Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security Business Risk and Data Protection Gregory Neuhaus.

Published byBennett Nichols Modified over 9 years ago

Similar presentations

Presentation on theme: "Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security Business Risk and Data Protection Gregory Neuhaus."— Presentation transcript:

1 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security Business Risk and Data Protection Gregory Neuhaus Assistant Commissioner Disaster Recovery

2 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Agenda Application Security- How Much is Enough? –Business Risk –Examples of Business Vulnerabilities –Data Classification and Protection –What Can Be Done? –Lesson Learned

3 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Business Risk – Know Your Business Reputation of your organization – “Your organization makes the news” Goal of treats - Sabotage, Retaliation, Financial gain, Celebrity Impact to critical functions within you organization – What are your Business Contingency and Disaster Recovery plans for the asset? Impact to client services – How will you provide services? Loss of productivity and/or financial loss – Is the application key to employee work or financial viability of your organization? Employees with excessive rights or access to confidential data – The threat is from within! Data loss or breach – You need to classify data? Regulatory Compliance – What is your legal/regulatory liability?

4 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security is Not Just an IT problem It’s an organizational problem What are your Risk Factors? Do you accept the risk? What are the legal ramifications? How will this effect the services you provide? What is your data worth? Who are your high risk users?

5 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Examples of Business Vulnerabilities –Ohio data breach A 22-year-old intern was given the responsibility of safeguarding the personal information of thousands of state employees, a security procedure that ended up backfiring. The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car –Horizon Blue Cross Blue Shield (Newark, NJ) More than 300,000 members names, Social Security numbers and other personal information were contained on a laptop computer that was stolen. The laptop was being taken home by an employee who regularly works with member data. 300,000

6 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Examples of Business Vulnerabilities –Nebraska’s Treasure Office A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information (such as tax identification numbers) for 9,000 businesses. 309,000 individuals affected TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx, The TJX Companies Inc.experienced an "unauthorized intrusion" into its computer systems that process and store customer transactions, including: credit card, debit card, check, and merchandise return transactions. They discovered the intrusion mid-December 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed, along with 45,700,000 credit and debit card account numbers

7 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security- Risk Mitigation: What Can Be Done? -Understand your Business Risk -The data belongs to the business, not IT. Take ownership. -Understand who has access and what can they access? -Can you download data from your application? -Designing/follow a security policy -Implement a security policy with proper security tools, procedures and best practices. -Use National Institute of Standards and Technology (NIST) http://www.nist.gov/ -Audit and enforce the security policy

8 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 -Does your organization have a Chief Information Security official? -Establish a security incident response process team. -Develop Business Contingency and Disaster Recovery plans for the application -Protect sensitive data through encryption and data classification -Follow good change management procedures -Test Test Test!

9 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 NYC Data Classification NYC.GOV/INFOSEC

10 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Real world example of a data breach Scenario: City, public - facing applications had a application security flaw that exposed client information Why: Application was extensively modified compromising the base security of the application Impact: Application was taken off web site. Project was re-evaluated by oversights. Project was moved to another agency. Need to send a letter to all users of the application. Termination of senior project manager.

11 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Lessons Learned Testing: Security testing is very important on applications with sensitive data, resulting in penetration testing for applications. Security scenarios should be part of unit, system and user testing. Exercise all user and administrator functions. System Design: Establish a formal accreditation process as part of the system design lifecycle. Plan security and deal with security issues as part of planning, not as last minute implementation items. This saves time and money.

12 Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Questions and Answers

Download ppt "Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security Business Risk and Data Protection Gregory Neuhaus."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.

K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.
Lessons Learned Data and Asset Security FOCUS Spring 2006 Chuck Banner UVA-Wise.

Lessons Learned Data and Asset Security FOCUS Spring 2006 Chuck Banner UVA-Wise.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
2012, Team-Tiger- Northwestern McCormick MSIT 2013 Confidential 1 ©2011, Cognizant Northwestern McCormick MSIT- 2013 October 20 th, 2012 Information Security.

2012, Team-Tiger- Northwestern McCormick MSIT 2013 Confidential 1 ©2011, Cognizant Northwestern McCormick MSIT October 20 th, 2012 Information Security.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Security Officer

Information Systems Security Officer
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA 2014. The policy advocacy and regulatory work of the GSMA Mobile Money team.

Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA The policy advocacy and regulatory work of the GSMA Mobile Money team.
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
1 Pertemuan 17 Organisational Back Up Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 17 Organisational Back Up Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

Similar presentations

Ads by Google