Www.evalid8.com: Identity Theft… or a Lack of Management. A 50,000 Foot Technology View of this Business Tsunami. Maryland Chamber of Commerce Conference.


Identity Theft… or a Lack of Management
A 50,000 Foot Technology View of this Business Tsunami
Maryland Chamber of Commerce Conference 2007, Cambridge, MD
Presented by: Brian Dilley - President / Founder, eValid8 Corporation, CISA / CGEIT / MBA, Accredited Auditor

Agenda
- Introduction
- Legal Precedent
- Snap Shot
- Technology Solutions
- Independent Validation
- Logical Solutions
- Physical Solutions
- What it is going to Cost YOU!
- Frontline Report
- Open Mic

Introduction
- Mr. Brian Dilley - Your Speaker
- President
- Certified Information Systems Auditor
- Accredited Mortgage Bankers PKI Auditor
- Member – Information Systems Audit and Control Association (ISACA)
- Member – ISACA Maryland Chapter Board
- Member – Howard County Chamber of Commerce
- 24 years of Experience
- Cryptographer, IT Security Specialist, PKI Expert
- Active PKI Internal / External auditing activities
- FISMA SP Assessor
- Identity Management – Global / Federal / State / Commercial
- IRS Privacy SME

Legal Precedent
- Revised TJX Settlement To Offer Customers Vouchers Or Checks
After a federal judge raised concerns about a proposed TJX settlement stemming from an intrusion into its systems that compromised 45.7 million credit and debit card numbers, the deal has been revised to offer customers a choice of a $30 store voucher or a $15 check, according to a Boston Globe article. The company has estimated that it expects breach-related costs of about $256 million. The story indicates that the litigation outcome could set a precedent ($5.00 per record) for other similar breach-related cases.
- LATEST NEWS IS THAT THE BREACH COULD EXCEED 94 MILLION CREDIT CARDS – FINES WILL INCREASE

Snap Shot
- Maryland Personal Information Protection Act
- 8 Sections
  - Definitions
  - Customer Obligations
  - Protections
  - Breach
  - Provision
  - Notice
  - Business Affiliate
  - Violation
- Good News (yada yada yada…): if you comply with GLBA, the Federal Fair & Accurate Transaction Act, the Federal Interagency Guidelines Establishing Information Security Standards, and the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, you meet the intent of SB 194 and are covered… but what analysis have you conducted?????

Technology Solutions
- Encryption
  - In transit (electronic or physical)
  - In storage (long or short term)
  - …, Documents, …
- Tokens, Biometrics, RealID, HSPD12, PKI, Strong Authentication – all based on cryptography and/or digital certificates
- Authorized Access
  - Permissions and Rights
  - Vetting Permissions / Issuing IDs

More Technology
- VPNs
  - Dedicated Lines
  - Encryption
  - Session Termination
- SSH / Credential logons
- Algorithms
  - AES, SHA-1 or greater – RC4 can be beaten
- SSL / TLS
  - HTTPS
- Firewalls
  - Ports & Protocols
  - Only open what is needed
- Logs
  - Audit, Review, Report, Investigate

Technology Statements
- Logon Warning Banners
  - Allows prosecution; due notice has been given
- Privacy Statement
  - Website – do you have one?
- Retention Policy – see Vangel paper
  - Period required by contracts or law
  - Access / Authorization / Documentation
- Destruction: SHRED! SHRED! SHRED!
  - Removal; minimize what is to be stored & retained
- IT Security and Privacy Protection touches every business sector today

Organization IT Plans
- IT Documents & Plans
  - Privacy Statement
  - System Security Plan
  - Business Continuity Plans
  - Backup / Archive Plans
  - Retention Policies
  - Destruction / Disposal Policy
  - Transmission / Transportation Policy
  - User Policy / Authentications
  - Independent Audits / Assessments
  - Plan of Action & Milestones

Controls
- Technical, Logical, Physical
  - All families of protection come into play
- Comprehensive Plan
  - Implementation of Plan
  - 3rd Party Validation of Plan - eValidated™
- Physical Controls
  - Gates, Guns, Guards, Doors, & Locks
  - If you have those, then the hard work begins
- Log Books
  - Documentation of all events, prompt reporting
- Training Awareness
  - Dust the cobwebs off
  - All professionals go to training to keep their skills up
- Accountability
  - Personnel / Management

Independent Validation
- HAVING NO PLANS IS NOT BETTER
- Due diligence prevents lawsuits based upon negligence
- LAWYERS HAVE IDENTIFIED THIS AS ANOTHER ASBESTOS HEYDAY FOR THEIR INDUSTRY
  - This time all businesses are in play – IT crosses all industries

Certified IT Auditors
- Right Profession for the Right Engagement
- ISACA – ANSI Accredited
  - CISA
  - CISM
- Trained Professionals
  - Security and Privacy separation of duties provides management with a check and balance
- Globally Recognized Professionals
- Continuing Education Units

What it is Going to Cost You!
- Penalties
  - Applicable Laws – vary, but are cumulative
- Credit Monitoring Cost
  - $100 * 100K User Database = $10,000,000
- Notification Cost
  - $0.41 * 100K User Database = $41,000
- Required improvements
  - $5,000 - $100,000,000
- Legal Defenses, Senior IT Professionals
This is for one minor database being lost!

More $$$$$$$$$$$$$$$$$$
- Lawsuits
  - Not only from individuals, but companies that have entrusted their information to you
  - The sky is the limit – Tort Law prevails
- Trained Professionals
  - Over $100K per year, per professional – local business level
  - U.S. Government pays over $250K per year, per professional
  - Conservative estimate: let's assume 400,000 specialists
    - $100,000,000,000 per year
  - Based on 3,000,000 Federal (Non-DoD) employees per the Census Bureau (2005); e.g. DHS employs over 800K employees as of 2006

More $$$$$$$$$$$$$$$$$$
- Business against Business
  - VISA, MasterCard, American Express
  - Healthcare
  - Privacy Information retained
- Consumers against Business
  - Clients
- Lawyer growth industry
  - This will be an emerging trend for litigation and restitutions
- Privacy tied to security solutions
- Legal Ramifications on Two Fronts

Frontline Report
- Old practices are what make it work
  - Watching, all the time
  - Awareness improves behavior, improves response times
  - Accountability and Responsibility
  - Independent Assessments – regular basis
- Technology
  - Part of the solution
  - Scales
  - Provides strong protections / authentication / logging
  - Electronic Non-Repudiation

More News…
- People
  - Biggest Exposure and Solution Component
- Physical & Cyber Security
  - Have got to work together
  - Old perceptions and paradigms must be broken
  - Jobs will not be replaced by technology
- Security enables Privacy --> Privacy enables Trust --> Trust enables Business!

Open Mic
Contact Information (if you want a copy):
eValid8 Corporation
Phone:
Fax:

Where are those files?
Business Landscape

References
- GAO Report – Identity Awareness
- President's Strategic Plan
- U.S. Government Identity Theft Website
- NIST IT Security Publications
- Maryland Law