Demystifying cybersecurity: Best practices to help strengthen your program
Chris Candela, Senior Consultant, Business Consulting Services, Charles Schwab & Co., Inc.
Protecting your firm and your clients can feel daunting
Public Information
Regulatory environment
SEC focus areas (source: SEC Risk Alert, September 2015, Volume IV, Issue 8):
- Governance and risk assessment
- Access rights and controls
- Data loss prevention
- Vendor management
- Training
- Incident response
Following an industry-recognized framework can help you assess, strengthen, and maintain your program
[Figure: the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover]
The SEC cybersecurity examination sweep was largely modeled on this framework.1
1 SEC Risk Alert, April 2014
NIST | Identify
Define governance structures and set policies to manage risks to your firm's assets and infrastructure.
Categories: Asset management; Business environment; Governance; Risk assessment; Risk management strategy
Targeted actions: Take inventory; Manage vendors; Establish governance; Conduct risk assessment
Take inventory: understand what you are protecting
- Hardware: laptops, desktops, mobile devices, printers, servers
- Software: software name, installed version, purchase date, criticality
- Data: data classification (public, private, sensitive); risk level (high, medium, low)
- Vendors & third parties: services offered, data accessed, due diligence completion date, contract start & expiration dates
Manage vendors: conduct vendor due diligence
- How do vendors connect to your network?
- What encryption practices do they use?
- Conduct routine access reviews and annual audits
Establish governance
- Create clear executive-level ownership and accountability for your firm's information security.
- Ensure a clear understanding of risks, priorities, and emerging threats at the executive level.
- Form an information security leadership team to provide organizational support.
Conduct risk assessment
[Figure: Asset, Risk, Vulnerability, Threat]
NIST | Protect
Set controls and safeguards necessary to protect against or deter threats.
Categories: Access control; Awareness and training; Data security; Information protection processes and procedures; Maintenance; Protective technology
Targeted actions: Credentials; Client, remote, and third-party network access; Access permissions
Credential policy
- Credentials
- Password complexity
- Password managers
- Access rights
- Two-factor authentication
Access permissions: role-based access to systems, files, and data
- User role vs. administrator
- Restrict vendor access to necessary resources only
- Establish procedures; review and update them periodically
NIST | Protect (continued)
Targeted actions: Staff training; Client education; Fund transfer requests
Staff training and client education
Threats to cover (for illustrative purposes only): hacking, phishing, identity theft, website cloning/spoofing, ransomware, social engineering, pharming
Staff training and client education
“I think we have a huge responsibility to educate our clients, too. I can work really hard to make sure we’re protecting our clients’ assets and data, but our clients need education so they know how to protect themselves.”
Julie Goodrum, Wagner Wealth Management
Fund transfer requests
- Prepare your team and your clients
- Detect and prevent fraud attempts
- Respond if you suspect fraud occurred
Proper controls can prevent 95% of external fraud.1
1 Schwab Fraud Prevention and Investigations Team, as of October 20, 2015.
NIST | Protect (continued)
Targeted actions: Data encryption; Physical asset management
Data encryption
Physical asset management
- Clean desk policy
- Locked file cabinets
- Card access lock for office
- Computer end-of-life policy
NIST | Protect (continued)
Targeted actions: Data loss prevention; System and software updates; Removable media
Aspects of data loss prevention
- File sharing websites
- Remote copy/paste
- Public Wi-Fi
- Review software
- Mobile devices
- Website filters
Software maintenance: establish a patch maintenance plan
“Most security incidents exploit vulnerabilities more than three months old.” (2016 Ponemon Institute study)
- Ensures consistency in configuration
- Automate updates
- Disable administrator accounts for users who don’t need them
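The inventory fields from the “Take inventory” slide and the three-month figure quoted above fit together naturally: once you know what software you run and when each piece was last patched, you can list what is overdue and order it by criticality. The script below is an added example, not code from the presentation or from Schwab; the record layout, the 90-day limit (read from the “three months” figure), and the sample inventory are all constructed for illustration.

```python
# Added example (not from the presentation): review a software inventory for
# overdue patches. Inventory fields follow the "Take inventory" slide; the
# 90-day limit mirrors the "more than three months old" figure quoted from the
# Ponemon study. Field names and sample records are constructed assumptions.
from dataclasses import dataclass
from datetime import date

PATCH_AGE_LIMIT_DAYS = 90

# Higher number = more critical; used to order the remediation list.
CRITICALITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class SoftwareAsset:
    name: str
    installed_version: str
    criticality: str      # "high", "medium" or "low", as on the inventory slide
    last_patched: date    # date the installed version was last updated
    auto_update: bool     # whether updates are applied automatically


def patch_age_days(asset: SoftwareAsset, today: date) -> int:
    """Days since the asset was last patched."""
    return (today - asset.last_patched).days


def is_overdue(asset: SoftwareAsset, today: date, limit: int = PATCH_AGE_LIMIT_DAYS) -> bool:
    """True when the asset has gone longer than `limit` days without a patch."""
    return patch_age_days(asset, today) > limit


def overdue_assets(inventory, today, limit=PATCH_AGE_LIMIT_DAYS):
    """Overdue assets ordered by criticality (high first), then by age (oldest first)."""
    overdue = [a for a in inventory if is_overdue(a, today, limit)]
    return sorted(
        overdue,
        key=lambda a: (-CRITICALITY_RANK[a.criticality], -patch_age_days(a, today)),
    )


def manual_update_assets(inventory):
    """Assets still patched by hand: candidates for the 'automate updates' action."""
    return [a for a in inventory if not a.auto_update]


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    SoftwareAsset("Portfolio app", "4.2.1", "high", date(2016, 1, 15), False),
    SoftwareAsset("Email client", "11.0", "high", date(2016, 5, 30), True),
    SoftwareAsset("PDF reader", "9.3", "medium", date(2015, 11, 2), False),
    SoftwareAsset("Screen saver", "1.0", "low", date(2015, 12, 20), False),
]

if __name__ == "__main__":
    today = date(2016, 6, 1)
    for a in overdue_assets(SAMPLE_INVENTORY, today):
        print(f"{a.criticality:6} {a.name:15} v{a.installed_version} "
              f"last patched {patch_age_days(a, today)} days ago")
    print("still updated manually:", [a.name for a in manual_update_assets(SAMPLE_INVENTORY)])
```

Run against the sample inventory on 2016-06-01, the report lists the portfolio app first (high criticality, 138 days), then the PDF reader (medium, 212 days), then the screen saver (low, 164 days); the email client, patched two days earlier, is not listed. Ordering by criticality before age keeps the remediation list aligned with the risk levels recorded in the inventory rather than with raw staleness.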
Removable media: disable the use of removable media
- Establish an approval process
- Only use firm-provided, encrypted media
- Disable auto-run to prevent malware
NIST | Detect
Continuous monitoring to provide proactive and real-time alerts of events.
Categories: Anomalies and events; Security continuous monitoring; Detection processes
Targeted actions: Baseline network operations; Penetration testing
Baseline network operations
[Figure omitted; for illustrative purposes only]
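Baselining network operations means recording what normal looks like for each host (typical daily volume, usual destinations) and then alerting when observed traffic departs from it. The script below is an added example of that idea, not code from the presentation or from any product; the record format (day, source host, destination, bytes sent), the one-week baseline, and the observed day are all constructed for illustration.

```python
# Added example (not from the presentation): build a per-host baseline of
# outbound network activity from a week of records, then alert on deviations.
# The record format and every value below are constructed for this example.
from collections import defaultdict
from statistics import mean, pstdev

# Each record: (day, source host, destination, bytes sent). Constructed data.
BASELINE_RECORDS = [
    ("2016-02-29", "ws-01", "custodian.example", 60_000),
    ("2016-02-29", "ws-01", "mail.example", 40_000),
    ("2016-03-01", "ws-01", "custodian.example", 70_000),
    ("2016-03-01", "ws-01", "mail.example", 50_000),
    ("2016-03-02", "ws-01", "custodian.example", 65_000),
    ("2016-03-02", "ws-01", "mail.example", 45_000),
    ("2016-03-03", "ws-01", "custodian.example", 55_000),
    ("2016-03-03", "ws-01", "mail.example", 35_000),
    ("2016-03-04", "ws-01", "custodian.example", 60_000),
    ("2016-03-04", "ws-01", "mail.example", 45_000),
    ("2016-02-29", "ws-02", "custodian.example", 50_000),
    ("2016-03-01", "ws-02", "custodian.example", 52_000),
    ("2016-03-02", "ws-02", "custodian.example", 48_000),
    ("2016-03-03", "ws-02", "custodian.example", 50_000),
    ("2016-03-04", "ws-02", "custodian.example", 50_000),
]

# One observed day after the baseline period. Constructed data.
OBSERVED_RECORDS = [
    ("2016-03-07", "ws-01", "custodian.example", 60_000),
    ("2016-03-07", "ws-01", "mail.example", 40_000),
    ("2016-03-07", "ws-02", "custodian.example", 30_000),
    ("2016-03-07", "ws-02", "filesharing.example", 400_000),
    ("2016-03-07", "ws-99", "mail.example", 5_000),
]


def daily_totals(records):
    """host -> day -> total bytes sent that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in records:
        totals[host][day] += nbytes
    return totals


def build_baseline(records):
    """Per host: mean and population stdev of daily bytes, plus destinations seen."""
    dests = defaultdict(set)
    for _day, host, dest, _nbytes in records:
        dests[host].add(dest)
    baseline = {}
    for host, per_day in daily_totals(records).items():
        totals = list(per_day.values())
        baseline[host] = {"mean": mean(totals), "stdev": pstdev(totals), "dests": dests[host]}
    return baseline


def detect_anomalies(baseline, records, k=3.0):
    """Alerts as (day, host, kind, detail) for three deviations from the baseline:
    a host never seen before, a destination the host never used, and a daily
    volume above mean + k * stdev."""
    alerts = []
    seen_unknown = set()
    for day, host, dest, _nbytes in records:
        if host not in baseline:
            if (day, host) not in seen_unknown:  # one alert per unknown host per day
                seen_unknown.add((day, host))
                alerts.append((day, host, "unknown_host", "host absent from baseline"))
        elif dest not in baseline[host]["dests"]:
            alerts.append((day, host, "new_destination", dest))
    for host, per_day in daily_totals(records).items():
        if host not in baseline:
            continue
        threshold = baseline[host]["mean"] + k * baseline[host]["stdev"]
        for day, total in sorted(per_day.items()):
            if total > threshold:
                alerts.append((day, host, "volume", f"{total} bytes > threshold {threshold:.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_RECORDS), OBSERVED_RECORDS):
        print(*alert)
```

On the constructed data, ws-01 stays within its baseline (mean 105,000 bytes/day, threshold 135,000) and produces no alert; ws-02 triggers both a new-destination alert for filesharing.example and a volume alert (430,000 bytes against a threshold near 53,800); ws-99 is flagged because it never appeared in the baseline week. A real deployment would baseline over a longer window and tune k per host, but the three checks are the ones a baseline makes possible in the first place.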
Penetration testing: consult with a qualified IT specialist
- Attempt to exploit network vulnerabilities
- Document and remediate weaknesses
- Conduct periodically
“Testing shows the presence, not the absence of bugs.” (Edsger W. Dijkstra)
NIST | Respond
Define the steps and response activities to manage IT security events, including breaches.
Categories: Response planning; Communications; Analysis; Improvements
Targeted action: Incident response and business continuity plan creation
Written response plans: all information security plans are documented
- Incident response
- Incident recovery
- Business continuity
- Disaster recovery
Maintain response plans: review and update as risks change
Conduct testing: document when and how
Update based on test results: document changes
Communicate: ensure employees are aware of the changes
NIST | Recover
Fully recover business capabilities and manage reputational risk following a significant disruption.
Categories: Recovery planning; Improvements; Communications
Targeted actions: Implement changes; Make clients whole
Customer losses: track any successful unauthorized incidents
- Identify the amount of customer losses
- Make the client whole
- Does cyber liability insurance make sense?
Resources and next steps
Thank you
Advisor Services

Important disclosures
These materials are provided as a convenience. They are provided entirely as-is, without warranties of any kind. Use of the materials is at your own sole risk and liability. Neither Charles Schwab & Co., Inc. nor any of its affiliates or employees makes any warranty, express or implied, or assumes any liability or responsibility for the accuracy, completeness, regulatory compliance, or usefulness of any information, tools, resources, or process disclosed, or represents that its use would protect against cybersecurity (aka Information Technology, IT) security incidents, including but not limited to system breaches, compromise of firm security, and/or improper access to confidential information. Neither Charles Schwab & Co., Inc. nor any of its affiliates or employees is responsible for any damages or other harm that might occur as a result of, or in spite of, use of any information, tools, resources, or processes disclosed. You are solely responsible for securing your systems and data, including your organization’s compliance with all applicable laws, regulations, and regulatory guidances. References herein to any specific product, process, or service by trade name, trademark, manufacturer, or otherwise do not necessarily constitute or imply its endorsement, recommendation, or favoring by Charles Schwab & Co., Inc.
© 2016 Charles Schwab & Co., Inc. ("Schwab"). All rights reserved. Member SIPC. Schwab Advisor Services™ serves independent investment advisors and includes the custody, trading, and support services of Schwab. Independent investment advisors are not owned by, affiliated with, or supervised by Schwab. (0317-VH95)