Security Awareness Executive Summary - PowerPoint PPT Presentation

1 / 10
About This Presentation
Title:

Security Awareness Executive Summary

Description:

Why are privacy, security and compliance important? ... detection/prevention systems, anti-virus/anti-spyware, and network vulnerability ... – PowerPoint PPT presentation

Number of Views:1021
Avg rating:3.0/5.0
Slides: 11
Provided by: reed155
Category:

less

Transcript and Presenter's Notes

Title: Security Awareness Executive Summary


1
Privacy, Security and Compliance Have a
Framework/Plan Carol A. DiBattisteSenior Vice
PresidentPrivacy, Security, Compliance and
Government AffairsLexisNexis Group
2
Overview
  • Why are privacy, security and compliance
    important?
  • Information security breaches are a global,
    industry-wide problem affecting
  • Government/Military
  • Educational Institutions
  • Health Care
  • Banking/Credit/Financial Services
  • Businesses
  • Non Profits
  • A strong privacy, information security, and
    compliance framework into an organization will
    positively impact
  • Brand
  • Market share
  • Risk mitigation
  • Customers
  • Employees
  • Consumers
  • Shareholders
  • Stakeholders
  • Investors
  • Bottom line/top line

1
3
Getting Started
  • Make it part of your business model
  • Scale your program
  • Put your framework in writing
  • Things to consider
  • Inventory information assets with personally
    identifiable information
  • Data security
  • Credentialing
  • Policies, standards and guidelines
  • Audit and compliance
  • Corporate accountability
  • Education, outreach and
  • transparency

2
4
Creating Your Framework
  • Holistic framework, encompassing
  • People
  • Process
  • Technical management
  • Standards based
  • Industry security standards (ISO 27002)
  • Proprietary customer credentialing criteria
  • Process driven
  • Quarterly application inventory
  • Risk assessments
  • Customer verifications/credentialing program
  • Audit program (Internal and third party)
  • Key ISO 27002 Control Objectives
  • Security Policy
  • Organizing Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and
    Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

3
5
Plan Elements Data Security
  • Steps you can take
  • Inventory PII/SPII
  • Update the inventory on a regular basis
  • Codify the collection, use and dissemination of
    PII/SPII in policies
  • Remove or truncate SPII when possible
  • Implement controls for the electronic
    transmission of SPII
  • Restrict/limit third party access to data
  • Create a Risk Management Control Framework
  • Utilize technology solutions, such as
  • IP Restrictions on customer access
  • Back-end anomalous activity detection
  • Network security controls, such as firewalls,
    intrusion detection/prevention systems,
    anti-virus/anti-spyware, and network
    vulnerability assessments
  • Application vulnerability assessments
  • Encryption of sensitive data in transit and at
    rest (where applicable)
  • Password assessments

4
6
Plan Elements Credentialing
  • Employees
  • Criminal
  • SSN verification
  • Education verification
  • Previous employment
  • Re-credentialing
  • Vendors
  • Credentialing questionnaire with scoring
  • Strong privacy/security safeguards
  • Contractual provisions
  • Re-credentialing
  • Customers
  • Centralized credentialing process
  • Proprietary checklist/process of verification
  • Internal and external verification
  • Scoring and review
  • Site visits and site visit scoring process

5
7
Plan Elements Policies
  • Policies, standards and guidelines should
    address
  • Data access
  • Protection
  • Transport
  • Restriction
  • Review and update
  • Key Policies
  • Privacy
  • Incident Response
  • Information Security
  • Physical Security
  • Audit and Compliance
  • Code of Conduct
  • Retention
  • Deletion
  • Classification
  • Credentialing and re-credentialing
  • Public Representations
  • Third Party Service Provider
  • Breach Notification
  • Web site privacy

6
8
Plan Elements Audit Compliance
  • Self regulate through audit and compliance
  • In-house audits
  • Customer
  • Consumer sampling
  • Policies
  • Regulatory compliance
  • Random
  • Reseller
  • Event-driven
  • Suspicious activity
  • Independent assessments
  • Third-party audits
  • Internal access to
  • Regulated data
  • Information systems
  • Administration tools
  • IP monitoring
  • Phishing log monitoring
  • Administrator verification
  • Hot list
  • Employee badge display
  • Public records menu compliance

7
9
Plan Elements Corporate Accountability
  • Establish an organization to oversee privacy,
    security and compliance
  • Establish a corporate governance model
  • Infuse participation and accountability at all
    levels
  • Create committees and working groups, such as
  • Senior Management Committee
  • Security Review Board
  • Security Working Group
  • Credentialing Working Group
  • Risk and Emerging Areas Working Group
  • Policy Working Group
  • International Working Group
  • Maintain applicable certifications for employees
    (CISM/CIPP)

8
10
Plan Elements Education, Outreach and
Transparency
  • Establish mandatory privacy and security training
    program with assessment
  • Distribute privacy and security-related reminders
    and updates
  • Establish an office or officer for Consumer
    Advocacy
  • Build relationships with privacy advocates,
    government, education institutions, consumers and
    customers
  • Institute a program to notify stakeholders of
    privacy/security-related announcements
  • Maintain hotlines for customers/consumers
  • Partner with privacy and security organizations
  • Establish liaison with law enforcement

9
Write a Comment
User Comments (0)
About PowerShow.com