Presentation to the CIO PREPARED BY: JOSHUA SMITH, GARY FAULKNER, BRANDON VAN GUILDER, AND ERIC RUSCH.

Presentation transcript:

- Overview of Security Incident
- Analysis of incident using COBIT control objectives (DS5)
- Recommendations based on analysis
- Conclusion & Questions

- Stolen information was retrieved from VA servers by an authorized worker
- The VA worker used the data for testing and had authorization to bring work home
- Information was brought home on an external hard drive and a laptop
- An unencrypted national database of 26.5 million veterans' personal information was stolen
- The theft occurred on May 3rd at the worker's home and was reported by the VA on May 22nd

- Analysis was completed using COBIT Control Objectives (DS5)
- All 21 control objectives were assessed
- Not all objectives were applicable
- Objectives not applicable were given a grade of PASS
- Objectives not met were given expanded recommendations

- Create an independent Security Oversight Committee
  - The committee reviews policies, procedures, and security control practices annually and directly after any security incident
  - Cost: $10k - $20k annually
- Improve communication and documentation between departments and management
  - Improve security incident response
  - Cost: $5k - $10k
- Expand the authority of the CIO
  - Manage all IT staff across departments
  - Enforce policies
  - Cost: $5k - $10k

- Employee Training Program
  - Employees need annual training on security policies and procedures
  - Cost: $10k - $15k annually
- DLP (Data Loss Prevention) Policy and Procedure
  - Policy and procedure restricting data removal to prevent loss of PII
  - Restrict personal devices from being connected to the VA network
  - Cost: minimal
- Implement NAC on the VA Network
  - Restrict personal or unauthorized devices from connecting to the VA network
  - Cost: $75k - $100k

- Encrypt all VA devices using SEE (Symantec Endpoint Encryption)
  - Use full disk encryption to protect data and PII
  - Cost: $35k - $50k
- Implement Identity Finder to prevent data leakage
  - Locate and secure sensitive information and PII
  - Cost: $1.5M - $2M plus $30k - $50k annually
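The "locate and secure sensitive information" step above is what a PII discovery tool does at scale. The following added example (not code from the presentation, the VA, or the Identity Finder product) shows the core of such a scan in Python: it looks for US Social Security Numbers in a set of text files, applies the SSA's structural rules so ordinary nine-digit numbers are not flagged, and produces a redacted copy of any file that contains hits. The file contents are constructed sample data, and the file names are placeholders.

```python
"""Toy PII discovery scanner (added example, not the VA's or Identity Finder's code).

Walks a set of text "files" (constructed in-memory below), reports the lines that
contain plausible US Social Security Numbers, and returns a redacted copy so the
original can be quarantined or encrypted.
"""
import re
from typing import Dict, List, Tuple

# Matches 123-45-6789, 123 45 6789 or 123456789 when the digits stand alone
# (the lookarounds stop it from matching inside a longer digit run).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules: area 000, 666 and 900-999 are never issued,
    and the group and serial parts are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for every plausible SSN in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append((lineno, m.group(0)))
    return hits


def redact(text: str) -> str:
    """Mask plausible SSNs, keeping only the last four digits for reconciliation."""
    def _mask(m: "re.Match[str]") -> str:
        if is_plausible_ssn(*m.groups()):
            return "***-**-" + m.group(3)
        return m.group(0)
    return SSN_RE.sub(_mask, text)


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every file; only files with at least one hit appear in the result."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for name, content in files.items():
        hits = find_ssns(content)
        if hits:
            report[name] = hits
    return report


# Constructed sample data: one export with real-looking SSNs, one log with
# nine-digit values that fail the structural rules, one clean file.
SAMPLE_FILES = {
    "veterans_export.csv": (
        "name,ssn,dob\n"
        "Jane Doe,123-45-6789,1950-01-01\n"
        "John Roe,876 54 3210,1948-03-09\n"
    ),
    "build_log.txt": (
        "job 000-12-3456 finished\n"
        "ticket 666-01-2345\n"
        "release 100000000 ok\n"
    ),
    "notes.txt": "Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES).items():
        print(f"{fname}: {len(hits)} SSN(s) found")
        for lineno, value in hits:
            print(f"  line {lineno}: {value}")
        print(redact(SAMPLE_FILES[fname]))
```

In a real deployment the scan would walk file shares, mailboxes and endpoints rather than an in-memory dictionary, and each hit would feed a ticket to move or encrypt the file; the structural check matters because without it build numbers and timestamps generate enough false positives that staff stop acting on the report.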

- Develop and maintain a security program that will meet our needs now and in the future.
- Questions & Discussion