Don't let them take a byte

Defend Your Data Bit by Bit. Don’t Let Them Take a Byte: Kevin Ricci, CISA, MCSE

description

Understanding the risks associated with data privacy and security and some strategies to protect your Company.

Transcript of Don't let them take a byte

Page 1: Don't let them take a byte

Defend Your Data Bit by Bit

Don’t Let Them Take a Byte:

Kevin Ricci, CISA, MCSE

Page 2: Don't let them take a byte
Page 3: Don't let them take a byte

Former FBI Director Mueller:

“There are two types of companies, those that have been hacked and those that don’t know it”

Page 4: Don't let them take a byte

Why is this important?

Page 5: Don't let them take a byte

• 94% of organizations have had at least one data breach in the past two years.

• Averages:

– Number of breach incidents in the past two years: 4

– Number of records compromised per breach: 28,765

– Cost per record lost: $188

• Industry with highest average cost per breach is Healthcare: $233 per record compromised.

• Cause of Breaches:

– 37%: Malicious or criminal attack

– 35%: Negligent employee

– 29%: System glitch

Key Statistics

Source: Ponemon Institute’s 2013 Cost of Data Breach Study: Global Analysis

Page 6: Don't let them take a byte
Page 7: Don't let them take a byte

Full service Professional Services Firm:

Attest Services

Tax Preparation and Compliance

IT Audit and Security

Internal Control

Internal Audit

Outsourcing

SSAE 16 Services

Page 8: Don't let them take a byte

Highly qualified in a variety of specializations

CPA

CIA

CFE

CISA

MCSE

ABV

CVA

MST

Page 9: Don't let them take a byte

Affiliations:

– AICPA

– PCAOB

– ACFEI

– ISACA

– TANGO

– CICPAC

– Practicewise

– VACO Risk Solutions

Page 10: Don't let them take a byte

HIPAA Overview

• The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996

• Purpose

– Ensure the portability of health care

– Prevent fraud and abuse

– Reduce paperwork

– Enforce standards that will improve the efficiency of healthcare delivery, simplify the exchange of healthcare data, and reduce cost

– Ensure the privacy and security of health information

Page 11: Don't let them take a byte

HIPAA HITECH and Final Omnibus Rule

• In 2009, the American Recovery and Reinvestment Act was passed and included the Health Information Technology for Economic and Clinical Health (HITECH) Act. In 2013, the Final Omnibus Rule was passed.

• HITECH continues the effort of HIPAA to encourage migration to electronic patient records via financial incentives

• Widens the scope and magnitude of privacy and security protections available under HIPAA and clarifies their provisions

• Provides stronger enforcement including regular audits

• Modifies and clarifies the definition of what constitutes a reportable privacy breach

• Business Associates (BA) are now obligated to comply with the relevant regulations

Page 12: Don't let them take a byte

HIPAA Overview

Health Insurance Portability and Accountability Act of 1996

– Title I: Insurance Portability

– Title II: Preventing Fraud and Abuse

  – Medical Liability Reform

  – Administrative Simplification: Privacy, Security, EDI

– Title III: Tax Related Health Provisions

– Title IV: Group Health Plan Requirements

– Title V: Revenue Offsets

Page 13: Don't let them take a byte

HIPAA Security Rule:

• Established in 2003

• The Security Rule is comprised of 22 safeguards broken into three sections

– Administrative Safeguards

– Physical Safeguards

– Technical Safeguards

Page 14: Don't let them take a byte

HIPAA PHI

• The formal definition of protected health information (PHI):

– Past, current, or future mental or physical health information or related billing with one of 18 identifiers

– Electronic, Verbal, Written

• Electronic PHI is any identifiable patient data that is either stored or transmitted in electronic form.

Page 15: Don't let them take a byte

HIPAA: Who Needs to Comply?

• Covered Entities

– Health Plans

– Healthcare Providers

– Healthcare Clearinghouses

• Business Associates

– An entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity

Page 16: Don't let them take a byte

Individuals Affected by Breaches

Page 17: Don't let them take a byte

HIPAA Penalties

Violation | Amount Per Violation

(A) Did Not Know | $100 - $50,000

(B) Reasonable Cause | $1,000 - $50,000

(C)(i) Willful Neglect - Corrected | $10,000 - $50,000

(C)(ii) Willful Neglect - Not Corrected | $50,000

Page 18: Don't let them take a byte

HIPAA: HHS Website

Page 19: Don't let them take a byte

HIPAA: Tips For Compliance

• Administrative

– Create a thorough HIPAA policy handbook for all employees

– Require periodic training

– Have all employees sign a confidentiality statement

– Have a comprehensive data breach plan

– Work with your business associates to verify that they are compliant

Page 20: Don't let them take a byte

HIPAA: Tips For Compliance

• Technical

– Complete a security assessment review

– Identify your PHI through data mapping

– Implement the minimum necessary standard – only provide employees access to what they need

– Properly dispose of hardware when it is no longer needed

– Encrypt backup media, portable computers, and mobile devices containing PHI

– Use business class email

– Enforce strong logical controls

– Maintain a business class firewall and antivirus solution

Page 21: Don't let them take a byte

PCI DSS Overview

• American Express, Discover, MasterCard, Visa and JCB formed the Payment Card Industry Security Standards Council in 2004

• They are responsible for the development, management, education, and awareness of the Payment Card Industry Data Security Standard (PCI DSS)

Page 22: Don't let them take a byte

PCI DSS: Where Do I Fit In?

Level 1 | >2.5m | >6m | >6m | >6m

Level 2 | 50k to 2.5m | 1m to 6m | 1m to 6m | 1m to 6m

Level 3 | 1 to 50k | 20k to 1m | 20k to 1m | 20k to 1m

Level 4 | N/A | 1 to 20k | 1 to 20k | 1 to 20k

Legend: Required / Optional

Page 23: Don't let them take a byte

PCI DSS Compliance

• Identify

• Inventory

• Analyze

• Fix

• Scan

• Compile

• Submit

Page 24: Don't let them take a byte

PCI DSS: Why Should You Comply?

• Inability to accept payment cards

• Legal costs, settlements, judgments

• Higher future costs of compliance

• Fines and penalties

• Lost confidence/sales

• Going out of business

Page 25: Don't let them take a byte

PCI DSS: Tips For Compliance

• Identify your credit card data through data mapping

• Don’t store credit card data on your network

• If possible, utilize dial-up terminals that do not pass through your network

• Consult with a PCI DSS specialist to confirm your level, assist with completing the associated requirements, and review your backup documentation

Page 26: Don't let them take a byte

State Data Security: Overview

• Currently, there is no federal standard, so many states have implemented data breach notification and data security/privacy regulations of their own

• If you have employees or clients that live in those states, you may need to comply with their requirements

Page 27: Don't let them take a byte

State Data Security: Data Breach Notification

Page 28: Don't let them take a byte

State Data Security: Data Security Regulations

Page 29: Don't let them take a byte

General Security Guidelines

• Social media

• Data mapping

• Logical security

• Physical security

• Backups and disaster recovery

• Mobile devices

• New threats

• Spear Phishing

• Non-disclosure agreements

• Cyber insurance

• Education

Page 30: Don't let them take a byte

Social Media

• Implement a social media policy for your business

• Educate your employees

• Restrict any social media sites that are not used for business purposes

• Consider a post-separation agreement

Page 31: Don't let them take a byte

Data Mapping

• Do you know what your sensitive data is?

– Intellectual property

– Medical information (PHI)

– Personally identifiable information (PII)

– Credit card data

• Do you know where your sensitive data is?

– Human Resources

– Bookkeeping

– Servers, laptops, desktops, backup media?
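The data mapping questions above, and the PCI DSS tip to identify credit card data through data mapping, both come down to a discovery scan of the places data actually lives. The following is an added example, not from the presentation: it scans constructed sample file contents (standing in for files on HR, bookkeeping and IT shares) for card-number candidates validated with the Luhn check and for SSN-formatted identifiers, and records only masked values so the resulting inventory is not itself a new copy of the sensitive data. The function and sample names are the example's own.

```python
import re

# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security Number layout, used here as a simple PII identifier.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters out serial numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, 10..18 fold to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the data map does not store the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_sensitive(text: str) -> dict:
    """Return masked card numbers and SSNs found in one file's text."""
    hits = {"card": [], "ssn": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits["card"].append(mask(digits))
    for m in SSN_RE.finditer(text):
        hits["ssn"].append(mask(m.group().replace("-", "")))
    return hits

def data_map(files: dict) -> dict:
    """Map file path to findings, keeping only files that hold something sensitive."""
    result = {}
    for path, text in files.items():
        hits = find_sensitive(text)
        if hits["card"] or hits["ssn"]:
            result[path] = hits
    return result

# Constructed sample contents; the second card number and the printer serial fail Luhn.
SAMPLE_FILES = {
    "bookkeeping/refunds.csv": "refund,4111 1111 1111 1111,2014-05-01\nrefund,1234567812345678,2014-05-02\n",
    "hr/onboarding.txt": "New hire SSN 123-45-6789, badge 0042\n",
    "it/inventory.txt": "Serial 5555-4444-3333-2222 is a printer, not a card\n",
}

if __name__ == "__main__":
    print(data_map(SAMPLE_FILES))
```

Point `data_map` at real file contents read from the shares named on the slide and the output is a first-pass inventory of where PHI, PII and card data sit; the masked hits are what to confirm by hand.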

Page 32: Don't let them take a byte

Data Mapping

Page 33: Don't let them take a byte

Logical Security

• User passwords

– Minimum of 8 characters

– Enforce complexity

– Periodic changes

– Deny access after so many invalid attempts

• General

– Password protected screensaver

– Coordinate with HR to immediately be notified of terminated employees

– Change any hardware default passwords

Page 34: Don't let them take a byte

Logical Security

Page 35: Don't let them take a byte

Physical Security

• General

– Educate your receptionist

– Redundant ISP

– Locked to-be-shredded containers

– Guest passes

• Data center

– Visitor log

– Security cameras

– Alarm

– Temperature, water, smoke, fire detectors

– Uninterrupted power supplies (UPS)

Page 36: Don't let them take a byte

Backups and Disaster Recovery

• General

– Viability testing

– Offsite transport

– Encryption

• Onsite backups

– Fireproof safe

– Security

• Cloud backups

– Service agreement

– SSAE 16

• Disaster recovery plan

Page 37: Don't let them take a byte

Mobile Devices

• Policies

• Use an antivirus app

• Use a password

• Encryption

• Avoid free Wi-Fi

• Remote wipe

Page 38: Don't let them take a byte

New Threats

• Ransomware

• Heartbleed

• Internet Explorer Vulnerability

Page 39: Don't let them take a byte

Spear Phishing

• Train employees on what to look for

• Be careful where you post personal information

• Beware of unexpected emails

• Keep your software up to date

Page 40: Don't let them take a byte

Non-Disclosure Agreements

Any consultant that can access your network should provide you with a non-disclosure / confidentiality agreement

Page 41: Don't let them take a byte

Cyber Insurance

Work with your legal and insurance contacts to make sure you have the necessary level of cyber insurance in the event of an attack or data breach

Page 42: Don't let them take a byte

Education

• Critically important – end users are often your weakest security link!

• Provide security training during the onboarding process

• Provide your staff with an annual security training

• Provide additional training to anyone with direct contact with PHI, PII, or other sensitive information

• Have employees sign a document that they acknowledge the security policies

Page 43: Don't let them take a byte

Kevin Ricci, Director of [email protected] (401) 421-4800 x278