1. www.evalid8.com Identity Theft… …or a Lack of Management A 50,000 Foot Technology View of this Business Tsunami Maryland Chamber of Commerce Conference 2007 Cambridge, MD Presented by: Brian Dilley - President / Founder eValid8 Corporation CISA / CGEIT / MBA Accredited Auditor

2. www.evalid8.com Agenda  Introduction  Legal Precedent  Snap Shot  Technology Solutions  Independent Validation  Logical Solutions  Physical Solutions  What it is going to Cost YOU!  Frontline Report  Open Mic

3. www.evalid8.com Introduction  Mr. Brian Dilley - Your Speaker  President  Certified Information Systems Auditor  Accredited Mortgage Bankers PKI Auditor  Member – Information Systems Audit and Control Association (ISACA)  Member – ISACA Maryland Chapter Board  Member – Howard County Chamber of Commerce  24 years of Experience  Cryptographer, IT Security Specialist, PKI Expert  Active PKI Internal / External auditing activities  FISMA SP 800-53 Assessor  Identity Management – Global / Federal / State / Commercial  IRS Privacy SME

4. www.evalid8.com Legal Precedent  Revised TJX Settlement To Offer Customers Vouchers Or Checks After a federal judge raised concerns about a proposed TJX settlement stemming from an intrusion into its systems that compromised 45.7 million credit and debit card numbers, the deal has been revised to offer customers a choice of a $30 store voucher or a $15 check, according to this Boston Globe article. The company has estimated that it expects breach-related costs of about $256 million. The story indicates that the litigation outcome could set a precedent ($5.00 per record) for other similar breach-related cases. LATEST NEWS IS THAT THE BREACH COULD EXCEED 94 million CREDIT CARDS – FINES WILL INCREASE

5. www.evalid8.com Snap Shot  Maryland Personal Information Protection Act  8 Sections  14-3501 - Definitions  14-3502 - Customer Obligations  14-3503 - Protections  14-3504 - Breach  14-3505 - Provision  14-3506 - Notice  14-3507 - Business Affiliate  14-3508 - Violation  Good News (yada yada yada … If you comply with GLBA, Federal Fair & Accurate Transaction Act, Federal Interagency Guidelines Establishing Information Security Standards, Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice you meet the intent of SB 194 and are covered…what analysis have you conducted ?????

6. www.evalid8.com Technology Solutions  Encryption  In transit (electronic or physical)  In storage (long or short term)  eMail, Documents,  Tokens, Biometrics, RealID, HSPD12, PKI, Strong Authentication – all based on cryptography and/or digital certificates  Authorized Access  Permissions and Rights  Vetting Permissions / Issuing IDs

7. www.evalid8.com More Technology  VPNs  Dedicated Lines  Encryption  Session Termination  SSH / Credential logons  Algorithms  AES, SHA-1 or greater – RC4 can be beaten  SSL / TLS  HTTPS  Firewalls  Ports & Protocols  Only open what is needed  Logs  Audit, Review, Report, Investigate

8. www.evalid8.com Technology Statements  Logon Warning Banners  Allows prosecution,  Due notice has been given  Privacy Statement  Website – Do you have one?  Retention Policy – See Vangel Paper http://www.vangelpaper.com/laws/records.php http://www.vangelpaper.com/laws/records.php  Period required by contracts or law  Access / Authorization / Documentation  Destruction SHRED! SHRED! SHRED!  Removal, minimize what is to be stored & retained  IT Security and Privacy Protection touches every business sector today

9. www.evalid8.com Organization IT Plans  IT Documents & Plans  Privacy Statement  System Security Plan  Business Continuity Plans  Backup / Archive Plans  Retention Policies  Destruction / Disposal Policy  Transmission / Transportation Policy  User Policy / Authentications  Independent Audits / Assessments  Plan of Action & Milestones

10. www.evalid8.com Controls  Technical, Logical, Physical  All families of protection come into play  Comprehensive Plan  Implementation of Plan  3 rd Party Validation of Plan - eValidated™  Physical Controls  Gates, Guns, Guards, Doors, & Locks,  If you have those then the hard work begins  Log Books  Documentation of all events, prompt reporting  Training Awareness  Dust the cobwebs off  All professionals go to training to keep their skills up  Accountability  Personnel / Management

11. www.evalid8.com Independent Validation  HAVING NO PLANS IS NOT BETTER  Due diligence prevents lawsuits based upon negligence  LAWYERS HAVE IDENTIFIED THIS AS ANOTHER ABESTOS HEYDAY FOR THEIR INDUSTRY This time all businesses are in play – IT crosses all industries

12. www.evalid8.com Certified IT Auditors  Right Profession for the Right Engagement  ISACA – ANSI Accredited  CISA  CISM  Trained Professionals  Security and Privacy separation of duties provides management with a check and balance  Global Recognized Professionals  Continuing Education Units  http://www.isaca.org http://www.isaca.org

13. www.evalid8.com What it is Going to Cost You!  Penalties  Applicable Laws – Varies, but are accumulative  Credit Monitoring Cost  $100 * 100K User Database = $10,000,000  Notification Cost  $0.41 * 100K User Database = $41,000  Required improvements  $5,000 - $100,000,000  Legal Defenses, Seniors IT Professionals This is for one minor database being lost!

14. www.evalid8.com More $$$$$$$$$$$$$$$$$$  Lawsuits  Not only from individuals, but companies that have entrusted their information to you  The sky is the limit – Tort Law prevails  Trained Professionals  Over $100K per year, per professional – local business level  U.S. Government pays over $250K per year, per professional  Conservative Estimate, lets assume 400,000 specialists  $100,000,000,000 per year  Based on 3,000,000 Federal (Non-DoD) employees by the Census Bureau (2005) i.e. DHS employs over 800K employees as of 2006

15. www.evalid8.com More $$$$$$$$$$$$$$$$$$  Business against Business  VISA, MasterCard, American Express  Healthcare  Privacy Information retained  Consumers against Business  Clients  Lawyer growth industry  This will be an emerging trend for litigation and restitutions  Privacy tied to security solutions  Legal Ramifications on Two Fronts

16. www.evalid8.com Frontline Report  Old practices are what makes it work  Watching, all the time  Awareness improves behavior, improves response times  Accountability and Responsibility  Independent Assessments – Regular basis  Technology  Part of the solution  Scales  Provides Strong protections / authentication / logging  Electronic Non-Repudiation

17. www.evalid8.com More News…  People  Biggest Exposure and Solution Component  Physical & Cyber Security  Have got to work together  Old perceptions and paradigms must be broken  Jobs will not be replaced by technology  Securityenables Privacy --> Privacyenables Trust --> Trustenables Business!

18. www.evalid8.com Open Mic Contact Information (If you want a copy) eValid8 Corporation Phone: 866.465.6005 Fax: 410.465.9315 eMail: brian.dilley@evalid8.combrian.dilley@evalid8.com

19. www.evalid8.com Where are those files? Business Landscape

20. www.evalid8.com References  GAO Report – Identity Awareness  http://www.gao.gov/new.items/d02766.pdf http://www.gao.gov/new.items/d02766.pdf  President’s Strategic Plan  http://www.ftc.gov/opa/2007/04/idtheft.shtm http://www.ftc.gov/opa/2007/04/idtheft.shtm  U.S. Government Identity Theft Website  http://www.idtheft.gov/ http://www.idtheft.gov/  NIST IT Security Publications  http://www.nist.gov/public_affairs/pubs.htm http://www.nist.gov/public_affairs/pubs.htm  Maryland Law  http://mlis.state.md.us/2007RS/bills/sb/sb0194e.pdf