Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
Privacy and Data Security: Risk Management and Avoidance
Next

Share

Seattle Tech4Good meetup: Data Security and Privacy

12/7/2016 - It's difficult to avoid news stories about hacks and misused databases. For our Q4 meetup, we will discuss what nonprofits can do to protect their systems and data. Each panelist will outline best practices for protecting your own data as well as constituent data.
PANELISTS
* Mary Gardner, Chief Information Security Officer at Seattle Children's Hospital.
* Ralph Johnson, Chief Information Security and Privacy Officer, King County
* Peter Kittas, Web and IT Consultant, Revelate LLC

Related Books

Free with a 30 day trial from Scribd

See all

Seattle Tech4Good meetup: Data Security and Privacy

  1. 1. IT Security & Data Privacy https://www.meetup.com/SeaTech4Good/events/235268004/ o 6pm-6:30 – eat, drink, network o 6:30-7:30 – Panelist’s presentations o 7:30-8pm – Q&A o 8pm-8:30 lingering until GA kicks us out
  2. 2. Tonight’s Panelists Mary Gardner Chief Information Security Officer Ralph Johnson Chief Information Security and Privacy Officer Peter Kittas Web and IT Consultant Revelate LLC
  3. 3. Program • Housekeeping (Thank You GA!) • Who is Seattle Tech4Good? • @seatech4good • #datasecurity
  4. 4. Security, Compliance, Risk Management Mary Gardner, CISSP
  5. 5. Security – CIATriad
  6. 6. KnowYour Data  What kind of data do you have  Who has access  Where is your data  Why is it important to your non-profit  When can you delete it?
  7. 7. Regulations and Standards Regulation Description Triggers Requirements HIPAA Requires that protected health Information (PHI) be maintained in a secure and confidential manner  Billing  Self-Insured Companies  Business Associate Agreements  Encryption of PHI  Standards for Deidentification  Breach Notification  Policy and Standards for Protection of Data GLBA Requires that Customers Personally Identifiable Information be secured regardless of where it lives. Also allowed for Investment and Savings banking to be offered at one institution.  Chartered as a financial institution under the guidance of the OCC, SEC  Protection of PII  Vendor Security  Breach Notification  Required Information Security Function SOX Sarbanes – Oxley act required controls be maintained around financial reporting data. Those controls must be certified by independent 3rd party  Publically traded companies  Integrity of Accounting Data  Self –Assessment Program  Attestation of Controls PCI Payment Card Industry Standard requires the protection of cardholder account information  Companies Processing Payment card Information  Requirements Based on Annual Transaction Volumes  Encryption or Obfuscation of Account Numbers  Annual Assessment Program  Attestation of Controls FISMA Federal Information Security Management Act Requires Institutions Gathering or Processing Information on the Governments behalf Handle that data according to risk based standards  Contractual Requirements  Stipulation of Certain Grants or Information Sharing Agreements  Encryption of Sensitive Information  Risk Assessment Program  Identification and Notification of Breach State Breach Laws Many States Require that Individuals be Notified in the Event of the Breach of Their Personally Identifiable Information (PII)  Public or Private Sector Entities Storing or Processing PII  Encryption of PII  Breach Notification
  8. 8. Risk Management
  9. 9. Resources  Center for Internet Security  https://www.cisecurity.org/  https://www.cisecurity.org/critical-controls/documents/Controls%20Practical%20Guidance%20for%20Web%20v4.pdf  OWASP  https://www.owasp.org/  SANS  https://www.sans.org/  RSA conference slides  https://www.rsaconference.com/events/us16/downloads-and-media  Cloud Security Alliance  https://cloudsecurityalliance.org/
  10. 10. Building stronger communities through innovative information technology @KingCountyIT Basic Cyber Hyegene Ralph Johnson Chief Information Security and Privacy Officer King County, Washington
  11. 11. Building stronger communities through innovative information technology What is Information Security? The practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Management of Risk to Information and related systems.
  12. 12. Building stronger communities through innovative information technology Risk Weaknesses in a system or process Effect that the exploitation of a vulnerability by a threat will have on the organization
  13. 13. Building stronger communities through innovative information technology Humans Behind Threats ThreatsMotivation Terrorist groups sabotage the computer systems that operate our critical infrastructure such as the electrical grid Nation state actors sabotage military and critical infrastructure systems to gain an advantage in the event of conflict Hactivists use computer network exploitation to advance their political or social causes Individuals and sophisticated criminal enterprises steal personal information and extort victims for financial gain Trusted insiders steal proprietary information for personal, financial and ideological reasons Trusted insiders are prone to error and mistakes Nation State actors conduct computer intrusions to steal sensitive state secrets and proprietary information from private companies
  14. 14. Building stronger communities through innovative information technology Other Threats Environmental Flood Windstorm Volcanic Eruption Earthquake Fire or Explosion Transportation Employee Related Epidemic
  15. 15. Building stronger communities through innovative information technology Manage Vulnerabilities Through Cyber Hygiene Know what’s connected to and running on your network
  16. 16. Building stronger communities through innovative information technology Manage Vulnerabilities Through Cyber Hygiene Implement key security settings to help protect your systems
  17. 17. Building stronger communities through innovative information technology Manage Vulnerabilities Through Cyber Hygiene Limit and manage those who have admin privileges to change, bypass, or override your security settings
  18. 18. Building stronger communities through innovative information technology Manage Vulnerabilities Through Cyber Hygiene Regularly update all applications, software and operating systems
  19. 19. Building stronger communities through innovative information technology Manage Vulnerabilities Through Cyber Hygiene Regularize the Top Priorities to form a solid foundation of cybersecurity
  20. 20. Building stronger communities through innovative information technology
  21. 21. Cloud vs. On-Premise Security Considerations for Non-Profits Peter Kittas Revelate LLC peter@revelate.io
  22. 22. What is IT Security? • Three primary elements: ◦ Confidentiality – the data is accessible by only authorized people/systems ◦ Integrity – the data is valid and has not had unauthorized modification ◦ Availability – the resource is accessible when needed • IT security is the culmination of information risk management Peter Kittas | Revelate LLC | peter@revelate.io
  23. 23. Security Foundations • Crucial that leadership demonstrates it cares about security • Inventory and classify your organization’s critical data • User security awareness training • Physical Security • Use encryption whenever feasible • Trusted computers/devices • (Recoverable) Backups, preferably on-site and off-site Peter Kittas | Revelate LLC | peter@revelate.io
  24. 24. On-Premise Server Security + Many application choices and ultimate configuration control + Often not dependent on Internet uptime and performance + Data might stay entirely on-site - Managing hardware and software requires ongoing expert attention - Facilities: Dependent on reliable power and HVAC - Physical security: reliable power and HVAC, access to servers and network gear should be controlled Peter Kittas | Revelate LLC | peter@revelate.io
  25. 25. Cloud Provider Security + Handle all hardware and software installation and maintenance + Typically, very strong physical security controls + Inherent remote access capability + Often provides offsite storage / co-location of data - Less influence over future functionality / changes - May require additional investment in reliability and speed of Internet connection - A larger and more visible target - Anyone in the world can access your login page Peter Kittas | Revelate LLC | peter@revelate.io
  26. 26. Authentication and Access Control Best Practices • Use strong, unique passwords, along with a password manager • Require two-factor authentication • Role-based access control • Avoid shared accounts • Account / device audit and revocation capability • Review details of password change procedures Peter Kittas | Revelate LLC | peter@revelate.io
  27. 27. More Cloud Provider Security Considerations • Beware of "free" services • Capability to bulk export all data • Legal and regulatory compliance factors • Examine Knowledge Base/Support pages of provider’s website to gauge their security- mindedness • Does provider conduct independent 3rd party security audits? • Review Terms of Use, Privacy Policy, and Service Level Agreement Peter Kittas | Revelate LLC | peter@revelate.io
  28. 28. Tonight’s Panelists Mary Gardner Chief Information Security Officer Ralph Johnson Chief Information Security and Privacy Officer Peter Kittas Web and IT Consultant Revelate LLC
  29. 29. Three Tidbits from Discussion • Don’t underestimate the importance of continuous security training for employees, volunteers, and Board members. • Several attendees recommend Wombat for gamified training • A good first step is to scan your system for vulnerability. • One available tool is Nessus. • All the major browsers are adding changes in 2017 to show more warnings when people visit websites that don’t have the latest security certificates. • Several attendees recommended Let’s Encrypt to enable HTTPS on your website. It’s free and they are a nonprofit too!
  • HughGee

    Dec. 9, 2016
  • elijahv

    Dec. 8, 2016

12/7/2016 - It's difficult to avoid news stories about hacks and misused databases. For our Q4 meetup, we will discuss what nonprofits can do to protect their systems and data. Each panelist will outline best practices for protecting your own data as well as constituent data. PANELISTS * Mary Gardner, Chief Information Security Officer at Seattle Children's Hospital. * Ralph Johnson, Chief Information Security and Privacy Officer, King County * Peter Kittas, Web and IT Consultant, Revelate LLC

Views

Total views

579

On Slideshare

0

From embeds

0

Number of embeds

0

Actions

Downloads

0

Shares

0

Comments

0

Likes

2

×