INFORMATION SECURITY FOR INFORMATICS PROFESSIONALS
Amy M. Walker, MS, RN, CPHQ, FACHE, NEA-BC
CEO, OptimizeIT Consulting LLC
Healthcare IT Strategist
A Proud EDWOSB, Cage Code 6TH50
Amy Walker MS, RN, CPHQ, FACHE, NEA-BC
• Healthcare System
  • Critical Care RN, Certified and Nurse Manager
  • Director of Informatics, CIO Boot Camp-CHIME
  • Chief Clinical Information Officer (CCIO)
• Technology Provider-Large Scale
  • Development
  • Implementation
  • Strategic Account Management
  • Consulting
• DoD Health Affairs
  • HIPAA, Healthcare Compliance, Security, and Data Exchange
• Interim CIO
• Entrepreneur
• Fellow in the American College of Healthcare Executives
• Certified as a Healthcare Quality Professional
• Certified as an Advanced Nurse Executive
• 2010 President of the National Capital of Healthcare Executives
• Nominated Member of the Women's Business Leaders of the U.S. Healthcare Industry Foundation
We Will Discuss Today
• IT Security Pillars
• How to Appropriately Construct Policies and Procedures
  • Develop, Implement, Enforce
• Effective Strategies for Security Standards and Risk Assessment
• System Architecture and Design
• An Overview of Security Issues and Solutions
SWOT-Analysis
Strengths
• Identified Security Officer
• Tight Integration Between Roles
Weaknesses
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Opportunities
• Are Great
Threats
• Are Great
Obama meets with CEOs to push cyber-security legislation
The meeting in hopes of getting the stalled legislation passed comes a day after intelligence officials warn of the threat to national security.
March 13, 2013 | By Ken Dilanian and Jessica Guynn, Los Angeles Times
"What is absolutely true is that we have seen a steady ramping up of cyber-security threats," President Obama said on ABC's "Good Morning America." "Some are state-sponsored. Some are just sponsored by criminals."
(Evan Vucci / Associated Press)
Security Problems Hit Close To Home
Dear user:
As a follow up to our last email communication about the identified security vulnerability in the XYZ system, the U.S. General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those that use their social security numbers for purposes of doing business with the federal government.
Your entity's data has been identified to be at greater risk for potential identity theft because you used your social security number as your Tax Identification Number to do business with the federal government.
This vulnerability enabled government entity administrators and delegated entity registration representatives to potentially gain access to information of any entity's registration -- enabling visibility of entity management data at all sensitivity levels.
As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higher risk, like you, access to credit monitoring services and will follow up with information about these services.
If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you see any discrepancies.
We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this incident. The security of your information is a critical priority to us and we will work to ensure the system remains secure.
Sincerely,
In the News
Forget hackers, the fool next to you is the real threat
Statistics on Data Breaches
Internet Security Alliance
Larry Clinton, the longtime head of the Internet Security Alliance, delivered the keynote at the March PHI Protection Forum. Mr. Clinton focused on PHI security and privacy and cited an important study of the state of health care information security: PWC's 2013 State of Info Security Survey data regarding health care organizations.
PWC's 2013 State of Info Security Survey
• Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound and many consider themselves to be leaders in the field.
• (And yet, only) 42% have a strategy & (are) proactive in executing it
• Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS
• 60% do NOT have a policy for third parties to comply with privacy policies
• 73% use malicious code detection tools; DOWN 16%
• 48% use tools to find unauthorized devices; DOWN 14%
• 51% use intrusion detection tools; DOWN 19%
• 48% use vulnerability scanning tools; DOWN 15%
• 31% DON'T KNOW when info sec is part of major projects; ONLY 18% at project inception
• 90% of HC respondents say protecting employee & customer data is important, yet few know where the data is stored (43% have an accurate inventory of data)
• Adopting new technology (is outpacing) security; new technology referring to cloud 28%, mobile 46%, social media 45%, personal devices 51%
Source: PWC's 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
PWC's 2013 State of Info Security Survey
The Reasons? As Noted by Larry
• Lack of funding 53%
• 20% say top leadership "is an impediment to improved security."
• Only 43% report security breaches
• Diminished budgets have resulted in degraded security programs; incidents are on the rise, and new technologies are being adopted faster than safeguards
• There are short-term economic incentives to be insecure (VoIP, use of personal devices, the Cloud)
• HC providers report lower $ loss from incidents, but many do not perform thorough or consistent analysis to appraise those losses; e.g. only 33% consider damage to brand as a financial loss
June 26, 2012: Alaska Department of Health and Social Services
A USB hard drive possibly containing ePHI was stolen from the vehicle of a DHHS employee.
• DHHS did not have adequate safeguard policies and procedures in place.
• DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce, implemented device and media controls, or addressed device and media encryption.
• Pay a $1.7 million fine and take corrective action to ensure compliance with the Security Rule
Source: Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
April 17, 2012: Phoenix Cardiac Surgery
Staff were posting clinical and surgical appointments for patients on an Internet-based calendar that was publicly accessible.
• PC failed to implement adequate policies and procedures to safeguard patient information
• PC failed to document that it trained any employees on policies and procedures.
• PC failed to identify a security official and conduct a risk analysis.
• PC failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
• Pay a $100,000 fine and develop a corrective action plan to ensure compliance with the Security Rule
Source: Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press).
March 13, 2012: Blue Cross Blue Shield of Tennessee
Fifty-seven unencrypted computer hard drives were stolen from a leased facility. The drives contained the ePHI of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
• BCBST failed to implement appropriate administrative safeguards by not performing the required security evaluation.
• BCBST failed to implement appropriate physical safeguards.
• Pay a $1.5 million fine and implement a corrective action plan to address gaps in its HIPAA compliance program
Source: Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press).
The Foundation
Security Triangle
• Confidentiality
• Integrity
• Availability
10 Domains of Information Security
• Access Control
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigation, and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Software Development Security
• Telecommunications and Network Security
Source: International Information Systems Security Certification Consortium, https://www.isc2.org/
Basic Requirements
• Security
• Reliability
• Transparency
• Scalability
• Maintainability
• Auditability
• Integrity
• Authenticity
Source: International Information Systems Security Certification Consortium, https://www.isc2.org/
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
Construction of Policies and Procedures
Security Enterprise Ecosystem (diagram): Core Business; People; Processes; Technology
Policy Framework (diagram):
• Implementation: Standards, Procedures, Protocols, Guidelines
• Policies: Directives ("You Shall")
• Overarching Management Direction: Regulations, Strategy, Standards, Laws
Policies and Procedures
• Acceptable Use
• Access Control
• Accreditation
• Acquisition
• Business Continuity
• Certification
• Change Control Management
• Code of Ethics
• Confidentiality
• Data Classification
• Internet Use
System Architecture and Design
System Architecture Components
• Hardware
• Firmware
• Central Processing Units
• Input/Output Devices
• Software
• Architectural Structures
• Storage and Memory
Analyze the security risks, limitations, and positive attributes of each.
Open Source
• A study by the MITRE Corporation, sponsored by the Defense Information Systems Agency, found extensive and diverse use of open software at the DoD, with over 100 open products being used in more than 250 applications.
• Security applications were most noted as a reason open source should be expanded.
• Widely used open security tools included SNORT, a lightweight intrusion detection tool used for plugging "network security holes when new attacks emerge", and SARA, the Security Auditor's Research Assistant, used for relatively straightforward network security risk analyses. The MITRE report lists more than 100 open source products that have demonstrated superior records of security and reliability.
Source: The Abdus Salam International Centre for Theoretical Physics
System Security Risk Assessment
Risk Management Purpose
• The purpose of an organization's risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets.
• Risk is a function of the likelihood of a given threat source's exercising a particular vulnerability and the resulting impact of that adverse event.
Source: NIST SP 800-30, www.csrc.nist.gov
Risk Analysis
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.
Details of a System Security Risk Assessment
• Qualitative
  • Scenario oriented
  • No $$ values
  • Ranking of threats
  • Perform to the goal of reasonableness
• Quantitative
  • Assign $$ values
  • Resource intensive
  • More difficult to determine
• Hybrid
Source: International Information Systems Security Certification Consortium, https://www.isc2.org/
Risk Assessment SP 800-30
• Step 1 Characterization
• Step 2 Threat Identification
• Step 3 Vulnerability Identification
• Step 4 Control Analysis
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
• Step 7 Risk Determination
• Step 8 Control Recommendations
• Step 9 Results Documentation
• Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed.
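As an added worked example (not from the slides, NIST or (ISC)²), the Python below carries Steps 5 to 7 through for a handful of findings modelled on the OCR cases above, using the likelihood and impact weights of the 2002 revision of SP 800-30 (likelihood Low 0.1 / Medium 0.5 / High 1.0; impact Low 10 / Medium 50 / High 100; risk scale Low 1 to 10, Medium over 10 to 50, High over 50), and then adds the quantitative alternative, annualized loss expectancy (ALE = SLE x ARO), that the qualitative ranking leaves out. The finding names, dollar figures, occurrence rates and control costs are constructed assumptions.

```python
"""NIST SP 800-30 Steps 5-7 (likelihood, impact, risk determination) worked
through in Python, with the quantitative ALE alternative and a Step 8 cost check.
Added example: findings, dollar figures, rates and control costs are constructed."""
from dataclasses import dataclass

# Weights from the risk-level matrix in the 2002 revision of SP 800-30.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Finding:
    """One threat-source / vulnerability pair from Steps 2 and 3."""
    name: str
    likelihood: str        # Step 5 rating: Low / Medium / High
    impact: str            # Step 6 rating: Low / Medium / High
    sle: float = 0.0       # quantitative only: single loss expectancy, $ per incident
    aro: float = 0.0       # quantitative only: annualized rate of occurrence, per year


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7, qualitative: likelihood weight times impact weight (1 to 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 scale: Low 1-10, Medium over 10 to 50, High over 50."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative alternative: ALE = SLE x ARO, in dollars per year."""
    return sle * aro


def rank_findings(findings):
    """Rank highest risk first by qualitative score, breaking ties on ALE.
    Using dollar values only where they exist is the 'hybrid' approach."""
    return sorted(
        findings,
        key=lambda f: (risk_score(f.likelihood, f.impact),
                       annualized_loss_expectancy(f.sle, f.aro)),
        reverse=True,
    )


def control_is_worth_it(finding: Finding, annual_control_cost: float, aro_after: float) -> bool:
    """Step 8 input: a control pays for itself when the ALE it removes exceeds its cost."""
    before = annualized_loss_expectancy(finding.sle, finding.aro)
    after = annualized_loss_expectancy(finding.sle, aro_after)
    return (before - after) > annual_control_cost


# Constructed findings modelled on the OCR cases above; all figures are illustrative.
FINDINGS = [
    Finding("Unencrypted portable drive holding ePHI left in a vehicle", "High", "High",
            sle=1_700_000, aro=0.2),
    Finding("Appointments posted to a publicly accessible Internet calendar", "Medium", "High",
            sle=100_000, aro=0.5),
    Finding("No business associate agreement with cloud e-mail provider", "Medium", "Medium",
            sle=50_000, aro=0.3),
    Finding("Workforce security training not completed", "Low", "Medium",
            sle=20_000, aro=1.0),
]

if __name__ == "__main__":
    print("Level   Score        ALE/yr  Finding")
    for f in rank_findings(FINDINGS):
        score = risk_score(f.likelihood, f.impact)
        ale = annualized_loss_expectancy(f.sle, f.aro)
        print(f"{risk_level(score):<7}{score:>6.1f} {ale:>13,.0f}  {f.name}")
    # Step 8 check: drive encryption at $30,000/yr cutting the theft ARO to 0.02.
    print("Encrypt drives:", control_is_worth_it(FINDINGS[0], 30_000, 0.02))
```

Note that the training finding ranks lowest on the qualitative scale yet carries a larger ALE than the missing-BAA finding, which is the divergence that makes the hybrid approach on the previous slide worth the extra effort.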
CMS Security Risk Analysis Process
1. Review existing security of protected health information
2. Identify threats and vulnerabilities
3. Assess risks for likelihood and impact
4. Mitigate security risks
5. Monitor results
Source: CMS, Information Security Overview
10 Best Practices for the Small Health Care Environment
• Use Strong Passwords and Change Them Regularly
  • Passwords and Strong Authentication
• Install and Maintain Anti-Virus Software
• Use a Firewall
• Control Access to Protected Health Information
• Limit Network Access
• Plan for the Unexpected
• Maintain Good Computer Habits
  • Software Maintenance
• Protect Mobile Devices
• Establish a Security Culture
Source: CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
Security IT Issues and Solutions
Overview of Healthcare IT Security Issues and Solutions
• Lack of Effective Ecosystem Governance
• Lack of Budget
• Lack of Appropriate Risk Assessment with CAP (corrective action plan)
• MU (Meaningful Use)
  • Core Objective and Measure 12
  • Core Objective and Measure 15
• HIPAA Privacy and Security Federal Regulations
• Attacks
• Vulnerabilities
• Complex Systems Change Control
• Doing More with Less
• Mobile and Wireless Technologies
• Outsourcing
HITRUST™
• The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
• HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
• The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. The CSF is available through HITRUST Central.
Retain absolute faith that you can and will prevail in the end, regardless of the difficulties, and at the same time confront the most brutal facts of your current reality, whatever they might be.
(Jim Collins, Good to Great)
Thought Questions
1. In your own experience, what are your recommendations on the highest IT security priorities?
2. Are there resources related to IT security that you suggest must be given greater visibility?
3. What does your organization's SWOT analysis tell you?
References
• CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
• HITRUST, http://hitrustalliance.net/
• International Information Systems Security Certification Consortium, https://www.isc2.org/
• National Institute of Standards and Technology, http://csrc.nist.gov/publications/PubsSPs.html
• Office of the National Coordinator, http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
• PHI Protection Network, LinkedIn Group
• PWC's 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
• Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
• The Betterley Report, http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-the-internet-security-alliance-and-some-startling-statistics-about-privacy-security-in-the-health-care-industry/?goback=%2Egde_4493923_member_223850708
• The Operations Security Professional's Association, http://www.opsecprofessionals.org/
SWOT-Analysis
Strengths
• Identified Security Officer
• Tight Integration Between Roles
Weaknesses
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Opportunities
Threats
Thank You!
Contact us at:
4031 University Drive, Suite 100, Fairfax, Virginia 22030
P: 703-283-4678
E: awalker@optimizeitconsulting
www.optimizeitconsulting.com
OptimizeIT Consulting LLC is a proud EDWOSB, Cage Code 6TH50

 
2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance 2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security Policy
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 
[AIIM18] GDPR: whose job is it now? - Paul Lanois
[AIIM18] GDPR: whose job is it now? - Paul Lanois[AIIM18] GDPR: whose job is it now? - Paul Lanois
[AIIM18] GDPR: whose job is it now? - Paul Lanois
 
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NIST
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NISTHIMSS seeks HIPAA Cybersecurity Framework clarifications from NIST
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NIST
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docx
 
Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"
Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"
Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"
 
Hot Topics in Privacy and Security
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and Security
 
Target Data Security Breach Case Study
Target Data Security Breach Case StudyTarget Data Security Breach Case Study
Target Data Security Breach Case Study
 

Último

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Information+security rutgers(final)

  • 6. Security Problems Hit Close To Home
    Dear user: As a follow up to our last email communication about the identified security vulnerability in the XYZ system, the U.S. General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those that use their social security numbers for purposes of doing business with the federal government. Your entity's data has been identified to be at greater risk for potential identity theft because you used your social security number as your Tax Identification Number to do business with the federal government. This vulnerability enabled government entity administrators and delegated entity registration representatives to potentially gain access to information of any entity's registration -- enabling visibility of entity management data at all sensitivity levels. As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higher risk, like you, access to credit monitoring services and will follow up with information about these services. If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you see any discrepancies. We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this incident. The security of your information is a critical priority to us and we will work to ensure the system remains secure. Sincerely,
  • 7. In the News: Forget hackers, the fool next to you is the real threat
  • 8. Statistics on Data Breaches
  • 9. Internet Security Alliance
    Larry Clinton, the longtime head of the Internet Security Alliance, delivered the keynote at the March PHI Protection Forum. Mr. Clinton focused on PHI security and privacy; he cited an important study of the state of health care information security, PWC's 2013 State of Info Security Survey data regarding health care organizations.
  • 10. PWC's 2013 State of Info Security Survey
    ▪ Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound and many consider themselves to be leaders in the field.
    ▪ (And yet, only) 42% have a strategy & (are) proactive in executing it
    ▪ Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS
    ▪ 60% do NOT have a policy for third parties to comply with privacy policies
    ▪ 73% use mal code detection tools; DOWN 16%
    ▪ 48% use tools to find unauthorized devices; DOWN 14%
    ▪ 51% use intrusion detection tools; DOWN 19%
    PWC's 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
  • 11. PWC's 2013 State of Info Security Survey (continued)
    ▪ 48% use vulnerability scanning tools; DOWN 15%
    ▪ 31% DON'T KNOW when info sec is part of major projects; ONLY 18% at project inception
    ▪ 90% of HC respondents say protecting employee & customer data is important; few know where the data is stored (43% have an accurate inventory of data)
    ▪ Adopting new technology (is outpacing) security; new technology referring to cloud 28%, mobile 46%, social media 45%, personal devices 51%
  • 12. The Reasons? As Noted by Larry
    ▪ Lack of funding 53%
    ▪ 20%: top leadership "is an impediment to improved security."
    ▪ Only 43% report security breaches
    ▪ Diminished budgets have resulted in degraded security programs; incidents are on the rise; new technologies are being adopted faster than safeguards
    ▪ There are short-term economic incentives to be insecure (VoIP, use of personal devices, the Cloud)
    ▪ HC providers report lower $ loss from incidents, but many do not perform thorough or consistent analysis in appraising those losses, e.g. only 33% consider damage to brand as a financial loss
  • 13. June 26, 2012: Alaska Department of Health and Social Services
    A USB hard drive possibly containing ePHI was stolen from the vehicle of a DHHS employee.
    ▪ DHHS did not have adequate safeguard policies and procedures in place.
    ▪ DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce, implemented device and media controls, or addressed device and media encryption.
    ▪ Pay a $1.7 million fine and take corrective action to ensure compliance with the Security Rule
    Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
  • 14. April 17, 2012: Phoenix Cardiac Surgery
    Staff were posting clinical and surgical appointments for patients on an Internet-based calendar that was publicly accessible.
    ▪ PC failed to implement adequate policies and procedures to safeguard patient information
    ▪ PC failed to document that it trained any employees on policies and procedures.
    ▪ PC failed to identify a security official and conduct a risk analysis.
    ▪ PC failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
    ▪ Pay a $100,000 fine and develop a corrective action plan to ensure compliance with the Security Rule
    Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
  • 15. March 13, 2012: Blue Cross Blue Shield of Tennessee
    Fifty-seven unencrypted computer hard drives were stolen from a leased facility. The drives contained the ePHI of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
    ▪ BCBST failed to implement appropriate administrative safeguards by not performing the required security evaluation.
    ▪ BCBST failed to implement appropriate physical safeguards.
    ▪ Pay a $1.5 million fine and implement a corrective action plan to address gaps in its HIPAA compliance program
    Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
  • 18. 10 Domains of Information Security
    ▪ Access Control
    ▪ Operations Security
    ▪ Business Continuity and Disaster Recovery Planning
    ▪ Physical (Environmental) Security
    ▪ Cryptography
    ▪ Security Architecture and Design
    ▪ Information Security Governance and Risk Management
    ▪ Software Development Security
    ▪ Legal, Regulations, Investigation, and Compliance
    ▪ Telecommunications and Network Security
    International Information Systems Security Certification Consortium, https://www.isc2.org/
  • 19. Basic Requirements
    ▪ Security
    ▪ Reliability
    ▪ Transparency
    ▪ Scalability
    ▪ Maintainability
    ▪ Auditability
    ▪ Integrity
    ▪ Authenticity
    International Information Systems Security Certification Consortium, https://www.isc2.org/
  • 20. Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
  • 23. [image slide, no extractable text]
  • 24. Policy Framework (diagram). Terms shown: Laws, Regulations, Strategy, Overarching Management Direction, Policies ("You Shall"), Directives, Standards, Procedures, Protocols, Guidelines, Implementation Standards
  • 25. Policies and Procedures
    ▪ Acceptable Use
    ▪ Access Control
    ▪ Accreditation
    ▪ Acquisition
    ▪ Business Continuity
    ▪ Certification
    ▪ Change Control Management
    ▪ Code of Ethics
    ▪ Confidentiality
    ▪ Data Classification
    ▪ Internet Use
  • 27. System Architecture Components
    ▪ Hardware
    ▪ Firmware
    ▪ Central Processing Units
    ▪ Input/Output Devices
    ▪ Software
    ▪ Architectural Structures
    ▪ Storage and Memory
    Analyze security risks, limitations, and positive attributes of each.
  • 28. Open Source
    ▪ A study by the MITRE Corporation, sponsored by the Defense Information Systems Agency, found extensive and diverse use of open software at the DoD, with over 100 open products being used in more than 250 applications.
    ▪ Security applications were most noted as a reason open source should be expanded.
    ▪ Widely used open security tools included SNORT, a lightweight intrusion detection tool used for plugging "network security holes when new attacks emerge", and SARA, the Security Auditor's Research Assistant, used for relatively straightforward network security risk analyses. The MITRE report lists more than 100 open source products that have demonstrated superior records of security and reliability.
  • 29. The Abdus Salam International Centre for Theoretical Physics
  • 30. System Security Risk Assessment
  • 31. Risk Management Purpose
    ▪ The purpose of an organization's risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets.
    ▪ Risk is a function of the likelihood of a given threat source's exercising a particular vulnerability and the resulting impact of that adverse event.
    NIST SP 800-30, www.csrc.nist.gov
  • 32. Risk Analysis
    Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.
  • 33. Details of a System Security Risk Assessment
    ▪ Qualitative
      ▪ Scenario oriented
      ▪ No $$ values
      ▪ Ranking of threats
      ▪ Perform to the goal of reasonableness
    ▪ Quantitative
      ▪ Assign $$ values
      ▪ Resource intensive
      ▪ More difficult to determine
    ▪ Hybrid
    International Information Systems Security Certification Consortium, https://www.isc2.org/
  • 34. Risk Assessment SP 800-30
    ▪ Step 1 Characterization
    ▪ Step 2 Threat Identification
    ▪ Step 3 Vulnerability Identification
    ▪ Step 4 Control Analysis
    ▪ Step 5 Likelihood Determination
    ▪ Step 6 Impact Analysis
    ▪ Step 7 Risk Determination
    ▪ Step 8 Control Recommendations
    ▪ Step 9 Results Documentation
    ▪ Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed.
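The nine SP 800-30 steps above, together with the qualitative versus quantitative distinction on slide 33, carried through on a small risk register as an added example (not part of the deck, and not NIST's own code). The likelihood and impact weights, the High/Medium/Low thresholds, the ALE = SLE x ARO formula and the register entries are all this example's assumptions; the entries are constructed and only loosely modelled on the enforcement cases on slides 13 to 15.

```python
"""Qualitative (likelihood x impact) and quantitative (ALE) risk scoring
for a system security risk assessment in the style of NIST SP 800-30.

Added illustration, not from the slide deck or from NIST. Weights,
thresholds and dollar figures below are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Step 5 (likelihood) and Step 6 (impact) ratings on a three-level scale.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class RiskItem:
    threat_source: str                                            # Step 2
    vulnerability: str                                            # Step 3
    controls_in_place: List[str] = field(default_factory=list)    # Step 4
    likelihood: str = "Medium"   # residual likelihood after control analysis
    impact: str = "Medium"       # impact on confidentiality/integrity/availability
    # Quantitative inputs (optional): single loss expectancy in dollars and
    # annualized rate of occurrence. None keeps the entry purely qualitative.
    sle_dollars: Optional[float] = None
    aro: Optional[float] = None


def risk_score(item: RiskItem) -> float:
    """Step 7: risk = likelihood weight x impact weight, on a 1..100 scale."""
    return LIKELIHOOD_WEIGHT[item.likelihood] * IMPACT_WEIGHT[item.impact]


def risk_level(score: float) -> str:
    """Map a numeric score to High (>50), Medium (>10 to 50) or Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(item: RiskItem) -> Optional[float]:
    """Quantitative view: ALE = SLE x ARO; None when no dollar values were assigned."""
    if item.sle_dollars is None or item.aro is None:
        return None
    return round(item.sle_dollars * item.aro, 2)


def control_recommendation(level: str) -> str:
    """Step 8: recommended action per risk level (wording is this example's own)."""
    return {
        "High": "corrective measures required; treat before (re)authorizing the system",
        "Medium": "corrective action plan with a defined timeline",
        "Low": "accept, or treat if an inexpensive control exists",
    }[level]


def rank_register(items: List[RiskItem]) -> List[dict]:
    """Step 9: results documentation. Highest qualitative score first, ties by ALE."""
    rows = []
    for item in items:
        score = risk_score(item)
        level = risk_level(score)
        rows.append({
            "vulnerability": item.vulnerability,
            "threat_source": item.threat_source,
            "controls": ", ".join(item.controls_in_place) or "none",
            "score": score,
            "level": level,
            "ale": annualized_loss_expectancy(item),
            "recommendation": control_recommendation(level),
        })
    rows.sort(key=lambda r: (r["score"], r["ale"] or 0.0), reverse=True)
    return rows


# Constructed register for the example; dollar figures are illustrative only.
SAMPLE_REGISTER = [
    RiskItem("Thief with physical access to a leased facility",
             "Unencrypted hard drives holding ePHI left in an unsecured room",
             [], "High", "High", sle_dollars=1_500_000, aro=0.2),
    RiskItem("Any Internet user",
             "Patient appointments posted on a publicly accessible web calendar",
             ["verbal instruction to staff, no written policy"], "Medium", "Medium",
             sle_dollars=100_000, aro=0.5),
    RiskItem("Opportunistic vehicle break-in",
             "Portable USB drive with ePHI carried without encryption",
             ["device inventory"], "Medium", "High", sle_dollars=1_700_000, aro=0.1),
    RiskItem("Commodity malware",
             "Isolated training workstation without anti-virus software",
             ["no ePHI stored", "no network access"], "Low", "Low"),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        ale = f"${row['ale']:,.0f}" if row["ale"] is not None else "n/a"
        print(f"{row['level']:<6} {row['score']:>5.1f}  ALE {ale:>10}  {row['vulnerability']}")
        print(f"       controls: {row['controls']}; action: {row['recommendation']}")
```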
  • 35. CMS Security Risk Analysis Process
    ▪ Review existing security of protected health information
    ▪ Identify threats and vulnerabilities
    ▪ Assess risks for likelihood and impact
    ▪ Mitigate security risks
    ▪ Monitor results
    CMS, Information Security Overview,
  • 36. [image slide, no extractable text]
  • 37. 10 Best Practices for the Small Health Care Environment
    ▪ Use Strong Passwords and Change Them Regularly
      ▪ Passwords and Strong Authentication
    ▪ Install and Maintain Anti-Virus Software
    ▪ Use a Firewall
    ▪ Control Access to Protected Health Information
    ▪ Limit Network Access
    ▪ Plan for the Unexpected
    ▪ Maintain Good Computer Habits
      ▪ Software Maintenance
    ▪ Protect Mobile Devices
    ▪ Establish a Security Culture
    CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
  • 38. Security IT Issues and Solutions
  • 39. Overview of Healthcare IT Security Issues and Solutions
    ▪ Lack of Effective Ecosystem Governance
    ▪ Lack of Budget
    ▪ Lack of Appropriate Risk Assessment with CAP
    ▪ MU
      ▪ Core Objective and Measure 12
      ▪ Core Objective and Measure 15
    ▪ HIPAA Privacy and Security Federal Regulations
  • 40. Overview of Healthcare IT Security Issues and Solutions
    ▪ Attacks
    ▪ Vulnerabilities
    ▪ Complex Systems Change Control
    ▪ Doing More with Less
    ▪ Mobile and Wireless Technologies
    ▪ Outsourcing
  • 41. HITRUST ™
    ▪ The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
    ▪ HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
    ▪ The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. The CSF is available through HITRUST Central.
  • 42. Retain absolute faith that you can and will prevail in the end, regardless of the difficulties, and at the same time confront the most brutal facts of your current reality, whatever they might be. (Jim Collins, Good to Great)
  • 43. Thought Questions
    1. In your own experience, what are your recommendations on the highest IT security priorities?
    2. Are there resources related to IT security that you suggest must be given greater visibility?
    3. What does your organization's SWOT analysis tell you?
  • 44. References
    ▪ CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
    ▪ HITRUST, http://hitrustalliance.net/
    ▪ International Information Systems Security Certification Consortium, https://www.isc2.org/
    ▪ National Institute of Standards and Technology, http://csrc.nist.gov/publications/PubsSPs.html
    ▪ Office of the National Coordinator, http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
  • 45. References
    ▪ PHI Protection Network, LinkedIn Group
    ▪ PWC's 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
    ▪ Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
    ▪ The Betterly Report, http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-the-internet-security-alliance-and-some-startling-statistics-about-privacy-security-in-the-health-care-industry/?goback=%2Egde_4493923_member_223850708
    ▪ The Operations Security Professional's Association, http://www.opsecprofessionals.org/
  • 46. SWOT-Analysis
    ▪ Strengths: Identified Security Officer; Tight Integration Between Roles
    ▪ Weaknesses: Knowledge Deficit; Not Practicing to Standards; Deficient Risk Assessment Process
    ▪ Opportunities: (to be filled in)
    ▪ Threats: (to be filled in)
  • 47. Thank You! Contact us at: 4031 University Drive, Suite 100, Fairfax, Virginia 22030. P: 703-283-4678. E: awalker@optimizeitconsulting. www.optimizeitconsulting.com. OptimizeIT Consulting LLC is a proud EDWOSB, Cage Code 6TH50

Editor's Notes

  1. No deep dive.
  2. Social engineering- often used in conjunction with blind and double blind testing, social engineering is gaining critical or sensitive information through social interaction, typically with the organization’s employees, suppliers, and contractors. Techniques may include posing as a representative of the IT department’s help desk and gaining users account and password information, posing as an employee and gaining physical access to restricted areas, intercepting mail, or even dumpster diving to search for sensitive materials. It tests the organization’s people to contribute to or prevent unauthorized access to information and information systems.
  3. Security posture is not static It is dynamic and can change based on the quality of the continued execution of the program elements. It requires active management of the security program to maintain a certain security posture.
  4. Proprietary is not always more secure.Open source software is often misunderstood as “free” software. With open source software, the source code is available to the user or purchaser, whereas with most software, only the executable or object code is available. The security implications are debated, but most believe that users are able to examine open source code results in systems with fewer unanticipated vulnerabilities.
  5. Record keeping is mandatory. The OSI (Open Systems Interconnection) model was first defined and published as an international standard (ISO/IEC 7498-1) in 1984 and last revised in 1994. Strengths: established, flexible. Weaknesses: complex. Encapsulation is the process of wrapping the data with headers and sometimes trailers before sending. Layering separates the function of each layer. The TCP/IP model functions like the OSI model and maps onto it; it is simpler and network-centric, and it doesn’t describe the function of the application in enough detail. Does your organization keep records of, or otherwise keep track of, network, data, and system intrusions? How long are they kept? How about insider intrusions? Network security is a cornerstone of business operations because network connectivity provides an easy and consistent venue for an attack. Availability: uptime; here we look for single points of failure. Non-redundant components can be reinforced. Redundancy has to be built into a system at the network, application, and/or process level, including backup networks. Confidentiality: wireless networks are vulnerable to sniffing. Message protection: non-repudiation is the assurance that a specific author did actually send a specific item to a specific recipient. Effective non-repudiation is accomplished through the use of digital signatures and encryption. High redundancy. 8) Defense in depth: hurdles.
  6. Network attackers: the types of attacks. An attacker will take the path of least resistance, and most known issues are familiar to both defenders and attackers. It is important to have a documented topology. Single points of failure are to be avoided. Wireless (802.11): from the wired network to the station, wireless local area networks. Both wireless and wired technologies are susceptible to sniffing (the collection of traffic). Cloud computing: cloud computing is the provisioning of IT services over the cloud, the internet; the term cloud is based on the depiction of the internet as a cloud. Some of the services provided in the cloud are data storage, software, security, communications, etc. Security issues: since the services are being provided by a third party, trust is a major concern. Connections: VPN? Sharing of data and cross-border data transfer: where cloud services are provided, it may be challenging to ensure control over cross-border transmission of traffic. Network partitions: firewalls are used to separate trusted from untrusted networks; again, no single points of failure, defense in depth, stateful inspection. A complete firewall solution would have the firewall handling traffic and denying or permitting access correctly (the functional requirement), and the logging and monitoring aspect addressing the assurance requirements of the firewall solution by ensuring that the firewall is working properly and providing the expected level of protection in relation to the risks that the firewall was intended to control.
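The two halves of a firewall solution named in the note, correct permit/deny decisions (functional) and a decision log that lets you confirm the firewall is doing what the policy says (assurance), as an added toy example in Python. This is not code from the deck or from any firewall product; the addresses, ports, rule base and the stateful-inspection semantics (only SYN packets are checked against rules, later packets need a tracked flow, everything else is dropped by default) are constructed for the illustration.

```python
"""Toy stateful packet filter with a decision log (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for a new TCP connection attempt


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR; "0.0.0.0/0" matches any source
    dst: str              # CIDR; "0.0.0.0/0" matches any destination
    dport: Optional[int]  # None matches any destination port
    comment: str          # written to the decision log

    def matches(self, p: Packet) -> bool:
        src_ok = ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
        return src_ok and dst_ok and (self.dport is None or self.dport == p.dport)


class StatefulFirewall:
    """Stateful inspection: only connection attempts (SYN) are evaluated
    against the rule base; later packets must belong to a flow that was
    already permitted, and anything unmatched is denied by default."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # Tracked flows keyed by (client, server, client_port, server_port).
        self.established: Set[Tuple[str, str, int, int]] = set()
        self.log: List[str] = []

    def _decide(self, p: Packet) -> Tuple[str, str]:
        # A reply travels server -> client, i.e. the tracked tuple reversed.
        if (p.dst, p.src, p.dport, p.sport) in self.established:
            return "permit", "established"
        if not p.syn:
            return "deny", "no matching state"
        for rule in self.rules:  # first match wins
            if rule.matches(p):
                if rule.action == "permit":
                    self.established.add((p.src, p.dst, p.sport, p.dport))
                return rule.action, rule.comment
        return "deny", "default deny"

    def filter(self, p: Packet) -> str:
        action, reason = self._decide(p)
        self.log.append(f"{action.upper()} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return action

    def summary(self) -> Dict[str, int]:
        """Decision counts per reason: the monitoring view used to check
        that the firewall enforces the policy it was deployed for."""
        return dict(Counter(line.split("(", 1)[1].rstrip(")") for line in self.log))


# Constructed policy: trusted LAN 10.0.1.0/24, DMZ web server 10.0.2.10.
POLICY = [
    Rule("permit", "10.0.1.0/24", "0.0.0.0/0", 443, "outbound HTTPS from LAN"),
    Rule("permit", "0.0.0.0/0", "10.0.2.10/32", 443, "public web server"),
    Rule("deny", "0.0.0.0/0", "10.0.1.0/24", None, "inbound to LAN blocked"),
]


def run_demo() -> List[str]:
    """Constructed traffic sample; returns the decision log."""
    fw = StatefulFirewall(POLICY)
    fw.filter(Packet("10.0.1.5", "203.0.113.7", 51000, 443, syn=True))    # permit (rule 1)
    fw.filter(Packet("203.0.113.7", "10.0.1.5", 443, 51000))              # permit (established)
    fw.filter(Packet("203.0.113.7", "10.0.1.5", 443, 51001))              # deny   (no state)
    fw.filter(Packet("198.51.100.9", "10.0.1.5", 40000, 3389, syn=True))  # deny   (rule 3)
    fw.filter(Packet("198.51.100.9", "10.0.2.10", 40001, 443, syn=True))  # permit (rule 2)
    fw.filter(Packet("198.51.100.9", "10.0.2.10", 40002, 22, syn=True))   # deny   (default)
    return fw.log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The `summary()` view is the assurance half: if the "default deny" count for a segment is zero over a long period, either the segment sees no unexpected traffic or the firewall is not in the path, and both are worth confirming.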
  7. There are a number of risk assessment models available:
   OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
   NIST SP 800-30
   SSE-CMM (System Security Engineering Capability Maturity Model)
   Other……..
  8. Administrative Categories to Assess
   Review of Policies and Procedures: Implementation; Enforcement
   Penetration Testing: Vulnerabilities; Demonstration; Logs; Walkthrough
  Technical Safeguards
   Detailed wired/wireless network designs
   Secure workstation use (documentation of specific guidelines for each class of workstation)
   Procedures for encryption and decryption of EPHI
  Physical Safeguards
   Data Backup and Storage
   Disposal
  Administrative Safeguards
   Risk Management Methodology
   Information Access Management
   Security Awareness and Training
   Privacy Policies
   Business Associate Agreements
  Quantitative: estimate single loss expectancy, annualized rate of occurrence, and annual loss expectancy; estimate potential losses.
  9. An organization should take positive, proactive actions. National Institute of Standards and Technology: recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under the Executive Order “Improving Critical Infrastructure Cybersecurity,” has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. Vulnerability assessment tools: an audit trail is a record of system activities. More specifically, an audit trail is a chronological record of system activities that makes possible the reconstruction, review, and examination of the sequence of activities, which can then be used to indicate a possible intrusion or to investigate an incident. Data generated by system, network, application, or user activities are recorded. The configuration of an audit trail should include data about network connections, system-level events, application-level events, and user-level events (i.e., keystroke activity), plus event filtering. It may be necessary to use some type of event filtering or clipping level. Attackers often try to scrub audit logs to cover their attacks. Penetration testing (pen tests, also called ethical hacking) consists of a formal set of steps and procedures similar to the tricks and techniques an intruder would be likely to use. The purpose is to evaluate how well the enterprise can thwart an attack and how it might be compromised by a potential attack.
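An audit-trail review that applies a clipping level and checks for the log scrubbing the note warns about, as an added Python example; it is not code from the deck or from any product. The log format, sequence numbers, user names, addresses and the "AUDIT_LOG_CLEARED" event name are constructed for the illustration, and the clipping level of three failed logins is an assumed tuning value, not a recommendation from the deck.

```python
"""Audit-trail review with a clipping level and tamper checks (added example)."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample audit trail: "<seq> <timestamp> user=<u> event=<e> ...".
# Sequence numbers are assumed to be contiguous when no records were removed.
SAMPLE_LOG = """\
1001 2013-03-18T08:00:01 user=jsmith event=LOGIN_OK src=10.0.1.5
1002 2013-03-18T08:00:09 user=jsmith event=VIEW_RECORD patient=EXAMPLE-1
1003 2013-03-18T08:01:00 user=admin event=LOGIN_FAIL src=198.51.100.9
1004 2013-03-18T08:01:02 user=admin event=LOGIN_FAIL src=198.51.100.9
1005 2013-03-18T08:01:04 user=admin event=LOGIN_FAIL src=198.51.100.9
1006 2013-03-18T08:01:06 user=admin event=LOGIN_FAIL src=198.51.100.9
1007 2013-03-18T08:01:08 user=admin event=LOGIN_OK src=198.51.100.9
1012 2013-03-18T08:05:00 user=admin event=VIEW_RECORD patient=EXAMPLE-2
1013 2013-03-18T08:06:00 user=admin event=AUDIT_LOG_CLEARED
"""

LINE_RE = re.compile(r"^(?P<seq>\d+) (?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)")

Finding = Tuple[str, str]  # (kind, human-readable detail)


def parse(text: str) -> List[dict]:
    """Turn raw lines into records; malformed lines are skipped here, though
    in practice an unparsable line deserves a finding of its own."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        entries.append(rec)
    return entries


def review(entries: List[dict], clipping_level: int = 3) -> List[Finding]:
    """Walk the trail in order and report:
    - failed logins beyond the clipping level (the first N are treated as noise),
    - a successful login by a user already over that level,
    - gaps in the sequence numbers (records possibly deleted),
    - an explicit log-clearing event."""
    findings: List[Finding] = []
    failures: Counter = Counter()
    flagged = set()
    prev_seq = None
    for e in entries:
        seq, user, event = e["seq"], e["user"], e["event"]
        if prev_seq is not None and seq != prev_seq + 1:
            missing = seq - prev_seq - 1
            findings.append(("sequence_gap", f"{missing} record(s) missing between {prev_seq} and {seq}"))
        prev_seq = seq
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] > clipping_level and user not in flagged:
                flagged.add(user)
                findings.append(("threshold_exceeded", f"{user} exceeded {clipping_level} failed logins at seq {seq}"))
        elif event == "LOGIN_OK" and user in flagged:
            findings.append(("success_after_failures", f"{user} logged in at seq {seq} after repeated failures"))
        elif event == "AUDIT_LOG_CLEARED":
            findings.append(("log_cleared", f"audit log cleared by {user} at seq {seq}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(parse(SAMPLE_LOG)):
        print(f"{kind:<24} {detail}")
```

Raising the clipping level hides the login burst but not the sequence gap or the clearing event, which is the point of keeping integrity checks separate from volume-based thresholds: a scrubbed log is a finding regardless of how noisy the trail is.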
  10. Core Measure 15: regardless of which risk assessment process is selected, there is likely to be a gap or a need for a corrective action plan.
   Analyze current state: identify assets, threats, vulnerabilities and business impact; perform technical risk assessment through appropriate testing; review existing control documentation; interview key personnel to understand concerns.
   Develop strategy for improvement or corrective action plan: prioritize identified risk and exposure; perform root cause analysis; develop potential solutions; prepare recommendations for improvements; assess existing versus target process maturity.
   Communicate and manage risk: consider high-level strategies to facilitate improvement; rate proposed recommendations by impact and success potential; prepare business case for identified solutions.
  11. Risk Mitigation
   Risk appetite
   Prioritization
   Approach to dealing with risk: accept risk, transfer risk, eliminate risk, reduce risk
   Evolving process
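The quantitative formulas named in note 8 (single loss expectancy, annualized rate of occurrence, annual loss expectancy) carried through the prioritization step of note 10 and the treatment choice of note 11, as an added Python example. It is not code from the deck; the asset values, exposure factors, rates, safeguard costs and the risk appetite figure are constructed illustrations, and the rule that maps the numbers to accept/reduce/transfer is an assumption for the example (the "eliminate" option, stopping the activity, is left as a business decision rather than computed).

```python
"""Quantitative risk register: SLE, ARO, ALE and safeguard value (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset at risk
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)
    safeguard_cost: float   # annual cost of the proposed control
    residual_ef: float      # exposure factor with the control in place
    residual_aro: float     # ARO with the control in place

    def sle(self) -> float:
        """Single loss expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        """ALE expected after the control is in place."""
        return self.asset_value * self.residual_ef * self.residual_aro

    def safeguard_value(self) -> float:
        """Annual benefit of the control: loss avoided minus control cost.
        Positive means the control pays for itself."""
        return self.ale() - self.residual_ale() - self.safeguard_cost


def recommend(risk: Risk, risk_appetite: float) -> str:
    """Assumed decision rule for the treatment options in note 11."""
    if risk.ale() <= risk_appetite:
        return "accept"          # within appetite: document and monitor
    if risk.safeguard_value() > 0:
        return "reduce"          # control is cost-effective: implement it
    return "transfer"            # control costs more than it saves: insure or outsource


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest annual loss expectancy first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed register (illustrative figures only).
REGISTER = [
    Risk("Phishing compromise of one workstation", 5_000, 1.0, 2.0, 8_000, 0.5, 1.0),
    Risk("Unencrypted laptop with EPHI lost", 2_000_000, 0.25, 0.5, 20_000, 0.01, 0.5),
    Risk("Flood damage to data center", 3_000_000, 0.5, 0.02, 400_000, 0.0, 0.02),
    Risk("Ransomware on file server", 500_000, 0.4, 0.2, 15_000, 0.05, 0.2),
]
RISK_APPETITE = 25_000.0  # constructed: largest ALE the organization will accept


def build_report(risks: List[Risk], appetite: float) -> List[dict]:
    """Prioritized rows with the numbers a business case needs."""
    return [
        {
            "name": r.name,
            "sle": r.sle(),
            "ale": r.ale(),
            "safeguard_value": r.safeguard_value(),
            "treatment": recommend(r, appetite),
        }
        for r in prioritize(risks)
    ]


if __name__ == "__main__":
    for row in build_report(REGISTER, RISK_APPETITE):
        print(f"{row['name']:<42} ALE {row['ale']:>10,.0f}  "
              f"control value {row['safeguard_value']:>10,.0f}  {row['treatment']}")
```

With these figures the lost-laptop risk tops the list (SLE 500,000, ALE 250,000) and encryption clearly pays for itself, while the flood scenario exceeds the appetite but the proposed control costs far more than the loss it avoids, so the rule points to transferring it.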
  12. Best practices
   Firewalls
   Physical security systems: electronic access control systems, badging systems, CCTV, etc.
   Encryption of critical data in transit
   Role-based access control
   Intrusion detection systems monitored by a person
   Information assurance technologies that track access and use of organizational data
   Automated patch management
   Intrusion detection systems monitored by automated systems with built-in alarms
   Two-factor authentication
   Wireless monitoring
   Keystroke monitoring of individual users