360° of IT Compliance: Threats & Countermeasures
Mark Jennings
SymQuest Group, Inc.
Mjennings@symquest.com
What is Compliance?
From a business perspective, compliance is simply the act of meeting the standards associated with the regulatory requirements within your industry.
Compliance with these regulations typically extends beyond the handling of digital data.
Compliance is really about being a responsible custodian of protected information.
Protected Information
Examples of Personally Identifiable Information (PII); most of these are drawn from the eighteen identifiers that the HIPAA Privacy Rule treats as making health information individually identifiable:
• Name
• Address
• Phone numbers
• Fax numbers
• Email addresses
• Social Security Numbers
• Date of birth
• Medical record numbers
• Health plan ID numbers
• Dates of treatment
• Account numbers
• License numbers
• Vehicle identifiers
• IP addresses
• Biometric identifiers (fingerprints, retinal scans, etc.)
• Full face photos
Recent Incidents
Target
• 40 million debit and credit cards exposed
• $67M settlement
• Damaged Target's reputation
• CEO resigned
Sony Pictures
• Email stolen and leaked
• Digital content stolen
• Computers disabled
U.S. Office of Personnel Management
• Over 18 million employee records stolen
• Director resigned
Ramifications of a Breach
HIPAA
• Potential fines: $50,000 per violation, up to $1.5M per year for violations of the same provision
• Potential jail sentences: up to 10 years for the most serious criminal violations (obtaining or disclosing protected health information with intent to sell it, or for commercial advantage or malicious harm)
• Inclusion on the HHS "Wall of Shame" (the public OCR breach portal listing breaches that affect 500 or more individuals)
PCI
• Fines
• Monetary settlements with card services providers
• Suspension of card services
THREATS
External Cyber Attack
• Direct attempt to infiltrate a company or organization
• Distributed Denial of Service (DDoS) attack
• Broadcast viruses and worms
Source: Akamai Technologies
Internal Security Breaches
• The Disgruntled Employee
• The “Entrepreneurial” Employee
• The Curious Employee
Social Engineering
Social engineering takes advantage of an employee's willingness to trust, desire to be helpful, or simply their lack of awareness.
Examples of Social Engineering
• Impersonating IT
• Very convincing but rogue emails
• The old "lost USB stick" trick
Mobile Computing
• The rise of laptops, tablets, and smartphones
• The desire to work from anywhere
• The "Bring Your Own Device" (BYOD) trend
Problems
• How secure is the data on the mobile device?
• What other applications are in use on the device?
• Can you control the flow of corporate data on those devices?
• Can you control the protection of those devices (antivirus, antimalware, web filtering)?
• Are these devices using public wifi and, if so, are your employees protecting those communications properly?
Untrained Employees
Most of the threats above are magnified by employees who are not aware of them.
• Employees are not aware of the security protocols
• Employees are not aware of the warning signs
• Employees are not aware of the regulations
System Failure
A system failure can create multiple problems
• Inability to service clients, customers, or patients
• Recovery time
• Data loss
Catastrophic Event
• In the event of a major disaster, are you prepared to resume business in a reasonable timeframe?
• Can you recover your data?
• What is your plan?
• Are your employees (or at least your managers) aware of the plan?
COUNTERMEASURES
Countermeasures for Compliance
• Many of the regulatory standards require implementation of countermeasures for each of these threats
• In some cases these are specific requirements
• In other cases the requirements are broad
Examples
• The HIPAA Security Rule includes "required" and "addressable" implementation specifications. An addressable specification is not optional: the covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative measure in place
• PCI DSS may require different levels of auditing based on the volume or type of credit card transactions; the largest merchants must undergo an annual on-site assessment by a Qualified Security Assessor, while smaller merchants complete a Self-Assessment Questionnaire
Countermeasure Concepts
Layered Security Model
• Each threat can occur at various "layers" within the network
• Make sure that you have adequate controls at each layer to thwart particular threats:
  • Email filtering
  • Web filtering
  • Firewall
  • Network Access Control/wireless security
  • Network security monitoring
  • Operating system security patches
  • Anti-virus/anti-malware
  • Application security patches
  • Employee education
Countermeasures for External Cyber Attacks
• Reduce your public "footprint": expose only the services that must be reachable from the Internet
• Employ email filtering
• Employ web filtering
Countermeasures for Internal Security Breaches
• Review your internal security practices
• Know where information is stored and who has access to it
• Maintain an audit trail
Countermeasures for Social Engineering
• Establish policies and procedures
  • Never give out your password to ANYONE.
  • Verify the identity of anyone attempting to perform a transaction with you.
  • Acceptable Use Policies
• Implement employee identifiers
  • Badges
  • Name tags
• Employee training
  • Educate employees on the policies and procedures
  • Provide training on the fundamentals of safe computing
Countermeasures for Mobile Computing
• Employ Mobile Device Management (MDM)
• Employ 2-factor authentication
• Ensure mobile users are using encrypted means (such as a VPN or TLS) to communicate with the organization
• Ensure data is encrypted on the local device
Countermeasures for Untrained Employees
Top Ten Things your employees should know about safe computing
1. Never divulge your password…to anyone
2. Lock your screen when you are away from your PC
3. Scrutinize the email addresses of senders
4. Do not open emails from people you do not know
5. Be very careful clicking on hyperlinks embedded in emails
6. Use a PIN to access your smartphone or tablet
7. Never leave your laptop, smartphone, or tablet unattended in a public space
8. Report the loss of a laptop, smartphone, or tablet immediately
9. Be wary of public wifi
10. Report any security incident (email scam, suspicious behavior, etc.) to your IT administrator immediately
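Item 3 of the list above, and the "very convincing but rogue emails" from the social engineering slide, ask employees to scrutinize sender addresses by eye. The following is an added example, not code from the presentation or from SymQuest, of the same checks done in a mail filter: a display name that shows one address while the real sender is another, a sender domain that merely looks like a trusted one (character swaps, typosquats, the trusted domain used as a subdomain), and a Reply-To that diverts replies elsewhere. The trusted-domain list and the sample headers are constructed for the example.

```python
"""Flag suspicious sender addresses in email headers.

Added example; not part of the original presentation. It automates what
item 3 of the "Top Ten" list asks employees to do by eye. The trusted-domain
list and the sample headers below are constructed for illustration.
"""
from __future__ import annotations

import re
from email.utils import parseaddr
from typing import Optional

# Constructed: the domains this organization legitimately sends mail from.
TRUSTED_DOMAINS = {"symquest.com", "example-hospital.org"}

# Single characters and character pairs that attackers swap for lookalikes.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))

_ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def _skeleton(domain: str) -> str:
    """Normalize a domain so that visual lookalikes become identical strings."""
    d = domain.lower().translate(_CONFUSABLES)
    for pair, repl in _PAIR_CONFUSABLES:
        d = d.replace(pair, repl)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is clean."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if (
            _skeleton(domain) == _skeleton(trusted)      # syrnquest.com
            or _edit_distance(domain, trusted) <= 2      # synquest.com, symquest.co
            or domain.startswith(trusted + ".")          # symquest.com.evil.net
            or label in domain.split(".")[0]             # symquest-support.net
        ):
            return trusted
    return None


def check_sender(headers: dict) -> list:
    """Return a list of findings for a message's From / Reply-To headers."""
    findings = []
    display, address = parseaddr(headers.get("From", ""))
    from_domain = _domain_of(address)

    # 1. An address embedded in the display name that differs from the real one.
    m = _ADDR_RE.search(display)
    if m and _domain_of(m.group(0)) != from_domain:
        findings.append(f"display name shows {m.group(0)} but sender is {address}")

    # 2. The real sender domain imitates one of ours.
    imitated = lookalike_of(from_domain) if from_domain else None
    if imitated:
        findings.append(f"sender domain {from_domain} looks like trusted {imitated}")

    # 3. Replies are silently diverted to a third domain.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} does not match sender domain {from_domain}")
    return findings


# Constructed sample headers: one legitimate message and three rogue ones.
SAMPLE_MESSAGES = [
    {"From": "Mark Jennings <mjennings@symquest.com>"},
    {"From": "Accounts Payable <ap@synquest.com>"},
    {"From": '"IT Help Desk helpdesk@symquest.com" <helpdesk@symquest-support.net>',
     "Reply-To": "tickets@mailer-relay.org"},
    {"From": "Payroll <payroll@symquest.com.secure-login.net>"},
]


def triage(messages: list) -> list:
    """Run check_sender over a batch; an empty list means nothing suspicious."""
    return [check_sender(m) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(msg["From"], "->", findings or "ok")
```

The edit-distance threshold of 2 is generous for short trusted domains (a six-character domain has many two-edit neighbours), so in production the list of trusted domains should be kept to the organization's own and the threshold tuned per domain length; the check is meant to raise a banner for the reader, not to block mail outright.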
Countermeasures for System Failure
• Redundant system design
  • Recovery server
  • Virtualization with redundant hosts and shared storage
• Good backup strategy
  • Practice the 3-2-1 rule: keep three copies of your data (production plus two backups), on two different types of media, with one copy stored offsite
Countermeasures for Catastrophic Disaster
• Develop a plan
  • Determine your Recovery Time Objective (RTO): the longest outage you can tolerate before the system must be back in service
  • Determine your Recovery Point Objective (RPO): the most data, measured in time, you can afford to lose, i.e. how old the last recoverable copy may be
  • Plan your recovery strategy in accordance with your RTO/RPO
• Document the plan
• Communicate the plan
• Exercise the plan
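Whether a backup strategy actually meets the 3-2-1 rule from the system-failure slide and the RTO/RPO targets from this one is something that can be checked from the backup job history rather than asserted. The following is an added example, not code from the presentation or from SymQuest; the record layout, the targets and the two sample inventories are constructed for illustration. It checks the three parts of 3-2-1, the RPO for an ordinary system failure (newest good copy anywhere) and, separately, the RPO for a catastrophic event in which only the offsite copies survive, and the RTO against the fastest measured restore.

```python
"""Check a backup inventory against the 3-2-1 rule and RTO/RPO targets.

Added example; not code from the original presentation. The BackupCopy
record, the targets and the sample inventories are constructed for
illustration; in practice they would come from the backup system's job
history and the organization's recovery plan.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str              # "disk", "tape", "object-storage", ...
    offsite: bool           # kept at another site or cloud region
    last_success: datetime  # completion time of the last verified backup
    restore_minutes: int    # measured time to restore and return to service


def assess(backups, primary_media, rpo, rto, now):
    """Return {'compliant': bool, 'issues': [...]} for one system's backups."""
    issues = []
    if not backups:
        return {"compliant": False, "issues": ["no backup copies at all"]}

    # 3-2-1: three copies (production counts as one), two media types, one offsite
    if len(backups) < 2:
        issues.append(f"only {len(backups)} backup copy; 3-2-1 needs production plus two")
    media = {primary_media} | {b.media for b in backups}
    if len(media) < 2:
        issues.append(f"every copy is on one media type ({primary_media})")
    offsite = [b for b in backups if b.offsite]
    if not offsite:
        issues.append("no offsite copy")

    # RPO for a system failure: age of the newest good copy anywhere
    newest = max(backups, key=lambda b: b.last_success)
    if now - newest.last_success > rpo:
        issues.append(f"newest copy {newest.name} is {now - newest.last_success} old; RPO is {rpo}")

    # RPO for a catastrophic event: only the offsite copies survive
    if offsite:
        newest_off = max(offsite, key=lambda b: b.last_success)
        if now - newest_off.last_success > rpo:
            issues.append(
                f"if the site is lost, the newest offsite copy {newest_off.name} "
                f"is {now - newest_off.last_success} old; RPO is {rpo}"
            )

    # RTO: the fastest copy to restore must fit the recovery window
    fastest = min(backups, key=lambda b: b.restore_minutes)
    if timedelta(minutes=fastest.restore_minutes) > rto:
        issues.append(f"fastest restore ({fastest.name}) takes {fastest.restore_minutes} min; RTO is {rto}")

    return {"compliant": not issues, "issues": issues}


# Constructed targets and inventories
NOW = datetime(2015, 10, 1, 9, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)
RTO = timedelta(hours=4)

# Nightly local backup plus a weekly tape taken offsite
INVENTORY_BASIC = [
    BackupCopy("nightly-disk", "disk", False, NOW - timedelta(hours=9), 60),
    BackupCopy("weekly-tape-offsite", "tape", True, NOW - timedelta(days=5), 24 * 60),
]

# Same, plus hourly replication to object storage in another region
INVENTORY_REPLICATED = INVENTORY_BASIC + [
    BackupCopy("replica-object-storage", "object-storage", True, NOW - timedelta(hours=1), 30),
]


if __name__ == "__main__":
    for label, inv in (("basic", INVENTORY_BASIC), ("replicated", INVENTORY_REPLICATED)):
        print(label, assess(inv, "disk", RPO, RTO, NOW))
```

The basic inventory passes 3-2-1 and the system-failure RPO, yet would lose five days of data if the building were gone, because the only offsite copy is the weekly tape; that is the gap the catastrophic-event plan has to close, and the replicated inventory shows one way to close it.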
Cloud Options
• Software as a Service (SaaS) systems
  • Only the specific software and data is hosted by the provider
  • Data contained within the hosted software system is protected by the provider
  • Difficult to integrate with other systems
• Infrastructure as a Service (IaaS)
  • Entire systems are hosted within the vendor's data center
  • All data within the hosted systems (excluding mobile devices) is protected by the provider
  • Typically requires IT expertise in house to manage
• IaaS with a Managed Service Provider (MSP)
  • All systems are hosted within the vendor's data center
  • Mobile devices and end user support are managed by the MSP
Advantages of the Cloud
• Systems are maintained by IT professionals
• Systems implemented using industry standard best practices
• Systems run on enterprise-class equipment
• Systems are hosted in enterprise-class facilities
  • Air handling
  • Battery backup
  • Redundant communications lines
  • Generators
  • Physical security
• Systems (should be) redundant
  • Redundant data centers
• Systems are protected by multilayered security
The SymQuest Cloud
• Two completely redundant and replicated data centers in South Burlington, VT and Portland, Maine
• Hosted clients receive a completely segregated virtual network with dedicated virtual servers and an independent firewall
• Full service management of hosted servers and workstations
  • Backup
  • Patching
  • Replication
  • AV/AM
• Management of on-premises equipment
• 99.9% uptime Service Level Agreement
• Compliance assistance
  • SymQuest will provide documentation to auditors upon request to assist you in proving compliance
Final Thoughts
• Security and compliance is a complex topic
• The IT industry is only going to become more complex
• The use of managed IT services, either on premise or in the cloud, does not absolve an organization of its regulatory responsibilities, but it does mean that trained and dedicated professionals are in charge of that aspect of the business.
• In the event of an audit, an IT managed service provider should be able to assist you in proving compliance
• Having a professional managed services team should put the organization in a better position to defend against common threats, however … there is no 100%.
THANK YOU
Mark Jennings
Director of Sales | Network Solutions
mjennings@SymQuest.com
(802)-658-9836