Managing a Data Breach Prevention-Detection-Mitigation

Managing a Data Breach: Prevention-Detection-Mitigation. By Gerard Joyce, Dun Laoghaire, Dec 13th 2017

Robert Mueller, FBI Director: "There are two types of organisations; those that have been hacked and those that are going to be hacked."

Overview
- Who We Are and What We Do
- What is a 'Data Breach'?
- Prevention - Exercise 1
- Detection - Exercise 2
- Mitigation - Exercise 3
- To Do List

Who We Are and What We Do
- Experienced Risk & Compliance Professionals
- Members of IRM, ACOI, ACCA, ISI...
- Involved in the Development of Standards
- We make a Governance, Risk & Compliance Solution called CalQRisk
- CalQRisk is used by 150+ regulated firms, including Brokers, Financial Advisors, Fund Management Companies, Fund Administrators, Credit Unions, Solicitors, Hotels, Charities and Local Authorities

What is a 'Data Breach'?
Data that you are 'controlling' is accessed / viewed / altered by unauthorised persons.
Data could be:
- Personally Identifiable Information (PII)
- Trade Secrets / Business Processes
- Intellectual Property
Cause of Breach:
- Could be intentional, criminal
- Could be accidental

July 15 2017: The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people. And they grabbed personal information of people in the UK and Canada too.

Cyber security firm FireEye says the global median time it takes to discover a breach is 99 days (2016 data, down from 146 days in 2015; M-Trends 2017, A View From the Front Lines, p.47). The Equifax breach wasn't discovered for 141 days.

In December 2013, over 40 million credit cards were stolen from nearly 2,000 Target stores by accessing data on point-of-sale (POS) systems. Target later revised that number to include private data for 70 million customers.

[Diagram] Risk Assessment. Data Breach: Prevention, Detection, Mitigation. Labels: Documented Policy; Unauthorised Access; Incident Response.

Exercise 1: What are the threats and what can you do to prevent them? Think: Who? How? What?

Exercise 1 - Who?
- Hackers and Hacktivists
- Disgruntled Employees
- Careless Employees
- Criminal Organisations
- Aggressive Competitors
- Hostile Nation States

Exercise 1 - How? (What vulnerabilities will they exploit?)
- Unwitting Employees / Social Engineering
- Unpatched Flaws in Systems
- Less Secure Service Providers
- Insecure Cloud Storage
- Mobile Devices

Exercise 1 - What? (What is of interest?) What are your 'Crown Jewels'?
- Personal Data
- Customer Data
- Money
- Trade Secrets / Intellectual Property

[Diagram] Risk Controls – Data Breach (Swiss Cheese Model)
Threats: Unauthorised Access; Employee - Intentional; Employee - Unintentional; IT Glitch
Prevention controls (the 'slices' between the threats and a Data Breach): Policy; Procedures; Code of Practice; Training & Education; Checks; Intrusion Prevention; Anti-Virus Software; Strong Access Control; Encryption; Data Classification

Why Detection is Important
- Fines imposed will be proportional to the 'Dwell Time'
- The longer the theft is going on, the more data gets stolen
- The quicker a breach is detected, the quicker action can be taken to mitigate the impact

Exercise 2: How would you know you have a breach? Think:
- Who would recognise it first? (You, Your Customer...)
- What the signs might be
- Service Delivery - How might that be affected?

Exercise 2: How would you know you have a breach?
- Customers Tell You
- Service is Disrupted
- Unusual Traffic on your Network
- Credit Card Company Calls
- Data is Corrupted
- Your Intellectual Property appears "online"
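One of the signs listed above, "Unusual Traffic on your Network", is the one a defender can turn into an automated check most directly: a host that suddenly sends far more data out of the network than it ever has is a classic exfiltration indicator, and catching it early is what keeps the dwell time short. The following is an added example, not code from the presentation or from CalQRisk. It works over a constructed per-host daily egress summary (the log lines, host names and byte counts are all made up) and flags any host whose egress on a given day is an order of magnitude above its own baseline median and above an absolute floor; the threshold values are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed flow-summary records (not real traffic): one line per
# source host, per day, with the bytes it sent to external addresses.
# Format: YYYY-MM-DD,source_host,bytes_out
FLOW_LOG = """\
2017-11-27,hr-laptop-07,51200
2017-11-28,hr-laptop-07,48300
2017-11-29,hr-laptop-07,55100
2017-11-30,hr-laptop-07,49800
2017-12-01,hr-laptop-07,2620000000
2017-11-27,db-server-01,10400000
2017-11-28,db-server-01,11100000
2017-11-29,db-server-01,9800000
2017-11-30,db-server-01,10900000
2017-12-01,db-server-01,10300000
"""


def parse_flow_log(text):
    """Parse the CSV-style summary into (day, host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, raw_bytes = line.split(",")
        records.append((date.fromisoformat(day), host, int(raw_bytes)))
    return records


def find_unusual_egress(records, target_day, factor=10, min_bytes=100_000_000):
    """Flag hosts whose egress on target_day (ISO date string) exceeds
    `factor` times their median egress on earlier days and also exceeds an
    absolute floor (so a quiet host doubling a tiny baseline is ignored).
    Returns {host: (bytes_today, baseline_median)} for flagged hosts."""
    target = date.fromisoformat(target_day)
    baseline = defaultdict(list)
    today = {}
    for day, host, bytes_out in records:
        if day == target:
            today[host] = bytes_out
        elif day < target:
            baseline[host].append(bytes_out)
    flagged = {}
    for host, bytes_out in today.items():
        if host not in baseline:
            continue  # no history for this host, so "unusual" is undefined
        base = median(baseline[host])
        if bytes_out >= min_bytes and bytes_out > factor * base:
            flagged[host] = (bytes_out, base)
    return flagged


if __name__ == "__main__":
    hits = find_unusual_egress(parse_flow_log(FLOW_LOG), "2017-12-01")
    for host, (bytes_today, base) in hits.items():
        print(f"{host}: {bytes_today} bytes out vs baseline median {base:.0f}")
```

In the constructed data the laptop that normally sends about 50 KB a day suddenly sends 2.6 GB and is flagged, while the database server's steady 10 MB a day is not. A check like this only works if the baseline is built before the incident, which is why the detection controls have to be in place ahead of time.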

[Diagram] Risk Controls – Data Breach (Swiss Cheese Model, with detection controls added)
Threats: Unauthorised Access; Employee - Intentional; Employee - Unintentional; IT Glitch
Prevention controls: Policy; Procedures; Training & Education; Checks; Intrusion Prevention; Anti-Virus Software; Strong Access Control; Encryption; Data Classification
Detection controls: Monitor Feedback; Measure Service; Monitor Network Traffic; Maintain Good Comms; Monitor Data Integrity; Monitor Press / SocMed
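"Monitor Data Integrity" from the detection layer above pairs with the "Data is Corrupted" sign from Exercise 2. The usual mechanism is a baseline of cryptographic digests taken while the data is known to be good, then periodically compared against the live copy. The block below is an added example, not code from the presentation or from CalQRisk; it uses an in-memory dictionary of constructed records standing in for files or database rows (the names and contents are made up) and reports what was modified, what went missing and what appeared that was never in the baseline.

```python
import hashlib

# Constructed data store (not real customer data): item name -> bytes.
# In practice these would be files on disk or rows exported from a database.
ORIGINAL_STORE = {
    "customers/0001.json": b'{"name": "A. Example", "card": "**** 1111"}',
    "customers/0002.json": b'{"name": "B. Example", "card": "**** 2222"}',
    "pricing/2017-q4.csv": b"sku,price\nA1,9.99\nB2,19.99\n",
}


def take_baseline(store):
    """Record a SHA-256 digest per item. Keep the result somewhere an
    intruder who can alter the data cannot also alter (offline or
    append-only storage), otherwise the comparison proves nothing."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in store.items()}


def check_integrity(baseline, store):
    """Compare the live store against the baseline and report
    modified, missing and unexpected (added) items, each sorted."""
    current = take_baseline(store)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    missing = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Baseline the clean store, then simulate three kinds of tampering
    (constructed, for illustration) and run the check."""
    baseline = take_baseline(ORIGINAL_STORE)
    tampered = dict(ORIGINAL_STORE)
    tampered["pricing/2017-q4.csv"] = b"sku,price\nA1,0.01\nB2,19.99\n"  # altered
    del tampered["customers/0002.json"]                                     # deleted
    tampered["customers/9999.json"] = b'{"name": "planted"}'               # planted
    return check_integrity(baseline, tampered)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A clean store compared against its own baseline returns three empty lists; the tampered copy in `demo()` returns one entry in each. Running the check on a schedule, and alerting on any non-empty result, is what turns "Monitor Data Integrity" from a slide bullet into a control that shortens dwell time.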

Mitigation – Be Ready to Respond
- Incident Response Plan (more about this in a moment)
- Before the Incident occurs:
  - Restrict 'lateral movement' in the Network (IT)
  - Identify an individual to take charge
  - Identify partners (3rd Party) that you might need: Legal counsel; Public Relations; IT Forensics
- After the Incident – Review your policies and procedures

Exercise 3: What should be in an Incident Response Plan? Think:
- Who do you call?
- What do you do, in what order?
- Who does what?

Data Breach: Almost 157,000 TalkTalk customers had their personal details hacked. When the cyber-attack was revealed, TalkTalk said it did not know how many customers were affected, raising concerns that hundreds of thousands of customers could be at risk. The company was criticised for its lack of information and for failing to take precautions after being hacked twice before this year. Two teenage boys arrested.

Response Plan
- Incident Lead, Incident Team
- Individual Roles and Responsibilities
- Contact List of People that might need to be involved
- Protocols During a Breach:
  - How to assess scope of breach
  - How to Collect Evidence
  - How to stop the Data Loss
- Forms to Record Details / Action
- Communications (Internal, Customers, DPC, Press)
- Review – Learn from Incidents / Exercises

Notification (Art 33)
- Describe nature of the personal data breach
  - Number of subjects concerned
  - Categories and numbers of records
- Communicate name of the DPO / contact
- Describe likely consequences of breach
- Describe means taken / proposed to be taken to address, including mitigation of 'side-effects'
- Can provide information in phases
- Document breach and action taken

Communication (Art 34)
- Where there is high risk to data subject, communicate to data subject without delay
- Clear and plain language
- Nature of the breach
- Contact details for DPO / contact
- Likely consequences
- Measures taken
- Not required if:
  - Technical measures make info unintelligible
  - Disproportionate. Can be a public communication

[Diagram] Risk Controls – Data Breach (Swiss Cheese Model, with detection and mitigation controls added)
Threats: Unauthorised Access; Employee - Intentional; Employee - Unintentional; IT Glitch
Prevention controls: Policy; Procedures; Training & Education; Checks; Intrusion Prevention; Anti-Virus Software; Strong Access Control; Encryption; Data Classification
Detection controls: Monitor Feedback; Measure Service; Monitor Network Traffic; Maintain Good Comms; Monitor Data Integrity; Monitor Press / SocMed
Mitigation controls: Response Plan; Privacy Impact; Notification Plan; Communications Plan; Collect Evidence; Review Controls; Document Action

To Do List
- Assign management responsibilities
- Identify all assets that need protection
- Conduct an impact assessment
- Review access rights incl. privileged access rights
- Review update/patching policy
- Review if malware detection is up-to-date
- Policy & procedures for continuous monitoring of network
- Consider implementing intrusion detection tools
- Procedure for reporting 'events'
- Response Plan

Thank You. gjoyce@calqrisk.com