Slide 1: Strategies & Tactics for Data Security
2015 IAEWS Fall Congress
Panel Discussion
Panelists: David Lewis, OperationsInc; Patrick Manzo, Monster; Steve Roosa, Holland & Knight; Andy Hibel, HigherEdJobs
Slide 2: Data Security?
Slide 3: 2015 MasterCard Security Survey
Concerned about:
- Being pickpocketed: 46%
- Home being robbed: 59%
- Being hacked: 62%
- Financial info stolen: 77%
Behaviors:
- Check financial info on public networks: 39%
- "Rarely if at all" change passwords for financial info: 46%
Slide 4: Naked But Secure . . .
55% of Americans would prefer to have naked pictures leaked rather than their financial data.
Slide 5: Matter of Trust
Diagram: trust relationship between Career Site and Job Seeker
Slide 6: Distinguishing Security v. Privacy
Slide 7: Privacy Issues: Intentional Collection, Use, and Sharing
Privacy involves the consequences of collection, use, and sharing of data (especially personally identifiable information) with:
- Advertisers and marketing companies
- Analytics companies
- Hosted solutions
- Social network functions
- 3rd party service providers
- Other users
- Other businesses
- Data brokers
Slide 8: Security Issues: When Things Break
Unintended or unauthorized access/disclosure:
- Malware
- Stolen passwords
- Exploits of vulnerabilities (e.g., Heartbleed)
- Insider data theft
- Remote hacks and network intrusion
- Injection attacks against databases
Slide 9: Technical Safeguards, Protections, Countermeasures
- Intrusion detection systems
- Logging
- Firewalls
- 2FA
- Anti-virus
- Sanitizing database inputs
- Encryption in transit
- Encryption at rest
- Secure coding practices
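As an added illustration of the "Sanitizing database inputs" and "Secure coding practices" items above (example code, not from the panel's materials), the following Python snippet places a string-built SQL query beside its parameterized form. The in-memory SQLite table, the hypothetical lookup functions and the sample inputs are all constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE job_seekers (id INTEGER PRIMARY KEY, email TEXT, resume TEXT)")
    conn.executemany(
        "INSERT INTO job_seekers (email, resume) VALUES (?, ?)",
        [("alice@example.com", "private resume A"),
         ("bob@example.com", "private resume B"),
         ("o'brien@example.com", "private resume C")],
    )
    return conn

def lookup_unsafe(conn, email):
    # Vulnerable pattern: the input is concatenated into the SQL text,
    # so quote characters inside it are parsed as SQL syntax.
    sql = "SELECT email FROM job_seekers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    # Hardened pattern: a bound parameter keeps the input as data; the
    # driver never treats it as part of the statement.
    sql = "SELECT email FROM job_seekers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

def demo():
    conn = make_db()
    results = {}
    # 1. A legitimate apostrophe: the unsafe query is simply broken.
    try:
        lookup_unsafe(conn, "o'brien@example.com")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = lookup_safe(conn, "o'brien@example.com")
    # 2. A constructed hostile input that turns the WHERE clause into a
    #    tautology: the unsafe query leaks every row, the safe one matches none.
    hostile = "x' OR '1'='1"
    results["unsafe_hostile_rows"] = len(lookup_unsafe(conn, hostile))
    results["safe_hostile_rows"] = len(lookup_safe(conn, hostile))
    return results

if __name__ == "__main__":
    print(demo())
```

Binding parameters, rather than hand-written character filtering, is the control that keeps input from ever being parsed as SQL; the same idea applies to stored procedures and ORM query builders.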
Slide 10: Incident Response Plans
- Train on them
- Update them
- Must be short enough to be actionable
- Communications should maintain privilege
- Involve: Legal, PR, and Information Security
- Have breach counsel and response vendor vetted and selected in advance
Slide 11: The Cloud…
Slide 12: Cloud Services
- Determine if you can even use a cloud solution based on legal requirements.
- If you don't encrypt data before it is sent to the cloud, the cloud provider technically has physical access to the data.
- Have your security team compare the security procedures you follow internally to those of the cloud, and identify any shortcomings on the part of the cloud provider.
- Push back against cloud providers on terms (AWS v. Azure).
- Begin with the end in mind: intercloud transition.
Slide 13: Managing 3rd Party Risk
Contractual constraints:
- Indemnity
- Right to audit
- Insurance requirements
- Reps and warranties
- Incident response provisions
Other measures:
- Static code analysis for 3rd party vulnerabilities
- Compliance with OWASP ASVS Level 2 (see next slide)
- Other due diligence
Slide 14: OWASP's Standards Are Excellent (Open Web Application Security Project)
ASVS: Application Security Verification Standard Project
The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.
Slide 17: Conclusion - Contact Info
Write down something you will do as a first step.
David Lewis, OperationsInc
Patrick Manzo, Monster
Steve Roosa, Holland & Knight
Andy Hibel, HigherEdJobs