Data Security: Steps to Improved Information Security
September 22, 2015
Presented by: Alex Henderson, General Counsel and Chief Administrative Officer, Teraverde Management Advisors
The FTC's expectations
One of the issues in the FTC vs. Wyndham case was whether businesses were on notice as to what Data Security the FTC would require. The FTC now has Data Security tools for businesses. The FTC has published "Protecting Personal Information: A Guide for Business", which says that a sound Data Security plan should be built on 5 principles:
– take stock
– scale down
– lock it
– pitch it
– plan ahead
How does Data Security apply to a mortgage banker?
Are these "events" merely security/privacy "incidents", or are they also "data breaches"?
– A loan officer downloads his customer list of 1,200 names and addresses and a pipeline report listing income and credit information, and takes it to a competitor.
– A Loan Origination System reporting database containing Personally Identifiable Information ("PII") appears to have been entered, but it is unclear by whom and whether information was extracted.
– A loan officer clicks on a phishing email, and 'CryptoLocker' malware locks company files and demands a ransom.
– A disgruntled employee posts former customer PII on the 'dark web'.
Take a Data and Risk Inventory (GLBA Risk Assessment)
– What Personally Identifiable Information does the company collect?
– Where and how is data stored and segregated? Consider digital copiers, laptops, tablets, phones and mobile apps.
– How is very sensitive data protected (e.g., is it encrypted)?
– What controls are in place to protect access to data (e.g., two-factor authentication)?
Determine which laws and rules apply to you
– Which data privacy laws apply to your collection and use of the data?
– State laws are generally enforced by the state Attorneys General and typically deal with notification requirements in the event of a data breach.
– Federal laws such as Gramm-Leach-Bliley (protection of PII) and the Fair Credit Reporting Act are generally more specific to particular sectors.
– The FFIEC Cybersecurity Assessment Tool provides definitive guidance.
Manage your vendors
– Mortgage bankers use a large number of vendors. How do vendors protect your Company and your customers' data?
– Enforce information security and privacy requirements on vendors that line up with the Company's Information Security requirements.
– Do you have a package of vendor management requirements that includes data security?
– The vendor should have a comprehensive vendor management response document, and should carry data breach insurance.
Evaluate cyber-risk insurance
– A data breach can explode very quickly, and the costs to your company can be very high (significant costs per record lost).
– Do your current insurance policies cover a data breach? What exclusions may invalidate coverage?
– Can you insure against a penalty from the FTC or another governmental entity?
– Will your insurer require an outside Risk Assessment?
Create an Incident Response Plan and follow it
No matter how strong your data security is, a breach can occur, and response is as important as security.
– Who is in charge of data privacy? CIO, Legal, Compliance, COO?
– Know the difference between a "security incident" and a "data breach".
– Make sure your whole management team is aware of the Incident Response Plan.
– Engage legal counsel at the beginning.
– Determine referral and notification policies to law enforcement beforehand.
– Prepare for the consumer and regulatory notice process.
– Know what identity theft and other damages your clients may face.
– Plan for remedies to be offered to clients, such as fraud security measures.
Examine social engineering
Firewalls and strong passwords are basic, but 80% of breaches occur from social engineering.
– What training is provided to employees on Information Security?
– How is the effectiveness of training evaluated?
– Are there periodic tests of employee compliance?
– How are these periodic tests tracked, and how are frequent violators counseled/retrained?
– Have a specific and ongoing formal program in place to train, test, and counsel employees for social engineering risks.
Questions to think about
– When was your last Risk Assessment, and what areas did it cover?
– When was your last Business Continuity Drill?
– When was your last Penetration Test?
– When was your last Information Security Training, and did it cover social engineering?
– Do you maintain an adequate hardware and software inventory to ensure all systems have the most up-to-date firmware or software version to prevent malicious attacks?
– How do you handle patch management?
– How do you ensure anti-virus software is current?
– Does your internal audit and compliance monitoring system sufficiently test information security topics?
– Have you set up a secure method for customers to send you their verifying information for their mortgage application?
Understand the difference between a vulnerability assessment and a penetration test: more than just semantics
– Vulnerability Assessments create a prioritized list of vulnerabilities and, generally, how to remediate them.
– Penetration Tests attack a specific goal. They are most helpful to organizations already at their desired security posture.
Data theft is not your only concern
– Test your business continuity / disaster recovery plan regularly.
– Ensure your data back-up systems are functioning and secure.
– Are your systems or the vendor's cloud more secure?
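The slide says to confirm that back-ups are "functioning and secure" but not how; one concrete way is a recurring check that every file in the last backup set is present, unchanged against a recorded digest, not readable by other users, and not older than the backup schedule allows. The script below is an added example written for this page, not part of the presentation or of any Teraverde tool. The file names, the manifest layout and the one-day freshness window are constructed assumptions.

```python
"""Backup verification check (added example; not from the presentation).

Records a SHA-256 digest for each file in a backup set, then on later runs
reports files that are missing, altered, exposed to other local users, or
older than the allowed backup interval.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path, created_at: datetime) -> dict:
    """Record when the backup was taken and a digest for every file it contains."""
    files = sorted(p for p in backup_dir.rglob("*") if p.is_file())
    manifest = {
        "created_at": created_at.isoformat(),
        "files": {str(p.relative_to(backup_dir)): sha256_file(p) for p in files},
    }
    # The manifest lives outside the backup directory so it is not part of its own inventory.
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path, now: datetime,
                  max_age: timedelta = timedelta(days=1)) -> dict:
    """Compare the backup set on disk against its manifest and return the findings."""
    manifest = json.loads(manifest_path.read_text())
    created_at = datetime.fromisoformat(manifest["created_at"])
    findings = {"missing": [], "corrupt": [], "exposed": [], "stale": False}
    for rel_name, expected in manifest["files"].items():
        path = backup_dir / rel_name
        if not path.is_file():
            findings["missing"].append(rel_name)
            continue
        if sha256_file(path) != expected:
            findings["corrupt"].append(rel_name)
        # Group- or world-accessible backup files are a disclosure risk (POSIX modes only).
        if os.name == "posix" and (path.stat().st_mode & 0o077):
            findings["exposed"].append(rel_name)
    findings["stale"] = (now - created_at) > max_age
    findings["ok"] = not (findings["missing"] or findings["corrupt"]
                          or findings["exposed"] or findings["stale"])
    return findings


def demo() -> dict:
    """Constructed scenario: a fresh backup passes; tampering, deletion and age are then caught."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        # Constructed sample files standing in for exported loan data.
        sample = {
            "loans.csv": b"id,name,ssn_last4\n1,J Doe,1234\n",
            "pipeline.csv": b"id,income\n1,85000\n",
        }
        for name, body in sample.items():
            target = backup / name
            target.write_bytes(body)
            os.chmod(target, 0o600)  # owner-only access
        manifest = Path(tmp) / "manifest.json"
        taken = datetime(2015, 9, 22, 2, 0, tzinfo=timezone.utc)
        write_manifest(backup, manifest, taken)
        results["fresh"] = verify_backup(backup, manifest, now=taken + timedelta(hours=6))
        # Simulate a silently altered file and a deleted file, checked again a week later.
        (backup / "loans.csv").write_bytes(b"id,name,ssn_last4\n1,J Doe,0000\n")
        (backup / "pipeline.csv").unlink()
        results["damaged"] = verify_backup(backup, manifest, now=taken + timedelta(days=7))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, json.dumps(outcome))
```

Run the check from a scheduled job against each completed backup and treat any non-empty finding as an incident to investigate, not just a log line; a manifest that is itself stored with the backup gives no independent evidence, so keep it on separate storage.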
Do not limit Information Security to the IT function
– CIOs think technology, not employee behaviors.
– Most breaches are not perimeter defense or 'front door' attacks.
– Most breaches are introduced by employees, vendors, or social media phishers.
– Maintain current risk assessments.
– Have all areas audit user access to systems regularly.
– Training is the most cost-effective deterrent.
– The money saved by bring-your-own-device (BYOD) may not be cost effective if it introduces a data breach.