Strategies to Improve the Risk Management Plan

Keith W. Siepel PMP, CISSP, CSSGB
PMI Southwest Ohio Chapter Mega Event, Horseshoe Casino
April 12, 2016


Agenda

1. Why worry about Information Security (InfoSec)?
2. Some potential threats and where they originate
3. What are the Standards and Regulations?
4. What strategies can I use to mitigate these risks?

Why Worry About InfoSec? It's in the news daily

• 3/25 – Verizon confirms breach affecting 1.5M business customers. [1]
• 3/23 – Hospital ransomware attacks surge… [2]
• 3/17 – Research institute paid $3.9M HIPAA settlement… [3]

Why Worry About InfoSec?

[Infographic slides, images not reproduced in the transcript: data breaches in H1 2015 from the Breach Level Index [4], and the Cybersecurity Observatory infographic based on the PricewaterhouseCoopers "Global State of Information Security Survey 2016" [5].]

InfoSec Risk comes in many varieties

• Intellectual property theft [6]
• Monetary theft
• Vulnerabilities – software and hardware
• Threats to business continuity
• Physical [7]
• Phone calls
• Infected PDFs
• Downloaded applications
• Phishing
• Poor-complexity passwords
• Misconception – "I don't have anything of value" [8]
• Misconception – "My antivirus will protect me"
• Misconception – "My firewall will protect me"
• Misconception – "We are too small to get hacked"

Qualifying and Quantifying the Risk

• The volume of security breaches is growing exponentially, forcing both government and private industry to respond.
• The average consolidated total cost of a data breach is $6.5M (US figure; the study covers breaches of fewer than 100k records). [9]
• 90% of breaches affect small business.
• Per PricewaterhouseCoopers, there were 42.8M cyber incidents around the world in 2014. [12]
• The FBI estimates over 500M financial records were stolen in 2014. [10]
• Detected incidents in healthcare rose 60% from 2013 to 2014, resulting in a 282% increase in financial losses year over year. [11]
• "The absence of evidence is not evidence of absence…" – Carl Sagan, astronomer

Current Security Standards/Regulations

Standard                  Subject Matter
PCI DSS                   Payment card data security
ISO 27001:2013            Specification for an InfoSec management system (ISMS)
ISO 27002                 Best practice for InfoSec controls
HIPAA                     Medical privacy and security
ISO 27018                 PII security in the cloud
FISMA                     Doing business with the US federal government
Gramm-Leach-Bliley Act    Privacy for financial institutions

Highlights of specific standards: PCI DSS

• PCI DSS is currently on version 3.1.
• The latest version changes which encryption technology is acceptable: SSL and early TLS no longer count as strong cryptography, so payment systems still using them need a migration plan.
• Provides specifications for what can and cannot be stored as part of the payment card process: sensitive authentication data (full track/magnetic stripe data, CVV2/CVC2, PIN or PIN block) must never be stored after authorization, and the PAN must be rendered unreadable wherever it is stored.

Highlights of specific standards: ISO 27001:2013

• Consider risks and opportunities when you plan your ISMS.
• Establish an information security risk assessment process.
• Requires management review to ensure continuing suitability, adequacy and effectiveness.
• Introduces a control (Annex A.6.1.5, information security in project management) requiring InfoSec to be addressed in all project management plans, whatever the type of project.

Highlights of specific standards: ISO 27002:2013

• Best practice guide to information security controls.
• Defines recommended InfoSec practices in the following 14 areas:
  • Security policy management
  • Corporate security management
  • Personnel security management
  • Organizational asset management
  • Information access management
  • Cryptography policy management
  • Physical security management
  • Operational security management
  • Network security management
  • System security management
  • Supplier relationship management
  • Security incident management
  • Security continuity management
  • Security compliance management

Highlights of specific standards: HIPAA

• A regulatory law created to protect millions of working Americans with medical problems; limits pre-existing condition clauses.
• Includes the Privacy Rule and Security Rule, which regulate the use, storage and transmission of protected health information (PHI).
• Fines for noncompliance are potentially huge (the $3.9M settlement cited earlier is one example). [3]

Highlights of specific standards: ISO 27018:2014

• Covers personally identifiable information (PII) in the public cloud.
• Cross-industry.
• Multiple vendors currently claim certification:
  • Microsoft
  • Dropbox
  • Amazon Web Services
  • Google Apps for Work
  • …

Highlights of specific standards: FISMA

• Regulatory requirement for doing business with the federal government.
• Applies to federal agencies and to all organizations that do business with, or operate IT systems on behalf of, the federal government.

Highlights of specific standards: Gramm-Leach-Bliley Act

• Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
• Privacy Rule
• Safeguards Rule

Risk Mitigation Strategies

• Create a cyber asset identification and classification system.
• Include the cyber-related risks associated with the previous step in your risk register and risk management plan.
• Identify the types of information you are working with (e.g. PHI, cardholder data, PII, trade secrets), since that determines which of the regulations above apply.
• Qualify and quantify the impact of not being able to access your systems/information.
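As an added, worked example of the four steps above (this is not code from the original slides): a small Python risk register that classifies cyber assets, records the data types each one holds, quantifies each risk with single loss expectancy (SLE) and annualized rate of occurrence (ARO) to get an annualized loss expectancy (ALE), adds the cost of not being able to access the system, and ranks the rows so they can be carried into the project's risk register and risk management plan. The classification scheme, asset values, exposure factors, rates, rating thresholds and response mapping are all constructed assumptions for the demonstration, not figures from the talk.

```python
"""Added example (not from the slides): a small cyber-asset classification and
quantitative risk register.

Each asset gets a classification; each threat is quantified with the classic
SLE x ARO = ALE model, plus an outage-cost term for "not being able to access
your systems". All values, rates and thresholds below are constructed.
"""
from dataclasses import dataclass

# Constructed classification scheme; the weight drives the qualitative bump below.
CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str        # key of CLASSIFICATION_WEIGHT
    value_usd: float           # replacement / exposure value (assumed figure)
    data_types: tuple = ()     # e.g. ("PHI",) or ("PCI",): drives which regulation applies


@dataclass(frozen=True)
class Threat:
    asset: Asset
    description: str
    exposure_factor: float     # fraction of asset value lost in one incident (0..1)
    downtime_hours: float      # expected outage per incident
    hourly_outage_cost: float  # cost per hour of not being able to access the system
    aro: float                 # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(t: Threat) -> float:
    """Loss from one incident: data/asset loss plus the cost of the outage."""
    return t.asset.value_usd * t.exposure_factor + t.downtime_hours * t.hourly_outage_cost


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(t) * t.aro


def qualitative_rating(ale: float, classification: str) -> str:
    """Map ALE to High/Medium/Low; confidential or restricted assets never rate Low."""
    if ale >= 100_000:
        rating = "High"
    elif ale >= 25_000:
        rating = "Medium"
    else:
        rating = "Low"
    if rating == "Low" and CLASSIFICATION_WEIGHT[classification] >= 3:
        rating = "Medium"
    return rating


# Constructed mapping from rating to the risk response a plan would record.
RESPONSE_FOR_RATING = {
    "High": "mitigate (fund controls now)",
    "Medium": "mitigate or transfer (e.g. cyber insurance)",
    "Low": "accept and monitor",
}


def build_register(threats):
    """Return register rows sorted by ALE, highest first, for the risk management plan."""
    rows = []
    for t in threats:
        ale = annualized_loss_expectancy(t)
        rating = qualitative_rating(ale, t.asset.classification)
        rows.append({
            "asset": t.asset.name,
            "classification": t.asset.classification,
            "data_types": t.asset.data_types,
            "threat": t.description,
            "sle_usd": single_loss_expectancy(t),
            "ale_usd": ale,
            "rating": rating,
            "response": RESPONSE_FOR_RATING[rating],
        })
    return sorted(rows, key=lambda r: r["ale_usd"], reverse=True)


# Constructed sample assets and threats for a small healthcare provider.
EHR = Asset("EHR database", "restricted", 500_000, ("PHI",))
GATEWAY = Asset("Payment gateway", "confidential", 250_000, ("PCI",))
WEBSITE = Asset("Marketing website", "public", 20_000)

SAMPLE_THREATS = [
    Threat(EHR, "Ransomware encrypts patient records", 0.75, 72, 2_000, 0.5),
    Threat(GATEWAY, "Card data theft via compromised server", 0.5, 24, 1_500, 0.25),
    Threat(WEBSITE, "Defacement", 0.25, 8, 100, 2.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(f"{row['rating']:6} ALE ${row['ale_usd']:>10,.0f}  "
              f"{row['asset']}: {row['threat']} -> {row['response']}")
```

Run it directly to print the ranked register. The rating thresholds are where a project plugs in its own risk appetite; the response column ties the quantitative result back to the responses (mitigate, transfer, accept) that a PMI-style risk management plan expects, and the data_types column is what tells you whether HIPAA, PCI DSS or another regulation from the table above governs that row.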

Risk Mitigation Strategies

• Review your test environment (software development projects): test systems are often protected less strictly than production yet hold copies of production data; PCI DSS, for example, prohibits using live PANs for testing or development.
• Limit access to protected information to those who "need to know".
• Verify physical and technical controls are in place for Business Continuity/Disaster Recovery.
• Verify Business Continuity/Disaster Recovery plans specifically address cyber-related risks.

Risk Mitigation Strategies

• Train employees/contractors to:
  • Recognize and report email phishing
  • Identify suspect URLs
  • Understand why regular password changes and complex passwords are vital
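An added example (not from the slides) of what "identify suspect URLs" means in practice: a Python function that applies the tell-tale checks a phishing-awareness session teaches (a brand name stacked into the subdomain or a hyphenated look-alike of an unrelated domain, credentials before "@" that hide the real host, a raw IP address as the host, punycode labels that can conceal look-alike characters, unusually deep subdomains, and plain http on a login link). The brand list, the sample URLs and the naive two-label "registrable domain" rule are constructed assumptions; real tooling should use the Public Suffix List.

```python
"""Added example (not from the slides): heuristic checks for suspect URLs.

Expresses the signs a phishing-awareness programme trains people to spot as
code that a training tool or mail gateway could use to flag links.
The brand list and the URLs in the test are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Constructed list: brand token -> the brand's legitimate registrable domain.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "dropbox": "dropbox.com"}

MAX_LABELS = 4  # more labels than this (a.b.c.d.example) is unusual for a login page


def registrable_domain(host: str) -> str:
    """Naive 'registrable domain': the last two labels.

    Assumption for the demo: real code must use the Public Suffix List so that
    hosts such as example.co.uk are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspect_url(url: str, brands: dict[str, str] = KNOWN_BRANDS) -> list[str]:
    """Return the reasons a URL looks suspicious; an empty list means no flag raised."""
    reasons: list[str] = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return ["no host in URL"]

    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'}, not https")

    # "https://paypal.com@evil.example/" shows a brand before the @ but goes to evil.example
    if parsed.username is not None:
        reasons.append("credentials before '@' hide the real host")

    if is_ip_literal(host):
        reasons.append("host is a raw IP address")

    labels = host.split(".")
    # Internationalized labels are encoded as xn--...; they can hide homoglyphs (e.g. Cyrillic a)
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label: possible homoglyph domain")

    if len(labels) > MAX_LABELS:
        reasons.append(f"{len(labels)} labels: unusually deep subdomain")

    # Brand name anywhere in the host, but the domain actually registered is someone else's:
    # catches both paypal.com.evil.example (subdomain stacking) and paypal-secure.example
    reg = registrable_domain(host)
    for token, real_domain in brands.items():
        if token in host and reg != real_domain:
            reasons.append(
                f"'{token}' appears in host but registrable domain is {reg}, not {real_domain}"
            )
    return reasons
```

These checks are heuristics: a hit is a reason to stop and verify the link by another route, not proof of phishing, and a clean result does not prove a link is safe (a compromised legitimate site passes every test here). The brand check goes slightly beyond the slide's wording on purpose: it flags hyphenated look-alikes such as paypal-secure.example as well as the subdomain-stacking trick.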

Risk Mitigation Strategies

• Require complex passwords and regular password changes (at least every 45 days).
• Hardware/software infrastructure patching.
• Risk transference (e.g. cyber insurance, or contractual transfer to a vendor).
• Keep an updated hard copy of your project plan and the critical data associated with that plan.

For more information

• PCI DSS Requirements and Assessment Procedures
• National Cybersecurity Center of Excellence Document Library
• US Computer Emergency Readiness Team (US-CERT)
• Stop.Think.Connect. – SMB Resource Guide
• FBI Internet Crime Prevention Tips
• HIPAA Security Rule Guidance Material
• HIPAA/HITECH Privacy & Security Checklist
• 2015 Cost of Cyber Crime Study: United States
• Gramm-Leach-Bliley Act – FTC Guidance


Questions?

Keith W. Siepel PMP, CISSP, CSSGB [email protected]

PMI Southwest Ohio Chapter Mega Event, Horseshoe Casino

April 12, 2016

Bibliography

[1] McGee, M. K. (2016, March 25). Verizon Confirms Breach Affecting Business Customers. Retrieved April 1, 2016, from http://www.databreachtoday.com/verizon-confirms-breach-affecting-business-customers-a-8991

[2] McGee, M. K. (2016, March 23). Custom Hospital Ransomware Attacks Surge; So Now What? Retrieved April 1, 2016, from http://www.databreachtoday.com/hospital-ransomware-attacks-surge-so-now-what-a-8987

[3] McGee, M. K. (2016, March 23). Research Institute Breach Results in $3.9 Million Sanction. Retrieved April 1, 2016, from http://www.databreachtoday.com/research-institute-breach-results-in-39-million-sanction-a-8979

[4] Data Breaches in H1 2015 Infographic – Breach Level Index. (n.d.). Retrieved April 1, 2016, from http://www.safenet-inc.com/resources/data-protection/h1-2015-data-breaches-infographic/ (top part of the infographic based on the Breach Level Index, http://www.breachlevelindex.com)

[5] Infographic Archives – Cybersecurity Observatory. (n.d.). Retrieved April 1, 2016, from http://www.cybersecobservatory.com/category/infographic/ (credit: PricewaterhouseCoopers LLP, "The Global State of Information Security Survey 2016")

[6] Rashid, F. Y. (2013, February 11). Ex-Employees Take Trade Secrets to New Jobs, Say It's Not Illegal. Retrieved April 1, 2016, from http://securitywatch.pcmag.com/none/307942-ex-employees-take-trade-secrets-to-new-jobs-say-it-s-not-illegal

[7] Corporate Data Breaches in US Private Sector. (2015, November 3). Retrieved April 1, 2016, from http://rmsshredding.com/data-breaches-plague-private-sectors-in-the-us/

[8] InfoSec Institute. A Buyer's Guide to Stolen Data on the Deep Web – Darkmatters. Retrieved April 1, 2016, from http://darkmatters.norsecorp.com/2015/04/07/a-buyers-guide-to-stolen-data-on-the-deep-web/

[9] Key Findings from Larry Ponemon's 2015 Cost of a Data Breach Study. (n.d.). Retrieved April 1, 2016, from http://www.slideshare.net/ibmsecurity/2015-cost-of-data-breach-study

[10] Kelly, E. (2014, October 20). Officials Warn 500 Million Financial Records Hacked. Retrieved April 1, 2016, from http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/

[11] Healthcare Industry's Approach to Cybersecurity Shifts in Light of Increasing Risks. (2015, December 7). Retrieved April 1, 2016, from https://blog.slpowers.com/2015/12/07/healthcare-industrys-approach-to-cybersecurity-shifts-in-light-of-increasing-risks/

[12] Greenwald, J. (2014, September 30). Cyber Security Incident Reports Increased 48% This Year. Retrieved April 11, 2016, from http://www.businessinsurance.com/article/20140930/NEWS07/140939982