Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security Business Risk and Data Protection Gregory Neuhaus.

Presentation transcript:

Application Security: Business Risk and Data Protection
Gregory Neuhaus, Assistant Commissioner, Disaster Recovery

Agenda
Application Security: How Much is Enough?
– Business Risk
– Examples of Business Vulnerabilities
– Data Classification and Protection
– What Can Be Done?
– Lessons Learned

Business Risk – Know Your Business
– Reputation of your organization: "Your organization makes the news."
– Goals of threats: sabotage, retaliation, financial gain, celebrity.
– Impact to critical functions within your organization: what are your Business Contingency and Disaster Recovery plans for the asset?
– Impact to client services: how will you continue to provide services?
– Loss of productivity and/or financial loss: is the application key to employee work or to the financial viability of your organization?
– Employees with excessive rights or access to confidential data: the threat is from within!
– Data loss or breach: you need to classify your data.
– Regulatory compliance: what is your legal/regulatory liability?

Application Security is Not Just an IT Problem
It's an organizational problem.
– What are your risk factors?
– Do you accept the risk?
– What are the legal ramifications?
– How will this affect the services you provide?
– What is your data worth?
– Who are your high-risk users?

Examples of Business Vulnerabilities
– Ohio data breach: A 22-year-old intern was given the responsibility of safeguarding the personal information of thousands of state employees, a security procedure that ended up backfiring. The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car.
– Horizon Blue Cross Blue Shield (Newark, NJ): More than 300,000 members' names, Social Security numbers and other personal information were contained on a laptop computer that was stolen. The laptop was being taken home by an employee who regularly works with member data.

Examples of Business Vulnerabilities
– Nebraska's Treasurer's Office: A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information (such as tax identification numbers) for 9,000 businesses. 309,000 individuals affected.
– TJX stores (TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx): The TJX Companies Inc. experienced an "unauthorized intrusion" into its computer systems that process and store customer transactions, including credit card, debit card, check, and merchandise return transactions. They discovered the intrusion mid-December. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed, along with 45,700,000 credit and debit card account numbers.

Application Security – Risk Mitigation: What Can Be Done?
– Understand your business risk.
– The data belongs to the business, not IT. Take ownership.
– Understand who has access and what they can access.
– Can data be downloaded from your application?
– Design and follow a security policy.
– Implement the security policy with proper security tools, procedures and best practices.
– Use National Institute of Standards and Technology (NIST) guidance.
– Audit and enforce the security policy.

– Does your organization have a Chief Information Security Officer?
– Establish a security incident response process and team.
– Develop Business Contingency and Disaster Recovery plans for the application.
– Protect sensitive data through encryption and data classification.
– Follow good change management procedures.
– Test, test, test!

NYC Data Classification (see NYC.GOV/INFOSEC)

Real World Example of a Data Breach
Scenario: A City public-facing application had an application security flaw that exposed client information.
Why: The application was extensively modified, compromising the base security of the application.
Impact: The application was taken off the web site. The project was re-evaluated by oversight groups. The project was moved to another agency. A letter had to be sent to all users of the application. The senior project manager was terminated.

Lessons Learned
Testing: Security testing is very important for applications with sensitive data, including penetration testing of those applications. Security scenarios should be part of unit, system and user testing. Exercise all user and administrator functions.
System Design: Establish a formal accreditation process as part of the system design lifecycle. Plan for security and deal with security issues as part of planning, not as last-minute implementation items. This saves time and money.
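The mitigation slide asks who has access, what they can access and whether data can be downloaded, and the lessons-learned slide asks for security scenarios in unit testing that exercise every user and administrator function. The following is an added example, not code from the presentation or from NYC DoITT: a hypothetical in-memory client-records service whose roles, classification scheme, field names, records and export key are all constructed, with a scenario runner written the way a security-focused unit test run would be. It demonstrates least-privilege reads, classification-driven masking, a bulk export that is gated by role and never emits raw confidential values, and an audit trail of denied requests.

```python
"""Security scenarios as unit tests (added example; not from the presentation).
Every role, field classification, record value and key below is constructed."""
import hmac
import hashlib
from dataclasses import dataclass, field

PUBLIC, SENSITIVE, CONFIDENTIAL = "public", "sensitive", "confidential"
LEVEL_RANK = {PUBLIC: 0, SENSITIVE: 1, CONFIDENTIAL: 2}

# Classification per field (constructed three-tier scheme).
FIELD_CLASS = {"name": PUBLIC, "address": SENSITIVE, "ssn": CONFIDENTIAL}

# Role entitlements (constructed): highest classification readable in clear,
# whether the role is confined to its own client record, and export rights.
ROLE_POLICY = {
    "client":     {"max_class": CONFIDENTIAL, "own_only": True,  "export": False},
    "caseworker": {"max_class": SENSITIVE,    "own_only": False, "export": False},
    "admin":      {"max_class": CONFIDENTIAL, "own_only": False, "export": True},
}

# Key for pseudonymising confidential values in exports (constructed; a real
# deployment keeps it in a secrets store, never in source).
EXPORT_KEY = b"example-export-key-not-for-production"


class AccessDenied(Exception):
    pass


@dataclass
class Principal:
    user_id: str
    role: str
    client_id: str = ""          # only meaningful for the "client" role


@dataclass
class RecordService:
    records: dict                # client_id -> {field: value}
    audit: list = field(default_factory=list)

    def _deny(self, who, action, target):
        self.audit.append(("DENY", who.user_id, action, target))
        raise AccessDenied(f"{who.user_id} may not {action} {target}")

    def read(self, who, client_id):
        """Return one record; fields above the role's clearance are masked."""
        policy = ROLE_POLICY[who.role]
        if policy["own_only"] and who.client_id != client_id:
            self._deny(who, "read", client_id)
        if client_id not in self.records:
            self._deny(who, "read", client_id)   # same answer as a denial: no enumeration
        out = {}
        for name, value in self.records[client_id].items():
            cleared = LEVEL_RANK[FIELD_CLASS[name]] <= LEVEL_RANK[policy["max_class"]]
            out[name] = value if cleared else "***"
        self.audit.append(("READ", who.user_id, "read", client_id))
        return out

    def export_all(self, who):
        """Bulk download: only for entitled roles, and confidential fields leave
        as keyed-hash pseudonyms rather than raw values."""
        if not ROLE_POLICY[who.role]["export"]:
            self._deny(who, "export", "*")
        rows = []
        for client_id, rec in self.records.items():
            row = {"client_id": client_id}
            for name, value in rec.items():
                if FIELD_CLASS[name] == CONFIDENTIAL:
                    row[name] = hmac.new(EXPORT_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
                else:
                    row[name] = value
            rows.append(row)
        self.audit.append(("EXPORT", who.user_id, "export", "*"))
        return rows


def build_demo_service():
    """Constructed sample records for the scenarios below."""
    return RecordService(records={
        "C100": {"name": "A. Example", "address": "1 Sample St", "ssn": "000-00-0001"},
        "C200": {"name": "B. Example", "address": "2 Sample St", "ssn": "000-00-0002"},
    })


def denied(fn, *args):
    """True when the call is refused with AccessDenied."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


def run_security_scenarios():
    """Scenarios a security-focused unit test run exercises for every user and
    administrator function. Returns a scenario-name -> passed mapping."""
    svc = build_demo_service()
    client = Principal("u-client", "client", client_id="C100")
    worker = Principal("u-worker", "caseworker")
    admin = Principal("u-admin", "admin")
    results = {}
    # A client sees their own record, confidential fields included.
    results["client_reads_own"] = svc.read(client, "C100")["ssn"] == "000-00-0001"
    # A client cannot read another client's record (horizontal access check).
    results["client_blocked_other"] = denied(svc.read, client, "C200")
    # A caseworker sees the record but confidential fields are masked.
    results["worker_masked"] = svc.read(worker, "C200")["ssn"] == "***"
    # Only the export-entitled role can bulk download data.
    results["worker_export_blocked"] = denied(svc.export_all, worker)
    export = svc.export_all(admin)
    results["export_pseudonymised"] = all(
        r["ssn"] != svc.records[r["client_id"]]["ssn"] for r in export)
    # Every refusal left an audit event behind.
    results["denials_audited"] = sum(e[0] == "DENY" for e in svc.audit) == 2
    return results


if __name__ == "__main__":
    for scenario, ok in run_security_scenarios().items():
        print("PASS" if ok else "FAIL", scenario)
```

The scenarios are deliberately phrased as questions the slides raise (who can read what, who can download) so that a failing scenario points at a specific excessive-rights or data-exposure problem rather than at a generic test failure; the audit assertion ensures refusals are visible to whoever reviews access, which is what the "audit and enforce" bullet depends on.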

Questions and Answers