Kerry Mickelson from Marcum LLP presented on the importance of conducting regular IT assessments. The presentation covered topics such as industry best practices, network infrastructure, security, disaster recovery, budget reviews, and compliance. Mickelson emphasized that assessments help identify risks, ensure compliance, and improve business processes. Regular assessments also benefit IT staff by providing coaching to help address any issues.

1. marcumllp.com
Time for an IT Assessment
marcumllp.com
Presented by:
Kerry Mickelson
November 15, 2018

2. 2
0914000N
Agenda
 What we do
 Why do an IT Assessment?
 Is this a threat to my IT Staff?
 Industry best practices
 Network Infrastructure
 Network Security
 IT Budget Review
 Disaster Recovery/Business continuity
 What’s New

3. 3
0914000N
Before We start

4. 4
0914000N
Not trying to scare you… but
 https://youtu.be/zGUR6kao9ys

5. 5
0914000N
Why Do an Assessment?

6. 6
0914000N
Poor planning Make big Headlines

7. 7
0914000N
Planning for the future
• time for upgrades?
• Preparing for an RFP
• Time to introduce new technology
• Improve Business Processes
• PCI or HIPPa compliance
• Seeking Cyber-Insurance

8. 8
0914000N
Risk is a business decision

9. 9
0914000N
What’s my risk?
Downtime?
Reputation?
$$$ ?

10. 10
0914000N
Why? Was there a Problem?
• Was there a server outage?
• An Audit is coming up
• Staff assessments or potential loss of staff
• Recurring issues
• Security concerns (this is big.. Really)

11. 11
0914000N
What about my IT Staff?

12. 12
0914000N
Coaches not Adversaries

13. 13
0914000N
How does the process Work - IT
Infrastructure assessment?
Raffa Assessment Methodology
IT Structure Analysis
- Perform Interviews with key stakeholders
- Identify current/future IT needs in line with your vision
- Review current system architecture
- Review current servers and storage hardware configurations
- Review network configurations and their capacities

14. 14
0914000N
IT Infrastructure analysis
 Review domain configurations
 Review enterprise back-office components and their configurations
 Review existing security requirements and compliance
 Review disaster recovery requirements and strategies including existing data
backup/restore mechanisms, hardware, software
 Review current Total Cost of Ownership (TCO)

15. 15
0914000N
Who am I connected to?
My
Network
Hosting
VOIP
Managed
Services

16. 16
0914000N
Does your network look like this?

17. 17
0914000N
Or this?

18. 18
0914000N
Everyone has something to protect
 Intellectual Property
 Human Resources Information
 Your Financial Data
 Your Customer Databases
 Your Customer’s Data
 Marketing and Sales Data
It’s not Just About
compliance with state and
federal regulations.
It’s about protecting your
company, your employees
and your customers.
Is it time for a Security and Compliance Assessment?
Financial
Healthcare Legal
Professional Services

19. 19
0914000N
What are our concerns?
• Unauthorized Access
• Concerns with in-house staff
• External threats
• Privacy audit

20. 20
0914000N
Security Considerations and Actions
 Strong password policy is the first line of defense against a data breach
STRONG PASSWORD POLICIES
Benefit: Strong password policies help to reduce the risk of a breach. Policies should also provide
guidance to reduce the risk of human error breaches. Strong passwords should meet these
standards at a minimum:
• Lower case characters
• Upper case characters
• Numbers
• "Special characters"(@#$%^&*()_+|~-=`{}[]:";'<>/)
• Contain at least 12 but preferably 15 characters.
Is it Time for a Security and Compliance Assessment?

21. 21
0914000N
Compliance Definitions (PII)
 Definitions are generally accepted by most states
 However, exceptions do exist on a state by state basis
Personal Information: An individual’s first name or first initial and
last name plus one or more of the following data elements:
1. Social Security number,
2. Driver’s license number or state- issued ID card number
3. Account number, credit card number or debit card number
combined with any security code, access code, PIN or password
needed to access an account and generally applies to
computerized data that includes personal information.
Personal Information shall not include publicly available information
that is lawfully made available to the general public from federal,
state or local government records, or widely distributed media. In
addition, Personal Information shall not include publicly available
information that is lawfully made available to the general public from
federal, state, or local government records.
Breach of Security: The unlawful and unauthorized acquisition of
personal information that compromises the security, confidentiality,
or integrity of personal information.
DEFINITIONS
Is it Time for a Security and Compliance Assessment?

22. 22
0914000N
Federal, state & Private Requirements
 It is important to understand that these laws don’t only apply to health
and financial institutions.
HIPAA: Health Insurance Portability and Accountability Act, a US law designed to
provide privacy standards to protect patients' medical records and other health
information provided to health plans, doctors, hospitals and other health care
providers. Developed by the Department of Health and Human Services, these
new standards provide patients with access to their medical records and more
control over how their personal health information is used and disclosed. They
represent a uniform, federal floor of privacy protections for consumers across the
country. State laws providing additional protections to consumers are not affected
by this new rule.
The Gramm-Leach-Bliley Act: (GLB Act or GLBA), is a federal law
enacted to control the ways that financial institutions deal with the private
information of individuals. The Act consists of three sections:
1. The Financial Privacy Rule, which regulates the collection and disclosure
of private financial information
2. The Safeguards Rule, which stipulates that financial institutions must
implement security programs to protect such information
3. The Pretexting provisions, which prohibit the practice of pretexting
(accessing private information using false pretenses).
The Act also requires financial institutions to give customers written privacy
notices that explain their information-sharing practices.
Is it Time for a Security and Compliance Assessment?

23. 23
0914000N
Federal, state & Private Requirements
 The Payment Card Industry Council established rules governing how
credit card data would be secured
Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all
organizations, including online retailers, must follow when storing, processing and transmitting
their customer's credit card data.
The Data Security Standard (DSS) was developed and the standard is maintained by
The Payment Card Industry Security Standards Council (PCI SSC). To be PCI complaint
companies must use a firewall between wireless networks and their cardholder data
environment, use the latest security and authentication such as WPA/WPA2 and also change
default settings for wired privacy keys, and use a network intrusion detection system.
The PCI DSS standard, as of September 2009 (DSS v 1.2), includes 12 requirements for best
security practices
PRIVATE REQUIREMENTS
Payment Card Industry (PCI) Data Security Standard (DSS)
Is it Time for a Security and Compliance Assessment?

24. 24
0914000N
Security Considerations and Actions
 Security is as much about people and good process and well
documented policy as it is about your IT infrastructure
PROCESS AND PEOPLE MANAGEMENT

25. 25
0914000N
Disaster Recovery
Vs.
Business continuity

26. 26
0914000N

27. 27
0914000N
IT Budget Review

28. 28
0914000N
Questions?
Kerry Mickelson
202-955-6767
Kerry.Mickelson@marcumllp.com