Information Security What every CFO needs to consider Joe Fracchia, CPA, CISA November 22, 2013.

Presentation transcript:


Information Security: Agenda
- A Quick Primer
- Context
- Headlines
- Opportunity

Information Security Primer
What needs protecting:
- Intellectual property: customer lists, recipes, proprietary processes/formulae, R&D
- Supplier pricing, customer pricing
- Financial data; banking data
- HR data
- Personally Identifiable Information (PII)
- Etc.
Why it needs protecting:
- Regulatory, contractual, reputational, and competitive reasons

Context: Information Security Zones
The zones used throughout this deck are Business Operations, Competition, Customers, Regulatory, and Suppliers.

Headlines (several slides of news clippings, including Security Week, 10/10/2013, and a 10/4/2013 item; only the zone legend survives: Business Operations, Competition, Customers, Regulatory, Suppliers)

Headlines: the questions customers and competitors are asking
- What specifically does your product do?
- Where has your R&D investment gone in the past 2 years?
- What ROI am I buying?
- What is the value add?
- When will I get the benefit? Now?
- What advantage do I get by doing business with you?
Zones: Business Operations, Competition, Customers, Regulatory, Suppliers

Vulnerabilities run across and overlap the various zones (Business Operations, Competition, Customers, Regulatory, Suppliers). The data at risk, as grouped on the slide:
- IP, financial data, customer lists, R&D, marketing
- PII, IP
- Pricing, IP
- Financial, HIPAA, PII
- PII, PCI, R&D, strategic moves, operations and financial data

How we assure ourselves and each other takes on various forms, each with its own approach. Across the zones (Business Operations, Competition, Customers, Regulatory, Suppliers) the assurance vehicles shown are:
- SSAE 16 SOC reports
- PCI-DSS; PA-DSS
- PCI-DSS; PA-DSS; Internal Audit
- SOX, Internal Audit, PII

Ownership of the various assurance vehicles and the data tends to sit in silos. The owning functions are Finance, Human Resources, and Legal/Counsel; the vehicles and data spread across them are SOX, SSAE 16, PII, HIPAA, PCI, and contractual obligations and IP.

The opportunity is efficiency: leverage assurance, reduce cost, increase effectiveness.
Control areas mapped against the assurance vehicles (columns on the slide: PCI, PII, SOX, SSAE 16, Internal Audit, Self Assess; an X marks a requirement imposed by that vehicle, an * marks where existing work can be leveraged; the column positions were not preserved in the transcript):
- Information Security Policy: XXX*
- Secure Network: XX***
- Protect Data: XXX***
- Vulnerability Management: XXX***
- Access Control: XX***
- Monitor and Test: XX***
- Change Control: X***
- Operations Integrity: X***

Examples
- We do penetration testing to test our network; PCI requires scans for various levels of providers. Do you do them twice?
- System integrity depends on change control. SOX, most SSAE 16s, and portions of PCI require testing. How do you avoid doing process testing three times?
- Are your internal auditors, QSA, and functional areas testing the same things that other providers are? Can you leverage that work?

Now is the right time to have the discussion about the security budget.

Questions?
