Information Security and Technology Overview Presented By: Enterprise Risk Management (ERM) Division Jill Martucci, CISA, SSCP, Senior Allison Hall, Experienced Assistant

2 Agenda Overall Firm & ERM Capabilities Current Events and Threats Tips for 2016 Questions and Comments

3 Senior Consultant with a focus on information technology and information security auditing for banks and financial organizations Audit and assessment performance in areas such as SSAE16 SOC Reporting, FFIEC, GLBA, PCI DSS, etc. Experienced in vulnerability assessments, social engineering and phishing, and ethical hacking Clients range from $10 million + to $2 billion + Associates Degree in Criminal Justice and a Bachelor of Science Degree in Computer Security and Information Assurance Systems Security Certified Practitioner (SSCP) through the International Information Systems Security Certification Consortium ((ISC)²) Certified Information Systems Auditor (CISA) through the Information Systems Audit and Control Association (ISACA)

4 Consultant with a focus on Payment Card Industry Data Security Standard (PCI DSS) Compliance Audit and assessment performance in areas such as SSAE16 SOC Reporting, FFIEC, GLBA, etc. Experienced in vulnerability assessments, social engineering, and data analysis Clients range from $10 million + to $2 billion + Bachelor of Science Degree in Forensic Science Member of the Information Systems Audit and Control Association (ISACA) PCI DSS Payment Card Professional (PCIP) (pending)

5 Overall Firm Capabilities Founded in 1978 We are the 38 th largest accounting firm in the U.S. – Approximately 750 employees – Ten office locations, headquartered in Rochester – Approximately $100 million/year revenue – 141 partners/principals – 112 managers Full array of audit, accounting and consulting services Nationally & internationally aligned with Moore Stephens

6 Enterprise Risk Management Team Dedicated IT/IA Consultants – Certified Information Systems Auditors (CISA) – Certified in Risk and Information Systems Control (CRISC) – Certified in Information Security Management (CISM) – Certified Information Systems Security Professional (CISSP) – Certified Fraud Examiners (CFE) – Certified Internal Auditors (CIA) – Certified Information Technology Professionals (CITP) – PCI Qualified Security Assessor (PCI QSA)

7 Enterprise Risk Management Team Service Offerings Internal Audit IT Controls Consulting SSAE16 Service Organization Control (SOC) Reporting Computer Forensics Payment Card Industry Data and Application Security Services Vulnerability and Penetration Testing IT Risk Management HIPAA/HITECH Meaningful Use US State Data Privacy PCI DSS FFIEC SOX/COSO/CoBIT FTC Red Flags GLBA

8 Current Events and Threats Why Information Security? Savvy attackers are using increased levels of deception and, in some cases, hijacking companies’ own infrastructure and turning it against them 60 percent of all targeted attacks struck small- and medium-sized organizations Organizations are still not adopting basic best practices like blocking executable files and screensaver attachments

9 Current Events and Threats Stay Out of the News Former BancCentral (OK) Employee Charged with Accessing Bank Computer Network Former IT Engineer Stung for Destructive Attack Against Law Firm Owner of California Payment Processing Company Charged with Fraud Human Error to Blame as UK Data Breach Investigations Surge FBI Reports $2.3 Billion Lost to CEO Scams Over the Past Three Years Improper Data Transfer Leads to Data Exposure of 850,000 People Google Finds 800,000 Websites Breached Worldwide 51% of consumers will take business elsewhere post breach

10 Current Events and Threats Ransomware Type of malware that limits or prevents users from accessing their system Normally encrypts the user data – can spread to network data Victims must pay the ransom to regain access Phishing s designed to fool you Can be very convincing; they may appear to come from a friend or organization you know Sometimes use details from social media accounts

11 Current Events and Threats Cloud Data Losses Highly sensitive, confidential, and regulatory personal controlled data is regularly stored in the cloud Increasing use of cloud services can increase the probability of a $20 million data breach by as much as three times Cybercriminals are regularly using cloud services to exfiltrate data from inside your business or to gain access using trusted online services Bring Your Own Device (BYOD) Now being called BYODB - Bring Your Own Data Breach Mobile devices bring a new set of threats, including allowing malicious software an unparalleled look into victims’ lives

12 Tips for 2016 Be Prepared Conduct a Risk Assessment Identify and rank where ALL sensitive data is stored, processed, transmitted, and maintained, for clients and employees Incident Response and Preparedness For every $5.60 that a data breach costs you, the prevention would have cost only $1.00 Plug Known Holes and Perform Routine Audits Passwords, User Access, AV, Patching, Firewalls, Third Parties You cannot protect against a risk you do not know exists!

QUESTIONS?

14 Albany | Batavia | Buffalo | East Aurora | Geneva | New York City | Rochester | Rutland | Syracuse | Utica