Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer.

Published byJustina Leonard Modified over 8 years ago

Similar presentations

Presentation on theme: "Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer."— Presentation transcript:

1 Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer Teraverde Management Advisors

2 One of the issues in the FTC vs. Wyndham case was whether businesses were on notice as to what Data Security the FTC would require The FTC now has Data Security tools for businesses. The FTC has published a "Protecting Personal Information, A Guide for Businesses" which says that a sound Data Security plan should be built on 5 principles: – take stock – scale down – lock it – pitch it – plan ahead

3 How does Data Security apply to a mortgage banker? Are these “events” merely security/privacy “incidents” or are they also “data breaches”? A loan officer downloads his customer list of 1,200 names and addresses and a pipeline report listing income and credit information and takes it to a competitor. A Loan Origination System reporting data base containing Personally Identifiable Information (“PII”) appears to have been entered, but it unclear by whom and whether information was extracted A loan office clicks on a Phishing email, and a ‘CryptoLocker’ malware locks company files and demands a ransom A disgruntled employee posts former customer PII on the ‘dark web’

4 Take a Data and Risk Inventory (GLBA Risk Assessment): What Personally Identifiable Information does the company collect? Where and how is data stored and segregated? digital copiers, laptops, tablets, phones, mobile apps How is very sensitive data protected (i.e. is it encrypted)? What controls are in place to protect access to data (i.e., dual authentication)?

5 Determine which laws and rules apply to you: Which data privacy laws apply to your collection and use of the data? State laws generally are enforced by the state Attorneys General and typically deal with notification requirements in the event of a data breach. Federal laws such as Gram-Leach Bliley(protection of PII) and the Fair Credit Reporting Act are generally more specific to particular sectors. The FFIEC Cyber Assessment tools provide definitive guidance

6 Make sure the Company’s Privacy Policies and Notices are current and enforced A privacy policy is a policy internal to your company, i.e., what the company tells its employees about the collection and use of personal data. A privacy notice is the policy the company shares with the outside world Both have to correspond and reflect your actual purposes to avoid UDAP issues

7 Manage your Vendors Mortgage bankers use a large number of vendors How do vendors protect your Company and your customers’ data? Enforce information security and privacy requirements on vendors that line up to the Company’s Information Security requirements Do you have a package of vendor management requirements that includes data security? The vendor should have a comprehensive vendor management response document, and should carry data breach insurance

8 Evaluate cyber-risk insurance. A data breach can explode very quickly and the costs to your company can be very high (significant costs per record lost). Do your current insurance policies cover a data breach? What exclusions may invalidate coverage? can you insure against a penalty from the FTC or other governmental entity? Will you insurer require an outside Risk Assessment?

9 Create an Incident Response Plan and follow it: no matter how strong data security, a breach can occur and response is as important as security Who is in charge of data privacy? CIO, Legal, Compliance, COO? Know the difference between a “security incident” and “data breach" Make sure your whole management team is aware of the Incident Response Plan Engage legal counsel at the beginning. Determine referral and notification policies to law enforcement beforehand. Prepare for the consumer and regulatory notice process. Know what identity theft and other damages your clients may face Plan for remedies to be offered to clients -- fraud security measures

10 Examine Social Engineering; firewalls and strong passwords are basic, but 80% of breaches occur from Social Engineering What training is provided to employees on Information Security? How is effectiveness of training evaluated? Are there periodic tests of employee compliance? How are these periodic tests tracked and frequent violators counseled/retrained? Have a specific and ongoing formal program in place to train, test, and counsel employees for social engineering risks

11 Questions to think about When was your last Risk Assessment and what areas did it cover? When was your last Business Continuity Drill? When was your last Penetration Test? When was your last Information Security Training and did it cover social engineering? Do you maintain an adequate hardware and software inventory to ensure all systems have the most up-to-date firmware or software version to prevent malicious attacks? How do you handle patch management? How do you ensure anti-virus software is current? Does your internal audit and compliance monitoring system sufficiently test information security topics? Have you set up a secure method for customers to send you their verifying information for their mortgage application?

12 Understand the difference between a vulnerability assessment and a penetration test: more than just semantics Vulnerability Assessments create a prioritized list of vulnerabilities, and generally how to remediate. Penetration Tests attack a specific goal. Most helpful to organizations already at their desired security posture.

13 Data theft is not your only concern Test your business continuity / disaster recovery plan regularly Ensure your data back-up systems are functioning and secure Are your systems or the vendor’s cloud more secure?

14 Do not limit Information Security to the IT function CIOs think technology, not employee behaviors Most breaches are not perimeter defense of ‘front door’ attacks Most breaches are introduced by employees, vendors, or social media phishers Maintain current risk assessments Have all areas audit user access to systems regularly Training is the most cost effective deterrent The money saved by bring your own device (BYOD) may not be cost effective if it introduces a data breach

15 Questions or Comments?

Download ppt "Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer."

Similar presentations

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Gramm-Leach-Bliley Act for Financial Aid Val Meyers Associate Director Michigan State University.

Gramm-Leach-Bliley Act for Financial Aid Val Meyers Associate Director Michigan State University.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Steps to Compliance: Risk Assessment PRESENTED BY.

Steps to Compliance: Risk Assessment PRESENTED BY.
Network security policy: best practices

Network security policy: best practices
Electronic Banking BY Bahaa Abas Noor abo han. Definition * e-banking is defined as: …the automated delivery of new and traditional banking products and.

Electronic Banking BY Bahaa Abas Noor abo han. Definition * e-banking is defined as: …the automated delivery of new and traditional banking products and.
© 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker.

© 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.

Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
Enterprise Risk ManagementSeptember 2010Miami, FL © 2010 Enterprise Risk Management Information Security- Facing the Risks in Electronic Channels and Social.

Enterprise Risk ManagementSeptember 2010Miami, FL © 2010 Enterprise Risk Management Information Security- Facing the Risks in Electronic Channels and Social.

Similar presentations

Ads by Google