INTRAPRISETECHKNOWLOGIES LLC

      Leading Practices in
 Information Security & Privacy

          NTEN Nonprofit Technology Conference
          Atlanta, Georgia
          April 9, 2010

          Presented by
          Donny C. Shimamoto, CPA.CITP
Today’s Agenda

 About the Presenter
 About the Audience
 Information Risks and Losses are Increasing
 Information Security Requirements
  –   ID Theft & Privacy Laws
  –   Payment Card Industry Data Security Standard
 Your Role in Protecting Information
  –   A SAS 70 is not enough
  –   Risk Assessment Methodology
  –   Generally Accepted Privacy Principles (GAPP)
How Was this Session?

  Call In: Call 404.939.4909, Enter Code 165
  Text:    Text 165 to 69866
  Online:  Visit nten.org/ntc-eval, Enter Code 165

Session feedback powered by:

Tell Us and You Could Win a Free 2011 NTC Registration!
Donny C. Shimamoto, CPA.CITP

Background & Experience
 BBA from University of Hawaii at Manoa
  –   Accounting
  –   Management Information Systems
 Alumni of PricewaterhouseCoopers LLP
  –   Strategic Technology Group
  –   Financial Audit and IT Audit
  –   Washington Consulting Practice
 Founder of IntrapriseTechKnowlogies LLC
  –   Organizational Development advisor with a focus on
      Business Intelligence and Performance Management
  –   Business Process Improvement with emphasis on internal
      controls and technology risk management
  –   IT Outsourcing for small and middle market organizations
Donny C. Shimamoto, CPA.CITP

    Involvement, Awards, and Recognition
     American Institute of CPAs
      –   Assurance Services Executive Committee (2009+)
      –   Co-Chair, Business Intelligence Workgroup (2009+)
      –   IT Executive Committee (2006-2009)
     Association of IT Professionals
      –   Honolulu : Director (2008), Treasurer (2009), President (2010)
      –   National: Chair, Governance Task Force (2009+), National
          Strategic Planning Committee (2009)
     Awards & Recognition
      –   Top “40 Under 40” Accounting Professionals in the US
             2007 & 2009, CPA Technology Advisor Magazine
      –   Top High Tech Leaders in Hawaii
             2004, Pacific Technology Foundation & Technology News Network
Audience Poll #1

     What part of the organization are you from?
      –   Executive Director
      –   Finance
      –   IT / IS
      –   Programs / Other Management
      –   Staff
      –   Vendors / Consultants
Audience Poll #2

     What size of organization are you from?
      –   Very Large (multiple offices, geographically
          dispersed)
      –   Large (multiple offices, 250+ staff)
      –   Large (single office, 250+ staff)
      –   Mid-sized (100 – 250 staff)
      –   Small (<100 staff)
Information Risks and Losses are Increasing

 Banking laws leave business customers
 vulnerable to Internet fraud
  –   March 21, 2010 – Los Angeles Times
  –   32% of 500 small business owners surveyed had
      been victimized; >50% more than once
  –   Federal law doesn’t protect business customers
 Data Theft Creates Notification Nightmare
 for BlueCross
  –   March 1, 2010 – CIO.com
  –   57 hard drives stolen, 1M customer support calls
  –   Which of 3M customers to notify?
Information Risks and Losses are Increasing

 Wanted: Defense Against Online Bank Fraud
  –   February 8, 2010 – Wall Street Journal
  –   Smaller businesses rich target for hackers
      because the smaller banks they utilize aren’t as
      sophisticated in their protections
 Study: Hacking Passwords Easy As 123456
  –   January 21, 2010 – CIO.com
  –   2009 Data Breach Study:
        30% had passwords <=6 characters
        60% use limited set of alpha-numeric characters
        50% use names, slang words, dictionary words or
        trivial passwords (consecutive digits, adjacent keys)
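The three weak-password categories the breach study reports (too short, limited character set, dictionary or trivial patterns) turned into a password-change policy check and a set-level audit that reproduces the study's percentage view. This is an added example, not material from the presentation or the study; WORDLIST, KEYBOARD_ROWS, the sample passwords and the reading of "limited set of alpha-numeric characters" as fewer than three character classes are all constructed assumptions.

```python
"""Weak-password audit and policy check built on the three breach-study
categories above: too short, limited character set, trivial/dictionary.
Added example; WORDLIST, KEYBOARD_ROWS and the samples are constructed."""
import string

# Constructed stand-in for a real dictionary/names wordlist (assumption).
WORDLIST = {"password", "welcome", "monkey", "michael", "letmein",
            "dragon", "princess", "football", "jennifer"}
# Physical keyboard rows, used to catch "adjacent keys" patterns like qwerty.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 7         # the study flagged passwords of <= 6 characters
MIN_CHAR_CLASSES = 3   # of four: lowercase, uppercase, digits, symbols
PATTERN_LEN = 4        # run length treated as a digit/keyboard sequence
# Common look-alike substitutions undone before the dictionary lookup.
_LEET = str.maketrans("0@13$54", "oaiessa")


def is_too_short(pw: str) -> bool:
    return len(pw) < MIN_LENGTH


def char_classes(pw: str) -> int:
    """Number of character classes (of four) the password draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def has_limited_charset(pw: str) -> bool:
    """'Limited set of alpha-numeric characters' is read here as fewer than
    three classes; the threshold is an assumption, not the study's rule."""
    return char_classes(pw) < MIN_CHAR_CLASSES


def _has_run(pw: str, sequences, n: int) -> bool:
    """True if some n-character window of pw appears, forwards or backwards,
    inside one of the given sequences."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        if any(window in s or window in s[::-1] for s in sequences):
            return True
    return False


def has_consecutive_digits(pw: str) -> bool:
    return _has_run(pw, ["0123456789"], PATTERN_LEN)


def has_adjacent_keys(pw: str) -> bool:
    return _has_run(pw, KEYBOARD_ROWS, PATTERN_LEN)


def is_dictionary_word(pw: str) -> bool:
    """Dictionary/name match after dropping a trailing digit/symbol suffix
    (e.g. 'dragon99') and undoing simple look-alike substitutions."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core in WORDLIST or core.translate(_LEET) in WORDLIST


def weaknesses(pw: str) -> set:
    """The set of study categories this password falls into (empty = none)."""
    flags = set()
    if is_too_short(pw):
        flags.add("short")
    if has_limited_charset(pw):
        flags.add("limited_charset")
    if (is_dictionary_word(pw) or has_consecutive_digits(pw)
            or has_adjacent_keys(pw)):
        flags.add("trivial")
    return flags


def policy_check(pw: str):
    """Use at password-change time: returns (accepted, sorted reasons)."""
    flags = weaknesses(pw)
    return (not flags, sorted(flags))


def audit(passwords) -> dict:
    """Percentage of a password set in each category, as the study reported
    its figures. Needs plaintext, so apply it to candidates at change time
    or to a cracked-hash review, not to a store of plaintext passwords."""
    counts = {"short": 0, "limited_charset": 0, "trivial": 0, "acceptable": 0}
    for pw in passwords:
        flags = weaknesses(pw)
        if not flags:
            counts["acceptable"] += 1
        for f in flags:
            counts[f] += 1
    return {k: round(100.0 * v / len(passwords), 1) for k, v in counts.items()}


# Constructed sample set for the demo (not data from the study).
SAMPLE_PASSWORDS = ["123456", "qwerty1", "Dragon99", "P@ssw0rd", "Tq7#mXz9!bL",
                    "welcome", "Jennifer1!", "asdf2010", "Kf2&hR8wQm", "Mz!4Lp9Vr"]
```

On the constructed sample, audit() reports 10% short, 40% limited charset, 70% trivial and 30% acceptable; the categories overlap, as they do in the study, so the figures do not sum to 100.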
Information Risks and Losses are Increasing

 2009 AICPA Top Technology Initiatives
 Survey (http://www.aicpa.org/toptech)
  1. Information Security Management
  2. Privacy Management
  3. Secure Data File Storage, Transmission
     and Exchange
  4. Business Process Improvement,
     Workflow, and Process Exception Alerts
  5. Mobile and Remote Computing
Information Risks and Losses are Increasing

 2008 CSI/FBI Computer Crime and Security Survey
  –   Greatest source of financial loss
        Financial Fraud moved to the top in 2007
         –   Displaced Viruses, which had been the top source for the last 7 years
        Financial Fraud stayed at the top in 2008
         –   Average loss per respondent: $463,100
  –   Other high loss areas
        Bots within the Organization: $345,600
        Loss of customer/employee data: $268,000
        Loss of proprietary information: $241,000
Information Risks and Losses are Increasing

  Chart: Losses from Mobile Device risks: $8,429,150
         Losses from Virus: $8,391,800

  Source: 2007 CSI/FBI Computer Crime and Security Survey
Information Risks and Losses are Increasing

  Chart: Losses from outsider: $6,875,000
         Losses from insider: $6,802,000

  Source: 2007 CSI/FBI Computer Crime and Security Survey
Information Risks and Losses are Increasing

 Federal Trade Commission
  –   ID Theft is the #1 concern of consumers
      contacting the FTC
 US Dept of Justice Statistics
  –   ID Theft has overtaken drug trafficking
 2006 Gartner Study
  –   28 ½ people become new victims every minute
  –   new victim almost every 2 seconds



                          Source: Identity Theft Resource Center
Information Risks and Losses are Increasing

 Common Sources of Data Leaks
  –   45% Lost or stolen laptop computers
  –   29% Records lost by 3rd party business
      partners or outsourcing companies
  –   26% Misplaced or stolen backup files
  –   10% Malware programs (e.g.
      viruses/spyware)



                       Source: Identity Theft Resource Center
Information Risks and Losses are Increasing

    Hawaii was 25th in ID Theft instances per Capita in 2005
Massachusetts Data Privacy Law

 Requirements
  –   Written Information Security Program (WISP)
        Must be appropriate for the size, scope, and type of
        business conducted by the entity
        Must address administrative, technical, and physical
        safeguards
        Applies to both consumer and employee information
        Applies to all forms of media (paper & electronic) and
        the devices that contain them (laptop/phone/ext-HD)
  –   Designated employee must be assigned to
        Evaluate reasonably foreseeable internal and external
        risks to personal information being managed
Massachusetts Data Privacy Law

 Requirements
  –   Employee training program
  –   Monitoring of employee compliance
        To ensure that the WISP is operating in a manner that
        can be reasonably assumed to prevent unauthorized
        access to or use of personal information
  –   Incident management
        Identification of potential incidents
        Assessment of breach and potential data loss
        Documentation of actions taken in response to
        breaches
Massachusetts Data Privacy Law

 Additional Technical Requirements for
 Electronically Stored Information (ESI)
  –   Secure authentication protocols
  –   Control of user IDs and other identifiers
  –   Password security
  –   Restriction of access to personal information to
      active users and active user accounts
        Limit access to a need-to-know basis
  –   Must encrypt personal info transmitted over
      public networks
  –   Must encrypt personal info at rest on portable
      devices
Massachusetts Data Privacy Law

 I’m not in Massachusetts, why should I care?

 State Privacy Laws protect the information
 of the residents of that state
  –   If you hold information about a state’s resident,
      you are often subject to that state’s privacy law
      and must comply with it


 The European Union and State of California
 also have very stringent privacy laws
Personal Information Protection Laws
Hawaii’s ID Theft Laws

 Internal costs
  –   $197 per compromised record
        2007 estimate by Ponemon Institute (per Journal of
        Accountancy, January 2009)


 State penalties
  –   Up to $2,500 for EACH violation/record

 Additional costs
  –   Liability to injured parties for actual
      damages sustained
Payment Card Industry Data Security Standard

 Payment Card Industry Data Security
 Standard (PCI DSS)
  –   Best practice security standards for protecting
      cardholder data
  –   Compliance REQUIRED for
        “Merchants” = Companies who accept credit/debit
        card information (cardholder data)
        “Service providers” = Companies that provide services
        to merchants and have access to cardholder data


          http://www.PCISecurityStandards.org
Payment Card Industry Data Security Standard

 Penalties for Non-compliance
  –   Potential fines of up to $500,000 (in the discretion of Visa,
      MasterCard, Discover Network or other card companies).
  –   All fraud losses incurred from the use of the compromised
      account numbers from the date of compromise forward.
  –   Cost of re-issuing cards associated with the compromise.
  –   Cost of any additional fraud prevention/detection activities
      required by the card associations (i.e. a forensic audit) or
      costs incurred by credit card issuers associated with the
      compromise (i.e. additional monitoring of system for
      fraudulent activity).

                  From: Wells Fargo Merchant Services
      https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25
Payment Card Industry Data Security Standard

 6 Principles + 12 Requirements
  1.   Build and Maintain a Secure Network
  2.   Protect Cardholder Data
  3.   Maintain a Vulnerability Management Program
  4.   Implement Strong Access Control Measures
  5.   Regularly Monitor and Test Networks
  6.   Maintain an Information Security Policy

         http://www.PCISecurityStandards.org
Payment Card Industry Data Security Standard

   Common PCI Myth #3




From: Ten Common Myths of PCI DSS
© 2008 PCI Security Standards Council
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
Payment Card Industry Data Security Standard

 Compliance Requirements
  –   Level 1 = must have onsite audit performed by a
      QSA or internal auditor
  –   Level 2-4 = must complete Self-Assessment
      Questionnaire (SAQ)
        SAQ Type 1 = card not present
        SAQ Type 2 = Imprint-only
        SAQ Type 3 = Stand-alone merchant terminals
        SAQ Type 4 = POS connected to Internet
        SAQ Type 5 = All others
Payment Card Industry Data Security Standard

 Sample SAQ Type 3 questions: (Req 9)
  –   Are all paper and electronic media that contain
      cardholder data physically secure?
  –   Is strict control maintained over the internal or
      external distribution of any kind of media that
      contains cardholder data?
        Is the media identified so that it can be identified as
        confidential?
        Is the media sent by secured courier or other delivery
        method that can be accurately tracked?
  –   Is strict control maintained over the storage
      and accessibility of media that contains
      cardholder data?
Payment Card Industry Data Security Standard

 Sample SAQ Type 3 questions: (Req 12)
  –   Is a security policy established, published,
      maintained and disseminated?
         Is it reviewed at least once a year and updated when
         the environment changes?
  –   Is a formal security awareness program in
      place to make all employees aware of the
      importance of cardholder data security?

      These are all basically control points/objectives
         and should be “easy” for a CPA to answer.
Your Role in Protecting Information

 NPOs must protect personal information
  –   Donors
  –   Clients/customers
  –   Employees
 NPOs must be sure that service providers
 are protecting personal information too
  –   Capital campaigns / Fundraising
  –   Donor management
  –   Financial data processing
 A breach on the part of the service provider
 is a breach of the NPO
Your Role in Protecting Information

 A Common Myth: I use a SAS 70 certified vendor, I
 don’t need to worry.
                    Wrong!!
 SAS 70 only covers the internal controls and
 operations of a service provider as it relates to
 accounting processes and financial reporting
 It does not cover operations related to non-accounting
 or non-financial-statement data
 It does not include any coverage of confidentiality
 or privacy controls
Your Role in Protecting Information

 Instead of a SAS 70 you need to request a
  –   Trust Services report that specifically covers a
      review of confidentiality and privacy
 This is available from CPA firms that have IT
 audit specialists
  –   Previously this was a very specialized area
  –   Education is being conducted to increase the
      number of CPAs trained to provide this service


 So what do I do until I can get this report?
Risk Assessment Methodology

 Inventory places in your organization with
 Personally Identifying Information (PII)
  –   Electronic Files/Databases AND Physical Files
 Identify the safeguards in place
 Identify applicable security requirements
 Determine compliance gap
 Assess risk of non-compliance
 Develop risk remediation plan
  –   Work with IT to identify and evaluate options
Generally Accepted Privacy Principles

  Provides criteria and related material for
  protecting the privacy of personal
  information
  Incorporates concepts from significant
  domestic and international privacy laws,
  regulations, and guidelines
  Used to guide and assist organizations in
  implementing privacy programs

      http://www.aicpa.org/privacy
Generally Accepted Privacy Principles

  1.   Management
  2.   Notice
  3.   Choice & Consent
  4.   Collection
  5.   Use & Retention
  6.   Access
  7.   Disclosure to Third Parties
  8.   Security for Privacy
  9.   Quality
  10.  Monitoring and Enforcement


       http://www.aicpa.org/privacy
You Must Be Proactive for Privacy!

 Identify and understand the Privacy
 Requirements that you are subject to
 Conduct a Privacy Risk Assessment
 Determine the acceptable level of risk for
 your organization
 Develop an enterprise privacy policy
 Enact an enterprise privacy program
 Get your privacy program evaluated by a
 qualified CPA and get a Trust Services
 report – use this to your advantage!
INTRAPRISETECHKNOWLOGIES LLC

       Thank you for your
   attention and participation!

          Feedback and questions are welcome
          Donny C. Shimamoto, CPA.CITP
          donny@myitk.com
          (808) 735-8324




   Any Questions or Comments?

 
IT Governance for Nonprofits
IT Governance for NonprofitsIT Governance for Nonprofits
IT Governance for NonprofitsDonny Shimamoto
 
Ten Ways to Bring IT to the Leadership Table
Ten Ways to Bring IT to the Leadership TableTen Ways to Bring IT to the Leadership Table
Ten Ways to Bring IT to the Leadership TableDonny Shimamoto
 
IT Budgeting for Not-for-Profits
IT Budgeting for Not-for-ProfitsIT Budgeting for Not-for-Profits
IT Budgeting for Not-for-ProfitsDonny Shimamoto
 
Social Media Hands-On Workshop - Sept 2010
Social Media Hands-On Workshop - Sept 2010Social Media Hands-On Workshop - Sept 2010
Social Media Hands-On Workshop - Sept 2010Donny Shimamoto
 
Using Social Media to Support Business Objectives
Using Social Media to Support Business ObjectivesUsing Social Media to Support Business Objectives
Using Social Media to Support Business ObjectivesDonny Shimamoto
 

More from Donny Shimamoto (10)

Your Path to Innovation
Your Path to InnovationYour Path to Innovation
Your Path to Innovation
 
Managing Information for Impact
Managing Information for ImpactManaging Information for Impact
Managing Information for Impact
 
Technology Strategy for Impact
Technology Strategy for ImpactTechnology Strategy for Impact
Technology Strategy for Impact
 
New Horizons for the Accountant v2.0
New Horizons for the Accountant v2.0New Horizons for the Accountant v2.0
New Horizons for the Accountant v2.0
 
Business Ethics and the Accounting Department v1.1
Business Ethics and the Accounting Department v1.1Business Ethics and the Accounting Department v1.1
Business Ethics and the Accounting Department v1.1
 
IT Governance for Nonprofits
IT Governance for NonprofitsIT Governance for Nonprofits
IT Governance for Nonprofits
 
Ten Ways to Bring IT to the Leadership Table
Ten Ways to Bring IT to the Leadership TableTen Ways to Bring IT to the Leadership Table
Ten Ways to Bring IT to the Leadership Table
 
IT Budgeting for Not-for-Profits
IT Budgeting for Not-for-ProfitsIT Budgeting for Not-for-Profits
IT Budgeting for Not-for-Profits
 
Social Media Hands-On Workshop - Sept 2010
Social Media Hands-On Workshop - Sept 2010Social Media Hands-On Workshop - Sept 2010
Social Media Hands-On Workshop - Sept 2010
 
Using Social Media to Support Business Objectives
Using Social Media to Support Business ObjectivesUsing Social Media to Support Business Objectives
Using Social Media to Support Business Objectives
 

Recently uploaded

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Leading Practices in Information Security & Privacy

  • 1. INTRAPRISETECHKNOWLOGIES LLC Leading Practices in Information Security & Privacy NTEN Nonprofit Technology Conference Atlanta, Georgia April 9, 2010 Presented by Donny C. Shimamoto, CPA.CITP
  • 2. Today’s Agenda About the Presenter About the Audience Information Risks and Losses are Increasing Information Security Requirements – ID Theft & Privacy Laws – Payment Card Industry Data Security Standard Your Role in Protecting Information – A SAS 70 is not enough – Risk Assessment Methodology – Generally Accepted Privacy Principles (GAPP)
  • 3. How Was this Session? Call In: Call 404.939.4909, Enter Code 165. Text: Text 165 to 69866. Online: Visit nten.org/ntc-eval, Enter Code 165. Session feedback powered by: Tell Us and You Could Win a Free 2011 NTC Registration!
  • 4. Donny C. Shimamoto, CPA.CITP Background & Experience BBA from University of Hawaii at Manoa – Accounting – Management Information Systems Alumni of PricewaterhouseCoopers LLP – Strategic Technology Group – Financial Audit and IT Audit – Washington Consulting Practice Founder of IntrapriseTechKnowlogies LLC – Organizational Development advisor with a focus on Business Intelligence and Performance Management – Business Process Improvement with emphasis on internal controls and technology risk management – IT Outsourcing for small and middle market organizations
  • 5. Donny C. Shimamoto, CPA.CITP Involvement, Awards, and Recognition American Institute of CPAs – Assurance Services Executive Committee (2009+) – Co-Chair, Business Intelligence Workgroup (2009+) – IT Executive Committee (2006-2009) Association of IT Professionals – Honolulu: Director (2008), Treasurer (2009), President (2010) – National: Chair, Governance Task Force (2009+), National Strategic Planning Committee (2009) Awards & Recognition – Top “40 Under 40” Accounting Professionals in the US 2007 & 2009, CPA Technology Advisor Magazine – Top High Tech Leaders in Hawaii 2004, Pacific Technology Foundation & Technology News Network
  • 6. Audience Poll #1 What part of the organization are you from? – Executive Director – Finance – IT / IS – Programs / Other Management – Staff – Vendors / Consultants
  • 7. Audience Poll #2 What size of organization are you from? – Very Large (multiple offices, geographically dispersed) – Large (multiple offices, 250+ staff) – Large (single office, 250+ staff) – Mid-sized (100 – 250 staff) – Small (<100 staff)
  • 8. Information Risks and Losses are Increasing Banking laws leave business customers vulnerable to Internet fraud – March 21, 2010 – Los Angeles Times – 32% of 500 small business owners surveyed had been victimized; >50% more than once – Federal law doesn’t protect business customers Data Theft Creates Notification Nightmare for BlueCross – March 1, 2010 – CIO.com – 57 hard drives stolen, 1M customer support calls – Which of 3M customers to notify?
  • 9. Information Risks and Losses are Increasing Wanted: Defense Against Online Bank Fraud – February 8, 2010 – Wall Street Journal – Smaller businesses rich target for hackers because the smaller banks they utilize aren’t as sophisticated in their protections Study: Hacking Passwords Easy As 123456 – January 21, 2010 – CIO.com – 2009 Data Breach Study: 30% had passwords <=6 characters 60% use limited set of alpha-numeric characters 50% use names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keys)
  • 10. Information Risks and Losses are Increasing 2009 AICPA Top Technology Initiatives Survey (http://www.aicpa.org/toptech) 1. Information Security Management 2. Privacy Management 3. Secure Data File Storage, Transmission and Exchange 4. Business Process Improvement, Workflow, and Process Exception Alerts 5. Mobile and Remote Computing
  • 11. Information Risks and Losses are Increasing 2009 AICPA Top Technology Initiatives Survey (http://www.aicpa.org/toptech) 1. Information Security Management 2. Privacy Management 3. Secure Data File Storage, Transmission and Exchange 4. Business Process Improvement, Workflow, and Process Exception Alerts 5. Mobile and Remote Computing
  • 12. Information Risks and Losses are Increasing 2008 CSI/FBI Computer Crime and Security Survey – Greatest source of financial loss Financial Fraud moved to the top in 2007 – Displaced Viruses, which had been the top category for the previous 7 years Financial Fraud stayed at the top in 2008 – Average loss per respondent: $463,100 – Other high loss areas Bots within the Organization: $345,600 Loss of customer/employee data: $268,000 Loss of proprietary information: $241,000
  • 13. Information Risks and Losses are Increasing Losses from Mobile Device risks: $8,429,150 Losses from Virus: $8,391,800 Source: 2007 CSI/FBI Computer Crime and Security Survey
  • 14. Information Risks and Losses are Increasing Losses from outsider: $6,875,000 Losses from insider: $6,802,000 Source: 2007 CSI/FBI Computer Crime and Security Survey
  • 15. Information Risks and Losses are Increasing Federal Trade Commission – ID Theft is the #1 concern of consumers contacting the FTC US Dept of Justice Statistics – ID Theft has overtaken drug trafficking 2006 Gartner Study – 28 ½ people become new victims every minute – new victim almost every 2 seconds Source: Identity Theft Resource Center
  • 16. Information Risks and Losses are Increasing Common Sources of Data Leaks – 45% Lost or stolen laptop computers – 29% Records lost by 3rd party business partners or outsourcing companies – 26% Misplaced or stolen backup files – 10% Malware programs (e.g. viruses/spyware) Source: Identity Theft Resource Center
  • 17. Information Risks and Losses are Increasing Hawaii was 25th in ID Theft instances per Capita in 2005
  • 18. Massachusetts Data Privacy Law Requirements – Written Information Security Program (WISP) Must be appropriate for the size, scope, and type of business conducted by the entity Must address administrative, technical, and physical safeguards Applies to both consumer and employee information Applies to all forms of media (paper & electronic) and the devices that contain them (laptop/phone/ext-HD) – Designated employee must be assigned to Evaluate reasonably foreseeable internal and external risks to personal information being managed
  • 19. Massachusetts Data Privacy Law Requirements – Employee training program – Monitoring of employee compliance To ensure that the WISP is operating in a manner that can be reasonably assumed to prevent unauthorized access to or use of personal information – Incident management Identification of potential incidents Assessment of breach and potential data loss Documentation of actions taken in response to breaches
  • 20. Massachusetts Data Privacy Law Additional Technical Requirements for Electronically Stored Information (ESI) – Secure authentication protocols – Control of user IDs and other identifiers – Password security – Restriction of access to personal information to active users and active user accounts Limit access to a need-to-know basis – Must encrypt personal info transmitted over public networks – Must encrypt personal info at rest on portable devices
  • 21. Massachusetts Data Privacy Law I’m not in Massachusetts; why should I care? State Privacy Laws protect the information of the residents of that state – If you have information about a state’s resident, you are often then subject to the state’s privacy law and compliance with the law The European Union and State of California also have very stringent privacy laws
  • 23. Hawaii’s ID Theft Laws Internal costs – $197 per compromised record 2007 estimate by Ponemon Institute (per Journal of Accountancy, January 2009) State penalties – Up to $2,500 for EACH violation/record Additional costs – Liability to injured parties for actual damages sustained
  • 24. Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI DSS) – Best practice security standards for protecting cardholder data – Compliance REQUIRED for “Merchants” = Companies who accept credit/debit card information (cardholder data) “Service providers” = Companies that provide services to merchants and have access to cardholder data http://www.PCISecurityStandards.org
  • 25. Payment Card Industry Data Security Standard Penalties for Non-compliance – Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies). – All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward. – Cost of re-issuing cards associated with the compromise. – Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity). From: Wells Fargo Merchant Services https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25
  • 26. Payment Card Industry Data Security Standard 6 Principles + 12 Requirements 1. Build and Maintain a Secure Network 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy http://www.PCISecurityStandards.org
  • 27. Payment Card Industry Data Security Standard Common PCI Myth #3 From: Ten Common Myths of PCI DSS © 2008 PCI Security Standards Council https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
  • 28. Payment Card Industry Data Security Standard Compliance Requirements – Level 1 = must have onsite audit performed by a QSA or internal auditor – Level 2-4 = must complete Self-Assessment Questionnaire (SAQ) SAQ Type 1 = card not present SAQ Type 2 = Imprint-only SAQ Type 3 = Stand-alone merchant terminals SAQ Type 4 = POS connected to Internet SAQ Type 5 = All others
  • 29. Payment Card Industry Data Security Standard Sample SAQ Type 3 questions: (Req 9) – Are all paper and electronic media that contain cardholder data physically secure? – Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? Is the media identified so that it can be identified as confidential? Is the media sent by secured courier or other delivery method that can be accurately tracked? – Is strict control maintained over the storage and accessibility of media that contains cardholder data?
  • 30. Payment Card Industry Data Security Standard Sample SAQ Type 3 questions: (Req 12) – Is a security policy established, published, maintained and disseminated? Is it reviewed at least once a year and updated when the environment changes? – Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security? These are all basically control points/objectives and should be “easy” for a CPA to answer.
  • 31. Your Role in Protecting Information NPOs must protect personal information – Donors – Clients/customers – Employees NPOs must be sure that service providers are protecting personal information too – Capital campaigns / Fundraising – Donor management – Financial data processing A breach on the part of the service provider is a breach of the NPO
  • 32. Your Role in Protecting Information A Common Myth: I use a SAS 70 certified vendor, so I don’t need to worry. Wrong!! SAS 70 only covers the internal controls and operations of a service provider as they relate to accounting processes and financial reporting It does not cover operations related to non-accounting/non-financial statement data It does not include any coverage of confidentiality or privacy controls
  • 33. Your Role in Protecting Information Instead of a SAS 70 you need to request a – Trust Services report that specifically covers a review of confidentiality and privacy This is available from CPA firms that have IT audit specialists – Previously this was a very specialized area – Education is being conducted to increase the number of CPAs trained to provide this service So what do I do until I can get this report?
  • 34. Risk Assessment Methodology Inventory places in your organization with Personally Identifying Information (PII) – Electronic Files/Databases AND Physical Files Identify the safeguards in place Identify applicable security requirements Determine compliance gap Assess risk of non-compliance Develop risk remediation plan – Work with IT to identify and evaluate options
  • 35. Generally Accepted Privacy Principles Provides criteria and related material for protecting the privacy of personal information Incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines Used to guide and assist organizations in implementing privacy programs http://www.aicpa.org/privacy
  • 36. Generally Accepted Privacy Principles 1. Management 2. Notice 3. Choice & Consent 4. Collection 5. Use & Retention 6. Access 7. Disclosure to Third Parties 8. Security for Privacy 9. Quality 10. Monitoring and Enforcement http://www.aicpa.org/privacy
  • 37. You Must Be Proactive for Privacy! Identify and understand the Privacy Requirements that you are subject to Conduct a Privacy Risk Assessment Determine the acceptable level of risk for your organization Develop an enterprise privacy policy Enact an enterprise privacy program Get your privacy program evaluated by a qualified CPA and get a Trust Services report – use this to your advantage!
  • 38. INTRAPRISETECHKNOWLOGIES LLC Thank you for your attention and participation! Feedback and questions are welcome Donny C. Shimamoto, CPA.CITP donny@myitk.com (808) 735-8324 Any Questions or Comments?
  • 39. How Was this Session? Call In: Call 404.939.4909, Enter Code 165. Text: Text 165 to 69866. Online: Visit nten.org/ntc-eval, Enter Code 165. Session feedback powered by: Tell Us and You Could Win a Free 2011 NTC Registration!
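The Risk Assessment Methodology on slide 34 (inventory PII, identify safeguards, apply requirements, find the gap, rank risk, plan remediation) is easier to see run end to end. The following is an added example, not the presenter's material: it walks a constructed PII inventory through those steps against the safeguards the deck lists on slide 20 (Massachusetts ESI requirements) and slide 29 (PCI SAQ Req 9), and ranks gaps using the per-record cost and penalty figures quoted on slide 23. Store names, record counts, the requirement ids and the boolean safeguard attributes are all assumptions made for the illustration.

```python
"""Added illustration (not from the deck): a small PII inventory gap assessment
that follows the slide-34 methodology and checks each store against the
safeguards the deck lists from the Massachusetts law and PCI SAQ Req 9.
Inventory, attributes, requirement ids and ranking figures are as labelled."""
from dataclasses import dataclass


@dataclass
class PiiStore:
    """One place PII lives: an electronic file/database or a physical file."""
    name: str
    medium: str                    # "electronic" or "paper"
    records: int                   # number of individuals whose PII is held
    portable: bool = False         # laptop / phone / external hard drive
    crosses_public_net: bool = False
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    need_to_know_only: bool = False
    active_accounts_only: bool = True
    physically_secured: bool = True


# Requirement catalogue: (id, description, applies_to(store), satisfied_by(store)).
# Descriptions paraphrase slide 20 (MA ESI safeguards) and slide 29 (PCI SAQ Req 9);
# the ids are made up for this example.
REQUIREMENTS = [
    ("MA-ENC-TRANSIT", "Encrypt personal info transmitted over public networks",
     lambda s: s.medium == "electronic" and s.crosses_public_net,
     lambda s: s.encrypted_in_transit),
    ("MA-ENC-PORTABLE", "Encrypt personal info at rest on portable devices",
     lambda s: s.medium == "electronic" and s.portable,
     lambda s: s.encrypted_at_rest),
    ("MA-ACCESS", "Restrict access to active users/accounts on a need-to-know basis",
     lambda s: s.medium == "electronic",
     lambda s: s.need_to_know_only and s.active_accounts_only),
    ("PCI-REQ9-PHYS", "Paper and electronic media holding the data are physically secure",
     lambda s: True,
     lambda s: s.physically_secured),
]

# Per-record figures quoted on slide 23 (Ponemon 2007 internal cost; Hawaii
# statutory maximum per violation/record). Used here only to rank remediation.
INTERNAL_COST_PER_RECORD = 197
MAX_PENALTY_PER_RECORD = 2_500


def find_gaps(stores):
    """Steps 2-5 of the methodology: identify safeguards, apply the requirements,
    determine the compliance gap and rank it by worst-case exposure."""
    gaps = []
    for s in stores:
        for req_id, desc, applies, satisfied in REQUIREMENTS:
            if applies(s) and not satisfied(s):
                gaps.append({
                    "store": s.name,
                    "requirement": req_id,
                    "description": desc,
                    "records": s.records,
                    "max_exposure_usd": s.records
                    * (INTERNAL_COST_PER_RECORD + MAX_PENALTY_PER_RECORD),
                })
    # Highest exposure first; ties broken by store name for stable output.
    return sorted(gaps, key=lambda g: (-g["max_exposure_usd"], g["store"]))


def remediation_plan(stores):
    """Step 6: one ordered work item per gap, to take to IT for options."""
    return [f"{i}. {g['store']}: {g['description']} "
            f"(~{g['records']:,} records, up to ${g['max_exposure_usd']:,})"
            for i, g in enumerate(find_gaps(stores), 1)]


# Constructed sample inventory for a fictional nonprofit (step 1: inventory PII,
# electronic files/databases AND physical files).
SAMPLE_INVENTORY = [
    PiiStore("Donor CRM (hosted)", "electronic", 12_000, crosses_public_net=True,
             encrypted_in_transit=True, need_to_know_only=False),
    PiiStore("Fundraising laptop export", "electronic", 3_500, portable=True,
             encrypted_at_rest=False, need_to_know_only=True),
    PiiStore("Paper pledge cards (front desk)", "paper", 800, physically_secured=False),
    PiiStore("Payroll transfer to provider", "electronic", 45, crosses_public_net=True,
             encrypted_in_transit=True, need_to_know_only=True),
]

if __name__ == "__main__":
    for line in remediation_plan(SAMPLE_INVENTORY):
        print(line)
```

The payroll transfer in the sample produces no gap because it is encrypted in transit and access-restricted, while the hosted CRM ranks first purely on record count even though its only gap is an access-control one; that is the point of ranking by exposure before talking to IT about options.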