Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.evalid8.com Identity Theft… …or a Lack of Management A 50,000 Foot Technology View of this Business Tsunami Maryland Chamber of Commerce Conference.

Similar presentations


Presentation on theme: "Www.evalid8.com Identity Theft… …or a Lack of Management A 50,000 Foot Technology View of this Business Tsunami Maryland Chamber of Commerce Conference."— Presentation transcript:

1 Identity Theft… …or a Lack of Management A 50,000 Foot Technology View of this Business Tsunami Maryland Chamber of Commerce Conference 2007 Cambridge, MD Presented by: Brian Dilley - President / Founder eValid8 Corporation CISA / CGEIT / MBA Accredited Auditor

2 Agenda  Introduction  Legal Precedent  Snap Shot  Technology Solutions  Independent Validation  Logical Solutions  Physical Solutions  What it is going to Cost YOU!  Frontline Report  Open Mic

3 Introduction  Mr. Brian Dilley - Your Speaker  President  Certified Information Systems Auditor  Accredited Mortgage Bankers PKI Auditor  Member – Information Systems Audit and Control Association (ISACA)  Member – ISACA Maryland Chapter Board  Member – Howard County Chamber of Commerce  24 years of Experience  Cryptographer, IT Security Specialist, PKI Expert  Active PKI Internal / External auditing activities  FISMA SP Assessor  Identity Management – Global / Federal / State / Commercial  IRS Privacy SME

4 Legal Precedent  Revised TJX Settlement To Offer Customers Vouchers Or Checks After a federal judge raised concerns about a proposed TJX settlement stemming from an intrusion into its systems that compromised 45.7 million credit and debit card numbers, the deal has been revised to offer customers a choice of a $30 store voucher or a $15 check, according to this Boston Globe article. The company has estimated that it expects breach-related costs of about $256 million. The story indicates that the litigation outcome could set a precedent ($5.00 per record) for other similar breach-related cases. LATEST NEWS IS THAT THE BREACH COULD EXCEED 94 million CREDIT CARDS – FINES WILL INCREASE

5 Snap Shot  Maryland Personal Information Protection Act  8 Sections  Definitions  Customer Obligations  Protections  Breach  Provision  Notice  Business Affiliate  Violation  Good News (yada yada yada … If you comply with GLBA, Federal Fair & Accurate Transaction Act, Federal Interagency Guidelines Establishing Information Security Standards, Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice you meet the intent of SB 194 and are covered…what analysis have you conducted ?????

6 Technology Solutions  Encryption  In transit (electronic or physical)  In storage (long or short term)  , Documents,  Tokens, Biometrics, RealID, HSPD12, PKI, Strong Authentication – all based on cryptography and/or digital certificates  Authorized Access  Permissions and Rights  Vetting Permissions / Issuing IDs

7 More Technology  VPNs  Dedicated Lines  Encryption  Session Termination  SSH / Credential logons  Algorithms  AES, SHA-1 or greater – RC4 can be beaten  SSL / TLS  HTTPS  Firewalls  Ports & Protocols  Only open what is needed  Logs  Audit, Review, Report, Investigate

8 Technology Statements  Logon Warning Banners  Allows prosecution,  Due notice has been given  Privacy Statement  Website – Do you have one?  Retention Policy – See Vangel Paper  Period required by contracts or law  Access / Authorization / Documentation  Destruction SHRED! SHRED! SHRED!  Removal, minimize what is to be stored & retained  IT Security and Privacy Protection touches every business sector today

9 Organization IT Plans  IT Documents & Plans  Privacy Statement  System Security Plan  Business Continuity Plans  Backup / Archive Plans  Retention Policies  Destruction / Disposal Policy  Transmission / Transportation Policy  User Policy / Authentications  Independent Audits / Assessments  Plan of Action & Milestones

10 Controls  Technical, Logical, Physical  All families of protection come into play  Comprehensive Plan  Implementation of Plan  3 rd Party Validation of Plan - eValidated™  Physical Controls  Gates, Guns, Guards, Doors, & Locks,  If you have those then the hard work begins  Log Books  Documentation of all events, prompt reporting  Training Awareness  Dust the cobwebs off  All professionals go to training to keep their skills up  Accountability  Personnel / Management

11 Independent Validation  HAVING NO PLANS IS NOT BETTER  Due diligence prevents lawsuits based upon negligence  LAWYERS HAVE IDENTIFIED THIS AS ANOTHER ABESTOS HEYDAY FOR THEIR INDUSTRY This time all businesses are in play – IT crosses all industries

12 Certified IT Auditors  Right Profession for the Right Engagement  ISACA – ANSI Accredited  CISA  CISM  Trained Professionals  Security and Privacy separation of duties provides management with a check and balance  Global Recognized Professionals  Continuing Education Units 

13 What it is Going to Cost You!  Penalties  Applicable Laws – Varies, but are accumulative  Credit Monitoring Cost  $100 * 100K User Database = $10,000,000  Notification Cost  $0.41 * 100K User Database = $41,000  Required improvements  $5,000 - $100,000,000  Legal Defenses, Seniors IT Professionals This is for one minor database being lost!

14 More $$$$$$$$$$$$$$$$$$  Lawsuits  Not only from individuals, but companies that have entrusted their information to you  The sky is the limit – Tort Law prevails  Trained Professionals  Over $100K per year, per professional – local business level  U.S. Government pays over $250K per year, per professional  Conservative Estimate, lets assume 400,000 specialists  $100,000,000,000 per year  Based on 3,000,000 Federal (Non-DoD) employees by the Census Bureau (2005) i.e. DHS employs over 800K employees as of 2006

15 More $$$$$$$$$$$$$$$$$$  Business against Business  VISA, MasterCard, American Express  Healthcare  Privacy Information retained  Consumers against Business  Clients  Lawyer growth industry  This will be an emerging trend for litigation and restitutions  Privacy tied to security solutions  Legal Ramifications on Two Fronts

16 Frontline Report  Old practices are what makes it work  Watching, all the time  Awareness improves behavior, improves response times  Accountability and Responsibility  Independent Assessments – Regular basis  Technology  Part of the solution  Scales  Provides Strong protections / authentication / logging  Electronic Non-Repudiation

17 More News…  People  Biggest Exposure and Solution Component  Physical & Cyber Security  Have got to work together  Old perceptions and paradigms must be broken  Jobs will not be replaced by technology  Securityenables Privacy --> Privacyenables Trust --> Trustenables Business!

18 Open Mic Contact Information (If you want a copy) eValid8 Corporation Phone: Fax:

19 Where are those files? Business Landscape

20 References  GAO Report – Identity Awareness   President’s Strategic Plan   U.S. Government Identity Theft Website   NIST IT Security Publications   Maryland Law 


Download ppt "Www.evalid8.com Identity Theft… …or a Lack of Management A 50,000 Foot Technology View of this Business Tsunami Maryland Chamber of Commerce Conference."

Similar presentations


Ads by Google