guidance
- Make sure your data is available when you need it
- Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan.
- In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

24 Simple Security Program Guidance
- Remember the three keys of Security:
  - Confidentiality – “need to know”
  - Integrity – information is not modified and maintains its original properties
  - Availability – information is always available when needed

25 Helpful Links
- National Institute of Standards and Technology
  - Special Publication 800-66 – HIPAA security rule
  - FIPS 200 and NIST SP 800-53 – security controls
- Computer Security Institute
- HITECH Act
- Security Awareness Materials

26 Good Luck!
- What questions do you have?
- My contact information: Shannon M. Culp, TriHealth, Inc., 513-569-6744
