Data Security - United Way Conferences Site

Report
How Secure Is Your Data?
Financial Management and Human Resources Forum
Atlanta – October 7, 2013
Data Security – Essential for Trust
Robert E. Berdelle
2013 Finance and HR Forum
Brian A. Gallagher
3
Atlanta
October 7, 2013
The Speed of Trust by Stephen M R Covey
The 5 Waves of Trust
 Self Trust
 Relationship Trust
 Organizational Trust
 Market Trust
 Societal Trust
Trust begins with each of us personally, continues to our
relationships, expands to our organizations, extends into our
marketplace relationships and encompasses our global society at
large. To build trust with others, we must first start with ourselves.
4
Atlanta
October 7, 2013
The Speed of Trust
CHARACTER
COMPETENCE
• Integrity: honesty, walking
your talk, ethics
• Capabilities: talents, skills,
knowledge to produce
results
• Intent: motives, agendas,
mutual benefit
5
Atlanta
October 7, 2013
• Results: track record,
performance, getting the
right things done
U.S.
Trust Trends
– United
Way, Red Cross,
Organizational
Metric
- Trust
Salvation Army, and the Charitable Sector
95%
85%
75%
65%
55%
45%
35%
United Way
Charitable Organizations
Red Cross
Salvation Army
U.S. NGO's (Edelman's Trust Barometer)
2001
36%
2002
79%
82%
86%
93%
41%
2003
75%
84%
84%
92%
49%
2004
77%
86%
89%
91%
47%
2005
76%
82%
85%
92%
55%
2006
79%
83%
86%
92%
54%
2007
75%
79%
85%
89%
57%
2008
81%
83%
88%
90%
63%
2009
71%
71%
89%
90%
45%
2010
70%
74%
89%
90%
63%
2011
69%
70%
86%
90%
55%
2012
70%
74%
89%
89%
58%
Tracker: Q. For the next list of charitable organizations that I read, I would like you to tell me how much trust you have in the
organization to accomplish what they say they will do. (Top 2 Box, 4-point scale, General Population, age 18+)
Edelman: Q. Below is a list of institutions. For each one, please indicate how much you trust that institution to do what is right using a 9point scale where one means that you “do not trust them at all” and nine means that you “trust them a great deal”. (NGOs, Top 4
Box, Informed Publics ages 25-64)
6
Atlanta
October 7, 2013
6
Data Security - Essential for Trust
•
United Way Strategy – Enhance Corporate and Individual
Engagement
 More personal donor information is essential
 Companies require employee information to be secure and
confidential
 Imperative for United Ways to competently handle donor information
•
Two United Way Initiatives:
1)
2)
7
Atlanta
UWW data security assessment

Engaged Clifton Larson Allen

Controls review and penetration/vulnerability testing

Recommend corrective actions
FIC initiative to create best practices document for UW network
October 7, 2013
United Way Worldwide
Financial Issues Committee (FIC)
Data Security Update
Financial Management and Human Resources Forum
Atlanta – October 7, 2013
What Led to the Work?
FIC Meeting – New Orleans March 2013
 As United Ways, we want more information about our donors
– are we being proactive enough to show the companies we
are going to “secure” it?
 Companies who are running our United Way campaigns are
asking what steps are being taken to secure their employee
information
 Higher expectations/demand for protection of personal
information (not just credit card information – PCI
Compliance)
9
Atlanta
October 7, 2013
Scope of Project
Document Structure
 Best Practice Not a Policy
 What Information Is At Risk?
10
Atlanta
October 7, 2013
Scope of Project (cont.)
Table of Contents – DRAFT
 Executive Summary – Donor Expectations and Trust
 What Information Is At Risk?
o
Information Protected by Federal and State Laws (US focused)
o
Constituent Information
o
United Way (Local or Worldwide) Information
o
Information Governed by Contracts, Grants, etc., with Companies/Agencies
 Risk Assessment
11
Atlanta
o
Physical Data Center
o
Access to Local Information
o
Third Party Service Providers
o
Storage Media
o
PCI Compliance
October 7, 2013
Scope of Project (cont.)
Table of Contents – DRAFT
 Internal Controls to Mitigate Risks
o
Limiting Access to Information
o
Encryption
o
Internal Controls
o
Antivirus Deployment
o
Employee Onboarding/Offboarding Policy
o
Mobile Devices
 Other Risk Management Issues
12
Atlanta
o
Insurance
o
Response to an Information Breach
o
Security Awareness Training
o
Security Review Plan
o
Incident Response Plan
October 7, 2013
Scope of Project (cont.)
Table of Contents – DRAFT
 Other Risk Management Issues (cont.)
o
IT Policies and Procedures Document
o
Network Diagram and Documentation
o
Business Continuity/Disaster Recovery Plan
 Assessment Tools
o
Self-Assessment Questionnaire
o
Performance Matrix
o
Resources
 Appendix
o
13
Atlanta
Sample Polices
October 7, 2013
Team Assigned
 Finance Professionals
o
Amy Maziarka, Co-Chair, United Way of the Greater Chippewa Valley
o
Mark Erickson, Co-Chair, United Way of Palm Beach County
o
Ray Berry, United Way of Pioneer Valley
o
Kathy Doty, United Way of Greater Toledo
o
Patricia Latimore, United Way of Massachusetts Bay & Merrimack Valley
o
Darren Minks, United Way of the Plains
o
Taryn Vidovich, Orange County United Way
 IT Professionals
14
Atlanta
o
Chris Keightley, United Way Worldwide
o
Michael Parker, United Way for Southeastern Michigan
o
Chris Reese, Orange County United Way
o
Javier Torner, CSU San Bernardino
o
Brian Weber, United Way Worldwide
October 7, 2013
©2012 CliftonLarsonAllen LLP
Data Security Awareness
Presentation
Gil Bohene CISA, CRISC, CISM – Partner
Laura Faulkner - Senior IT Consultant,
CliftonLarsonAllen, LLP
Atlanta
1515
October 7, 2013
©2012 CliftonLarsonAllen LLP
General Control Reviews
•
Information Technology General Control Review (IT GCR):
– An IT General Controls Review is focused on processes that support the proper
management of information technology assets and the protection of information
from a best practices perspective
•
Benefits:
– Provide an overview of the operating environment including locations, contacts,
personnel resources, services, business processes, application systems and
technical infrastructure.
– Identify IT control weaknesses and breakdowns i.e. perform gap analysis for
desired controls
– Improve overall IT infrastructure
•
Deliverable:
– Detailed GCR report that contains specific finding and recommended
remediation for one aspect of application access controls including assignment of
risk, priority, and level of effort.
16
©2012 CliftonLarsonAllen LLP
Technical IT Services
•
Internal Vulnerability Assessments (IVA):
– The Internal Vulnerability Assessment will be a technical evaluation of the key
devices (file servers, mail servers, production servers, routers, switches, etc.) that
reside on your trusted business networkPromotes deeper knowledge of the client’s
business.
•
External Penetration Testing (EPT):
– The External Network Penetration Test is designed to aggressively test your
network perimeter to identify exposure to security breaches from outside your
network.
•
Deliverable:
– Our deliverable report will provide your network administrators with detailed
recommendations for how to address specific findings and harden IT infrastructure.
– Identify potential vulnerabilities inside/outside the network that might be used to:
– Gain unauthorized access to sensitive confidential information.
– Modify or destroy data.
– Operate trusted business systems for non-business purposes.
17
©2012 CliftonLarsonAllen LLP
IT General Control Approach
• Approach and execution
– Interview key staff
– Review documentation
– Observe current processes and testing controls within the organization.
• Scope – 10 Key Information Technology domains were assessed
–
–
–
–
–
–
–
–
–
–
18
Governance controls
Server controls
Network controls
Software controls
Application controls
Workstations
User Access controls
Business Continuity Planning (BCP)
Disaster Recovery Planning (DRP)
Physical Security & Environmental controls
©2012 CliftonLarsonAllen LLP
General Control Reviews - Scope
19
©2012 CliftonLarsonAllen LLP
Internal Vulnerability Assessment Approach
• Approach and execution - Based on two (2) phases:
1. Penetration Testing – based on limited access, we apply hacker like
tools and techniques
2. Configuration auditing - validates the issues identified during the first
phase and further tests system configurations
• Scope – 3 Information Technology domains are
assessed
◊ Authentication
◊ Patch management
◊ Configuration
20
©2012 CliftonLarsonAllen LLP
External Penetration Testing Approach
• Approach and execution - Based on four (4) phases:
1.
2.
3.
4.
Discovery– find your “entry” points
Reconnaissance- gather specifics about the systems
Scanning- locate potential vulnerabilities that would allow access
Penetrate- try to gain access by exploiting the vulnerabilities
• Scope – 3 Information Technology domains are
assessed
◊ Authentication
◊ Patch Management
◊ Configuration
21
©2012 CliftonLarsonAllen LLP
What does this mean for your Organization?
• You’re only as strong as your weakest link
– Employees
– Vendors
– Customers/Donors
• Have an ongoing discussion about RISK
–
–
–
–
22
Review your controls
Identify weaknesses
Secure what you can
Knowledge is key
©2012 CliftonLarsonAllen LLP
Best Practices to consider…
• Access Control
– Assign access permissions based on the theory of least privilege
– Segregation of duties
• Assign user accountability
– Limit generic or shared accounts
• Implement strong password policies
–
–
–
–
–
23
Minimum 8 characters
24 passwords remembered i.e. no re-use of last 24 passwords
Expiration of 90 days
Complexity enabled
Lockout policy
©2012 CliftonLarsonAllen LLP
Best Practices, etc.
• Vendor Management
– Identify your critical vendors
– Assign risk
– Perform due diligence
• Change Management
– Changes should be documented and approved prior to
implementation
• Network Administration
– Stay current on patches/updates
– Restrict external access as much as possible
– Implement monitoring
24
©2012 CliftonLarsonAllen LLP
Best Practices, etc.
• Disaster Recovery/Business Continuity
– Identify the critical processes that drive your business
– Develop your “what if” scenarios
– Determine your recovery strategies
• Physical Security
– Restrict physical access to data center
– Implement environmental controls
25
©2012 CliftonLarsonAllen LLP
Conclusion
• Identify what’s critical
• Be PROACTIVE, not reactive
• Use a different perspective
• Educate yourself and your employees
THANK YOU!
Presenter - Laura Faulkner
26
©2012 CliftonLarsonAllen LLP
CONTACT INFORMATION
Laura Faulkner – 612.397.3090
[email protected]
Gil Bohene – 571.227.9500
[email protected]
27
©2012 CliftonLarsonAllen LLP
Security Awareness Training
Michael Parker
UW for Southeastern Michigan
Financial Management and Human Resources Forum
Atlanta – October 7, 2013
What is “Security Awareness”?
Security awareness is “the knowledge and attitude
members of an organization possess regarding the
protection of the physical and especially, information
assets of that organization.”
• Organizational-wide culture, with behavioral change component
• Includes people, process and technology
29
Atlanta
October 7, 2013
Why do we need Security Awareness Training?
• Organizational value statement – drives credibility and transparency
• Ethical responsibility to our constituents
• Compliance with federal and state laws (HIPAA, PCI, PII, etc.)
• Contractual mandates by companies we work with
• Risk management
30
Atlanta
October 7, 2013
Elements of successful security awareness programs
• C-Level support – buy-in is critical
• Partnering with key departments – mutual interests can drive
support
• Creativity – materials, communication, events
• Metrics – use of attitude surveys, # of security related incidents
• Emphasize “how to” rather than “don’t do this”
• 90 day plans focusing on 3 topics vs. annual plan – reinforces
knowledge, changes behaviors
• Multiple forms of training materials – online systems, newsletters,
posters, games, etc.; tailored to generational differences
31
Atlanta
October 7, 2013
Typical topics covered in awareness training
programs
32
•
The nature of sensitive material and physical assets individuals may come in contact
with
•
Employee and contractor responsibilities in handling sensitive information, including
review of nondisclosure agreements
•
Requirements for proper handling of sensitive material in physical form, including
marking, transmission, storage and destruction
•
Proper methods for protecting sensitive information on computer systems, including
password policies, encryption and network access
•
Other computer security concerns, including malware, phishing, social engineering
etc.
•
Workplace security, including building access, wearing of security badges, reporting
of incidents, forbidden articles, websites, etc.
•
Consequences of failure to properly protect information, including potential loss of
employment, economic consequences to the firm, damage to individuals whose
private records are divulged, and possible civil and criminal penalties
Atlanta
October 7, 2013
Typical content covered in training
General security awareness (all employees)
• High level review of network logins/passwords, viruses/malware, mobile
data, physical security, phishers, acceptable use policies, incident
response, security services, risk management, encryption, backups
Security awareness for managers
• Lead by example, security management practices, legal issues
Security awareness for IT professionals
• Common forms of attack, network security, disaster recovery, best practices
Security awareness for web application developers
• Open Web Application Security Project (OWASP) Top Ten list
33
Atlanta
October 7, 2013
Typical content covered in training, continued
Physical security
• Workplace violence, theft, physical access controls, emergencies
Data and records retention
• Document creation, laws, best practices for retention and
destruction
Privacy awareness - public/non-public information, laws, best practices
PCI requirements and compliance
HIPAA/HITECH – PHI (protected health information)
34
Atlanta
October 7, 2013
Handling Security Breaches
Notification considerations
• Legal requirements
• UWW requirements
• Constituent response
• Media response
Incident Response Plans – covers physical and network breaches
• Notification contact lists
• Assessment phase
• Response determination
• Containment phase
35
Atlanta
October 7, 2013
Handling Security Breaches, continued
• Documentation – logs of who, what, where, pictures, etc.
• Evidence preservation – pictures, damage
• Damage assessment – costs/values
• Notification – insurance, legal, police
• Evaluation of plan
36
Atlanta
October 7, 2013
Questions??

similar documents