2016 02-23 is it time for a security and compliance assessment?

Thrive. Grow. Achieve.

Is it time for a Security and Compliance Assessment?

Nate Solloway, John Rice, Paul Williams

February 23, 2016

Upload: raffa-learning-community

Post on 14-Apr-2017



Page 2

AGENDA

IS IT TIME FOR A SECURITY AND COMPLIANCE ASSESSMENT?

• Everyone has something to protect

• Compliance Definitions

• State, Federal, and Private Security and Compliance Requirements

• Considerations and Actions to Improve Security and Compliance

– Password Policies

– Mobile Device Management & BYOD

– Process and People Management

• Security tools

– Virus and Spam Management

– Unified Threat Management and Intrusion Detection

– Data Management

– Encryption

– Archiving and data back up

• How Cloud Computing Can Help You Achieve Security and Compliance Goals?

– Defense in Depth

• How Raffa Can Assist You?

Regulations shown: HIPAA, GLBA, FISMA, PCI, SOX, FINRA, Notice of Security Breach, State Laws

Page 3

EVERYONE HAS SOMETHING TO PROTECT

• Intellectual Property

• Human Resources Information

• Your Financial Data

• Your Customer Databases

• Your Customer’s Data

• Marketing and Sales Data

It’s not just about compliance with state and federal regulations. It’s about protecting your company, your employees and your customers.

Industries shown: Financial, Healthcare, Legal, Professional Services

Page 4

COMPLIANCE DEFINITIONS

Definitions are generally accepted by most states. However, exceptions do exist on a state-by-state basis.

Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements:

1. Social Security number

2. Driver’s license number or state-issued ID card number

3. Account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account

The definition generally applies to computerized data that includes personal information. Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or from widely distributed media.

Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.

Page 5

FEDERAL, STATE & PRIVATE REQUIREMENTS

It is important to understand that these laws don’t only apply to health and financial institutions.

HIPAA: Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this new rule.

The Gramm-Leach-Bliley Act (GLB Act or GLBA) is a federal law enacted to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections:

1. The Financial Privacy Rule, which regulates the collection and disclosure of private financial information

2. The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information

3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses)

The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.


Page 7

FEDERAL, STATE & PRIVATE REQUIREMENTS

The Payment Card Industry Council established rules governing how credit card data would be secured.

PRIVATE REQUIREMENTS: Payment Card Industry (PCI) Data Security Standard (DSS)

Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.

The Data Security Standard (DSS) was developed and is maintained by the Payment Card Industry Security Standards Council (PCI SSC). To be PCI compliant, companies must use a firewall between wireless networks and their cardholder data environment, use the latest security and authentication such as WPA/WPA2, change default settings for wired privacy keys, and use a network intrusion detection system.

The PCI DSS standard, as of September 2009 (DSS v1.2), includes 12 requirements for best security practices.

Page 8

FEDERAL, STATE & PRIVATE REQUIREMENTS

State laws may have different definitions and broader requirements than federal law.

TYPES OF VARIANCES IN STATE LAWS

• Definition for “Personal Information” is Broader than the General Definition

• Trigger Notification by Access

• Require a Risk of Harm Analysis

• Require Notice to Attorney General or State Agency

• Require Notification Within a Specific Time Frame

• Permit a Private Cause of Action

• Have an Encryption Safe Harbor

• The Statute is Triggered By a Breach of Security in Electronic and/or Paper Records

Page 9

SECURITY CONSIDERATIONS AND ACTIONS

A strong password policy is the first line of defense against a data breach.

STRONG PASSWORD POLICIES

Risk: A poorly chosen password may result in unauthorized access and/or exploitation of company resources. In 2013 Verizon stated that 90% of successful breaches started with a weak or default password. The increasing strength of password cracking programs significantly increases the risk associated with poor or weak passwords.

Benefit: Strong password policies help to reduce the risk of a breach. Policies should also provide guidance to reduce the risk of breaches caused by human error. Strong passwords should meet these standards at a minimum:

• Lower case characters

• Upper case characters

• Numbers

• "Special characters" (@#$%^&*()_+|~-=\`{}[]:";'<>/)

• Contain at least 12 but preferably 15 characters.

Page 10

SECURITY CONSIDERATIONS AND ACTIONS

If email or other company data is stored on mobile devices, they must be managed.

MOBILE DEVICE MANAGEMENT

The solution allows for password management and the ability to wipe all data if the device is lost or stolen. Solutions exist for laptops, tablets and smart phones.

Risk: Users cannot be trusted to always do the right thing. There is potential for conflict between employees and employers.

Benefit: MDM solutions offer the ability to wipe lost or stolen assets to protect sensitive information from falling into the wrong hands. One benefit of a clearly stated policy is a reduction in possible remote-wipe disagreements.

Page 11

SECURITY CONSIDERATIONS AND ACTIONS

A clear written policy regarding BYOD needs to be in place and acknowledged by employees.

MOBILE DEVICE MANAGEMENT – BRING YOUR OWN DEVICE (BYOD)

Risk: BYOD security becomes complicated since the devices are personally owned. The focus should be on restricting what employees are allowed to have on BYOD devices.

Benefit: MDM solutions offer the ability to segment BYOD devices so that it is easy to secure or delete company information from personal devices without affecting the user’s personal data.

BYOD is becoming popular with companies as a way to reduce costs for mobile devices and keep employees happy. Companies need clearly defined BYOD policies, created and communicated to all, that employees acknowledge in writing.


Page 13

SECURITY CONSIDERATIONS AND ACTIONS

Security is as much about people, good process and well documented policy as it is about your IT infrastructure.

PROCESS AND PEOPLE MANAGEMENT

• Establish a security and compliance group within the company

• Put in place a clear set of company security policies

• Build role-based access to applications

• Create management systems for admin logins and passwords

• Eliminate shared logins/accounts

• Create and adhere to stringent staff on-boarding and off-boarding processes and checklists

Page 14

SECURITY CONSIDERATIONS AND ACTIONS

Set your security expectations on day one with security policy and training.

Good Security Practices Start on Day One

• Set up your accounts in Active Directory and make sure all cloud applications are SAML, ADFS, WS-Fed or OAuth authenticated

• Use unique identifiers when creating new employee accounts

• Maintain a distribution list to announce new hires

• Run a system audit when employees change departments

• Set the security expectation during the on-boarding process

• Initial and on-going training

Page 15

SECURITY CONSIDERATIONS AND ACTIONS

Make sure you have an off-boarding plan that covers all aspects of the employee’s relationship with the company.

Adhere to a strict employee off-boarding checklist

• Plan for the “two-weeks notice”

• Maintain a distribution list for terminations

• Direct the email account of a departing employee to his/her manager

• Terminate all employee accounts

• Review the applications saved in your employee’s single sign-on portal

• Make sure to collect all company assets: laptops, phones, ID badges, software, etc.

Page 16

SECURITY TOOLS

Security tools include protection against viruses, spyware, and malware for both the network and its endpoints.

EMAIL AV (Antivirus & Antispyware)

Scans incoming email for known malicious software, spam and phishing content. Updates threat signatures in the same way as traditional antimalware software.

Risk: Email is the primary entry point for viruses and malware; protection here is crucial to data integrity and usability.

Benefit: An ounce of prevention is worth a pound of cure: solutions that block hostile emails before employees can open dangerous attachments are a smart business tool to utilize. This is focused on the prevention of malware infections or ID theft.

Page 17

SECURITY TOOLS


Antimalware/Antivirus/Antispyware – Desktop & Server

Software that searches for, removes and prevents the installation of known malicious software on desktops, laptops and servers.

Risk: Not having antimalware software installed and updated is a sign of negligent business practices.

Benefit: A crucial layer of protection to keep data and networks secure.

Host-based firewall

A host-based firewall is designed to run on individual workstations and enforce rules on connecting to outside networks.

Risk: Roaming laptops do not have the protection of network firewalls and other network-based security controls.

Benefit: Provides protection for laptops when they are not connected to the corporate network.

Page 18

SECURITY TOOLS

A basic firewall provides absolutely no threat detection. Firewalls allow and block traffic, and cannot respond to evolving threats.

ADVANCED FIREWALL + UTM (Unified Threat Management)

The primary network gateway defense solution for the business community. Solutions evolved from the traditional firewall, becoming an all-inclusive security appliance that can perform multiple functions. Combines network firewalling with any of the following: antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data leak prevention and on-appliance reporting.

Risk: As malware becomes more advanced, not having the tools to identify or block attacks can leave a business open to attack.

Benefit: Provides cost-effective yet comprehensive threat-vector protection. An all-in-one solution provides tighter security tool integration.

Page 19

SECURITY TOOLS


IPS/IDS (Intrusion Protection System/Intrusion Detection System)

Monitors networks for malicious activity; stops, blocks, and reports. Looks for patterns and matches to known vulnerabilities (included in advanced firewall and UTM platforms).

Risk: As malware becomes more advanced, not having the tools to identify or block attacks can leave a business open to attack.

Benefit: IPS/IDS solutions help prevent attacks from advanced threats that are able to bypass traditional firewalls and antimalware solutions.

Page 20

SECURITY TOOLS

Data files should be encrypted both at rest and during transport. The way data is shared has to be carefully managed. Work is an activity, not a place.

DATA FILE ENCRYPTION

Data file encryption encrypts selected files and folders both on the fly and at rest.

Risk: Lost or stolen assets are easy to gain access to. Once an unauthorized party has access to the system, all the data on the device can be accessed if it is not encrypted.

Benefit: Provides an additional layer of protection by preventing data from being accessed by unauthorized parties.

Page 21

SECURITY TOOLS

Policy-based encryption for email ensures that emails containing sensitive information are protected.

EMAIL ENCRYPTION

Email encryption uses either public key or private key encryption to prevent the email contents from being viewed by anyone except the intended recipients.

Risk: Users routinely send files to the wrong recipients, and recipients sometimes forward files when they should not. Without encrypted email, once the email is sent there is no way to manage who can access it.

Benefit: Provides an additional layer of protection by preventing data from being accessed by unauthorized parties.

Page 22

SECURITY TOOLS

Compliant email archiving provides eDiscovery and can save companies time and money.

EMAIL ARCHIVING

The act of preserving and making searchable all email to/from an individual. Email archiving solutions capture email content directly from the email application or during the transmission process.

Risk: Depending on the industry, your company may have a legal requirement to maintain documents for a certain period of time.

Benefit: In regulated industries, this helps the organization comply with applicable regulations. It also helps manage old but possibly important emails that may need to be accessed in the future.

Page 23

SECURITY TOOLS

Effective data backup will allow a company to continue to operate from anywhere in the event of a disaster.

BACKUP DATA & RECOVERY

This involves the copying and archiving of computer information for the purpose of restoration. This process is also used to restore lost data following a disaster.

Risk: Without a proven ability to recover from a data loss incident, a company may not be able to stay in business due to the disruption of its business operations from losing its critical data and systems.

Benefit: A proper data backup and recovery solution will cover the information that a company needs to survive. This includes what is an acceptable recovery time and which data is most crucial.

Page 24

PREVENTION RATHER THAN CURE

Some of the best strategies have huge cost savings over time.

The costs are nothing compared to the cost of a breach.

Getting out of scope is better than maintaining compliance.

• Avoid handling or storing unnecessary data

– Use end-to-end encryption in POS

– Use tokenization in ecommerce

– Don’t request data you don’t need

– Have mature data retention AND DELETION processes and procedures

• Have an organization certified to protect your data store or handle it

– Hosting of HR and payroll

– Certified settlement provider sites for card settlement

– SaaS providers for key systems

• Manage your access policies to all stored data

– Physical media under lock and key (paper AND servers)

– User name and password complexity for internal and SaaS systems

– Separate guests / disallow anonymous or alias access

– Specifically secure admin passwords

• Manage your people

– Provide training programs for data handlers

– Disable access on exit

– Monitor activity

Page 25

HOW PAYMENT HANDLING AFFECTS COMPLIANCE EFFORT (AND RISK) IN PCI

POS Systems:

• POS with End to End Encryption

• POS with Encryption and Paper backup

• Card Readers with Dial up

• Card Readers on network

• POS but Card is not stored

• POS reads and may store number

You can reduce your compliance effort, risk and costs by OVER 90% by eliminating credit card numbers from your POS. Encrypted end point devices are now commonly available.

Page 26

ECOMMERCE AND CARD NOT PRESENT

Ecommerce is inherently more risky. The card number has to get into a remote system somehow.

Employees handling cards risk distributing stored card data (paper, email); you may have an approved gateway but not get the benefit.

Storing the card number electronically anywhere steps you up to the highest level of risk and cost of compliance.

Card not Present:

• Approved and hosted vendor Cart and gateway

• Bank Virtual Terminal on Network PC

• Ecommerce but with Payment Integration

• Integrated Ecommerce, Card number Stored

Page 27

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

A “layered defense” or defense in depth is the best practice for security and compliance.

“a defense-in-depth strategy can provide an effective approach to conceptualize control implementation”

- FINRA Cybersecurity Report

“There is no silver bullet. Therefore, the best security posture is achieved by using multiple safeguards. Security professionals refer to this as “layered defense” or “defense-in-depth.”

The Cloud Solution

Page 28

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

Top tier data centers provide certified enterprise quality service levels.

CLOUD SERVICES – SECURE & RELIABLE

Top Tier Data Centers = Physical Security

Top Tier data centers are fully redundant and audited to meet SSAE 16 and SOC II Type II standards. They have the following characteristics:

• Fully redundant systems including power, HVAC and Tier-1 ISPs

• Dedicated certified security staff

• Compliant with the PCI data center security components

• Closed-circuit TV monitoring

• Multi-level secure controlled access policies

• Provide enterprise quality service levels

Page 29

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

Top tier service providers leverage data centers to deliver world class service and reliability.

CLOUD SERVICES – SECURE & RELIABLE

Top Tier Service Providers Deliver Secure Reliable Networks

Top tier cloud service providers use best of breed industry infrastructure providers to build out highly redundant and reliable networks to support the delivery of cloud services. The infrastructure includes:

• Enterprise grade servers

• Full component redundancy

• Fully redundant storage

• Fully redundant multi-path switching

• 10 gigE Network connections

• Redundant, enterprise-class firewalls

• Multiple Intrusion Prevention Systems (IPS) employed (host and network)

• Centralized logging

• Event monitoring

• DDoS mitigation

Page 30

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

Top tier service providers manage software applications and the relationship of all service providers.

They also provide technical support and a single point of contact for companies using the services.


CLOUD SERVICES – CONTINUALLY MANAGED

Top Tier Service Providers Maintain, Manage and Support Applications and Service Providers, and Deliver Support for All Services

Top tier cloud service providers maintain and manage all services on a day to day basis.

• Management and patching of email software

• Management of security software to the latest versions and signature files (host and network)

• Management of network software, firewalls and IDS solutions

• Platform and console management, upgrades and updates

• Management of relationships and service levels for all providers

Page 31

THANK YOU!

Nate Solloway

Direct: 202-555-5555

E-mail: [email protected]

John Rice

Direct: 646-225-9453

E-mail: [email protected]

Q & A