2017-01-24 introduction of pci and hipaa compliance

Thrive. Grow. Achieve. Is it time for a Security and Compliance Assessment? Nate Solloway, Paul Williams January 24, 2016

Upload: raffa-learning-community

Post on 13-Apr-2017

Page 1: 2017-01-24 Introduction of PCI and HIPAA Compliance

Thrive. Grow. Achieve.

Is it time for a Security and Compliance Assessment? Nate Solloway, Paul Williams, January 24, 2016

Page 2: 2017-01-24 Introduction of PCI and HIPAA Compliance

AGENDA

IS IT TIME FOR A SECURITY AND COMPLIANCE ASSESSMENT?

• Everyone has something to protect

• Compliance Definitions

• State, Federal, and Private Security and Compliance Requirements

• Considerations and Actions to Improve Security and Compliance

– Password Policies

– Mobile Device Management & BYOD

– Process and People Management

• Security tools

– Virus and Spam Management

– Unified Threat Management and Intrusion Detection

– Data Management

– Encryption

– Archiving and data back up

• How Cloud Computing Can Help You Achieve Security and Compliance Goals?

– Defense in Depth

• How Raffa Can Assist You

HIPAA

GLBA

FISMA

PCI

SOX

FINRA

Notice of Security Breach

State Laws

Is it time for a Security and Compliance Assessment? Page 2

Page 3: 2017-01-24 Introduction of PCI and HIPAA Compliance

EVERYONE HAS SOMETHING TO PROTECT

• Intellectual Property

• Human Resources Information

• Your Financial Data

• Your Customer Databases

• Your Customer’s Data

• Marketing and Sales Data

It’s not just about compliance with state and federal regulations.

It’s about protecting your company, your employees and your customers.


Financial Healthcare Legal

Professional Services

Page 4: 2017-01-24 Introduction of PCI and HIPAA Compliance

COMPLIANCE DEFINITIONS

Definitions are generally accepted by most states

However, exceptions do exist on a state by state basis


Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements:

1. Social Security number,

2. Driver’s license number or state-issued ID card number

3. Account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information.

Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.

DEFINITIONS


Page 5: 2017-01-24 Introduction of PCI and HIPAA Compliance

FEDERAL, STATE & PRIVATE REQUIREMENTS

It is important to understand that these laws don’t only apply to health and financial institutions.


HIPAA:  Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this new rule.

The Gramm-Leach-Bliley Act: (GLB Act or GLBA), is a federal law enacted to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections:

1. The Financial Privacy Rule, which regulates the collection and disclosure of private financial information

2. The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information

3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses).

The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.



Page 7: 2017-01-24 Introduction of PCI and HIPAA Compliance

FEDERAL, STATE & PRIVATE REQUIREMENTS

The Payment Card Industry Council established rules governing how credit card data would be secured


Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customer's credit card data.

The Data Security Standard (DSS) was developed and is maintained by the Payment Card Industry Security Standards Council (PCI SSC). To be PCI compliant, companies must use a firewall between wireless networks and their cardholder data environment, use the latest security and authentication such as WPA/WPA2, change default settings for wired privacy keys, and use a network intrusion detection system.

The PCI DSS standard, as of September 2009 (DSS v 1.2), includes 12 requirements for best security practices.

PRIVATE REQUIREMENTS

Payment Card Industry (PCI) Data Security Standard (DSS)


Page 8: 2017-01-24 Introduction of PCI and HIPAA Compliance

FEDERAL, STATE & PRIVATE REQUIREMENTS

State laws may have different definitions and broader requirements than federal law


• Definition for “Personal Information” is Broader than the General Definition

• Trigger Notification by Access

• Require a Risk of Harm Analysis

• Require Notice to Attorney General or State Agency

• Require Notification Within a Specific Time Frame

• Permit a Private Cause of Action

• Have an Encryption Safe Harbor

• The Statute is Triggered By a Breach of Security in Electronic and/or Paper Records

TYPES OF VARIANCES IN STATE LAWS


Page 9: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY CONSIDERATIONS AND ACTIONS

Strong password policy is the first line of defense against a data breach


STRONG PASSWORD POLICIES

Risk: A poorly chosen password may result in unauthorized access and/or exploitation of company resources. In 2013 Verizon stated that 90% of successful breaches started with a weak or default password. The increasing strength of password cracking programs significantly increases the risk associated with poor or weak passwords. 

Benefit: Strong password policies help to reduce the risk of a breach. Policies should also provide guidance to reduce the risk of human error breaches. Strong passwords should meet these standards at a minimum:

• Lower case characters

• Upper case characters

• Numbers

• Special characters (@#$%^&*()_+|~-=\`{}[]:";'<>/)

• Contain at least 12 but preferably 15 characters.
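The five minimum standards above, turned into a checker that reports every requirement a candidate password misses rather than a bare pass/fail. This is an added example in Python, not code from the presentation; the special-character set is the one listed on the slide, and the small default-password denylist, the function names and the threshold constants are assumptions made for the example.

```python
"""Password-policy checker for the slide's five minimum standards."""
from __future__ import annotations
import re

# The special-character set exactly as listed on the slide (backslash and backtick kept).
SPECIAL_CHARS = set('@#$%^&*()_+|~-=\\`{}[]:";\'<>/')
MIN_LENGTH = 12         # "at least 12"
PREFERRED_LENGTH = 15   # "preferably 15"

# Constructed sample denylist of default/weak passwords (assumption: a real
# deployment would load a far larger breached/default-password list).
DEFAULT_PASSWORDS = {"password", "admin", "welcome1", "changeme", "123456", "letmein"}


def check_password(password: str) -> list[str]:
    """Return the policy requirements the password fails; an empty list means compliant."""
    failures = []
    if not any(c.islower() for c in password):
        failures.append("no lower case character")
    if not any(c.isupper() for c in password):
        failures.append("no upper case character")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Default-password check: compare case-insensitively, and also with digits and
    # specials stripped so that "Password1@" is still recognised as "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in DEFAULT_PASSWORDS or core in DEFAULT_PASSWORDS:
        failures.append("matches a known default/weak password")
    return failures


def is_strong(password: str) -> bool:
    """True when every minimum standard is met."""
    return not check_password(password)


def meets_preferred_length(password: str) -> bool:
    """True when the password reaches the slide's preferred 15 characters."""
    return len(password) >= PREFERRED_LENGTH


if __name__ == "__main__":
    for candidate in ["Correct-Horse7Battery", "Password1@", "abcdefghijklmnop"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "!" is not in the slide's special-character list, so a password whose only special character is "!" fails the check; if your policy accepts it, extend SPECIAL_CHARS rather than silently relaxing the rule.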


Page 10: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY CONSIDERATIONS AND ACTIONS

If email or other company data is stored on mobile devices they must be managed.

Is it Time for a Security and Compliance Assessment? Page 10

MOBILE DEVICE MANAGEMENT

The solution allows for password management and the ability to wipe all data if the device is lost or stolen. Solutions exist for laptops, tablets and smart phones.

Risk: Users cannot be trusted to always do the right thing. There is potential for conflict between employees and employers.

Benefit: MDM solutions offer the ability to wipe lost or stolen assets to protect sensitive information from falling into the wrong hands. One benefit of a clearly stated policy is a reduction of possible remote wipe disagreements.

Page 11: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY CONSIDERATIONS AND ACTIONS

A clear written policy regarding BYOD needs to be in place and acknowledged by employees.

Is it Time for a Security and Compliance Assessment? Page11

MOBILE DEVICE MANAGEMENT – BRING YOUR OWN DEVICE (BYOD)

Risk: BYOD security becomes complicated since the devices are personally owned. Focus should be to restrict what employees are allowed to have on the BYOD devices.

Benefit: MDM solutions offer the ability to segment BYOD devices so that it is easy to secure or delete company information off of personal devices, without affecting the user’s personal data.

BYOD is becoming popular for companies as a way to reduce costs for mobile devices and keep employees happy. Companies need to have clearly-defined BYOD policies that employees need to acknowledge in writing. A clear policy must be created and communicated to all.

Page 12: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY CONSIDERATIONS AND ACTIONS

Security is as much about people and good process and well documented policy as it is about your IT infrastructure

Is it Time for a Security and Compliance Assessment? Page 12

PROCESS AND PEOPLE MANAGEMENT

Page 13: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY CONSIDERATIONS AND ACTIONS

Security is as much about people and good process and well documented policy as it is about your IT infrastructure

Is it Time for a Security and Compliance Assessment? Page13

PROCESS AND PEOPLE MANAGEMENT

• Establish a security and compliance group within the company

• Put in place a clear set of company security policies

• Build role-based access to applications

• Create management systems for admin logins and passwords

• Eliminate shared logins/accounts

• Create and adhere to stringent staff on-boarding and off-boarding processes and checklists

Page 14: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY CONSIDERATIONS AND ACTIONS

Set your security expectations on day one with security policy and training.

Is it Time for a Security and Compliance Assessment? Page14

• Set up your accounts in Active Directory and make sure all cloud applications are SAML, ADFS, WS-Fed or OAuth authenticated

• Use unique identifiers when creating new employee accounts

• Maintain a distribution list to announce new hires

• Run a system audit when employees change departments

• Set the security expectation during the on-boarding process

• Initial and on-going training

Good Security Practices Start on Day One

Page 15: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY CONSIDERATIONS AND ACTIONS

Make sure you have an off-boarding plan that covers all aspects of the employee’s relationship with the company.

Is it Time for a Security and Compliance Assessment? Page15

Adhere to a strict employee off-boarding checklist

• Plan for the “two-weeks notice”

• Maintain distribution list for terminations

• Direct the email account of a departing employee to his/her manager

• Terminate all employee accounts

• Review the applications saved in your employee’s single sign-on portal

• Make sure to collect all company assets: laptops, phones, ID badges, software, etc.
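The on-boarding, department-change and off-boarding items on the last three slides all come down to one recurring check: does every directory account still correspond to an active employee with the right entitlements? The following joiner/mover/leaver audit is an added example in Python, not part of the presentation; the roster, directory and SSO data are constructed, and the record layouts, field names and finding categories are assumptions made for the example. It flags accounts of terminated employees that are still enabled, accounts with no HR record (a unique-identifier failure), shared logins, and SSO applications left over from a previous department.

```python
"""Joiner/mover/leaver audit: reconcile the HR roster with directory accounts
and SSO entitlements so off-boarding and department-change gaps surface.
Added example with constructed data; record layouts are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    uid: str          # the unique identifier HR assigns at on-boarding
    department: str
    status: str       # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    uid: str          # directory login; expected to equal the HR uid
    enabled: bool
    shared_by: int = 1                      # >1 means a shared login
    sso_apps: frozenset[str] = frozenset()  # apps saved in the SSO portal


# Constructed sample data, not a real roster.
HR_ROSTER = {
    "asmith": Employee("asmith", "finance", "active"),
    "bjones": Employee("bjones", "sales", "terminated"),
    "clee": Employee("clee", "engineering", "active"),  # moved here from finance
}
APP_DEPARTMENTS = {"payroll": "finance", "crm": "sales", "ci-server": "engineering"}
DIRECTORY = [
    Account("asmith", True, sso_apps=frozenset({"payroll"})),
    Account("bjones", True, sso_apps=frozenset({"crm"})),                 # left, still enabled
    Account("clee", True, sso_apps=frozenset({"ci-server", "payroll"})),  # old-department app
    Account("frontdesk", True, shared_by=4),                              # shared login
    Account("dkim", True),                                                # no HR record
]


def audit(roster: dict[str, Employee], directory: list[Account],
          app_departments: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (finding-kind, uid, detail) tuples, sorted for stable reporting."""
    findings = []
    for acct in directory:
        if acct.shared_by > 1:
            findings.append(("shared-login", acct.uid, f"used by {acct.shared_by} people"))
        emp = roster.get(acct.uid)
        if emp is None:
            findings.append(("orphan-account", acct.uid, "no matching HR record"))
            continue
        if emp.status == "terminated" and acct.enabled:
            findings.append(("terminated-but-enabled", acct.uid,
                             "disable the account and redirect its mailbox"))
        if emp.status == "active":
            # Department-change audit: every SSO app should belong to the current department.
            for app in sorted(acct.sso_apps):
                owner = app_departments.get(app)
                if owner is not None and owner != emp.department:
                    findings.append(("stale-entitlement", acct.uid,
                                     f"{app} belongs to {owner}, employee is in {emp.department}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, uid, detail in audit(HR_ROSTER, DIRECTORY, APP_DEPARTMENTS):
        print(f"{kind:22} {uid:10} {detail}")
```

Run it on a schedule (or on every HR termination event) and treat any "terminated-but-enabled" finding as an incident, since that is exactly the window in which a departed employee's credentials still work.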

Page 16: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

Security tools include protection against viruses, spyware, and malware for both the network and its endpoints.

Is it Time for a Security and Compliance Assessment? Page 16

EMAIL AV (Antivirus & Antispyware)

Scans incoming email for known malicious software, spam and phishing content. Updates threat signatures in the same way as traditional antimalware software.

Risk: Email is the primary entry point for viruses and malware; protection here is crucial to data integrity and usability.

Benefit: An ounce of prevention is worth a pound of cure. Solutions that block hostile emails before employees can open dangerous attachments are a smart business tool to utilize. This is focused on the prevention of malware infections or ID theft.

Page 17: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

Security tools include protection against viruses, spyware, and malware for both the network and its endpoints.

Is it Time for a Security and Compliance Assessment? Page 17

Antimalware/Antivirus/Antispyware – Desktop & Server

Software that searches for, removes and prevents the installation of known malicious software from desktops and laptops and servers.

Risk: Not having antimalware software installed and updated is a sign of negligent business practices.

Benefit: A crucial layer of protection to keep data and networks secure.

Host-based firewall

A host based firewall is designed to run on individual workstations and provide rules on connecting to outside networks.

Risk: Roaming laptops do not have the protection of network firewalls and other network-based security controls.

Benefit: Provides protection for laptops when they are not connected to the corporate network.

Page 18: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

A basic firewall provides absolutely no threat detection. Firewalls allow and block traffic, and cannot respond to evolving threats.

Is it Time for a Security and Compliance Assessment? Page 18

ADVANCE FIREWALL + UTM (Unified Threat Management)

Primary network gateway defense solution for the business community. Solutions evolved from the traditional firewall, becoming an all-inclusive security appliance that can perform multiple functions. Combines network firewalling and any of the following: antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data leak prevention and on-appliance reporting.

Risk: As malware becomes more advanced, not having the tools to identify or block attacks can leave a business open to attack.

Benefit: Provides cost-effective, yet comprehensive threat-vector protection. An all-in-one solution provides tighter security tool integration.

Page 19: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

A basic firewall provides absolutely no threat detection. Firewalls allow and block traffic, and cannot respond to evolving threats.

Is it Time for a Security and Compliance Assessment? Page 19

IPS/IDS (Intrusion Protection System/Intrusion Detection System)

Monitors networks for malicious activity; stops, blocks, and reports. Looks for patterns and matches to known vulnerabilities (included in advanced firewall and UTM platforms)

Risk: As malware becomes more advanced, not having the tools to identify or block attacks can leave a business open to attack.

Benefit: IPS/IDS solutions help prevent attacks from advanced threats that are able to bypass traditional firewalls and antimalware solutions.

Page 20: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

Data files should be encrypted both at rest and during transport. The way data is shared has to be carefully managed.

Work is an activity not a place.

Is it Time for a Security and Compliance Assessment? Page 20

DATA FILE ENCRYPTION

Data file encryption encrypts selected files and folders, both on the fly and at rest.

Risk: Lost or stolen assets are easy to get access to. Once an unauthorized party has access to the system, all the data on the device can be accessed if it is not encrypted.

Benefit: Provides an additional layer of protection by preventing data from being accessed by unauthorized parties.

Page 21: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

Policy-based encryption for email ensures that emails containing sensitive information are protected.

Is it Time for a Security and Compliance Assessment? Page 21

EMAIL ENCRYPTION

Email encryption uses either public key or private key encryption to prevent the email contents from being viewed by anyone except the intended recipients.

Risk: Users routinely send files to the wrong recipients, and recipients sometimes forward files when they should not. Without encrypted email, once the email is sent there is no way to manage who can access it.

Benefit: Provides an additional layer of protection by preventing data from being accessed by unauthorized parties.

Page 22: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

Compliant Email archiving provides eDiscovery and can save companies time and money

Is it Time for a Security and Compliance Assessment? Page 22

EMAIL ARCHIVING

The act of preserving and making searchable all email to/from an individual. Email archiving solutions capture email content directly from the email application or during transmission.

Risk: Depending on the industry, your company may have a legal requirement to maintain documents for a certain period of time.

Benefit: In regulated industries, this helps the organization comply with applicable regulations. It also helps manage old but possibly important emails that may need to be accessed in the future.

Page 23: 2017-01-24 Introduction of PCI and HIPAA Compliance

SECURITY TOOLS

Effective data backup will allow a company to continue to operate from anywhere in the event of a disaster.

Is it Time for a Security and Compliance Assessment? Page 23

BACKUP DATA & RECOVERY

This involves the copying and archiving of computer information for the intent of restoration. This process is also used to restore lost data following a disaster.

Risk: Without a proven ability to recover from a data loss incident, a company may not be able to stay in business, because losing its critical data and systems disrupts its business operations.

Benefit: A proper data backup and recovery solution will cover the information that a company needs to survive. This includes what is an acceptable recovery time and which data is most crucial.

Page 24: 2017-01-24 Introduction of PCI and HIPAA Compliance

PREVENTION RATHER THAN CURE

Some of the best strategies have huge cost savings over time

The costs are nothing compared to the cost of a breach

Getting out of scope is better than maintaining compliance

Is it Time for a Security and Compliance Assessment? Page 24

Avoid handling or storing unnecessary data

– Use end-to-end encryption in POS

– Use tokenization in ecommerce

– Don’t request data you don’t need

– Have mature data retention AND DELETION processes and procedures

Have an organization certified to protect your data store or handle it

– Hosting of HR and Payroll

– Certified settlement provider sites for card settlement

– SaaS providers for key systems

Manage your access policies to all stored data

– Physical media under lock and key (paper AND servers)

– User name and password complexity for internal and SaaS systems

– Separate guests / disallow anonymous or alias access

– Specifically secure admin passwords

Manage your people

– Provide training programs for data handlers

– Disable access on exit

– Monitor activity

Page 25: 2017-01-24 Introduction of PCI and HIPAA Compliance


HOW PAYMENT HANDLING AFFECTS COMPLIANCE EFFORT (AND RISK) IN PCI

POS Systems

• POS with End to End Encryption

• POS with Encryption and Paper backup

• Card Readers with Dial up

• Card Readers on network

• POS but Card is not stored

• POS reads and may store number

You can reduce your compliance effort, Risk and Costs by OVER 90% by eliminating credit card numbers from your POS.

Encrypted end point devices are now commonly available.

Page 26: 2017-01-24 Introduction of PCI and HIPAA Compliance

ECOMMERCE AND CARD NOT PRESENT

Ecommerce is inherently more risky. The card number has to get into a remote system somehow.

Employees handling cards risk distributing stored card data (paper, email); you may have an approved gateway but not get the benefit.

Storing the card number electronically anywhere steps you up to the highest level of risk and cost of compliance.

Card not Present

Approved and hosted vendor Cart and gateway

Bank Virtual Terminal on Network PC

Ecommerce but with Payment Integration

Integrated Ecommerce, Card number Stored
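The POS and ecommerce slides make the same point from two sides: the cheapest way to reduce PCI scope is to make sure the card number never lands in your own systems, and then to verify that it really has not (in mailboxes, logs and exports, which is where the "paper, email" leakage above ends up). The following added example in Python, which is not code from the presentation, shows both halves: a tokenization flow in which the merchant keeps only a token plus a masked display value, and a scanner that finds Luhn-valid card-number-looking runs in free text. `TokenVault` is a constructed in-memory stand-in for a tokenization provider, the sample card numbers are the publicly known test numbers rather than real cards, and the function names are assumptions.

```python
"""Keep PANs out of merchant systems: validate and tokenize at the edge, keep
only token + masked form, and scan stray text (email, logs, exports) for PANs.
Added example; TokenVault is a constructed stand-in for a tokenization provider."""
from __future__ import annotations
import re
import secrets

_SEP = re.compile(r"[ -]")
# 13-19 digits, optionally separated by spaces/dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card brands; weeds out typos and most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_card_number(pan: str) -> bool:
    """Plausible PAN: 13-19 digits (separators allowed) with a valid Luhn checksum."""
    digits = _SEP.sub("", pan)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """First six and last four only, the most PCI DSS allows to be displayed."""
    digits = _SEP.sub("", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """The only place a PAN lives; the merchant stores just the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_card_number(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)   # random; carries no PAN information
        self._pan_by_token[token] = _SEP.sub("", pan)
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict[str, str]:
    """What the merchant is allowed to keep for a sale: token and masked display value."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


def find_pans(text: str) -> list[str]:
    """Luhn-valid card-number-looking runs in free text; run over mailboxes, logs, exports."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _SEP.sub("", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    print(merchant_record(vault, "4111 1111 1111 1111"))   # constructed test card number
    print(find_pans("order 1234 paid with 4111 1111 1111 1111; ref 9876543210"))
```

The scanner is the verification step for "Avoid handling or storing unnecessary data": point it at mail archives, application logs and spreadsheet exports, and any hit means a system you thought was out of scope is storing cardholder data and needs to be cleaned up or brought into scope.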

Page 27: 2017-01-24 Introduction of PCI and HIPAA Compliance

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

A “layered defense” or defense in depth is the best practice for security and Compliance.

Is it Time for a Security and Compliance Assessment? Page 27

“a defense-in-depth strategy can provide an effective approach to conceptualize control implementation” – FINRA Cybersecurity Report

“There is no silver bullet. Therefore, the best security posture is achieved by using multiple safeguards. Security professionals refer to this as ‘layered defense’ or ‘defense-in-depth.’”

The Cloud Solution

Page 28: 2017-01-24 Introduction of PCI and HIPAA Compliance

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

Top tier data centers provide certified enterprise quality service levels

Is it Time for a Security and Compliance Assessment? Page 28

CLOUD SERVICES – SECURE & RELIABLE

Top Tier Data Centers = Physical Security

Top Tier data centers are fully redundant and audited to meet SSAE 16 and SOC II Type II standards. They have the following characteristics:

• Fully redundant systems including power, HVAC and Tier-1 ISPs

• Dedicated certified security staff

• Compliant with the PCI data center security components

• Closed-circuit TV monitoring

• Multi-level secure controlled access policies

• Provide enterprise quality service levels

Page 29: 2017-01-24 Introduction of PCI and HIPAA Compliance

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

Top tier service providers leverage data centers to deliver world class service and reliability

Is it Time for a Security and Compliance Assessment? Page 29

CLOUD SERVICES – SECURE & RELIABLE

Top Tier Service Providers Deliver Secure Reliable Networks

Top tier cloud service providers use best of breed industry infrastructure providers to build out highly redundant and reliable networks to support the delivery of cloud services. The infrastructure includes:

• Enterprise grade servers

• Full component redundancy

• Fully redundant storage

• Fully redundant multi-path switching

• 10 gigE Network connections

• Redundant, enterprise-class firewalls

• Multiple Intrusion Prevention Systems (IPS) employed (host and network)

• Centralized logging

• Event monitoring

• DDoS mitigation

Page 30: 2017-01-24 Introduction of PCI and HIPAA Compliance

THE CLOUD AS AN EFFECTIVE SECURITY AND COMPLIANCE SOLUTION

Top tier service providers manage software applications and the relationship of all service providers.

They also provide technical support and a single point of contact for companies using the services.

Is it Time for a Security and Compliance Assessment? Page 30

CLOUD SERVICES – CONTINUALLY MANAGED

Top Tier Service Providers Maintain, Manage and Support Applications and Service Providers, and Deliver Support for All Services

Top tier cloud service providers maintain and manage all services on a day to day basis.

• Management and patching of Email software

• Management of security software to the latest versions and signature files (host and network)

• Management of network software, firewalls and IDS solutions

• Platform and console management, upgrades and updates

• Management of relationships and service levels for all providers

Page 31: 2017-01-24 Introduction of PCI and HIPAA Compliance

THANK YOU!

Nate Solloway – Direct: 202-555-5555 – E-mail: [email protected]

John Rice – Direct: 646-225-9453 – E-mail: [email protected]

Q&A