#IASACFO.

Presentation transcript:

#IASACFO

Lessons from the Trenches: What Boards and Management Need to Know about Cybersecurity
Moderator: Shawn R. Grotte, CPA, Partner, BKD LLP

THE 2018 CHIEF FINANCIAL OFFICER ROUNDTABLE

Session Presenters
- Shawn R. Grotte, CPA, Partner, BKD LLP
- Devin Shirley, CISSP, GISP, Chief Information Security Officer, Arkansas Blue Cross and Blue Shield
- Philip Sherrill, CPA, CIA, CHIE, Vice-President and Chief Audit Executive, Arkansas Blue Cross and Blue Shield

NAIC Insurance Data Security Model Law, adopted October 24th, 2017
“…to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees…”

Comprehensive Written Information Security Program
- Considers the size and complexity of the organization
- Considers the nature and scope of activities
- Considers the sensitivity of information the organization governs

Objectives of an Information Security Program
- Protect the security and confidentiality of sensitive information
- Protect against any threats or hazards
- Protect against unauthorized access or use; minimize the risk of harm
- Process for retention and destruction of sensitive information

NAIC Insurance Data Security Model Law, adopted October 24th, 2017

Risk Assessment
- Identify reasonably foreseeable internal and external threats
- Assess the likelihood and potential impact of those threats
- Assess the sufficiency of policies and procedures
- Assess the effectiveness of key controls (no less than annually)

Program Adjustments
Monitor, evaluate and adjust, as appropriate, to relevant changes in:
- Technology and Information System infrastructure
- Sensitivity of information
- Internal or external threats
- Changing business arrangements, e.g. M&A, partnerships, outsourcing, etc.

NAIC Insurance Data Security Model Law, adopted October 24th, 2017

Board Governance Structure
The Board or an appropriate committee of the Board shall require management to:
- Develop, implement and maintain an Information Security Program
- Report on the overall status of the program and compliance with the Model Law
- Report on material matters related to the program

Oversight of Third-Party Service Providers
- Demonstrate due diligence in the selection of third-party service providers
- Require appropriate administrative, technical and physical measures

NAIC Insurance Data Security Model Law, adopted October 24th, 2017

Risk Management and Controls
- Appropriate security measures, based on assessed risk
- Integration in an organization’s Enterprise Risk Management process
- Awareness of emerging threats and vulnerabilities
- Cybersecurity awareness training

Incident Response Plan
Written Incident Response Plan designed to:
- Define the internal process for responding to an event
- Define roles, responsibilities and decision-making authority
- Define internal and external information sharing
- Set requirements for remediation

NAIC Insurance Data Security Model Law, adopted October 24th, 2017

Annual Certification
- Submitted to the Commissioner in writing by February 15th, certifying compliance

Notification (Licensee, Third-Party, Reinsurers)
- Notify the Commissioner as promptly as possible, but in no event later than 72 hours from a determination that an event has occurred
- Applies when the Licensee reasonably believes that the information involved is of 250 or more consumers residing in the State and either:
  - The event requires notice to be provided to any government, regulatory or supervisory body, or
  - There is a reasonable likelihood of material harm impacting a consumer in the State or a material part of the normal operations of the Licensee