Team 2 – understand vulnerabilities


Team 2: Target IT Programs – Legacy and New Development

Questions for the team:
- How would you assess current vulnerabilities of your current development projects and legacy programs?
- How would you manage risk going forward?
- The Board of Directors and Senior Leadership want to provide assurances that the breach cannot occur again. What assurances can you provide?
- What would you want different in your testing and audits?

How would you assess current vulnerabilities of your current development projects and legacy programs?
- Fazio's vendor malware protection was not robust enough: it used the free version of Malwarebytes, which has no real-time protection
- Fazio lacked user training to recognize phishing emails
- Target did not ensure the trusted vendor's systems were adequately protected before granting access
- Target's Security Operations Center (SOC) was evidently not trained well enough to react properly to intrusion detection system (IDS) notifications
- The IDS was configured to detect and alert only; it took no blocking or containment action
- Sensitive customer information was not adequately protected
- Target did not use or require 2-factor authentication

How would you manage risk going forward?
- Target should ensure and validate that all trusted vendors' systems are adequately protected before allowing access (e.g., require commercial-grade IDS rather than a free consumer tool)
- Ensure up-to-date training on phishing emails
- Ensure the SOC is trained on responding to IDS detection notifications
- Incorporate 2-factor authentication
- Ensure the SOC is aware of ongoing industry security trends and threats
- Use whitelisting
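The two SOC findings above (the IDS only detected, and the SOC did not react to its notifications) come down to the same gap: an alert that nobody turns into an action. The following is an added example, not part of the team's slides, of a triage step that maps IDS alerts to concrete actions. The alert lines are constructed in the Suricata EVE JSON style, and the network ranges (a cardholder-data segment and a vendor enclave) and the action names are assumptions for illustration.

```python
"""Triage IDS alerts and turn 'detect only' into an action.

Added example (not from the slides). Alert lines are constructed in the
Suricata EVE JSON style; the network ranges and action names are assumptions.
"""
import ipaddress
import json
from collections import Counter

# Assumed segments: the cardholder-data environment (POS, payment) and the
# enclave where vendor (e.g. HVAC contractor) connections are terminated.
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
VENDOR_ENCLAVE = [ipaddress.ip_network("10.90.0.0/24")]

# Constructed sample alerts, one JSON object per line (not real traffic).
SAMPLE_ALERTS = """\
{"event_type":"alert","src_ip":"10.90.0.15","dest_ip":"10.90.0.50","dest_port":443,"alert":{"signature":"ET POLICY Vendor portal login","severity":3}}
{"event_type":"flow","src_ip":"10.90.0.15","dest_ip":"10.90.0.50","dest_port":443}
{"event_type":"alert","src_ip":"10.90.0.15","dest_ip":"10.20.4.7","dest_port":445,"alert":{"signature":"ET SCAN SMB lateral movement","severity":2}}
{"event_type":"alert","src_ip":"10.20.4.7","dest_ip":"203.0.113.9","dest_port":21,"alert":{"signature":"ET MALWARE POS memory scraper exfil","severity":1}}
{"event_type":"alert","src_ip":"10.20.4.7","dest_ip":"203.0.113.9","dest_port":21,"alert":{"signature":"ET MALWARE POS memory scraper exfil","severity":1}}
"""

def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def decide(alert):
    """Map one alert to a list of actions. Suricata severity: 1 = high, 3 = low."""
    src, dst = alert["src_ip"], alert["dest_ip"]
    sev = alert["alert"]["severity"]
    # Anything that touches the cardholder environment is an incident, not a log line.
    if in_any(src, CDE_NETWORKS) or in_any(dst, CDE_NETWORKS):
        actions = ["page_oncall", "open_incident"]
        if in_any(src, CDE_NETWORKS):   # CDE host talking out: likely exfiltration
            actions.append("isolate_host:" + src)
        else:                            # something reaching into the CDE
            actions.append("block_flow:%s->%s" % (src, dst))
        return actions
    # Vendor enclave hosts are only expected to talk inside the enclave.
    if in_any(src, VENDOR_ENCLAVE) and not in_any(dst, VENDOR_ENCLAVE):
        return ["page_oncall", "block_flow:%s->%s" % (src, dst)]
    if sev == 1:
        return ["open_ticket"]
    return ["log_only"]

def triage(raw_lines):
    """Parse EVE lines, collapse repeats, and return one decision per distinct alert."""
    seen = Counter()
    decisions = {}
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":   # flows, DNS, etc. are not alerts
            continue
        key = (ev["alert"]["signature"], ev["src_ip"], ev["dest_ip"])
        seen[key] += 1
        if key not in decisions:
            decisions[key] = decide(ev)
    return [{"signature": k[0], "src": k[1], "dst": k[2],
             "count": seen[k], "actions": decisions[k]} for k in decisions]

if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS):
        print(d)
```

The point of the segment checks is that the decision does not depend only on the vendor's severity number: a low-severity signature whose destination is the payment segment still pages someone, and a payment host reaching out to the internet is isolated rather than ticketed. The action names would be wired to whatever the firewall, EDR or paging system actually exposes.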

The Board of Directors and Senior Leadership want to provide assurances that the breach cannot occur again. What assurances can you provide?
- No absolute assurance can be given that a breach cannot recur; the assurance offered is that the risk-management actions above reduce the likelihood of one (vendor validation, 2-factor authentication, whitelisting), shorten detection and response time (SOC training and awareness), and are verified by timely audits
- Increase security and awareness through the risk-management actions

What would you want different in your testing and audits?
- Ensure that adequate security processes for in-house and third-party vendors are baked in
- Ensure audits are performed in a timely manner
- Ensure all testing and audit processes are properly followed
- Ensure vulnerabilities are adequately patched

Team 5: Senior Corporate Operations Group

What is the best way to manage the risk of others interfacing with our network and systems?
- Enclave the systems that vendors need access to

How should you control others on your network for access and authorization?
- Enclaving systems
- Whitelisting
- 2-factor authentication

What should be required of vendors and sub-contractors to work with your systems?
- Require cyber security training
- A B2B agreement

How do you ensure proper training and certification of sub-contractors and vendors?
- Require review of all training documents and processes, and do not grant access until all requirements are met
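Both teams name the same three controls for vendor access: enclaving, whitelisting and 2-factor authentication, with access withheld until training requirements are met. The following is an added example, not from the slides, that expresses those controls as one default-deny policy and renders it as firewall rules. The segments, host addresses, ports and the vendor record fields (`mfa_verified`, `training_current`) are assumptions chosen for illustration.

```python
"""Default-deny enclave policy for vendor access.

Added example, not from the slides. Segments, host addresses, ports and the
vendor record fields are assumptions chosen to illustrate the controls named
above: enclaving, whitelisting and 2-factor authentication.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # where the vendor connection originates
    dst: ipaddress.IPv4Network   # the one system it is allowed to reach
    proto: str
    port: int

# Assumed segments.
VENDOR_VPN = ipaddress.ip_network("10.90.0.0/24")    # vendor VPN users land here
HVAC_ENCLAVE = ipaddress.ip_network("10.91.0.0/24")  # systems the HVAC vendor maintains
CDE = ipaddress.ip_network("10.20.0.0/16")           # POS / cardholder data environment

# The whitelist: the only flows a vendor source may open. Everything else is denied.
ALLOWLIST = [
    Rule(VENDOR_VPN, ipaddress.ip_network("10.91.0.10/32"), "tcp", 443),  # HVAC web console
    Rule(VENDOR_VPN, ipaddress.ip_network("10.91.0.11/32"), "tcp", 22),   # HVAC controller, SSH
]

def authorize(vendor, src_ip, dst_ip, proto, port):
    """Decide one vendor connection. Returns (allowed, reason).

    `vendor` is an assumed record: {"mfa_verified": bool, "training_current": bool}.
    Identity requirements are checked before the network policy, so a vendor who
    has not completed the second factor or the training never reaches the flow rules.
    """
    if not vendor.get("mfa_verified"):
        return False, "deny: 2-factor authentication not completed"
    if not vendor.get("training_current"):
        return False, "deny: vendor security training not current"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in ALLOWLIST:
        if src in r.src and dst in r.dst and proto == r.proto and port == r.port:
            return True, "allow: %s -> %s %s/%d" % (r.src, r.dst, proto, port)
    if dst in CDE:
        return False, "deny: vendor sources may never reach the cardholder environment"
    return False, "deny: no whitelist rule matched (default deny)"

def to_nftables(chain="vendor_fwd"):
    """Render the same whitelist as an nftables forward chain for the enclave firewall.

    The chain policy is drop, so anything not listed is blocked; the only
    accepts are return traffic and the ALLOWLIST entries above.
    """
    lines = ["table inet enclave {",
             "  chain %s {" % chain,
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in ALLOWLIST:
        lines.append("    ip saddr %s ip daddr %s %s dport %d accept"
                     % (r.src, r.dst, r.proto, r.port))
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    good = {"mfa_verified": True, "training_current": True}
    print(authorize(good, "10.90.0.15", "10.91.0.10", "tcp", 443))  # allowed
    print(authorize(good, "10.90.0.15", "10.20.4.7", "tcp", 445))   # pivot to POS: denied
    print(to_nftables())
```

The second `authorize` call is the Target scenario in miniature: a valid vendor session trying to move from its landing segment into the payment network. With the enclave rules in place that flow has no matching accept and is dropped by the chain policy, independent of whether the vendor's own workstation was compromised.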