Frontline Enterprise Security

Presentation transcript:

Frontline Enterprise Security Presented by: Michael Weaver, CISSP, QSA Sword & Shield Enterprise Security October 6, 2015

Who am I?
- Senior Enterprise Consultant at Sword & Shield
- Started “hacking” around the age of 12 on a Windows 3.11 machine using a 14.4k modem
- Started a professional IT career doing systems and network administration in 2002

What does an S&S Enterprise Consultant do?
- Audits and assessments on compliance standards, technology configuration, and information security best practices
- Advisement on business decisions related to information security
- Supplementing information security staff to assist with projects, technology, training, etc.
- Drafting, reviewing, and revising policies
- Training on technologies, compliance, and general security concepts

Audits

What Kind of Audits?
- FISMA, GLBA, HIPAA, ISO 27001 and SOX gap analysis. Gap analysis – How close are you to adhering to the compliance framework?
- PCI compliance. Compliance – The governing authority recognizes that you are meeting or exceeding the requirements of the standard.
- Risk assessments based on NIST 800-30. Assessment – Applying my knowledge and expertise to evaluate your organization according to NIST and other standards. How well is your organization protected from actual threats, and how likely are those threats?

Evidence
- Policies and procedures, to show that the organization has set expectations and communicated them to the appropriate parties.
- Standard sets of supporting documents, such as diagrams, logs, screenshots, configuration files, etc., are requested in every engagement. However, I dig a lot deeper when you make extraordinary claims or hide something.
- Interviews with the people who set up the controls protecting the information.
- Observations of the work areas and the “secure” areas where the information is stored, processed, or transmitted.
- Verification through action.

Typical Compliance and Security Issues
- Policies and procedures: Are they kept up to date? Are they known throughout the organization? Are they followed?
- Giving people higher privileges than they need. Local admin rights – STOP THIS!
- Not reviewing, collecting, keeping, alerting on, and responding to security events.
- Not staying current on patches, or not having a well-developed plan to patch everything in your environment.
- Training.
- Service accounts: lock them down. Yes, you need to change the password, but possibly not as often as for normal user accounts.
- Letting your data walk out the door and letting people bring anything in.
- Having exceptions to the rules, but only if they promise to be safe.

Getting to the Information without “Hacking”
- Physical methods: social engineering, tailgating, phishing, just taking the information, unlocked computers in public areas, or taking pictures or videos (through office windows).
- Using passwords that should have been changed, or accounts that should have been disabled.
- Having exposed information: BYOD, missing or incorrectly configured security controls (VLANs), removable media, Outlook Anywhere, and using cloud storage or services.
- Sharing passwords, or letting other people use your computer or device.
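Several of the findings on the two slides above (standard users holding local admin rights, service accounts on a longer but still bounded password rotation, and passwords that should have been changed or accounts that should have been disabled) can be checked mechanically against an account inventory before an auditor ever asks for it. The script below is an added example written for this page; it is not part of the presentation or of Sword & Shield's tooling. The policy values (90-day user password age, 365-day service-account password age) and the six-account inventory are constructed for illustration, and the check runs entirely against that embedded data.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values (not from the presentation): normal users rotate every
# 90 days; service accounts rotate too, but on a longer cycle, as the slide allows.
USER_PASSWORD_MAX_AGE_DAYS = 90
SERVICE_PASSWORD_MAX_AGE_DAYS = 365

# Finding codes used in the report.
STALE_PASSWORD = "STALE_PASSWORD"            # password older than policy
DEPARTED_USER_ENABLED = "DEPARTED_USER_ENABLED"  # account should have been disabled
LOCAL_ADMIN = "LOCAL_ADMIN"                  # standard user holds local admin rights


@dataclass
class Account:
    name: str
    kind: str            # "user" or "service"
    enabled: bool
    local_admin: bool
    password_set: date   # date the current password was set
    employee_active: bool  # False once the person has left the organization


def audit_accounts(accounts, today):
    """Return a list of (account_name, finding_code) tuples for the inventory."""
    findings = []
    for acct in accounts:
        max_age = (SERVICE_PASSWORD_MAX_AGE_DAYS if acct.kind == "service"
                   else USER_PASSWORD_MAX_AGE_DAYS)
        password_age = (today - acct.password_set).days

        # An enabled account whose owner has left is exactly the "account that
        # should have been disabled" case from the slide.
        if acct.enabled and not acct.employee_active:
            findings.append((acct.name, DEPARTED_USER_ENABLED))

        # Only enabled accounts matter for password age; a disabled account
        # cannot be used even if its password is old.
        if acct.enabled and password_age > max_age:
            findings.append((acct.name, STALE_PASSWORD))

        # Local admin on a standard user account is the "STOP THIS!" item.
        if acct.kind == "user" and acct.local_admin:
            findings.append((acct.name, LOCAL_ADMIN))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, False, date(2015, 8, 15), True),      # clean
    Account("bob", "user", True, True, date(2015, 6, 1), True),          # admin + stale pw
    Account("carol", "user", True, False, date(2015, 9, 1), False),      # left, still enabled
    Account("svc_backup", "service", True, False, date(2014, 1, 10), True),  # stale pw
    Account("svc_print", "service", True, False, date(2015, 3, 1), True),    # within 365 days
    Account("dave", "user", False, False, date(2014, 5, 1), False),      # properly disabled
]


def run_sample():
    """Audit the constructed inventory as of the presentation date."""
    return audit_accounts(SAMPLE_ACCOUNTS, date(2015, 10, 6))


if __name__ == "__main__":
    for name, code in run_sample():
        print(f"{name}: {code}")
```

The disabled account for "dave" produces no finding even though its password is old: once disabled, it is no longer a path to the information. A real run would replace SAMPLE_ACCOUNTS with an export from the directory and the HR system, which is the "flow of information" visibility the Steps to Success slide asks for.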

How to Resolve the Issues

Technology Solutions
- Basic firewall
- Web application firewall
- Multifactor authentication
- Biometrics
- Web filter
- MSSP/SIEM
- DDoS mitigation
- Mobile device management
- Password management
- Update management
- IDS/IPS
- Backup solutions
- Email archiving
- DR sites
- Whitelisting
- Enterprise wireless
- Data loss prevention
- Vulnerability scanning
- Secure file transfer
- NAC
- Inventory management
- FIM

Steps to Success
- Senior leadership within the organization must understand and support security decisions, or they will fail.
- Everyone in the organization must know their responsibilities and ownership in the security program.
- You need visibility and knowledge of how information flows through the business.
- Identify and address all risks to your information. All identified risks will be accepted, avoided, mitigated, or transferred.
- Develop a security plan and set goals to obtain a strong security posture.
- Get help when you need it. Training, third parties, and additional staff can provide additional knowledge, expertise, and resources.

Questions?

Thank you!