Published by Cecily Hudson, modified over 6 years ago
1
Best Practices for Data Security and Protecting Personal Information
MCLE – March 2017
2
Presenter
Matthew Pettine, CGEIT, CISA, ASE, MCSE, MCDBA, MBA
Managing Director, IT Advisory Practice
MFA Cornerstone Consulting
(978)
Page 2 | Copyright MFA – Moody, Famiglietti & Andronico, LLP. All rights reserved.
3
About MFA
Proactive CPA and consulting firm with national and global reach
Founded in 1982
Over 150 professionals, including 25 partners
Located in Tewksbury, Massachusetts
4
About MFA
Business Tax
Individual, Family and Fiduciary Tax
State and Local Tax
Audit and Assurance
Technical Accounting Advisory
Transaction Services
Valuation
Litigation Support
Fraud and Forensic Accounting
Business Performance Enhancement
Sarbanes-Oxley Compliance
Internal Controls
IT Advisory
Wealth Management
Retirement Plan Advisory
Professional Staffing
5
Some Privacy and Electronic Data Regulations
Health Information Privacy Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH)
Financial Services Modernization Act (Gramm-Leach-Bliley, GLBA)
Family Educational Rights and Privacy Act of 1974 (FERPA)
FTC – Fair and Accurate Credit Transactions Act (FACTA) Red Flags Rule
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
Massachusetts Privacy Regulations: 201 CMR 17
PCI-DSS (Payment Card Industry – Data Security Standards)
6
Common Themes
Physical, Technical and Administrative Controls
Protection against unauthorized access or disclosure
Notification Requirements
Written Policies
Training
Business Process Development and Monitoring
Enforcement and Penalties!
7
Massachusetts Privacy Regulations: 201 CMR 17
Law is designed to protect the personal information of Massachusetts citizens
Intent of the law is to prevent personal information from being breached in the first place, as opposed to merely addressing what must happen in the wake of a security breach
Establishes minimum standards, responsibilities and reporting protocol
8
Massachusetts Personal Data Security Law
Personal information to be protected includes:
A citizen’s name (first & last, or first initial & last name) COMBINED with one or more of the following:
Credit card number
Social security number
Financial account number
State issued identification number
9
Massachusetts Personal Data Security Law
Applies to individuals and businesses that own, license, store or maintain “personal information” about a citizen of Massachusetts
HR Departments – I-9s, background checks, direct deposits, health and life insurance, 401(k)s
Finance Departments – third-party vendors and sole proprietors
Dealing directly with credit card-based retail sales
Real estate, mortgage and investments
10
Failure to Comply
If an information breach occurs and no prescribed information security efforts were in place, companies may be subject to both criminal and civil penalties
Fines established under Massachusetts General Law 93H-93I
Very specific public notification requirements
Damage to reputation if a security breach occurs
Significant time, resources and costs required to properly handle a security breach
11
Becoming Compliant
12
Steps to Achieve Compliance
Organizational Risk Assessment
Create a Written Information Security Plan (WISP)
Computer system security
Vendor management
Training employees
Monitoring protocols
13
Step 1: Risk Assessment
Identify where sensitive information is handled and stored within the business
Identify potential risks
Evaluate controls relative to existing risks
Gap analysis and remediation plan
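The first risk-assessment step is finding which data stores actually hold "personal information" as the earlier slide defines it: a name combined with a credit card number, social security number, financial account number or state-issued ID. The following is an added example, not code from the presentation or from MFA, showing how that definition can be turned into a record classifier and a per-store inventory. The field names (first_name, first_initial, last_name, ssn, credit_card, account_number, state_id), the SSN layout check and the sample stores are all assumptions constructed for the example.

```python
"""Classify records against the slide's definition of personal information
and count in-scope records per data store (added example; field names and
sample data are constructed, not taken from the regulation)."""
import re
from typing import Dict, List

# Assumed SSN layout NNN-NN-NNNN; rejects area 000/666/9xx, group 00, serial 0000
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def luhn_ok(number: str) -> bool:
    """Luhn check for a 13-19 digit payment card number (digits only)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19 or len(digits) != len(number):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(rec: Dict[str, str]) -> bool:
    """Name means last name plus either a first name or a first initial."""
    last = (rec.get("last_name") or "").strip()
    first = (rec.get("first_name") or rec.get("first_initial") or "").strip()
    return bool(last) and bool(first)


def identifiers_present(rec: Dict[str, str]) -> List[str]:
    """Which of the four identifier kinds the record carries in a usable form."""
    found = []
    if SSN_RE.match((rec.get("ssn") or "").strip()):
        found.append("ssn")
    card = re.sub(r"[ -]", "", rec.get("credit_card") or "")
    if luhn_ok(card):
        found.append("credit_card")
    if (rec.get("account_number") or "").strip():
        found.append("account_number")
    if (rec.get("state_id") or "").strip():
        found.append("state_id")
    return found


def classify(rec: Dict[str, str]) -> List[str]:
    """Identifier kinds that make the record 'personal information';
    empty list when the record is out of scope (no name, or no identifier)."""
    if not has_name(rec):
        return []
    return identifiers_present(rec)


def inventory(stores: Dict[str, List[Dict[str, str]]]) -> Dict[str, int]:
    """Count in-scope records per data store: where the law applies."""
    return {name: sum(1 for r in recs if classify(r)) for name, recs in stores.items()}


# Constructed sample data stores; the card number is a standard test number.
SAMPLE_STORES = {
    "hr_onboarding": [
        {"first_name": "Ann", "last_name": "Lee", "ssn": "123-45-6789"},
        {"first_name": "Bo", "last_name": "Ng", "ssn": "000-12-3456"},   # not a valid SSN layout
    ],
    "web_orders": [
        {"first_initial": "C", "last_name": "Diaz", "credit_card": "4111 1111 1111 1111"},
        {"last_name": "Diaz", "credit_card": "4111 1111 1111 1111"},      # no first name or initial
        {"first_name": "D", "last_name": "Eve", "credit_card": "4111 1111 1111 1112"},  # fails Luhn
    ],
    "newsletter": [
        {"first_name": "F", "last_name": "Gray", "email": "f@example.com"},  # name only
    ],
}

if __name__ == "__main__":
    for store, count in inventory(SAMPLE_STORES).items():
        print(f"{store}: {count} record(s) in scope")
```

The point of the Luhn and layout checks is to keep the inventory honest: a column called "ssn" that holds placeholder values, or an order table that stores only masked card numbers, should not inflate the count of stores that need the full set of controls.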
14
Step 2: Create a Written Information Security Plan (WISP)
Designate a security coordinator
Document information flows
Document general computer controls
Develop organizational policies
Develop employee consequences for non-adherence
15
Step 3: Computer System Security
Regulations include specific requirements related to computer system security:
Authentication
Access Controls
Data Transmission
Monitoring
Encryption
Firewalls & OS Patches
Viruses & Malware
Training
16
Step 3: Computer System Security (Continued)
Authentication
Control of User Accounts
“Control of IDs”
“Reasonably secure passwords”
Control of password security
Restrict access to active users
Block access after multiple attempts
17
Step 3: Computer System Security (Continued)
Access Controls
Restrict access to those who “need to know” to perform their jobs
File system security / permissions
Third-party tools available
Assign IDs and passwords
Unique (not shared)
“Not vendor supplied defaults”
18
Step 3: Computer System Security (Continued)
Data Transmission
Encryption of transmitted data “where technically feasible”
Web Sites (SSL / https)
(PGP / 3rd party services)
Remote Access Solutions
Online Service Providers
Wireless (“All Data”)
19
Step 3: Computer System Security (Continued)
Monitoring
“Reasonable monitoring of systems for unauthorized use of or access to personal information”
Intrusion Detection
Application Logs
Server Firewalls
Network Security Logs
File System Auditing
20
Step 3: Computer System Security (Continued)
Encryption of Personal Information Stored on Portable Devices
Laptops
Encryption vs. Passwords
File-based vs. Entire Laptop
Operating System vs. Third Party Solutions
“Other Devices”
Portable Hard Drives (USB devices)
Backup Media
CDs, DVDs, iPhones, PDAs
21
Step 3: Computer System Security (Continued)
Firewalls & OS Patches
Firewall Protection
“Reasonably up-to-date”
Vendor supported and routinely updated
Operating System Security Patches
Automatic update features
Servers & workstations
User considerations
22
Step 3: Computer System Security (Continued)
Viruses & Malware
“Reasonably up-to-date versions”
“Must include malware protection”
Supported by vendor
Up-to-date patches and definitions
“Set to receive the most current security updates on a regular basis”
23
Step 3: Computer System Security (Continued)
“Education and training of employees on the proper use of the computer security system and the importance of personal information security.”
New hire orientation
Specific routine organizational efforts
24
Step 4: Assessing 3rd Party Vendors
Must ensure that third-party providers have the capacity to protect the personal information you give them access to:
Payroll providers
Health insurance broker
Background check provider
401(k) provider
Online/Cloud Service providers
Cleaners & disposal crews
Conduct due diligence
Make safeguards a condition of your contract with them
25
Step 5: Training Employees
Organizations must train their employees on a regular basis
Training sessions need to be documented
Employee attendance at training sessions needs to be documented as well
Sanctions for violations need to be clear and contain disciplinary measures
Measures must be in place to prevent terminated employees from accessing records containing personal information
26
Step 6: Monitoring Compliance
Ensuring employee training
Executing on violations in a demonstrable and evidenced manner
Regular review of policies for relevancy
Reviewing organizational adherence to established operational protocol
27
Additional Resources
The Massachusetts Personal Data Security Law – August 2010
Frequently Asked Questions regarding The Massachusetts Personal Data Security Law
An MFA Perspective Article on the new Massachusetts Personal Data Security Law
MFA Web Seminar Presentation on the new Massachusetts Personal Data Security Law
Understand how MFA can help in your efforts toward compliance: MFA's Privacy and Data Protection Services
28
Questions?
29
How to Contact Us
Matthew Pettine, CGEIT, CISA, ASE, MCSE, MCDBA, MBA
Managing Director, IT Advisory Practice
MFA Cornerstone Consulting
(978)
30
Thank You
Follow us on /mfacpa.boston
Follow us on /mfacpa
31
MFA - Moody, Famiglietti & Andronico | MFA Cornerstone Consulting
MFA Capital Advisors | MFA Asset Management
MFA Talent Management | MFA Global