Wolf's Risk Management Services
Risk Management Services:
– IT Assurance Services
– Internal Audit Services
– Compliance Services
– WolfPAC Solutions
Risk Management performs work with over 200 organizations.
Diverse experience: WAN & LAN network engineering, regulatory and legal services, various industry operations, IT operations and management, software development, financial accounting, information security.
Commitment to industry excellence, with certifications including CPA, CISA, CIA, CISSP, CRCM, and JD.
Agenda
– Data privacy statistics
– Data breach costs
– Information security threats
– Data privacy rules and regulations
What is Information Security?
It is the protection of information from unauthorized:
– Access (Confidentiality)
– Modification (Integrity)
– Destruction (Availability)
– Disclosure (Confidentiality)
Why is Information Security Important?
We need to provide confidentiality, integrity, and availability of information assets:
– To maintain trust, image and credibility: people entrust us with their personal information so that we can help protect them and build a solid foundation for their financial security
– Security incidents cost $$$$
– For legal compliance: Gramm-Leach-Bliley Act (GLBA) / state privacy laws
"As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know."
– Donald Rumsfeld, Feb. 12, 2002, Department of Defense news briefing
Last year (10/1/08 – 9/30/09)
– 498 reported security breaches involving sensitive personal information, representing approximately 168 million records
– For 145 of those breaches the total number of records affected is considered unknown
Source: datalossdb.org
Security Breaches Summary…
– Stolen laptops / computers
– Stolen paper reports
– Hacking incidents
– Vendor mismanagement
– Improper destruction of files
– Lost backup tapes
– Dishonest employees selling information
Causes of Data Breaches
– 29% – Lost/stolen device or documents
– 29% – Accidental release
– 15% – Hack by external party
– 11% – Lost media/documents
– 10% – Internal fraud
– 5% – Other
Source: datalossdb.org
What does a breach cost?
– Average cost per record: $202
– Average cost per breach: $6.6 million (ranged from $613,000 to $32 million)
Source: Ponemon Institute
Cost Per Record, by Industry (chart)
Source: Ponemon Institute
What's Trust Got to Do with It?
If people do not trust a company:
– 77% refuse to buy its products or services
– 72% criticize it to people they know
– 75% refuse to do business with it
– 34% share their opinions and experiences on the web
Source: Edelman Trust Barometer (2009) – Edelman is the world's largest public relations firm.
Factors Important to Trust
– 94% high-quality products and services
– 93% treats employees well
– 91% communicates frequently and honestly on the state of its business
– 91% gives value for money
– 90% strong financial future
– 89% senior leadership that can be trusted
– 86% creates and keeps jobs in my area
– 85% commits time, money and resources to the greater good
Source: Edelman Trust Barometer (2009)
"I've done nothing wrong, I can't be responsible for a company I hire." – Owner
http://www.theregister.co.uk/2009/10/14/microsoft_windows_bank_thefts/
"The obvious solution for many is to simply close all online banking accounts. Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them. But if you insist on making online payments and transfers, the best decision you can make is to stop using Windows to make those transactions."
Information Security Threats: Phishing and Pharming
What are they?
Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is carried out by e-mail or instant messaging and directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is a type of social engineering.
Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming is technically harder to accomplish than phishing, but also sneakier, because it can be done without any active mistake on the part of the victim. Pharming is a type of Bot.
Both phishing and pharming have been used to steal identity information.
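Two defensive checks that follow from the definitions above, written as an added example for this slide (not code from the presentation or from Wolf): a look-alike check that flags URL hosts resembling a trusted domain, the signature of a phishing link, and a hosts-file scan that flags a trusted domain silently pointed at an unexpected address, one way pharming is done on a victim's machine. The trusted domains, their expected IPs, the confusable-character table and the sample hosts file are all constructed for the example.

```python
"""Added example: phishing look-alike detection and a hosts-file pharming check.
Everything in TRUSTED and SAMPLE_HOSTS is constructed for illustration."""
from urllib.parse import urlparse

# Constructed: domains the organisation trusts and the addresses they should resolve to.
TRUSTED = {
    "examplebank.com": {"203.0.113.10", "203.0.113.11"},
    "paymentportal.example": {"198.51.100.5"},
}

# Characters attackers swap in to build names that read like the real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances to a trusted name mean typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name (sufficient for the constructed domains here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def phishing_verdict(url: str, max_distance: int = 2) -> str:
    """'trusted'   : host is a trusted domain or a real subdomain of one
       'lookalike' : a trusted name is embedded in the host, or the registrable
                     part is within max_distance edits after confusable folding
       'unrelated' : anything else"""
    host = (urlparse(url).hostname or "").lower()
    for dom in TRUSTED:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    folded = registrable(host).translate(CONFUSABLES)
    for dom in TRUSTED:
        if dom in host:  # e.g. examplebank.com.evil.example (not a true subdomain)
            return "lookalike"
        if levenshtein(folded, dom) <= max_distance:
            return "lookalike"
    return "unrelated"


def pharming_entries(hosts_text: str) -> list[tuple[str, str]]:
    """(hostname, ip) pairs from a hosts file that map a trusted domain to an
    address outside its expected set, i.e. a local redirect of that site."""
    flagged = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            dom = registrable(name)
            if dom in TRUSTED and ip not in TRUSTED[dom]:
                flagged.append((name.lower(), ip))
    return flagged


# Constructed hosts file: one legitimate pin and one injected redirect.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
203.0.113.10 www.examplebank.com   # legitimate pin
192.0.2.77 examplebank.com www.examplebank.com   # injected redirect
"""

if __name__ == "__main__":
    for u in ["https://www.examplebank.com/login", "https://examp1ebank.com/login",
              "https://examplebank.com.evil.example/", "https://news.example.org/"]:
        print(u, "->", phishing_verdict(u))
    print(pharming_entries(SAMPLE_HOSTS))
```

The verdict function only looks at the host name, so it complements rather than replaces a content filter; a real deployment would load the trusted list and expected addresses from configuration and run the hosts-file check on endpoints as part of routine monitoring.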
Information Security Threats: Botnets/Zombie Networks
What is it?
– Bot – software applications that run automated tasks over the Internet
– Zombie – an infected computer
– Botnet/Zombie Network – a collection of compromised computers
– Bot Herder – an individual or group that develops or obtains Bots and sells them to hackers
Information Security Threats: Botnets/Zombie Networks
Threats
– Data theft
– Keystroke logging
– DDoS attacks
– Pharming attacks
– Viruses, Trojans and worms
– Email spam
Preventive Controls
– Install a personal firewall
– Install anti-virus & anti-spyware software
– Use strong passwords and authentication such as secure tokens
Information Security Threats: Malware/Mobile Malware
What is it?
– Malware – malicious software, including computer viruses, worms, trojan horses, most rootkits, spyware and dishonest adware
– Mobile Malware – attacks portable devices such as laptop computers, cell phones, PDAs and Blackberries
Information Security Threats: Malware/Mobile Malware
Threats
– Theft of email and text messages
– Theft of client and employee personal information
– Attacks on critical systems
Preventive Controls
– Encrypt portable devices
– Install anti-virus software
– Use WiFi and Bluetooth only at home or at trusted locations
– Do not save business data on your mobile device
– Communicate to employees the types of information that may be accessed using these devices
Information Security Threats: Outsourcing
What is it?
Specifically, when a third party hosts, manages and/or maintains technology resources
Threats
– How safe is the contracted party?
Preventive Controls
– Obtain a SAS 70 report and copies of audits
– Ensure contracts define responsibilities
– Obtain certification from the vendor
Information Security Threats: Social Engineering
What is it?
– A low-tech form of hacking
– Tries to trick individuals into giving out sensitive information
– Can be performed in person or via the telephone or email
– Social engineers will try to access facilities and play the part of supervisors, employees, vendors or auditors
Information Security Threats: Social Engineering
Threats
– Unauthorized access to data, systems and sites
– Phishing attacks
Preventive Controls
– Train staff to be alert to suspicious activity and unknown individuals
– Restrict access to the facility to individuals with a valid business reason to enter
– Enact company policies on when to give out personal information and passwords
– Conduct security awareness campaigns
Information Security Threats: Natural Disasters
What are they?
Hurricanes, tornadoes, floods, fires, etc.
Threats
– Loss of data
– Loss of systems availability
– Loss of site access
Preventive Controls
– Back up all files to one or more remote locations
– Store files on secure online storage sites
– Maintain a secondary computing environment
– Business continuity planning
Rules and Regulations
– Gramm-Leach-Bliley Act (GLBA)
– Payment Card Industry Data Security Standard (PCI DSS)
– State laws
– Federal laws
GLBA
The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These rules apply to "financial institutions," which include banks, securities firms, insurance companies, and other companies providing many other types of financial products and services to consumers.
PCI DSS
Comprehensive requirements for payment account data security.
– Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
– Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
– Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
PCI DSS
– Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
– Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
– Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security
State Laws (New England)
New England states define personal information similarly: a combination of a name and any one or more of the following:
1) Social Security number;
2) Driver's license number or state identification card number; or
3) Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account
State Laws (New England)
Notification of breach to compromised parties through various communication methods
– Substitute notices based on cost / number of compromised records
In all states, law enforcement agencies may delay notification of breaches if it is deemed that disclosure will impede or compromise an investigation
NE State Laws – Penalties
– CT: unfair trade practice, enforced by the Attorney General (civil penalties up to $500,000)
– ME: civil violation, not more than $500 per violation, max of $2,500 for each day in violation
– MA: the Attorney General may bring an action pursuant to section 4 of chapter 93A
NE State Laws – Penalties (cont.)
– NH: if the violation is willful or knowing, the court awards as much as 3 times but not less than 2 times the actual damages…as well as the costs of the suit and reasonable attorneys' fees. The Attorney General's office shall enforce the provisions
– RI: civil violation, not more than $100 per occurrence and not more than $25,000 total
– VT: the Attorney General and state's attorney have full authority to investigate, enforce, prosecute, obtain and impose remedies
M.G.L. c. 93H and 201 CMR 17.00 (MA Law)
Goes beyond just notification; establishes minimum security standards:
– 17.03: Duty to Protect and Standards for Protecting Personal Information
– 17.04: Computer System Security Requirements
Implementation of the standards required by March 1, 2010
Background
– Passed by the Office of Consumer Affairs and Business Regulation on September 19, 2008
– Originally scheduled to be effective on January 1, 2009; deadline extended to March 1, 2010
– One of the first state privacy laws to go beyond requiring notifications
– Established to make companies assume more ownership of sensitive data and be penalized if they abuse that access
Who is Affected?
Any person who owns, licenses, stores, or maintains personal information about a resident of Massachusetts.
Applies to ANY organization in possession of personal information of Massachusetts residents, whether or not that business maintains a presence in the state.
What is Covered?
Personal Information means a Massachusetts resident's first name or initial, and last name, in combination with one or more of the following:
– Social Security number
– Driver's license or state ID card number
– Financial account number (not just bank account numbers), credit / debit card number (with or without the security / access codes, PINs, or passwords needed to access the account)
Excludes information lawfully obtained from publicly available information or government records.
Includes employee information, thus requiring almost all organizations in MA and surrounding states to comply.
What is Covered
Employee-type information:
– Payroll records
– Health benefits
– Direct deposit records
– 401(k)
Required Elements
– Designated Employee – one or more employees must be designated to maintain the information security program (ISP)
– Written – the ISP must be formally documented
– Risk Assessment – the ISP must identify and assess reasonably foreseeable risks:
  – Internal and external
  – Provide an inventory of sensitive data
  – Evaluate the effectiveness of the safeguards currently in place to mitigate such risks
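The "What is Covered?" definition and the "inventory of sensitive data" requirement above can be turned into a simple scanning rule: a record is personal information under the regulation only when a name is present together with at least one of the listed identifiers. The script below is an added example for this deck (not Wolf's tooling and not from the regulation): it applies that test to a constructed CSV extract. The column names, the license-number pattern and every sample value are assumptions made for the example.

```python
"""Added example: flag records that meet the 201 CMR 17.00 personal-information test
(first name or initial plus last name, together with SSN, driver's license / state ID
number, or a financial account / card number). CSV layout, license pattern and all
sample rows are constructed for illustration."""
import csv
import io
import re

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumption for the example: one capital letter followed by eight digits.
LICENSE = re.compile(r"\b[A-Z]\d{8}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
DIGIT_RUN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment cards; rejects random digit runs such as order ids."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def identifiers_in(text: str) -> list[str]:
    """Which of the regulation's identifier types appear in free text."""
    found = set()
    if SSN.search(text):
        found.add("ssn")
    if LICENSE.search(text):
        found.add("license")
    for m in DIGIT_RUN.finditer(text):
        if luhn_ok(m.group()):
            found.add("card")
    return sorted(found)


def has_name(record: dict) -> bool:
    # First name or initial plus last name: both columns must be non-empty.
    return bool(record.get("first_name", "").strip()) and bool(record.get("last_name", "").strip())


def inventory(csv_text: str) -> list[dict]:
    """One entry per row: identifiers found and whether the row meets the PI test."""
    rows = []
    for n, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        ids = identifiers_in(" ".join(v for v in rec.values() if v))
        rows.append({"row": n, "identifiers": ids,
                     "personal_information": has_name(rec) and bool(ids)})
    return rows


# Constructed extract. Row 3 has an SSN but no name; row 6 has a digit run that
# fails the Luhn check, so neither is flagged as personal information.
SAMPLE_CSV = """first_name,last_name,notes
Jane,Doe,SSN 123-45-6789 on file
J,Smith,card 4111 1111 1111 1111 expires 2012
,Anonymous,SSN 987-65-4321 with no name attached
Bob,Lee,called about branch hours
Ann,Ray,license S12345678 scanned
Eve,Park,order 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for r in inventory(SAMPLE_CSV):
        print(r)
```

A row that carries an identifier without a name (row 3) still deserves attention even though it falls outside the regulation's definition, and the public-records exclusion cannot be decided by pattern matching, so treat the output as the starting point for the inventory rather than its final form.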
Required Elements
– Continuous employee security awareness training
– Disciplinary measures
– Preventing terminated employees from accessing records
– Third-party service providers: the ISP must require by contract that third-party service providers with access to personal information protect it
– Physical restrictions
Required Elements
– Regular monitoring
– Annual update of the security program
– Breach responses
Required Elements
Technical controls:
– Security Access Controls – password controls, access levels, lockout settings
– Encryption – encryption of data when residing on portable devices or transported over public networks
– Firewalls – up-to-date firewall protection, with operating system security patches installed
– Malware and Virus Protection – up-to-date malware and virus definitions
– Employee Training – education and training of employees on the proper use of computer information security systems and the importance of personal information security
– Monitoring – reasonable monitoring of systems for the unauthorized use of or access to personal information
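Two of the technical controls above, password controls with lockout settings and monitoring for unauthorized access, are shown below as working logic in an added example (not code from the presentation and not prescribed by 201 CMR 17.00, which sets no specific thresholds). It checks a password against a policy and replays constructed authentication log lines through a lockout tracker that also reports a successful login while an account should still be locked, which is the kind of anomaly monitoring is meant to catch. The policy limits, the log format and the sample lines are assumptions for the example.

```python
"""Added example: password policy check and an account-lockout monitor over
constructed auth log lines. Thresholds and log format are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MIN_LENGTH = 12                         # assumed policy values
LOCKOUT_THRESHOLD = 5                   # failures ...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ... within this window trigger a lock
LOCKOUT_DURATION = timedelta(minutes=30)


def password_policy_violations(pw: str) -> list[str]:
    """Empty list means the password satisfies the assumed policy."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("a character repeated 3+ times in a row")
    return problems


# Constructed log format: "<date> <time> auth <success|failure> user=<id> src=<ip>"
LOG = re.compile(r"^(\S+ \S+) auth (success|failure) user=(\S+) src=(\S+)$")


def lockout_events(log_text: str) -> list[tuple[str, str, str]]:
    """Return (user, timestamp, kind) for each lockout and for each success that
    occurs while the account should still be locked."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> when the lock expires
    events = []
    for line in log_text.splitlines():
        m = LOG.match(line.strip())
        if not m:
            continue                # unrelated or unparseable line
        ts = datetime.fromisoformat(m.group(1))
        outcome, user = m.group(2), m.group(3)
        if user in locked_until and ts >= locked_until[user]:
            del locked_until[user]  # lock has expired
        if outcome == "failure":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > LOCKOUT_WINDOW:
                q.popleft()         # forget failures outside the window
            if len(q) >= LOCKOUT_THRESHOLD and user not in locked_until:
                locked_until[user] = ts + LOCKOUT_DURATION
                events.append((user, m.group(1), "lockout"))
                q.clear()
        else:
            if user in locked_until:
                # A success here means the lock was not enforced: investigate.
                events.append((user, m.group(1), "success_during_lockout"))
            failures[user].clear()
    return events


# Constructed sample: jdoe trips the threshold, then logs in while locked;
# asmith's two failures are 30 minutes apart and never trigger a lock.
SAMPLE_LOG = """2010-02-01 09:00:00 auth failure user=jdoe src=192.0.2.10
2010-02-01 09:00:00 auth failure user=asmith src=203.0.113.8
2010-02-01 09:00:05 auth failure user=jdoe src=192.0.2.10
2010-02-01 09:00:10 auth failure user=jdoe src=192.0.2.10
2010-02-01 09:00:15 auth failure user=jdoe src=192.0.2.10
2010-02-01 09:00:20 auth failure user=jdoe src=192.0.2.10
2010-02-01 09:01:00 auth success user=jdoe src=192.0.2.10
2010-02-01 09:02:00 kernel: unrelated line that the parser skips
2010-02-01 09:30:00 auth failure user=asmith src=203.0.113.8
2010-02-01 09:31:00 auth success user=asmith src=203.0.113.8
"""

if __name__ == "__main__":
    print(password_policy_violations("Password1"))
    for e in lockout_events(SAMPLE_LOG):
        print(e)
```

The tracker is per user, so a distributed attempt spread across many accounts would not trip it; pairing it with a per-source-address counter is the usual next step, and the "success_during_lockout" event is the one to alert on because it indicates the configured lockout is not actually being enforced.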
Compliance and Enforcement
Attorney General Enforcement: the Attorney General may enforce violations of Chapter 93H via actions brought under Chapter 93A
Compliance Standards
– Size, scope and type of business *
– Amount of resources available to such person *
– Amount of personal information stored *
– The need for security *
* No guidance on minimum requirements
Federal Laws
A federal privacy law in draft could override state laws.
9 bills have been introduced over the last few years but have not been successful; they address:
– Consumer notification
– Penalties
– Enforcement
– Centralized reporting
Matthew Putvinski, CPA, CISA, CISSP Director – IT Assurance Services 617-428-5479 firstname.lastname@example.org twitter.com/mattputvinski http://www.linkedin.com/in/mattputvinski Thank You!