Slide1
360° of IT Compliance
Slide2
Threats & Countermeasures
Mark Jennings
SymQuest Group, Inc.
Mjennings@symquest.com
Slide3
What is Compliance?
From a business perspective, compliance is simply the act of meeting the standards associated with regulatory requirements within your industry.
Compliance within these regulations typically extends beyond the handling of digital data.
Compliance is really about being a responsible custodian of Protected information.
Slide4
Protected Information
Examples of Personally Identifiable Information (PII)
Name
Address
Phone numbers
Fax Numbers
Email addresses
Social Security Numbers
Date of Birth
Medical Record Numbers
Health Plan ID Numbers
Dates of Treatment
Account Numbers
License Numbers
Vehicle Identifiers
IP addresses
Biometric Identifiers (fingerprints, retinal scans, etc.)
Full face photos
Slide5
Recent Incidents
Target
40 Million debit and credit cards exposed
$67M settlement
Damaged Target’s reputation
CEO resigned
Sony Pictures
Email stolen and leaked
Digital content stolen
Computers disabled
U.S. Office of Personnel Management
Over 18 Million Employee records stolen
Director resigns
Slide6
Ramifications of a Breach
HIPAA
Potential fines - $50,000 per violation up to $1.5M
Potential Jail sentences – Up to 10 years
Inclusion on HHS “Wall of Shame”
PCI
Fines
Monetary settlements with card services providers
Suspension of Card Services
Slide7
THREATS
Slide8
External Cyber Attack
Direct attempt to infiltrate a company or organization
Distributed Denial of Service (DDoS) Attack
Broadcast Viruses and Worms
Source: Akamai Technologies
Slide9
Internal Security Breaches
The Disgruntled Employee
The “Entrepreneurial” Employee
The Curious Employee
Slide10
Social Engineering
Social Engineering takes advantage of an employee’s willingness to trust, desire to be helpful, or simply their ignorance.
Examples of Social Engineering
Impersonating IT
Very convincing but rogue emails
The old “Lost USB stick” trick
Slide11
Mobile Computing
The rise of laptops, tablets, and smartphones
The desire to work from anywhere
The “Bring your own Device” (BYOD) trend
Problems
How secure is the data on the mobile device?
What other applications are in use on the device?
Can you control the flow of corporate data on those devices?
Can you control the protection of those devices (antivirus, anti-malware, web filtering)?
Are these devices using public wifi and, if so, are your employees protecting those communications properly?
Slide12
Untrained Employees
Most of the threats above can be magnified by employees that are not aware of the threats.
Employees are not aware of the security protocols
Employees are not aware of the warning signs
Employees are not aware of the regulations
Slide13
System Failure
A system failure can create multiple problems
Inability to service clients, customers, or patients
Recovery time
Data Loss
Slide14
Catastrophic Event
In the event of a major disaster are you prepared to resume business in a reasonable timeframe?
Can you recover your data?
What is your plan?
Are your employees (or at least your managers) aware of the plan?
Slide15
COUNTERMEASURES
Slide16
Countermeasures for Compliance
Many of the regulatory standards require implementation of countermeasures for each of these threats
In some cases these are specific requirements
In other cases the requirements are broad
Examples
The HIPAA Security Rule includes “required” requirements and “addressable” requirements
PCI may require different levels of auditing based on the volume or type of credit card transactions
Slide17
Countermeasure Concepts
Layered Security Model
Each threat can occur at various “layers” within the network
Make sure that you have adequate controls at each layer to thwart particular threats:
Email Filtering
Web filtering
Firewall
Network Access Control/Wireless Security
Network Security monitoring
Operating system security patches
Anti Virus/Anti Malware
Application Security Patches
Employee Education
Slide18
Countermeasures for External Cyber Attacks
Reduce your public “footprint”
Employ email filtering
Employ web filtering
Slide19
Countermeasures for Internal Security Breaches
Review your internal security practices
Know where information is stored and who has access to it
Maintain an audit trail
Slide20
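"Know where information is stored and who has access to it" starts with finding the Protected Information from the earlier slide. The following is an added example, not part of the original presentation or any SymQuest tooling: a small scanner that walks a set of documents (constructed sample files embedded inline) and counts the PII types it finds, using a Luhn check to confirm candidate card numbers so that random digit strings are not reported. The patterns and sample contents are assumptions for the demo, not an exhaustive PII taxonomy.

```python
import re
from collections import Counter

# Constructed sample "files" standing in for a file-share walk or database export.
SAMPLE_FILES = {
    "hr/onboarding.txt": (
        "New hire: Jane Doe, SSN 123-45-6789, email jane.doe@example.com, "
        "phone (802) 555-0123"
    ),
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "eng/readme.txt": "Build with make; see docs. Version 2.4.1 released 2015-01-01.",
}

# Patterns for a few of the PII types named on the Protected Information slide.
PATTERNS = {
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    # Candidate card numbers: 13-19 digits with optional space/dash separators,
    # confirmed by the Luhn check below to cut false positives.
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (the PCI-relevant data type)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count PII matches by type in one document."""
    found = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue
            found[kind] += 1
    return found


def scan_files(files: dict) -> dict:
    """Map each path that holds PII to its per-type counts; clean files are omitted."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = dict(hits)
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {hits}")
```

The report only records counts and locations, never the matched values, so the inventory itself does not become another copy of the protected data. Feeding it the output of a directory walk gives the "where is it stored" half of the answer; the "who has access" half comes from reading the ACLs on the paths the report lists.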
Countermeasures for Social Engineering
Establish policies and procedures
Never give out your password to ANYONE.
Verify the identity of anyone attempting to perform a transaction with you.
Acceptable Use Policies
Implement employee identifiers
Badges
Name tags
Employee training
Educate employees on the policies and procedures
Provide training on the fundamentals of safe computing
Slide21
Countermeasures for Mobile Computing
Employ Mobile Device Management (MDM)
Employ 2-factor authentication
Ensure mobile users are using encrypted means to communicate with the organization
Ensure data is encrypted on the local device
Slide22
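"Employ 2-factor authentication" on the slide above is most often a time-based one-time code from an app on the phone. The following is an added example and not code from the presentation: the server-side half of that second factor, TOTP as defined in RFC 6238 on top of HOTP from RFC 4226, including the pieces that are easy to get wrong (a bounded clock-drift window, refusal of a code whose time step was already accepted, constant-time comparison). The key is the RFC's published test-vector key so the sample codes can be checked; a real enrollment generates a fresh random key per user.

```python
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test-vector key, used here only so the sample codes are checkable.
# A real enrollment stores a fresh random key per user (see new_secret).
DEMO_SECRET = b"12345678901234567890"


def new_secret() -> bytes:
    """Key to enroll in the user's authenticator app (20 bytes for HMAC-SHA1)."""
    return secrets.token_bytes(20)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 of the big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time // step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time=None,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check of a submitted code. Returns the matched time-step counter
    (persist it as last_used_counter for that user) or None.
      - window: time steps of clock drift tolerated either side of now
      - last_used_counter: counters at or below it are refused, so a code cannot be replayed
      - hmac.compare_digest: constant-time comparison of the codes
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    if at_time is None:
        at_time = time.time()
    base = int(at_time) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    print("current demo code:", totp(DEMO_SECRET, time.time()))
```

The counter returned by verify_totp must be stored and passed back as last_used_counter on the next attempt; without that, a code captured during its 30-second window (plus drift) can be reused, which defeats the second factor. Rate-limit attempts as well, since a six-digit code is brute-forceable if guesses are unlimited.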
Countermeasures for Untrained Employees
Never divulge your password…to anyone
Lock your screen when you are away from your PC
Scrutinize the email addresses of senders
Do not open emails from people you do not know
Be very careful clicking on hyperlinks embedded in emails
Use a PIN to access your smartphone or tablet
Never leave your laptop, smartphone, or tablet unattended in a public space
Report the loss of a laptop, smartphone, or tablet immediately
Be wary of public wifi
Report any security incident (email scam, suspicious behavior, etc.) to your IT administrator immediately
Top Ten Things your employees should know about safe computing
Slide23
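"Scrutinize the email addresses of senders" is the one item on the list above that a mail gateway can do on the employee's behalf. The following is an added example, not from the presentation: a triage routine that parses a From: header and flags the three patterns an employee is being trained to spot, a display name that borrows the organization's name while the address is elsewhere, the organization's name embedded inside a different domain, and a one-character or lookalike-character misspelling of the real domain. The trusted domain is taken from the presenter's address; the sample headers and the "suspicious"/"external" labels are constructed for the demo.

```python
from email.utils import parseaddr

# Domains this organization legitimately sends from (constructed from the presenter's address).
TRUSTED_DOMAINS = {"symquest.com"}

# Characters commonly swapped for visually similar ones in spoofed domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Normalize a domain so visually similar spellings compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one-character typo of a trusted domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, external, or suspicious (with reasons)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # The trusted domain itself, or a subdomain of it, is fine.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return {"address": addr, "verdict": "trusted", "reasons": []}
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower():
            reasons.append(f"display name uses trusted brand '{brand}'")
        if brand in domain:
            reasons.append(f"trusted brand '{brand}' inside untrusted domain")
        elif skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 1:
            reasons.append(f"domain is a lookalike of {trusted}")
    verdict = "suspicious" if reasons else "external"
    return {"address": addr, "verdict": verdict, "reasons": reasons}


# Constructed sample headers for the demo.
SAMPLE_HEADERS = [
    '"Mark Jennings" <mjennings@symquest.com>',
    '"SymQuest IT Support" <helpdesk@symquest-support.example>',
    '"IT Department" <it@symquest.com.login-example.net>',
    '"Payroll Team" <payroll@symqvest.com>',
    '"Bob" <bob@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = assess_sender(header)
        print(result["verdict"], result["address"], result["reasons"])
```

Tagging "suspicious" mail in the subject line, or quarantining it, turns the slide's advice into a control that does not depend on every employee noticing the misspelling; "external" mail is simply unknown and is where the training still matters.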
Countermeasures for System Failure
Redundant System Design
Recovery server
Virtualization with redundant hosts and shared storage
Good backup strategy
Practice the 3-2-1 Rule
Slide24
Countermeasures for Catastrophic Disaster
Develop a plan
Determine your Recovery Time Objective (RTO)
Determine your Recovery Point Objective (RPO)
Plan your recovery strategy in accordance with your RTO/RPO
Document the plan
Communicate the plan
Exercise the plan
Slide25
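The two slides above, the 3-2-1 backup rule and planning recovery against RTO/RPO, are easiest to reason about together, because a backup inventory can satisfy 3-2-1 and still miss the objectives for a site loss. The following is an added example and not from the presentation: it checks a constructed inventory of copies of one system against the 3-2-1 rule, then tests two scenarios, a local failure (every backup usable) and loss of the primary site (only off-site copies usable), reporting the data loss and restore time each scenario implies against hypothetical RPO/RTO values. Copy names, ages and restore times are all constructed.

```python
from datetime import datetime, timedelta

# Constructed objectives and "current time" for this walkthrough (hypothetical values).
RPO = timedelta(hours=4)   # Recovery Point Objective: tolerable data loss
RTO = timedelta(hours=8)   # Recovery Time Objective: tolerable downtime
NOW = datetime(2016, 3, 1, 12, 0)

# Constructed inventory of every copy of one system's data. The live system counts as a
# copy for the 3-2-1 rule; each backup records when it last completed and how long a
# restore from it takes.
COPIES = [
    {"name": "production", "role": "production", "media": "disk", "offsite": False,
     "last_success": NOW, "restore_time": timedelta(0)},
    {"name": "backup-appliance", "role": "backup", "media": "disk", "offsite": False,
     "last_success": NOW - timedelta(hours=3), "restore_time": timedelta(hours=2)},
    {"name": "replica-dc2", "role": "backup", "media": "disk", "offsite": True,
     "last_success": NOW - timedelta(hours=6), "restore_time": timedelta(hours=4)},
    {"name": "weekly-tape", "role": "backup", "media": "tape", "offsite": True,
     "last_success": NOW - timedelta(days=5), "restore_time": timedelta(hours=36)},
]


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def check_321(copies: list) -> dict:
    """3-2-1 rule: at least 3 copies, on 2 different media types, with 1 off-site."""
    media = {c["media"] for c in copies}
    offsite = [c["name"] for c in copies if c["offsite"]]
    return {
        "copies": len(copies),
        "media_types": len(media),
        "offsite_copies": len(offsite),
        "ok": len(copies) >= 3 and len(media) >= 2 and len(offsite) >= 1,
    }


def assess_scenario(available: list, now: datetime, rpo: timedelta, rto: timedelta) -> dict:
    """For the copies that survive a scenario, compare data loss and restore time
    against RPO/RTO and pick the fastest copy that satisfies both, if any."""
    if not available:
        return {"newest_copy": None, "data_loss_hours": None, "meets_rpo": False,
                "fastest_copy": None, "restore_hours": None, "meets_rto": False,
                "viable_copy": None}
    newest = max(available, key=lambda c: c["last_success"])
    fastest = min(available, key=lambda c: c["restore_time"])
    data_loss = now - newest["last_success"]
    viable = [c for c in available
              if now - c["last_success"] <= rpo and c["restore_time"] <= rto]
    best = min(viable, key=lambda c: c["restore_time"]) if viable else None
    return {
        "newest_copy": newest["name"],
        "data_loss_hours": hours(data_loss),
        "meets_rpo": data_loss <= rpo,
        "fastest_copy": fastest["name"],
        "restore_hours": hours(fastest["restore_time"]),
        "meets_rto": fastest["restore_time"] <= rto,
        "viable_copy": best["name"] if best else None,
    }


def assess_plan(copies: list, now: datetime, rpo: timedelta, rto: timedelta) -> dict:
    """Check 3-2-1, then a local failure (all backups usable) and a primary-site loss
    (only off-site copies usable)."""
    backups = [c for c in copies if c["role"] == "backup"]
    offsite = [c for c in backups if c["offsite"]]
    return {
        "three_two_one": check_321(copies),
        "local_failure": assess_scenario(backups, now, rpo, rto),
        "site_loss": assess_scenario(offsite, now, rpo, rto),
    }


if __name__ == "__main__":
    for section, result in assess_plan(COPIES, NOW, RPO, RTO).items():
        print(section, result)
```

With these constructed numbers the inventory passes 3-2-1 and the local-failure case is covered by the appliance, but the site-loss case fails the 4-hour RPO because the off-site replica is 6 hours behind: the plan step "in accordance with your RTO/RPO" means either replicating more often or accepting a larger RPO for that scenario, and "exercise the plan" is what confirms the restore-time estimates are real.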
Cloud Options
Software as a Service (SaaS) systems
Only the specific software and data is hosted by provider
Data contained within hosted software system is protected by provider
Difficult to integrate with other systems
Infrastructure as a Service (IaaS)
Entire systems are hosted within vendor’s data center
All data within the hosted systems (excluding mobile devices) is protected by provider
Typically requires IT expertise in house to manage
IaaS with a Managed Service Provider (MSP)
All systems are hosted within vendor’s data center
Mobile devices and end user support is managed by the MSP
Slide26
Advantages of the Cloud
Systems are maintained by IT professionals
Systems implemented using industry standard best practices
Systems run on enterprise-class equipment
Systems are hosted in enterprise class facilities
Air handling
Battery backup
Redundant communications lines
Generators
Physical Security
Systems (should be) Redundant
Redundant data centers
Systems are protected by Multilayered Security
Slide27
The SymQuest Cloud
Two completely redundant and replicated data centers in South Burlington, VT and Portland, Maine
Hosted clients receive a completely segregated Virtual Network with dedicated virtual servers and an independent firewall
Full service management of hosted servers and workstations
Backup
Patching
Replication
AV/AM
Management of on-premises equipment
99.9% uptime Service Level Agreement
Compliance assistance
SymQuest will provide documentation to auditors upon request to assist you in proving compliance
Slide28
Final Thoughts
Security and compliance is a complex topic
The IT industry is only going to become more complex
The use of managed IT services, either on premises or in the cloud, does not absolve an organization of its regulatory responsibilities, but it does ensure that trained and dedicated professionals are in charge of that aspect of the business.
In the event of an audit, an IT managed service provider should be able to assist you in proving compliance.
Having a professional managed services team should put the organization in a better position to defend against common threats, however… there is no 100%.
Slide29
THANK YOU
Mark Jennings
Director of Sales | Network Solutions
mjennings@SymQuest.com
(802)-658-9836
Let’s Connect