360° of IT Compliance: Threats & Countermeasures. Mark Jennings, SymQuest Group, Inc.
360° OF IT COMPLIANCE
What is Compliance?
From a business perspective, compliance is simply the act of meeting the standards associated with regulatory requirements within your industry.
Compliance within these regulations typically extends beyond the handling of digital data.
Compliance is really about being a responsible custodian of Protected information.
Protected Information
Examples of Personally Identifiable Information (PII)
Name
Address
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Date of birth
Medical record numbers
Health plan ID numbers
Dates of treatment
Account numbers
License numbers
Vehicle identifiers
IP addresses
Biometric identifiers (fingerprints, retinal scans, etc.)
Full face photos
Recent Incidents
Target: 40 million debit and credit cards exposed; $67M settlement; damaged Target's reputation; CEO resigned
Sony Pictures: email stolen and leaked; digital content stolen; computers disabled
U.S. Office of Personnel Management: over 18 million employee records stolen; Director resigned
Ramifications of a Breach
HIPAA: potential fines of $50,000 per violation up to $1.5M; potential jail sentences of up to 10 years; inclusion on the HHS "Wall of Shame"
PCI: fines; monetary settlements with card services providers; suspension of card services
THREATS
External Cyber Attack
Direct attempt to infiltrate a company or organization
Distributed Denial of Service (DDoS) Attack
Broadcast Viruses and Worms
Source: Akamai Technologies
Internal Security Breaches
• The Disgruntled Employee
• The “Entrepreneurial” Employee
• The Curious Employee
Social Engineering
Social Engineering takes advantage of an employee's willingness to trust, desire to be helpful, or simply their ignorance.
Examples of Social Engineering
Impersonating IT
Very convincing but rogue emails
The old "lost USB stick" trick
Mobile Computing
The rise of laptops, tablets, and smartphones
The desire to work from anywhere
The "Bring Your Own Device" (BYOD) trend
Problems
How secure is the data on the mobile device?
What other applications are in use on the device?
Can you control the flow of corporate data on those devices?
Can you control the protection of those devices (antivirus, anti-malware, web filtering)?
Are these devices using public wifi and, if so, are your employees protecting those communications properly?
Untrained Employees
Most of the threats above can be magnified by employees that are not aware of the threats.
Employees are not aware of the security protocols
Employees are not aware of the warning signs
Employees are not aware of the regulations
System Failure
A system failure can create multiple problems
Inability to service clients, customers, or patients
Recovery time
Data Loss
Catastrophic Event
In the event of a major disaster, are you prepared to resume business in a reasonable timeframe?
Can you recover your data?
What is your plan?
Are your employees (or at least your managers) aware of the plan?
COUNTERMEASURES
Countermeasures for Compliance
Many of the regulatory standards require implementation of countermeasures for each of these threats
In some cases these are specific requirements
In other cases the requirements are broad
Examples
The HIPAA Security Rule includes "required" requirements and "addressable" requirements
PCI may require different levels of auditing based on the volume or type of credit card transactions
Countermeasure Concepts
Layered Security Model
Each threat can occur at various "layers" within the network
Make sure that you have adequate controls at each layer to thwart particular threats:
Email filtering
Web filtering
Firewall
Network Access Control/Wireless Security
Network security monitoring
Operating system security patches
Anti-Virus/Anti-Malware
Application security patches
Employee education
Countermeasures for External Cyber Attacks
Reduce your public “footprint”
Employ email filtering
Employ web filtering
Countermeasures for Internal Security Breaches
Review your internal security practices
Know where information is stored and who has access to it
Maintain an audit trail
Countermeasures for Social Engineering
Establish policies and procedures
Never give out your password to ANYONE.
Verify the identity of anyone attempting to perform a transaction with you.
Acceptable Use Policies
Implement employee identifiers
Badges
Name tags
Employee training
Educate employees on the policies and procedures
Provide training on the fundamentals of safe computing
Countermeasures for Mobile Computing
Employ Mobile Device Management (MDM)
Employ 2-factor authentication
Ensure mobile users are using encrypted means to communicate with the organization
Ensure data is encrypted on the local device
Countermeasures for Untrained Employees
Top Ten Things your employees should know about safe computing
1. Never divulge your password… to anyone
2. Lock your screen when you are away from your PC
3. Scrutinize the email addresses of senders
4. Do not open emails from people you do not know
5. Be very careful clicking on hyperlinks embedded in emails
6. Use a PIN to access your smartphone or tablet
7. Never leave your laptop, smartphone, or tablet unattended in a public space
8. Report the loss of a laptop, smartphone, or tablet immediately
9. Be wary of public wifi
10. Report any security incident (email scam, suspicious behavior, etc.) to your IT administrator immediately
Countermeasures for System Failure
Redundant System Design
Recovery server
Virtualization with redundant hosts and shared storage
Good backup strategy
Practice the 3-2-1 Rule
Countermeasures for Catastrophic Disaster
Develop a plan
Determine your Recovery Time Objective (RTO)
Determine your Recovery Point Objective (RPO)
Plan your recovery strategy in accordance with your RTO/RPO
Document the plan
Communicate the plan
Exercise the plan
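The 3-2-1 rule from the System Failure slide and the RTO/RPO planning step above can be checked against a concrete backup inventory. The following Python is an added example, not code from the deck or from SymQuest: the BackupCopy fields, the target values and the sample inventory are assumptions constructed for illustration, and it assesses recovery against a site-loss scenario, in which only offsite copies survive.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data; the live production copy is listed too, since
    the 3-2-1 rule counts it as one of the three copies."""
    name: str
    media: str             # e.g. "disk", "tape", "cloud-object"
    offsite: bool          # held away from the production site?
    interval_hours: float  # refresh interval (0 for the live production copy)
    restore_hours: float   # measured time to bring service back from this copy


def check_3_2_1(copies):
    """3 copies in total, on 2 different media, with 1 of them offsite."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def site_loss_options(copies, rto_target, rpo_target):
    """Copies that meet both targets if the production site is lost: on-site
    copies go with the site, a copy's refresh interval bounds the data loss
    (RPO) and its restore time bounds the outage (RTO)."""
    return [c for c in copies if c.offsite
            and c.interval_hours <= rpo_target
            and c.restore_hours <= rto_target]


def assess(copies, rto_target, rpo_target):
    """Combine the 3-2-1 check with the RTO/RPO check and list the gaps."""
    rule = check_3_2_1(copies)
    gaps = [k for k, ok in rule.items() if not ok]
    offsite = [c for c in copies if c.offsite]
    if offsite and min(c.interval_hours for c in offsite) > rpo_target:
        gaps.append("rpo")  # even the freshest offsite copy is too stale
    if offsite and min(c.restore_hours for c in offsite) > rto_target:
        gaps.append("rto")  # even the fastest offsite restore is too slow
    usable = [c.name for c in site_loss_options(copies, rto_target, rpo_target)]
    return {"rule": rule, "usable": usable, "gaps": gaps}


# Constructed sample inventory (not from the deck): hourly on-site snapshots
# plus a nightly cloud copy. It satisfies 3-2-1 yet misses a 4-hour RPO,
# because the only copy that survives losing the site is up to a day old.
SAMPLE_COPIES = [
    BackupCopy("production", "disk", False, 0, 0),
    BackupCopy("nas-snapshot", "disk", False, 1, 2),
    BackupCopy("cloud-nightly", "cloud-object", True, 24, 8),
]
```

Calling `assess(SAMPLE_COPIES, rto_target=12, rpo_target=4)` reports the 3-2-1 rule as satisfied but lists an "rpo" gap, which is the point: passing 3-2-1 says nothing about whether the surviving copy is fresh enough for the RPO you set.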
Cloud Options
Software as a Service (SaaS) systems
Only the specific software and data is hosted by the provider
Data contained within the hosted software system is protected by the provider
Difficult to integrate with other systems
Infrastructure as a Service (IaaS)
Entire systems are hosted within the vendor's data center
All data within the hosted systems (excluding mobile devices) is protected by the provider
Typically requires in-house IT expertise to manage
IaaS with a Managed Service Provider (MSP)
All systems are hosted within the vendor's data center
Mobile devices and end user support are managed by the MSP
Advantages of the Cloud
Systems are maintained by IT professionals
Systems implemented using industry-standard best practices
Systems run on enterprise-class equipment
Systems are hosted in enterprise-class facilities:
Air handling
Battery backup
Redundant communications lines
Generators
Physical security
Systems (should be) redundant
Redundant data centers
Systems are protected by multilayered security
The SymQuest Cloud
Two completely redundant and replicated data centers in South Burlington, VT and Portland, Maine
Hosted clients receive a completely segregated virtual network with dedicated virtual servers and an independent firewall
Full service management of hosted servers and workstations: backup, patching, replication, AV/AM
Management of on-premises equipment
99.9% uptime Service Level Agreement
Compliance assistance: SymQuest will provide documentation to auditors upon request to assist you in proving compliance
Final Thoughts
Security and compliance is a complex topic
The IT industry is only going to become more complex
The use of managed IT services, either on premises or in the cloud, does not absolve an organization of its regulatory responsibilities, but it does ensure that trained and dedicated professionals are in charge of that aspect of the business.
In the event of an audit, an IT managed service provider should be able to assist you in proving compliance
Having a professional managed services team should put the organization in a better position to defend against common threats; however …
there is no 100%.
THANK YOU
Mark Jennings, Director of Sales | Network
[email protected]
(802)-658-9836
Let's Connect