Presentation is loading. Please wait.

Presentation is loading. Please wait.

DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW 1 CYBERSECURITY MONTH SERIES Presented by George Guzman October 27, 2014.

Published byJoella Rodgers Modified over 9 years ago

Similar presentations

Presentation on theme: "DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW 1 CYBERSECURITY MONTH SERIES Presented by George Guzman October 27, 2014."— Presentation transcript:

1 DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW 1 CYBERSECURITY MONTH SERIES Presented by George Guzman October 27, 2014

2 Contents 2 Welcome and What we Do Data Security and Compliance…what’s the difference? Compliance landscape and strategies Advanced Data Security Target Story Common Denominators Our unique GW environment…lots going on Common risk factors Steps you can take Who to contact

3 What we do 3 The goal of the Compliance and Privacy Office is to establish a voluntary compliance program to ensure that faculty and staff are aware of and comply with federal, state and local laws and regulations. We work closely with the Office of General Counsel, the Division of IT, and the respective academic and administrative functions of the university

4 Data Security and Compliance 4 What’s the difference? Data security is the application of deterrents or security controls to protect data. The level of deterrents or security is commensurate to how the individual or entity uniquely “values” the data. Compliance is applying a baseline of security controls (people, process, technology) defined by a standard. The baseline is applied to a specific type of data….typically regulated; such as health information, financial, personally identifiable information

5 Data Security and Compliance 5 Does Compliance equal highest level of security? No, it ensures a repeatable, stable baseline of security that can be measured to meet a specific regulatory requirement Does highest level of security mean you are “secure”? Maybe, depends on where you place your security. Can you cover 100%...probably not. Data Security and Compliance are key pieces to GW’s information risk management…ensuring compliance and placing highest security controls on assets that matter the most

6 Compliance Landscape 6 http://www.higheredcompliance.org/matrix /

7 Frameworks and Strategies…more than technology 7 NIST 800-53 ISO27001 National Cybersecurity Framework

8 Advanced data security… 8 Part of a defense in depth strategy to apply higher levels of security to high value information/assets  Penetration tests/Red team analysis  Application code reviews  System hardening  Logging  Intrusion detection  Staff with advanced training/credentials (forensics, malware analysis)

9 Examples of Data Security ≠ Compliance 9 40 million credit cards stolen, Target was PCI (Payment Card Industry) compliant, attacked through HVAC vendor

10 Common Denominators 10 What are the common denominators?  Knowing what data you have  Knowing the value of the data  Knowing the risks to your data  Understanding likelihood and impact of these risks  Accepting a level of risk This may seem obvious and easy…but ask your colleagues if they see it the same way. Entities need to define this…we do it here at GW

11 Our Unique GW Environment 11 Federal, State, Local laws (over 400 GW is required to comply) Rapidly changing technology… boundaries are constantly moving Affiliations with hospitals, Public, Private sector, other universities 20,000 students and over 6000 faculty and staff Research Funding

12 Common Risk Factors 12 Awareness of information in your care Access to information…need to know principle Dissemination of information…technology makes it easy Lack of knowledge or training of staff…knowing your role, how to identify and what to do in situations Increased visibility of data loss…fines, reputational hit, accreditation risks, grants

13 Best Practices you can Take 13 Referencing back to the Common Denominators slide Knowing what data you have Knowing the value of the data Knowing the risks to your data Understanding the risk tolerance Ensure you and your team are leveraging available resources (tools, training, seminars) Never hesitate to ask for assistance…better to be safe

14 Resources 14  http://www.cspri.seas.gwu.edu/ http://www.cspri.seas.gwu.edu/  http://www.inforisktoday.com http://www.inforisktoday.com  http://www.higheredcompliance.org/matrix http://www.higheredcompliance.org/matrix  http://www.nist.gov/cyberframework/upload/cybe rsecurity-framework-021214.pdf http://www.nist.gov/cyberframework/upload/cybe rsecurity-framework-021214.pdf  http://www.sans.org/critical-security-controls/ http://www.sans.org/critical-security-controls/  Division of IT Information Security Team http://it.gwu.edu/security http://it.gwu.edu/security

15 Contact Info 15 Compliance and Privacy Office George Guzman, Director of Compliance and Data Privacy, gguzman@gwu.edu 202-994-6226 Compliance Office Email comply@gwu.edu Compliance Office direct line 202-994-3386

Download ppt "DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW 1 CYBERSECURITY MONTH SERIES Presented by George Guzman October 27, 2014."

Similar presentations

How Compliance Fits Sandra Dolson Wholesale Compliance Manager SLF Canada.

How Compliance Fits Sandra Dolson Wholesale Compliance Manager SLF Canada.
Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.

Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
1 1 Risk Management: How to Comply with Everything July 11, 2013.

1 1 Risk Management: How to Comply with Everything July 11, 2013.
Outcomes focused regulation and compliance in practice Peter Scott Peter Scott Consulting www.peterscottconsult.co.uk.

Outcomes focused regulation and compliance in practice Peter Scott Peter Scott Consulting
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Security Controls – What Works

Security Controls – What Works
WELCOME Annual Meeting & Compliance Seminar. Code of Conduct - Impact on Corporate Culture by Andy Greenstein Knight Capital Group, Inc.

WELCOME Annual Meeting & Compliance Seminar. Code of Conduct - Impact on Corporate Culture by Andy Greenstein Knight Capital Group, Inc.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
Risk Assessment Frameworks

Risk Assessment Frameworks
Overview 4Core Technology Group, Inc. is a woman/ veteran owned full-service IT and Cyber Security firm based in Historic Petersburg, Virginia. Founded.

Overview 4Core Technology Group, Inc. is a woman/ veteran owned full-service IT and Cyber Security firm based in Historic Petersburg, Virginia. Founded.
Brian Markham Director, DIT Compliance and Risk Services May 1, 2014

Brian Markham Director, DIT Compliance and Risk Services May 1, 2014
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.

The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.
OSHA Long Term Care Worker Protection Train the Trainer Program Part 1: Introduction.

OSHA Long Term Care Worker Protection Train the Trainer Program Part 1: Introduction.
Fiscal Compliance for Department Heads & Directors Daniel Adams Audit Services.

Fiscal Compliance for Department Heads & Directors Daniel Adams Audit Services.

Similar presentations

Ads by Google