MIS 5121: Real World Control Failures: USIS

MIS 5121: Real World Control Failures: USIS By Lezlie Jiles

Control Failure: SAP Hacked

Background:
- The company was founded in 1996 during the privatization of the executive branch of the United States Office of Personnel Management (OPM).
- USIS provided security-based service solutions to organizations as well as the government.
- In 2007 the Carlyle Group sold USIS to Providence Equity Partners, a private equity firm, for US $1.5 billion.
- A few years later USIS received an OPM contract for $253 million.
- They became the US Government's lead background check provider.

Control Failures: 2013 to 2014
- A USIS employee claimed that USIS management formulated a strategy to intentionally circumvent OPM's mandated processes and protocols with regard to conducting background investigations.
- In 2014 USIS was accused of not following all OPM-mandated procedures and protocols in its background investigations.
- In July of 2014 USIS reported that they were hacked via their SAP system, which was managed by a third party.

Control Failure: SAP Hacked

Control Failures continued:
- Attackers gained access to the USIS SAP system and then pivoted to their network.
- The breach may have been caused by SAP not fixing the loophole, or by USIS's failure to update the system.
- The breach on SAP left financial information and corporate trade secrets vulnerable, and gave the attackers the ability to modify master data, steal money and create fictitious vendors.

Results:
- PII of more than 27,000 federal employees was stolen
- USIS's reputation was destroyed
- USIS lost their governmental contract
- USIS ultimately filed for bankruptcy

Control Failure: SAP Hacked

What Could / Should Those in Authority Have Done Differently?
- They should have locked down the SAP security system.
- USIS should have had better directive, detective and preventative controls.
- There should also have been a process in place to implement system updates regularly.

Reference: USIS SAP failures: info security, ERP Scan, Forbes
https://www.forbes.com/sites/forbestechcouncil/2017/07/07/erp-security-deserves-our-attention-now-more-than-ever/#250b3e9da010