
Robert W. Carruth, CSP, ARM-P Risk Control Manager NCACC Risk Management Services.


1 Robert W. Carruth, CSP, ARM-P, Risk Control Manager, NCACC Risk Management Services

2 What This is All About:
- Understanding Data Security in the Cyber-World
- Reduce the Likelihood of a Data Breach
- Prepare to Respond for WHEN it Happens
- Insure Adequate Resources are Available

3 Memory Lane....

4 Now the World Has Access
- Digital Age
- Time & Space are Eliminated
- How are Digital Networks and Data Secured?
- Same Basic Principles as Paper Data
- Now the World Has Access

5 The Modern Computing Environment
- Server
- Printer
- Smartphone
- VPN
- Control Systems
- Alarm Systems
- Tablet
- Laptop
- Desktop

6 But It's Still the Same Data

7 So... It's About Protecting the Data
- Security Principles Remain the Same
- Theft is Easier
- Lots of Data = Lots of Value

8 In Other Words.... Anywhere personal information is collected and managed.

9 Types of Cyber Events
- Inadvertent Disclosure
- Loss of Device
- Virus/Malware "Infection"
- Disaster or Hardware Malfunction
- Malicious Attack

10 Results of Cyber Attack
- Compromise/Loss of Data
- Destruction of Software
- Denial of Service
- "Snowball" Event
- Credibility of Government is Damaged
- Slowing of Automation of Processes

11 Target Breach
- Over 70 Million Affected
- Credit/Debit Card Data Compromised
- Used a "RAM Scraper" to Collect Data
- Malware was installed in the transaction process
- Origin was traced to an HVAC Contractor using a Smartphone

12 OPM Breach
- June 4, 2014
- Over 4 Million Records Compromised
- One of Several Cyber Events over a 2-Year Period
- Agency was Fully Compliant with Federal Guidelines

13 Lessons Learned - OPM Breach
- Critical Infrastructure will be Attacked.
- Used to compromise government personnel.
- Conduct of reconnaissance and enumeration.
- Compliance-based security strategies don't work.
- In-depth audits won't help, either.
- Given today's operational realities, governments must rethink security standards.
Source: 12 Lessons For Security & Risk Pros From The US OPM Breach, Forrester Research.

14 98% of All Data Breaches
- Human Error
- Insider Misuse
- Malware & Viruses
- Physical Theft & Loss

15 Sensitive Data
- Social Security Numbers
- Banking/Credit Card Data
- Health Records
- Personnel Records
- Other Personal Identifying Information ("Harm" Threshold)
- Confidential Operations Documents

16 Vulnerable Areas
- Board Clerk
- Register of Deeds
- Tax Administrator
- Utilities
- Human Services/Transportation
- Health/EMS
- Human Resources
- Outside Groups

17 Recommended Actions
- Appoint a Chief Data Officer or Champion
- Protect Data as a Social Responsibility
- Monitor for Data Access and Exfiltration
- Use Encryption as Much as Possible
- Develop Plans for How Data is Secured

18 Recommended Actions
- Provide Employee-Centric Data Protection
- Use Software to Monitor Behavior
- Develop & Enforce Password Protocols
- Routinely Purge Authorized User Lists
- Monitor the Global Cyber Environment
Source: 12 Lessons For Security & Risk Pros From The US OPM Breach, Forrester Research.

19 Tax Administrator
- Maintains County's Tax Records
- Assesses New & Existing Property
- Distributes Tax Notices
- Receives Payments from Public

20 What Do I Need to Do? (Tax Administrator)
- Screen Records for Private Data
- Segregate & Secure Consolidated Lists or Databases
- Maintain Physical Security over Field Equipment
- Protect & Secure Received Property Data
- Review Release of Delinquent Tax Listings
- Ensure Secure Credit/Debit Card Transactions

21 The Cyber Pyramid
- Human Interface
- Data Storage
- Systems Security

22 System Security
- Map Your System - Chart Data Flow
- Keep Systems Updated - Antivirus & Firewall
- Address Access by Contractors & Visitors
- Separate Network Servers
- Monitor Systems Activity 24/7
- Back up Data Daily Offsite

23 Data Storage
- Use a Vendor for Credit Card Payments
- Move Archives out of the Network
- Purge Users Periodically
- Identify What Data is Actually Needed
- Compartment Sensitive Data
- Limit Storage on Mobile Devices
- Get Rid of What You Don't Need
- Limit Access to Sensitive Data

24 User Interface
- Establish Social Networking Policy
- Educate Your Employees
- Have a Response Plan & Practice It
- Control Internet Access
- Purge Users Periodically
- Practice Good Physical Security
- Have a Good Password Policy
- Limit Contractor Exposure
- Screen Before Posting or Releasing

25 New Concepts
- The "Data Champion"
- ID Protection as an Employee Benefit
- External Response Contractor

26 Incident Preparedness and Response

27 Incident Key Elements
- Response Team
- Financial Planning
- Response Plan

28 Response Team
- Think Commandos, Not Battalions
- Ability to move quickly
- Integral positions: Administration, Entity Attorney, IT, Department Heads where Data is stored
- Ability to reach out to Board and additional staff as needed

29 Response Team
- Data Breach Expertise: Internal? External?
- Multi-jurisdictional Regulatory Experience
- Type of Data Influence: PII, PCI, PHI

30 Financial Planning
- What is my potential exposure?
  - Investigation expenses
  - Notification and assistance expenses
  - Regulatory expenses
  - Liability claims and defense cost
- Potential exposure depends on the type of information compromised
- Various information (PII, PCI, PHI) - fund to greatest exposure
- Fund for single or multiple events?

31 Financial Planning
- Internal Funding
  - General funds
  - Separate claims fund
  - Incorporate in Risk Management fund
- External Funding - Insurance
  - Confirm coverage for main loss exposures
  - Expert assistance?
  - Risk Control?
  - Deductibles and potential exclusions

32 Financial Planning
Cost Example - 1000 records compromised
- PII: $735,745 ($736 per record)
- PCI: $682,575 ($683 per record)
- PHI: $1,017,615 ($1,018 per record)
Includes forensics, notifications, regulatory, liability claims and defense

33 Response Plan
- Flexibility: Remember Commandos!
- Don't Assume! Investigate to uncover the cause of the breach. Did an actual legal breach occur?
- Expert takes point
- Communications
  - Internal
  - External: Designate a spokesperson(s)
  - Acknowledgement, Action Plan, Empathy

34 Response Plan
- Monitor action plan and make adjustments as needed
- Wrap-up Review
  - Lessons learned
  - System or operational changes
  - Tie back to proactive risk control

35 Actual Cyber Event
- True story illustration

36 Questions? Comments?
Bob Carruth: bob.carruth@ncacc.org
