How Secure Is Your Data?


Nov 20, 2013 (3 years and 8 months ago)








Financial Management and Human Resources Forum
Atlanta, October 7, 2013

Data Security - Essential for Trust

Robert E. Berdelle
Brian A. Gallagher

2013 Finance and HR Forum

Atlanta October 7, 2013


The Speed of Trust
by Stephen M. R. Covey

The 5 Waves of Trust
- Self Trust
- Relationship Trust
- Organizational Trust
- Market Trust
- Societal Trust

Trust begins with each of us personally, continues to our relationships, expands to our organizations, extends into our marketplace relationships and encompasses our global society at large. To build trust with others, we must first start with ourselves.



The Speed of Trust

CHARACTER
- Integrity: honesty, walking your talk, ethics
- Intent: motives, agendas, mutual benefit

COMPETENCE
- Capabilities: talents, skills, knowledge to produce results
- Results: track record, performance, getting the right things done


U.S. Trust Trends: United Way, Red Cross, Salvation Army, and the Charitable Sector

Tracker: Q. For the next list of charitable organizations that I read, I would like you to tell me how much trust you have in the organization to accomplish what they say they will do. (Top 2 Box, 4-point scale, General Population, age 18+)

Edelman: Q. Below is a list of institutions. For each one, please indicate how much you trust that institution to do what is right using a 9-point scale where one means that you “do not trust them at all” and nine means that you “trust them a great deal”. (NGOs, Top 4 Box, Informed Publics ages 25-64)

[Chart: Organizational Metric - Trust, years 2001-2012, vertical axis 35%-95%. Series values as labelled on the chart, in year order; the four tracker series carry 11 points against the 12 year labels, so their exact year alignment is not recoverable from the extracted text.]

United Way: 79%, 75%, 77%, 76%, 79%, 75%, 81%, 71%, 70%, 69%, 70%
Charitable Organizations: 82%, 84%, 86%, 82%, 83%, 79%, 83%, 71%, 74%, 70%, 74%
Red Cross: 86%, 84%, 89%, 85%, 86%, 85%, 88%, 89%, 89%, 86%, 89%
Salvation Army: 93%, 92%, 91%, 92%, 92%, 89%, 90%, 90%, 90%, 90%, 89%
U.S. NGOs (Edelman Trust Barometer), 2001-2012: 36%, 41%, 49%, 47%, 55%, 54%, 57%, 63%, 45%, 63%, 55%, 58%


Data Security - Essential for Trust

United Way Strategy
- Enhance Corporate and Individual Engagement
- More personal donor information is essential
- Companies require employee information to be secure and confidential
- Imperative for United Ways to competently handle donor information

Two United Way Initiatives:
1) UWW data security assessment
   o Engaged CliftonLarsonAllen
   o Controls review and penetration/vulnerability testing
   o Recommend corrective actions
2) FIC initiative to create best practices document for UW network




















United Way Worldwide
Financial Issues Committee (FIC)
Data Security Update

Financial Management and Human Resources Forum
Atlanta, October 7, 2013

What Led to the Work?

FIC Meeting, New Orleans, March 2013
- As United Ways, we want more information about our donors. Are we being proactive enough to show the companies we are going to “secure” it?
- Companies who are running our United Way campaigns are asking what steps are being taken to secure their employee information
- Higher expectations/demand for protection of personal information (not just credit card information - PCI Compliance)



Scope of Project
- Document Structure
- Best Practice, Not a Policy
- What Information Is At Risk?






Scope of Project (cont.)

Table of Contents - DRAFT
- Executive Summary
- Donor Expectations and Trust
- What Information Is At Risk?
  o Information Protected by Federal and State Laws (US focused)
  o Constituent Information
  o United Way (Local or Worldwide) Information
  o Information Governed by Contracts, Grants, etc., with Companies/Agencies
- Risk Assessment
  o Physical Data Center
  o Access to Local Information
  o Third Party Service Providers
  o Storage Media
  o PCI Compliance






Scope of Project (cont.)

Table of Contents - DRAFT
- Internal Controls to Mitigate Risks
  o Limiting Access to Information
  o Encryption
  o Internal Controls
  o Antivirus Deployment
  o Employee Onboarding/Offboarding Policy
  o Mobile Devices
- Other Risk Management Issues
  o Insurance
  o Response to an Information Breach
  o Security Awareness Training
  o Security Review Plan
  o Incident Response Plan






Scope of Project (cont.)

Table of Contents - DRAFT
- Other Risk Management Issues (cont.)
  o IT Policies and Procedures Document
  o Network Diagram and Documentation
  o Business Continuity/Disaster Recovery Plan
- Assessment Tools
  o Self-Assessment Questionnaire
  o Performance Matrix
  o Resources
- Appendix
  o Sample Policies






Team Assigned

Finance Professionals
  o Amy Maziarka, Co-Chair, United Way of the Greater Chippewa Valley
  o Mark Erickson, Co-Chair, United Way of Palm Beach County
  o Ray Berry, United Way of Pioneer Valley
  o Kathy Doty, United Way of Greater Toledo
  o Patricia Latimore, United Way of Massachusetts Bay & Merrimack Valley
  o Darren Minks, United Way of the Plains
  o Taryn Vidovich, Orange County United Way

IT Professionals
  o Chris Keightley, United Way Worldwide
  o Michael Parker, United Way for Southeastern Michigan
  o Chris Reese, Orange County United Way
  o Javier Torner, CSU San Bernardino
  o Brian Weber, United Way Worldwide






©2012 CliftonLarsonAllen LLP


Data Security Awareness Presentation

Gil Bohene, CISA, CRISC, CISM - Partner
Laura Faulkner - Senior IT Consultant, CliftonLarsonAllen, LLP


General Control Reviews

Information Technology General Control Review (IT GCR):
An IT General Controls Review is focused on processes that support the proper management of information technology assets and the protection of information from a best practices perspective.

Benefits:
- Provide an overview of the operating environment including locations, contacts, personnel resources, services, business processes, application systems and technical infrastructure.
- Identify IT control weaknesses and breakdowns, i.e. perform gap analysis for desired controls
- Improve overall IT infrastructure

Deliverable:
- Detailed GCR report that contains specific findings and recommended remediation for one aspect of application access controls, including assignment of risk, priority, and level of effort.



Technical IT Services

Internal Vulnerability Assessments (IVA):
- The Internal Vulnerability Assessment will be a technical evaluation of the key devices (file servers, mail servers, production servers, routers, switches, etc.) that reside on your trusted business network.
- Promotes deeper knowledge of the client’s business.

External Penetration Testing (EPT):
- The External Network Penetration Test is designed to aggressively test your network perimeter to identify exposure to security breaches from outside your network.

Deliverable:
- Our deliverable report will provide your network administrators with detailed recommendations for how to address specific findings and harden IT infrastructure.
- Identify potential vulnerabilities inside/outside the network that might be used to:
  o Gain unauthorized access to sensitive confidential information.
  o Modify or destroy data.
  o Operate trusted business systems for non-business purposes.



IT General Control Approach

Approach and execution
- Interview key staff
- Review documentation
- Observe current processes and testing controls within the organization.

Scope
- 10 Key Information Technology domains were assessed:
  o Governance controls
  o Server controls
  o Network controls
  o Software controls
  o Application controls
  o Workstations
  o User Access controls
  o Business Continuity Planning (BCP)
  o Disaster Recovery Planning (DRP)
  o Physical Security & Environmental controls




General Control Reviews - Scope


Internal Vulnerability Assessment Approach

Approach and execution - Based on two (2) phases:
1. Penetration Testing - based on limited access, we apply hacker-like tools and techniques
2. Configuration auditing - validates the issues identified during the first phase and further tests system configurations

Scope
- 3 Information Technology domains are assessed:
  o Authentication
  o Patch management
  o Configuration



External Penetration Testing Approach

Approach and execution - Based on four (4) phases:
1. Discovery - find your “entry” points
2. Reconnaissance - gather specifics about the systems
3. Scanning - locate potential vulnerabilities that would allow access
4. Penetrate - try to gain access by exploiting the vulnerabilities

Scope
- 3 Information Technology domains are assessed:
  o Authentication
  o Patch Management
  o Configuration




What does this mean for your Organization?

- You’re only as strong as your weakest link
  o Employees
  o Vendors
  o Customers/Donors
- Have an ongoing discussion about RISK
  o Review your controls
  o Identify weaknesses
  o Secure what you can
  o Knowledge is key




Best Practices to consider…

Access Control
- Assign access permissions based on the principle of least privilege
- Segregation of duties
- Assign user accountability
- Limit generic or shared accounts
- Implement strong password policies
  o Minimum 8 characters
  o 24 passwords remembered, i.e. no re-use of last 24 passwords
  o Expiration of 90 days
  o Complexity enabled
  o Lockout policy
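The five password-policy items above map onto the keys that a Windows `secedit /export` writes to its [System Access] section, so the baseline can be checked mechanically. The following is an added example (not from the presentation or CliftonLarsonAllen) that parses a constructed excerpt of such an export and reports which settings fall short of the slide's baseline; the sample values, and reading "lockout policy" as a lockout threshold above zero, are assumptions.

```python
"""Check a Windows security-policy export against the slide's password baseline:
8+ characters, 24 remembered, 90-day expiry, complexity on, lockout enabled.
Added example; SAMPLE_INF is a constructed excerpt in secedit's export format."""
import configparser

# Constructed sample export: two settings deliberately miss the baseline.
SAMPLE_INF = """
[System Access]
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
LockoutDuration = 30
"""

# Baseline from the slide: (secedit key, comparison, required value, description).
BASELINE = [
    ("MinimumPasswordLength", "min", 8, "minimum 8 characters"),
    ("PasswordHistorySize", "min", 24, "24 passwords remembered"),
    ("MaximumPasswordAge", "max", 90, "expiration of 90 days"),
    ("PasswordComplexity", "eq", 1, "complexity enabled"),
    ("LockoutBadCount", "min", 1, "lockout policy (threshold above 0)"),
]


def parse_system_access(inf_text):
    """Return the [System Access] settings as {key: int}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as secedit writes it
    parser.read_string(inf_text)
    return {key: int(value) for key, value in parser["System Access"].items()}


def assess_password_policy(inf_text):
    """Return [(key, actual, description)] for every baseline check that fails."""
    settings = parse_system_access(inf_text)
    failures = []
    for key, op, required, desc in BASELINE:
        actual = settings.get(key)  # None when the key is absent from the export
        ok = actual is not None and (
            (op == "min" and actual >= required)
            # secedit writes -1 for "never expires"; 0 is not a real limit either
            or (op == "max" and 0 < actual <= required)
            or (op == "eq" and actual == required)
        )
        if not ok:
            failures.append((key, actual, desc))
    return failures
```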





Best Practices, etc.

Vendor Management
- Identify your critical vendors
- Assign risk
- Perform due diligence

Change Management
- Changes should be documented and approved prior to implementation

Network Administration
- Stay current on patches/updates
- Restrict external access as much as possible
- Implement monitoring
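The monitoring item above is what lets you verify the earlier Access Control items about limiting generic or shared accounts and assigning user accountability: a login used from many workstations in a short span is usually a shared one. The following is an added example, not from the presentation, that runs over constructed logon records in a simplified "timestamp account workstation" form and flags any account seen on more than two workstations within an hour; the sample account names, the line format and both thresholds are assumptions.

```python
"""Flag accounts used from many workstations in a short window, the usual
footprint of a generic or shared login. Added example; SAMPLE_LOGONS is a
constructed, simplified 'timestamp account workstation' log, not a real export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "campaign" looks shared, the named users do not.
SAMPLE_LOGONS = """\
2013-10-07T08:02:11 jdoe WS-FIN-01
2013-10-07T08:05:40 campaign WS-FIN-03
2013-10-07T08:06:02 campaign WS-HR-02
2013-10-07T08:09:15 jdoe WS-FIN-01
2013-10-07T08:11:47 campaign WS-RECEP-01
2013-10-07T09:30:00 campaign WS-FIN-03
2013-10-07T10:15:22 msmith WS-HR-05
2013-10-07T10:20:10 msmith WS-HR-05
2013-10-07T11:00:00 campaign WS-FIN-09
"""


def parse_logons(text):
    """Yield (datetime, account, workstation) from the sample line format."""
    for line in text.splitlines():
        if line.strip():
            stamp, account, host = line.split()
            yield datetime.fromisoformat(stamp), account, host


def find_shared_accounts(text, max_hosts=2, window=timedelta(hours=1)):
    """Return {account: sorted workstations} for every account seen on more
    than `max_hosts` distinct workstations inside some `window`-long span."""
    by_account = defaultdict(list)
    for stamp, account, host in parse_logons(text):
        by_account[account].append((stamp, host))
    flagged = {}
    for account, events in by_account.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break  # one confirmed window is enough to flag the account
    return flagged
```

Accounts this flags are candidates for review against the "limit generic or shared accounts" item, not proof of misuse; a help-desk technician legitimately roaming between desks produces the same pattern.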






Best Practices, etc.

Disaster Recovery/Business Continuity
- Identify the critical processes that drive your business
- Develop your “what if” scenarios
- Determine your recovery strategies

Physical Security
- Restrict physical access to data center
- Implement environmental controls







Conclusion
- Identify what’s critical
- Be PROACTIVE, not reactive
- Use a different perspective
- Educate yourself and your employees

THANK YOU!

Presenter - Laura Faulkner




CONTACT INFORMATION

Laura Faulkner
612.397.3090
Laura.faulkner@claconnect.com

Gil Bohene
571.227.9500
Gil.Bohene@claconnect.com


Security Awareness Training

Michael Parker
UW for Southeastern Michigan

Financial Management and Human Resources Forum
Atlanta, October 7, 2013

What is “Security Awareness”?

Security awareness is “the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization.”

- Organization-wide culture, with a behavioral change component
- Includes people, process and technology




Why do we need Security Awareness Training?
- Organizational value statement - drives credibility and transparency
- Ethical responsibility to our constituents
- Compliance with federal and state laws (HIPAA, PCI, PII, etc.)
- Contractual mandates by companies we work with
- Risk management



Elements of successful security awareness programs
- C-Level support - buy-in is critical
- Partnering with key departments - mutual interests can drive support
- Creativity - materials, communication, events
- Metrics - use of attitude surveys, # of security related incidents
- Emphasize “how to” rather than “don’t do this”
- 90 day plans focusing on 3 topics vs. annual plan - reinforces knowledge, changes behaviors
- Multiple forms of training materials - online systems, newsletters, posters, games, etc.; tailored to generational differences


Typical topics covered in awareness training programs
- The nature of sensitive material and physical assets individuals may come in contact with
- Employee and contractor responsibilities in handling sensitive information, including review of nondisclosure agreements
- Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction
- Proper methods for protecting sensitive information on computer systems, including password policies, encryption and network access
- Other computer security concerns, including malware, phishing, social engineering, etc.
- Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, websites, etc.
- Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties


Typical content covered in training

General security awareness (all employees)
- High level review of network logins/passwords, viruses/malware, mobile data, physical security, phishers, acceptable use policies, incident response, security services, risk management, encryption, backups

Security awareness for managers
- Lead by example, security management practices, legal issues

Security awareness for IT professionals
- Common forms of attack, network security, disaster recovery, best practices

Security awareness for web application developers
- Open Web Application Security Project (OWASP) Top Ten list







Typical content covered in training, continued

Physical security
- Workplace violence, theft, physical access controls, emergencies

Data and records retention
- Document creation, laws, best practices for retention and destruction

Privacy awareness
- Public/non-public information, laws, best practices

PCI requirements and compliance

HIPAA/HITECH
- PHI (protected health information)








Handling Security Breaches

Notification considerations
- Legal requirements
- UWW requirements
- Constituent response
- Media response

Incident Response Plans
- Covers physical and network breaches
- Notification contact lists
- Assessment phase
- Response determination
- Containment phase










Handling Security Breaches, continued
- Documentation - logs of who, what, where, pictures, etc.
- Evidence preservation - pictures, damage
- Damage assessment - costs/values
- Notification - insurance, legal, police
- Evaluation of plan













Questions??