Strategies & Tactics for Data Security. Panel Discussion: David Lewis (OperationsInc), Patrick Manzo (Monster), Steve Roosa (Holland & Knight), Andy Hibel (HigherEdJobs). 2015 IAEWS Fall Congress.
Slide 1
Strategies & Tactics for Data Security
Panel Discussion: David Lewis, OperationsInc; Patrick Manzo, Monster; Steve Roosa, Holland & Knight; Andy Hibel, HigherEdJobs
2015 IAEWS Fall Congress

Slide 2
Data Security?

Slide 3
2015 MasterCard Security Survey

Concerned About:
  Being Pickpocketed                                       46%
  Home Being Robbed                                        59%
  Email Being Hacked                                       62%
  Financial Info Stolen                                    77%

Behaviors:
  Check Financial Info on Public Networks                  39%
  "Rarely if at All" Change Passwords for Financial Info   46%

Slide 4
Naked . . . But Secure . . .
55% of Americans Would Rather Have Naked Pictures Leaked Than Their Financial Data

Slide 5
Matter of Trust

Slide 6
Distinguishing Security v. Privacy

Slide 7
Privacy Issues: Intentional Collection, Use, and Sharing

Privacy involves the consequences of the collection, use, and sharing of data (especially personally identifiable information) with:
  Advertisers and marketing companies
  Analytics companies
  Hosted solutions
  Social network functions
  3rd party service providers
  Other users
  Other businesses
  Data brokers

Slide 8
Security Issues: When Things Break

Unintended or unauthorized access/disclosure:
  Malware
  Stolen passwords
  Exploits of vulnerabilities (e.g., Heartbleed)
  Insider data theft
  Remote hacks and network intrusion
  Injection attacks against databases

Slide 9
Technical Safeguards, Protections, Countermeasures
  Intrusion detection systems
  Logging
  Firewalls
  2FA (two-factor authentication)
  Anti-virus
  Sanitizing database inputs
  Encryption in transit
  Encryption at rest
  Secure coding practices

Slide 10
Incident Response Plans
  Train on them
  Update them
  Must be short enough to be actionable
  Communications should maintain privilege
  Involve: Legal, PR, and Information Security
  Have breach counsel and response vendor vetted and selected in advance

Slide 11
The Cloud…

Slide 12
Cloud Services
  Determine whether you can even use a cloud solution, based on your legal requirements.
  If you don't encrypt data before it is sent to the cloud, the cloud provider technically has physical access to the data.
  Have your security team compare the security procedures you follow internally to those of the cloud provider, and identify any shortcomings on the provider's part.
  Push back against cloud providers on terms.
  AWS v. Azure
  Begin with the end in mind: intercloud transition.
Slide 13
Managing 3rd Party Risk
  Contractual constraints
  Indemnity
  Right to audit
  Insurance requirements
  Reps and warranties
  Incident response provisions
  Static code analysis for 3rd party vulnerabilities
  Compliance with OWASP ASVS Level 2 (see next slide)
  Other due diligence

Slide 14
OWASP's Standards Are Excellent (Open Web Application Security Project)
ASVS: Application Security Verification Standard Project
The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.
https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf

Slide 15
(no text on this slide)

Slide 16
(no text on this slide)

Slide 17
Conclusion - Contact Info

Write Down Something You Will Do As a First Step

David Lewis, OperationsInc: dlewis@operationsinc.com
Patrick Manzo, Monster: Patrick.Manzo@monster.com
Steve Roosa, Holland & Knight: steven.roosa@hklaw.com
Andy Hibel, HigherEdJobs: ahibel@higheredjobs.com