SlideShare uma empresa Scribd logo

Cybersecurity in Shared Services Organizations

ScottMadden, Inc.
ScottMadden, Inc.

The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. SSOs handle confidential and restricted personal data, making them a target for cyber crimes. Since the SSO is accountable for protecting sensitive corporate and employee information, care must be taken to understand and protect the flow of this sensitive data. How do you properly manage cyber threats? A robust cybersecurity program is imperative to protect your organization, employees, and customers. In this report, find out about the building blocks needed for an effective SSO cybersecurity program. To learn more, please visit www.scottmadden.com.

Educação
1 de 16
Baixar para ler offline
Copyright © 2016 ScottMadden, Inc. All rights reserved. Cybersecurity in Shared Services Organizations June 2016
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Contents ■ Introduction to Shared Services Cybersecurity ■ What’s at Risk? ■ Cyber Attack Trends ■ Key Shared Services Organization (SSO) Risk Factors ■ Building Blocks of an SSO Cybersecurity Program • Data Security • Education and Awareness • Governance and Compliance ■ SSO Cybersecurity Leading Practices ■ How ScottMadden Can Help 1
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Introduction to Shared Services Cybersecurity Shared Service Organizations (SSOs) control much of an organization’s confidential and restricted personal information. While handling and using this data is routine for SSOs, it is exactly the kind of information that is highly prized by cyber criminals. A robust cybersecurity program is imperative to protect the organization, employees, and customers. Cyber threats can materialize in a number of ways but can be broken down into two main types: 2 Type Description Examples External ■ Cyber criminals use offensive maneuvers with the intent of stealing, altering, or destroying data, networks, infrastructure assets, and/or personal devices ■ Denial of service attacks designed to make network resources unavailable to its users ■ Unauthorized users gaining physical access to a computer and downloading sensitive data ■ Attempts to acquire usernames, passwords, and credit card details directly from users (e.g., phishing) Internal ■ Employees unintentionally compromise sensitive data or systems, potentially exposing the organization to cyber attacks ■ Employees maliciously circumvent data security protocols and/or willingly aid cyber criminals ■ Sending documents containing sensitive information via standard email rather than through secure email programs ■ Purposefully opening email attachments from external senders known to contain malicious code Many organizations have dedicated Information Security (InfoSec) groups that manage security programs enterprise wide. However, accountability for protecting sensitive shared services and employee information ultimately falls to the SSO.
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Personal Data/PII Business/Organization Examples of Confidential Information  Name  Email address  Physical address  Phone number  Job title  Work experience  Evaluations  Gender  Marital status  Age  M&A or transactional activity  Ongoing lawsuits  Internal investigations  Proprietary content  Advance SEC filings  Press releases  Emails  Internal memos  Company presentations Examples of Restricted Information  SSN  Passport  Driver’s license  Ethnicity  Nationality  Sexual orientation  Medical history  Salary/compensation  Bank account information  Background checks  Credit reports  Criminal history  Strategic plans  Budgets  Reports  Legal materials  Audits and assessments  P-card numbers What’s At Risk? Confidential Information refers to data/information for which unauthorized access or disclosure could result in an adverse effect on the organization, an individual, or both. This information could either be personally identifiable information (PII) or confidential business information. Restricted Information includes the most sensitive Confidential Information and is typically protected by law or policy. 3
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Cyber Attack Trends The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. Significant data breaches in 2015 included1: ■ VTech (children’s technology maker) – personal data compromised for 5 million parents and 6 million children ■ Kaspersky Lab (security vendor) – 13 million account records exposed ■ Experian (credit service provider) – personal data compromised for 15 million customers ■ US Office of Personnel Management (federal government) – PII and restricted data exposed for 21.5 million federal employees ■ Anthem Blue Cross Blue Shield (health insurer) – PII and restricted data exposed for 80 million patients and employees 4 0.0 0.5 1.0 1.5 2.0 2.5 3.0 $0.0 $2.0 $4.0 $6.0 $8.0 $10.0 $12.0 $14.0 $16.0 $18.0 2010 2011 2012 2013 2014 2015 AttacksperWeek AverageRemediation Cost($millions) 2015 Cyber Attack Trends2 Annual Cost of Attacks per Company No. of Attacks per Week 42% 36% 19% 2% 1% 2015 Cyber Attack Cost Breakdown2 Information Loss Business Disruption Revenue Loss Other Costs Equipment Damages Highest Reported Remediation Costs $51.9M $36.5M $46.2M $58.1M $60.5M $65.0M 2. Source: 2015 Cost of Cyber Crime Study, Ponemon Institute 1. CRN, 10 Biggest Data Breaches of 2015 In 2015, the average organization spent more than $15 million remediating the effects of cyber attacks. To mitigate potential costs, SSOs must take action to understand and protect the flow of their sensitive information.
Copyright © 2016 by ScottMadden, Inc. All rights reserved. ■ SSOs enhance their efficacy by integrating their primary systems with third-party systems for benefits management, time and attendance, etc. Each of these integrations typically transmits sensitive data over myriad secured and unsecured channels ■ Business process complexities, policies, and exceptions increase along with the amount of sensitive data flowing through the SSO ■ Email, chat, and open service tickets are common modes of sending communications in and out of SSOs. These regularly include sensitive information that can inadvertently fall into the wrong hands ■ Some SSO departments (e.g., workforce administration, call centers) can experience low employee engagement, especially for data security initiatives ■ These departments can also experience high turnover, opening the SSO up further to potential malicious insider activity The volume of sensitive data makes SSOs a target. While a high volume of data tends to correlate to increased operational efficiency, it also increases the risk that this data may be compromised. Despite this, data security is often overlooked in favor of gains in operational efficiency and customer service. Key SSO Risk Factors 5 SSO Risk Factors Complexity of an HR SSO Information Ecosystem SSO data is constantly moving through countless systems, applications, and individuals. Only a robust cybersecurity program can mitigate the complexities of the information ecosystem.
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Building Blocks of SSO Cybersecurity Tiered SSO delivery models often include payroll and leave-of-absence specialists, AP clerks, and HRIS teams that have elevated privileges to sensitive data. SSOs need to provide employees the tools, awareness, and direction to properly handle, communicate, and use confidential and restricted data. 6 Building Block Key Questions Potential Vulnerabilities Data Security ■ Do you know where your confidential and restricted data is stored and for how long? ■ What controls are in place to ensure data safely reaches its intended destination? ■ Do you have secure methods for handling and collaborating with restricted data? ■ Who has access to confidential and restricted data? ■ It is not clear how many systems, applications, servers, etc. house PII ■ Old databases and files are left on shared drives “as is” after they are no longer needed ■ Some employees save files containing PII to their local drives ■ Third-party support vendors have access to applications that process/contain PII Education and Awareness ■ What information security training do SSO employees receive? ■ How often is the material refreshed and presented? ■ Employees receive minimal, ineffective training ■ Training documentation is not up to date with current trends and leading practices Security Governance and Compliance ■ Are there clear roles and responsibilities between the SSO, IT, and InfoSec? ■ Are you in compliance with enterprise data security standards and policies? ■ Lack of an overall governance structure that clearly outlines roles and accountabilities ■ Enterprise data retention policies require file deletion before statutory paystub regulations
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Time and Attendance System Payroll Audit Check Print Database and System HR and Payroll System SSO Data Security SSO data is stored in and moves through countless on-premises and cloud applications and systems. Understanding where sensitive data is stored and how it is used and shared are essential to developing and implementing effective security controls. Data can be classified in three categories: ■ Data at rest: Anything that holds data in a static state, such as file shares, databases, servers, etc. ■ Data in motion: Data in transit (“on a wire”) between applications, systems, individuals, etc. via email, web, or other Internet protocols ■ Data in use: Data that resides on the end-user workstation and needs to be protected from being leaked through removable media devices like USBs, DVDs, CDs etc. The graphic below depicts a sample flow of data through an SSO’s payroll process: 7 Data in Use The payroll audit team uses computers and shared drives to audit payroll files prior to releasing for final printing. Key concerns include:  Frequency that drives and computers are wiped for sensitive information  Access restrictions to shared drives  Standards for sharing sensitive data Data in Motion Key concerns:  Level of encryption on data as it moves  Encryption key management/policies Data at Rest Data is stored in multiple locations in this diagram – the T&A database, the cloud HR/payroll solution, and the check printing software database. Key concerns include:  Level of encryption (e.g., full disk, file level)  Consistent use of encryption  Access restrictions to databases and servers
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Mitigating Common SSO Data Security Challenges Many SSOs face similar data security challenges and risk points they must address: ■ Stale or outdated data maintained on servers and databases ■ Numerous locations and mechanisms for storing data ■ Necessity of cross-functional collaboration using sensitive data ■ Inconsistent use of encryption and secure file transfer protocols ■ Lack of clarity with regards to retention standards Formal data security standards can help mitigate these risks throughout the data life cycle. Key considerations include: ■ What data will be stored, and for how long ■ Where data will be stored, both physically and electronically ■ Who can access data, including both applications and users ■ How often and where data should be backed up ■ When and how to destroy data 8 User Data Creation Data Storage Archive Data Backup Data Disposal Ability to Recall/Access Application Life Cycle of SSO Data
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Education and Awareness Cyber crimes are not the only sources of risk for SSOs—the action or inaction of employees can also lead to security incidents. It is vital SSOs maintain a security awareness program to ensure employees understand the importance of protecting sensitive information, how to handle it securely, and the risks of mishandling such information. 9 Source: PCI Security Standards Council Qualities of an effective and sustainable awareness program include: ■ Information is provided in a way that relates to the SSO culture (i.e., how employees think and behave) ■ Information is delivered in different formats to affect change and is consistently reinforced and repeated ■ Management is on-board and understands the holistic security risks (e.g., financial, reputational, legal) ■ Presentations are personal – “bring the message home,” “security is everyone’s job” ■ Information is relevant to current events and trends and is consistently updated with lessons learned
Copyright © 2016 by ScottMadden, Inc. All rights reserved. ■ Identify a clear set of roles and responsibilities for which each group is accountable ■ Leverage the insight of each group to determine risk points ■ Ensure communication between all groups is timely, efficient, and ongoing ■ Work together on policy creation to ensure the alignment on data security priorities and standards In addition to securing sensitive data and educating employees, SSOs must work with other parts of the organization to clearly define security roles and responsibilities. Establishing a governance model creates a structure that enables the SSO to operate with clear role definition, fosters appropriate accountabilities, and ensures compliance with corporate standards. 10 Establish Enterprise Data Security Standards Foster Collaboration between the SSO, IT, Legal and InfoSec Governance and Compliance ■ Conduct analysis to understand where the SSO is in relation to existing enterprise data security policies and identify highest priority gaps ■ Collaborate to establish overall data security standards taking into account special SSO situations and laws/regulations ■ Document policy and process documentation ■ Establish a process and standards audit cycle
Copyright © 2016 by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices 11 Building Block Leading Practice Benefit Description Impact Implementation Level Data Security Secure sensitive information that is not encrypted ■ Reduces the likelihood of a successful breach ■ Enhances the defense in depth through multiple avenues of layered security ■ Supports secure business processes High Enterprise/SSO Enhance physical security practices ■ Protects employees, hardware, programs, network, data, and other assets from physical intrusions and events that could cause loss or damage to an organization or individual High SSO Develop information sharing standards ■ Provides clarity of expectations, increases accountability, and ensures the most effective tools at the organization’s disposal are being used ■ Ensures the applications and tools used to share information meet organizational security and business requirements High Enterprise/SSO Develop information storage standards ■ Determines how SSOs will comply with the organization’s data retention policy High SSO Inventory information at rest, in motion, and in use ■ Allows an organization to: • Create policies and standards aligned with business needs • Secure data via encryption or other appropriate methods • Develop an effective defense in depth strategy High Enterprise/SSO Isolate restricted information and confidential information ■ Creates and designates repositories for the storage of sensitive information ■ Allows the organization to better understand where its data resides ■ Ensures security solutions and resources are prioritized and aligned with protecting the organization’s most valuable information High Enterprise/SSO Education and Awareness Develop a security awareness program ■ Regularly reminds and reinforces the need to keep sensitive information secure ■ Continuously promotes awareness High Enterprise/SSO
Copyright © 2016 by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices (Cont’d) 12 Building Block Leading Practice Benefit Description Impact Implementation Level Governance and Compliance Develop a data retention policy ■ Helps organizations manage data, comply with laws and regulations, and prepare for business continuity in case of a disaster High Enterprise/SSO Define security governance ■ Creates a structure that enables the organization to operate with clear role definition and accountabilities High Enterprise Develop policy and process documentation ■ Allows senior leadership to communicate philosophies, strategy, and broad requirements to the organization ■ Allows leadership to define and standardize how the requirements set forth in the policies will be accomplished High Enterprise/SSO Measure process effectiveness ■ Allows an organization to assess the effectiveness of its security controls ■ Facilitates decision making, improves performance, and increases accountability Medium Enterprise/SSO Audit processes, protocols, and standards ■ Instills a sense of confidence that the business is functioning well and is prepared to meet potential challenges ■ Encourages continuous improvement Medium Enterprise/SSO Perform risk assessments ■ Highlights the cybersecurity risk to organizational operations, assets, and individuals ■ Serves as a foundation for prioritizing improvement efforts and decision making Medium Enterprise Develop system requirements ■ Describes functions which systems, applications, and other tools should fulfill to meet security and business requirements Low Enterprise Develop a formal data loss prevention program ■ Improves data classification schemes ■ Provides an understanding of the data life cycle ■ Enhances controls over access to sensitive data Low Enterprise
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Putting It All Together A programmatic approach is required to secure SSOs. Attempts to build and improve cybersecurity capabilities through individual or disjointed projects are expensive and ineffective. SSOs must pursue a programmatic approach that mitigates SSO- wide risks. 13 Engaging SSO leadership and stakeholders in cybersecurity decision making is the single most important factor in creating a successful cybersecurity program—more than technology or funding. In a formal cybersecurity program: ■ A roadmap is created to identify critical risks, take immediate action, and achieve long-term capabilities. Many leading practices can be implemented quickly with significant impact on SSO cybersecurity ■ Priorities are risk informed ■ Project management and organizational change management enable a successful implementation ■ Monitoring of indicators drives corrective actions and continuous improvement Cybersecurity Policies and Controls Technology and Automation Capabilities Business Processes and Employee Behaviors Changes SSO Mission and Strategic Objectives SSO Risks Governance: Evaluate, Direct, MonitorManagement: Plan, Do, Check, Act Program and Organizational Change Management
Copyright © 2016 by ScottMadden, Inc. All rights reserved. How ScottMadden Can Help 14 ■ Strategic planning support ■ Security program management ■ Design and implementation ■ Security policy alignment ■ Program assessments ■ Sensitive data inventories ■ Transformation ■ Policy framework design ■ Business policy and process assessments ■ Data security standards creation ■ Cybersecurity metric design and implementation ■ Access management strategy development ■ OCM support of implementation efforts ■ Cybersecurity awareness plan – design and implementation ■ Process design ■ Implementation project management ■ Cybersecurity threat- based risk assessments ■ Vendor selection Cybersecurity Program Services Cybersecurity Governance Design and Implementation Cybersecurity Organizational Change Management (OCM) Cybersecurity Capability Design and Implementation
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Jon Kerner Partner and Information Technology Practice Lead ScottMadden, Inc. 3495 Piedmont Road Building 10, Suite 805 Atlanta, GA 30305 jkerner@scottmadden.com O: 678-702-8346 To learn more about SSO Cybersecurity, contact us. Contact Us 15

Recomendados

Transforming the Global HR Contact Center at EY
Transforming the Global HR Contact Center at EYTransforming the Global HR Contact Center at EY
Transforming the Global HR Contact Center at EY
Natalya Copeland
 
AI: A risk and way to manage risk
AI: A risk and way to manage riskAI: A risk and way to manage risk
AI: A risk and way to manage risk
Karan Sachdeva
 
Business Intelligence - Conceptual Introduction
Business Intelligence - Conceptual IntroductionBusiness Intelligence - Conceptual Introduction
Business Intelligence - Conceptual Introduction
Ahmed Rami Elsherif, PMP, ITBMC
 
Master IT balanced scorecard (final).pptx
Master IT balanced scorecard (final).pptxMaster IT balanced scorecard (final).pptx
Master IT balanced scorecard (final).pptx
Glen Alleman
 
Operating Model Design in a Digital World
Operating Model Design in a Digital WorldOperating Model Design in a Digital World
Operating Model Design in a Digital World
Robert Cade
 
Future Proofing Your IT Operating Model for Digital
Future Proofing Your IT Operating Model for DigitalFuture Proofing Your IT Operating Model for Digital
Future Proofing Your IT Operating Model for Digital
David Favelle
 
Business Focused IT Strategy
Business Focused IT StrategyBusiness Focused IT Strategy
Business Focused IT Strategy
muhammadsjameel
 
Strategy Design Framework
Strategy Design FrameworkStrategy Design Framework
Strategy Design Framework
Management Consultant | Global Transformation and Change | Strategy Design | Consulting Skills Coach
 

Recomendados

Transforming the Global HR Contact Center at EY
Transforming the Global HR Contact Center at EYTransforming the Global HR Contact Center at EY
Transforming the Global HR Contact Center at EY
Natalya Copeland
 
AI: A risk and way to manage risk
AI: A risk and way to manage riskAI: A risk and way to manage risk
AI: A risk and way to manage risk
Karan Sachdeva
 
Business Intelligence - Conceptual Introduction
Business Intelligence - Conceptual IntroductionBusiness Intelligence - Conceptual Introduction
Business Intelligence - Conceptual Introduction
Ahmed Rami Elsherif, PMP, ITBMC
 
Master IT balanced scorecard (final).pptx
Master IT balanced scorecard (final).pptxMaster IT balanced scorecard (final).pptx
Master IT balanced scorecard (final).pptx
Glen Alleman
 
Operating Model Design in a Digital World
Operating Model Design in a Digital WorldOperating Model Design in a Digital World
Operating Model Design in a Digital World
Robert Cade
 
Future Proofing Your IT Operating Model for Digital
Future Proofing Your IT Operating Model for DigitalFuture Proofing Your IT Operating Model for Digital
Future Proofing Your IT Operating Model for Digital
David Favelle
 
Business Focused IT Strategy
Business Focused IT StrategyBusiness Focused IT Strategy
Business Focused IT Strategy
muhammadsjameel
 
Strategy Design Framework
Strategy Design FrameworkStrategy Design Framework
Strategy Design Framework
Management Consultant | Global Transformation and Change | Strategy Design | Consulting Skills Coach
 
Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
Service Management (ITSM) & Business Relationship Management (BRM) - Working ...Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
John Kleist III
 
Qualys Corporate Brochure
Qualys Corporate BrochureQualys Corporate Brochure
Qualys Corporate Brochure
Qualys
 
What is the Next Generation for Application Managed Services?
What is the Next Generation for Application Managed Services?What is the Next Generation for Application Managed Services?
What is the Next Generation for Application Managed Services?
Hexaware Technologies
 
Cybersecurity risk management 101
Cybersecurity risk management 101Cybersecurity risk management 101
Cybersecurity risk management 101
Srinivasan Vanamali
 
Business Analyst Interview Questions SlideShare
Business Analyst Interview Questions SlideShareBusiness Analyst Interview Questions SlideShare
Business Analyst Interview Questions SlideShare
Invensis Learning
 
IT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of ITIT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of IT
The Open Group SA
 
A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...
A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...
A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...
Amazon Web Services
 
Understanding LLMOps-Large Language Model Operations
Understanding LLMOps-Large Language Model OperationsUnderstanding LLMOps-Large Language Model Operations
Understanding LLMOps-Large Language Model Operations
My Gen Tec
 
Generative AI - Responsible Path Forward.pdf
Generative AI - Responsible Path Forward.pdfGenerative AI - Responsible Path Forward.pdf
Generative AI - Responsible Path Forward.pdf
Saeed Al Dhaheri
 
AI: Built to Scale
AI: Built to ScaleAI: Built to Scale
AI: Built to Scale
accenture
 
High Tech Digital Transformation
High Tech Digital TransformationHigh Tech Digital Transformation
High Tech Digital Transformation
accenture
 
Contact Center Assessment: Solution Overview and Approach
Contact Center Assessment: Solution Overview and ApproachContact Center Assessment: Solution Overview and Approach
Contact Center Assessment: Solution Overview and Approach
ScottMadden, Inc.
 
Netflix Recommender System : Big Data Case Study
Netflix Recommender System : Big Data Case StudyNetflix Recommender System : Big Data Case Study
Netflix Recommender System : Big Data Case Study
Ketan Patil
 
Optimize the IT Operating Model
Optimize the IT Operating ModelOptimize the IT Operating Model
Optimize the IT Operating Model
Info-Tech Research Group
 
Building Big Data Analytics Center Of Excellence
Building Big Data Analytics Center Of Excellence Building Big Data Analytics Center Of Excellence
Building Big Data Analytics Center Of Excellence
Dr. Mohan K. Bavirisetty
 
Data science - An Introduction
Data science - An IntroductionData science - An Introduction
Data science - An Introduction
Ravishankar Rajagopalan
 
Bank of the future: Digital Transformation Strategy
Bank of the future: Digital Transformation StrategyBank of the future: Digital Transformation Strategy
Bank of the future: Digital Transformation Strategy
Nawaf Albadia
 
Running the Business of IT on ServiceNow using IT4IT
Running the Business of IT on ServiceNow using IT4ITRunning the Business of IT on ServiceNow using IT4IT
Running the Business of IT on ServiceNow using IT4IT
cccamericas
 
Align IT and Enterprise Operating Models.pdf
Align IT and Enterprise Operating Models.pdfAlign IT and Enterprise Operating Models.pdf
Align IT and Enterprise Operating Models.pdf
JoelRodriguze
 
Gartner EA Presentation v1
Gartner EA Presentation v1Gartner EA Presentation v1
Gartner EA Presentation v1
Mark Mamone
 
Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New Frontiers
Albert Hui
 
Security in the cloud
Security in the cloudSecurity in the cloud
Security in the cloud
Amazon Web Services
 

Mais conteúdo relacionado

Mais procurados

Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
Service Management (ITSM) & Business Relationship Management (BRM) - Working ...Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
John Kleist III
 
What is the Next Generation for Application Managed Services?
What is the Next Generation for Application Managed Services?What is the Next Generation for Application Managed Services?
What is the Next Generation for Application Managed Services?
Hexaware Technologies
 
AI: Built to Scale
AI: Built to ScaleAI: Built to Scale
AI: Built to Scale
accenture
 
Optimize the IT Operating Model
Optimize the IT Operating ModelOptimize the IT Operating Model
Optimize the IT Operating Model
Info-Tech Research Group
 
Building Big Data Analytics Center Of Excellence
Building Big Data Analytics Center Of Excellence Building Big Data Analytics Center Of Excellence
Building Big Data Analytics Center Of Excellence
Dr. Mohan K. Bavirisetty
 
Gartner EA Presentation v1
Gartner EA Presentation v1Gartner EA Presentation v1
Gartner EA Presentation v1
Mark Mamone
 

Mais procurados (20)

Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
Service Management (ITSM) & Business Relationship Management (BRM) - Working ...Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
Service Management (ITSM) & Business Relationship Management (BRM) - Working ...
 
Qualys Corporate Brochure
Qualys Corporate BrochureQualys Corporate Brochure
Qualys Corporate Brochure
 
What is the Next Generation for Application Managed Services?
What is the Next Generation for Application Managed Services?What is the Next Generation for Application Managed Services?
What is the Next Generation for Application Managed Services?
 
Cybersecurity risk management 101
Cybersecurity risk management 101Cybersecurity risk management 101
Cybersecurity risk management 101
 
Business Analyst Interview Questions SlideShare
Business Analyst Interview Questions SlideShareBusiness Analyst Interview Questions SlideShare
Business Analyst Interview Questions SlideShare
 
IT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of ITIT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of IT
 
A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...
A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...
A Data Driven Roadmap to Enterprise AI Strategy (Sponsored by Contino) - AWS ...
 
Understanding LLMOps-Large Language Model Operations
Understanding LLMOps-Large Language Model OperationsUnderstanding LLMOps-Large Language Model Operations
Understanding LLMOps-Large Language Model Operations
 
Generative AI - Responsible Path Forward.pdf
Generative AI - Responsible Path Forward.pdfGenerative AI - Responsible Path Forward.pdf
Generative AI - Responsible Path Forward.pdf
 
AI: Built to Scale
AI: Built to ScaleAI: Built to Scale
AI: Built to Scale
 
High Tech Digital Transformation
High Tech Digital TransformationHigh Tech Digital Transformation
High Tech Digital Transformation
 
Contact Center Assessment: Solution Overview and Approach
Contact Center Assessment: Solution Overview and ApproachContact Center Assessment: Solution Overview and Approach
Contact Center Assessment: Solution Overview and Approach
 
Netflix Recommender System : Big Data Case Study
Netflix Recommender System : Big Data Case StudyNetflix Recommender System : Big Data Case Study
Netflix Recommender System : Big Data Case Study
 
Optimize the IT Operating Model
Optimize the IT Operating ModelOptimize the IT Operating Model
Optimize the IT Operating Model
 
Building Big Data Analytics Center Of Excellence
Building Big Data Analytics Center Of Excellence Building Big Data Analytics Center Of Excellence
Building Big Data Analytics Center Of Excellence
 
Data science - An Introduction
Data science - An IntroductionData science - An Introduction
Data science - An Introduction
 
Bank of the future: Digital Transformation Strategy
Bank of the future: Digital Transformation StrategyBank of the future: Digital Transformation Strategy
Bank of the future: Digital Transformation Strategy
 
Running the Business of IT on ServiceNow using IT4IT
Running the Business of IT on ServiceNow using IT4ITRunning the Business of IT on ServiceNow using IT4IT
Running the Business of IT on ServiceNow using IT4IT
 
Align IT and Enterprise Operating Models.pdf
Align IT and Enterprise Operating Models.pdfAlign IT and Enterprise Operating Models.pdf
Align IT and Enterprise Operating Models.pdf
 
Gartner EA Presentation v1
Gartner EA Presentation v1Gartner EA Presentation v1
Gartner EA Presentation v1
 

Destaque

Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New Frontiers
Albert Hui
 

Destaque (6)

Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New Frontiers
 
Security in the cloud
Security in the cloudSecurity in the cloud
Security in the cloud
 
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + SecurityGet Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
 
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)
 

Semelhante a Cybersecurity in Shared Services Organizations

Keep Up with the Demands of IT Security on a Nonprofit Budget
Keep Up with the Demands of IT Security on a Nonprofit BudgetKeep Up with the Demands of IT Security on a Nonprofit Budget
Keep Up with the Demands of IT Security on a Nonprofit Budget
BVU
 
A data-centric program
A data-centric program A data-centric program
A data-centric program
at MicroFocus Italy ❖✔
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
Patty Buckley
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
 
Southwestern Business Administration JournalVolume 16 Is.docx
Southwestern Business Administration JournalVolume 16 Is.docxSouthwestern Business Administration JournalVolume 16 Is.docx
Southwestern Business Administration JournalVolume 16 Is.docx
rosemariebrayshaw
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
toltonkendal
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Randall Chase
 

Semelhante a Cybersecurity in Shared Services Organizations (20)

Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
Keep Up with the Demands of IT Security on a Nonprofit Budget
Keep Up with the Demands of IT Security on a Nonprofit BudgetKeep Up with the Demands of IT Security on a Nonprofit Budget
Keep Up with the Demands of IT Security on a Nonprofit Budget
 
Data exfiltration so many threats 2016
Data exfiltration so many threats 2016Data exfiltration so many threats 2016
Data exfiltration so many threats 2016
 
A data-centric program
A data-centric program A data-centric program
A data-centric program
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentation
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Spo2 t17
Spo2 t17Spo2 t17
Spo2 t17
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
Southwestern Business Administration JournalVolume 16 Is.docx
Southwestern Business Administration JournalVolume 16 Is.docxSouthwestern Business Administration JournalVolume 16 Is.docx
Southwestern Business Administration JournalVolume 16 Is.docx
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
 

Mais de ScottMadden, Inc.

Overcoming the Challenges of Large Capital Programs/Projects
Overcoming the Challenges of Large Capital Programs/ProjectsOvercoming the Challenges of Large Capital Programs/Projects
Overcoming the Challenges of Large Capital Programs/Projects
ScottMadden, Inc.
 
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
ScottMadden, Inc.
 
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
ScottMadden, Inc.
 
Capital Program Assessment Overview
Capital Program Assessment OverviewCapital Program Assessment Overview
Capital Program Assessment Overview
ScottMadden, Inc.
 

Mais de ScottMadden, Inc. (20)

Creating IT Value-A Better Way to Make IT Investment Decisions
Creating IT Value-A Better Way to Make IT Investment DecisionsCreating IT Value-A Better Way to Make IT Investment Decisions
Creating IT Value-A Better Way to Make IT Investment Decisions
 
Benchmarking for Natural Gas LDCs
Benchmarking for Natural Gas LDCsBenchmarking for Natural Gas LDCs
Benchmarking for Natural Gas LDCs
 
Benchmarking for Natural Gas LDCs
Benchmarking for Natural Gas LDCsBenchmarking for Natural Gas LDCs
Benchmarking for Natural Gas LDCs
 
ScottMadden Fossil Benchmarking Analysis
ScottMadden Fossil Benchmarking Analysis ScottMadden Fossil Benchmarking Analysis
ScottMadden Fossil Benchmarking Analysis
 
Overcoming the Challenges of Large Capital Programs/Projects
Overcoming the Challenges of Large Capital Programs/ProjectsOvercoming the Challenges of Large Capital Programs/Projects
Overcoming the Challenges of Large Capital Programs/Projects
 
ScottMadden HR Shared Services Benchmarking Study Highlights 2019
ScottMadden HR Shared Services Benchmarking Study Highlights 2019ScottMadden HR Shared Services Benchmarking Study Highlights 2019
ScottMadden HR Shared Services Benchmarking Study Highlights 2019
 
ScottMadden Fossil Benchmarking Analysis
ScottMadden Fossil Benchmarking Analysis ScottMadden Fossil Benchmarking Analysis
ScottMadden Fossil Benchmarking Analysis
 
ScottMadden Finance Shared Services Benchmark Highlights 2020
ScottMadden Finance Shared Services Benchmark Highlights 2020ScottMadden Finance Shared Services Benchmark Highlights 2020
ScottMadden Finance Shared Services Benchmark Highlights 2020
 
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
 
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
 
Energy Industry Update Webcast: Don't Stop Believin'
Energy Industry Update Webcast: Don't Stop Believin'Energy Industry Update Webcast: Don't Stop Believin'
Energy Industry Update Webcast: Don't Stop Believin'
 
Combined Cycles
Combined CyclesCombined Cycles
Combined Cycles
 
Technology for HR Shared Services
Technology for HR Shared ServicesTechnology for HR Shared Services
Technology for HR Shared Services
 
Building a Business Case for Shared Services
Building a Business Case for Shared ServicesBuilding a Business Case for Shared Services
Building a Business Case for Shared Services
 
Fundamentals of Designing, Building, & Implementing a Service Delivery Center
Fundamentals of Designing, Building, & Implementing a Service Delivery CenterFundamentals of Designing, Building, & Implementing a Service Delivery Center
Fundamentals of Designing, Building, & Implementing a Service Delivery Center
 
Next Generation Shared Services Centers
Next Generation Shared Services CentersNext Generation Shared Services Centers
Next Generation Shared Services Centers
 
California’s Combined Cycle Costs in the Age of the Duck Curve
California’s Combined Cycle Costs in the Age of the Duck CurveCalifornia’s Combined Cycle Costs in the Age of the Duck Curve
California’s Combined Cycle Costs in the Age of the Duck Curve
 
Capital Program Assessment Overview
Capital Program Assessment OverviewCapital Program Assessment Overview
Capital Program Assessment Overview
 
Value of Strategic Direction
Value of Strategic DirectionValue of Strategic Direction
Value of Strategic Direction
 
Generation Trends: What are the Impacts on Transmission?
Generation Trends: What are the Impacts on Transmission? Generation Trends: What are the Impacts on Transmission?
Generation Trends: What are the Impacts on Transmission?
 

Último

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 

Último (20)

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 

Cybersecurity in Shared Services Organizations

  • 1. Copyright © 2016 ScottMadden, Inc. All rights reserved. Cybersecurity in Shared Services Organizations June 2016
  • 2. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Contents ■ Introduction to Shared Services Cybersecurity ■ What’s at Risk? ■ Cyber Attack Trends ■ Key Shared Services Organization (SSO) Risk Factors ■ Building Blocks of an SSO Cybersecurity Program • Data Security • Education and Awareness • Governance and Compliance ■ SSO Cybersecurity Leading Practices ■ How ScottMadden Can Help 1
  • 3. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Introduction to Shared Services Cybersecurity Shared Service Organizations (SSOs) control much of an organization’s confidential and restricted personal information. While handling and using this data is routine for SSOs, it is exactly the kind of information that is highly prized by cyber criminals. A robust cybersecurity program is imperative to protect the organization, employees, and customers. Cyber threats can materialize in a number of ways but can be broken down into two main types: 2 Type Description Examples External ■ Cyber criminals use offensive maneuvers with the intent of stealing, altering, or destroying data, networks, infrastructure assets, and/or personal devices ■ Denial of service attacks designed to make network resources unavailable to its users ■ Unauthorized users gaining physical access to a computer and downloading sensitive data ■ Attempts to acquire usernames, passwords, and credit card details directly from users (e.g., phishing) Internal ■ Employees unintentionally compromise sensitive data or systems, potentially exposing the organization to cyber attacks ■ Employees maliciously circumvent data security protocols and/or willingly aid cyber criminals ■ Sending documents containing sensitive information via standard email rather than through secure email programs ■ Purposefully opening email attachments from external senders known to contain malicious code Many organizations have dedicated Information Security (InfoSec) groups that manage security programs enterprise wide. However, accountability for protecting sensitive shared services and employee information ultimately falls to the SSO.
  • 4. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Personal Data/PII Business/Organization Examples of Confidential Information  Name  Email address  Physical address  Phone number  Job title  Work experience  Evaluations  Gender  Marital status  Age  M&A or transactional activity  Ongoing lawsuits  Internal investigations  Proprietary content  Advance SEC filings  Press releases  Emails  Internal memos  Company presentations Examples of Restricted Information  SSN  Passport  Driver’s license  Ethnicity  Nationality  Sexual orientation  Medical history  Salary/compensation  Bank account information  Background checks  Credit reports  Criminal history  Strategic plans  Budgets  Reports  Legal materials  Audits and assessments  P-card numbers What’s At Risk? Confidential Information refers to data/information for which unauthorized access or disclosure could result in an adverse effect on the organization, an individual, or both. This information could either be personally identifiable information (PII) or confidential business information. Restricted Information includes the most sensitive Confidential Information and is typically protected by law or policy. 3
  • 5. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Cyber Attack Trends The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. Significant data breaches in 2015 included1: ■ VTech (children’s technology maker) – personal data compromised for 5 million parents and 6 million children ■ Kaspersky Lab (security vendor) – 13 million account records exposed ■ Experian (credit service provider) – personal data compromised for 15 million customers ■ US Office of Personnel Management (federal government) – PII and restricted data exposed for 21.5 million federal employees ■ Anthem Blue Cross Blue Shield (health insurer) – PII and restricted data exposed for 80 million patients and employees 4 0.0 0.5 1.0 1.5 2.0 2.5 3.0 $0.0 $2.0 $4.0 $6.0 $8.0 $10.0 $12.0 $14.0 $16.0 $18.0 2010 2011 2012 2013 2014 2015 AttacksperWeek AverageRemediation Cost($millions) 2015 Cyber Attack Trends2 Annual Cost of Attacks per Company No. of Attacks per Week 42% 36% 19% 2% 1% 2015 Cyber Attack Cost Breakdown2 Information Loss Business Disruption Revenue Loss Other Costs Equipment Damages Highest Reported Remediation Costs $51.9M $36.5M $46.2M $58.1M $60.5M $65.0M 2. Source: 2015 Cost of Cyber Crime Study, Ponemon Institute 1. CRN, 10 Biggest Data Breaches of 2015 In 2015, the average organization spent more than $15 million remediating the effects of cyber attacks. To mitigate potential costs, SSOs must take action to understand and protect the flow of their sensitive information.
  • 6. Copyright © 2016 by ScottMadden, Inc. All rights reserved. ■ SSOs enhance their efficacy by integrating their primary systems with third-party systems for benefits management, time and attendance, etc. Each of these integrations typically transmits sensitive data over myriad secured and unsecured channels ■ Business process complexities, policies, and exceptions increase along with the amount of sensitive data flowing through the SSO ■ Email, chat, and open service tickets are common modes of sending communications in and out of SSOs. These regularly include sensitive information that can inadvertently fall into the wrong hands ■ Some SSO departments (e.g., workforce administration, call centers) can experience low employee engagement, especially for data security initiatives ■ These departments can also experience high turnover, opening the SSO up further to potential malicious insider activity The volume of sensitive data makes SSOs a target. While a high volume of data tends to correlate to increased operational efficiency, it also increases the risk that this data may be compromised. Despite this, data security is often overlooked in favor of gains in operational efficiency and customer service. Key SSO Risk Factors 5 SSO Risk Factors Complexity of an HR SSO Information Ecosystem SSO data is constantly moving through countless systems, applications, and individuals. Only a robust cybersecurity program can mitigate the complexities of the information ecosystem.
  • 7. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Building Blocks of SSO Cybersecurity Tiered SSO delivery models often include payroll and leave-of-absence specialists, AP clerks, and HRIS teams that have elevated privileges to sensitive data. SSOs need to provide employees the tools, awareness, and direction to properly handle, communicate, and use confidential and restricted data. 6 Building Block Key Questions Potential Vulnerabilities Data Security ■ Do you know where your confidential and restricted data is stored and for how long? ■ What controls are in place to ensure data safely reaches its intended destination? ■ Do you have secure methods for handling and collaborating with restricted data? ■ Who has access to confidential and restricted data? ■ It is not clear how many systems, applications, servers, etc. house PII ■ Old databases and files are left on shared drives “as is” after they are no longer needed ■ Some employees save files containing PII to their local drives ■ Third-party support vendors have access to applications that process/contain PII Education and Awareness ■ What information security training do SSO employees receive? ■ How often is the material refreshed and presented? ■ Employees receive minimal, ineffective training ■ Training documentation is not up to date with current trends and leading practices Security Governance and Compliance ■ Are there clear roles and responsibilities between the SSO, IT, and InfoSec? ■ Are you in compliance with enterprise data security standards and policies? ■ Lack of an overall governance structure that clearly outlines roles and accountabilities ■ Enterprise data retention policies require file deletion before statutory paystub regulations
  • 8. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Time and Attendance System Payroll Audit Check Print Database and System HR and Payroll System SSO Data Security SSO data is stored in and moves through countless on-premises and cloud applications and systems. Understanding where sensitive data is stored and how it is used and shared are essential to developing and implementing effective security controls. Data can be classified in three categories: ■ Data at rest: Anything that holds data in a static state, such as file shares, databases, servers, etc. ■ Data in motion: Data in transit (“on a wire”) between applications, systems, individuals, etc. via email, web, or other Internet protocols ■ Data in use: Data that resides on the end-user workstation and needs to be protected from being leaked through removable media devices like USBs, DVDs, CDs etc. The graphic below depicts a sample flow of data through an SSO’s payroll process: 7 Data in Use The payroll audit team uses computers and shared drives to audit payroll files prior to releasing for final printing. Key concerns include:  Frequency that drives and computers are wiped for sensitive information  Access restrictions to shared drives  Standards for sharing sensitive data Data in Motion Key concerns:  Level of encryption on data as it moves  Encryption key management/policies Data at Rest Data is stored in multiple locations in this diagram – the T&A database, the cloud HR/payroll solution, and the check printing software database. Key concerns include:  Level of encryption (e.g., full disk, file level)  Consistent use of encryption  Access restrictions to databases and servers
  • 9. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Mitigating Common SSO Data Security Challenges Many SSOs face similar data security challenges and risk points they must address: ■ Stale or outdated data maintained on servers and databases ■ Numerous locations and mechanisms for storing data ■ Necessity of cross-functional collaboration using sensitive data ■ Inconsistent use of encryption and secure file transfer protocols ■ Lack of clarity with regards to retention standards Formal data security standards can help mitigate these risks throughout the data life cycle. Key considerations include: ■ What data will be stored, and for how long ■ Where data will be stored, both physically and electronically ■ Who can access data, including both applications and users ■ How often and where data should be backed up ■ When and how to destroy data 8 User Data Creation Data Storage Archive Data Backup Data Disposal Ability to Recall/Access Application Life Cycle of SSO Data
  • 10. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Education and Awareness Cyber crimes are not the only sources of risk for SSOs—the action or inaction of employees can also lead to security incidents. It is vital SSOs maintain a security awareness program to ensure employees understand the importance of protecting sensitive information, how to handle it securely, and the risks of mishandling such information. 9 Source: PCI Security Standards Council Qualities of an effective and sustainable awareness program include: ■ Information is provided in a way that relates to the SSO culture (i.e., how employees think and behave) ■ Information is delivered in different formats to affect change and is consistently reinforced and repeated ■ Management is on-board and understands the holistic security risks (e.g., financial, reputational, legal) ■ Presentations are personal – “bring the message home,” “security is everyone’s job” ■ Information is relevant to current events and trends and is consistently updated with lessons learned
  • 11. Copyright © 2016 by ScottMadden, Inc. All rights reserved. ■ Identify a clear set of roles and responsibilities for which each group is accountable ■ Leverage the insight of each group to determine risk points ■ Ensure communication between all groups is timely, efficient, and ongoing ■ Work together on policy creation to ensure the alignment on data security priorities and standards In addition to securing sensitive data and educating employees, SSOs must work with other parts of the organization to clearly define security roles and responsibilities. Establishing a governance model creates a structure that enables the SSO to operate with clear role definition, fosters appropriate accountabilities, and ensures compliance with corporate standards. 10 Establish Enterprise Data Security Standards Foster Collaboration between the SSO, IT, Legal and InfoSec Governance and Compliance ■ Conduct analysis to understand where the SSO is in relation to existing enterprise data security policies and identify highest priority gaps ■ Collaborate to establish overall data security standards taking into account special SSO situations and laws/regulations ■ Document policy and process documentation ■ Establish a process and standards audit cycle
  • 12. Copyright © 2016 by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices 11 Building Block Leading Practice Benefit Description Impact Implementation Level Data Security Secure sensitive information that is not encrypted ■ Reduces the likelihood of a successful breach ■ Enhances the defense in depth through multiple avenues of layered security ■ Supports secure business processes High Enterprise/SSO Enhance physical security practices ■ Protects employees, hardware, programs, network, data, and other assets from physical intrusions and events that could cause loss or damage to an organization or individual High SSO Develop information sharing standards ■ Provides clarity of expectations, increases accountability, and ensures the most effective tools at the organization’s disposal are being used ■ Ensures the applications and tools used to share information meet organizational security and business requirements High Enterprise/SSO Develop information storage standards ■ Determines how SSOs will comply with the organization’s data retention policy High SSO Inventory information at rest, in motion, and in use ■ Allows an organization to: • Create policies and standards aligned with business needs • Secure data via encryption or other appropriate methods • Develop an effective defense in depth strategy High Enterprise/SSO Isolate restricted information and confidential information ■ Creates and designates repositories for the storage of sensitive information ■ Allows the organization to better understand where its data resides ■ Ensures security solutions and resources are prioritized and aligned with protecting the organization’s most valuable information High Enterprise/SSO Education and Awareness Develop a security awareness program ■ Regularly reminds and reinforces the need to keep sensitive information secure ■ Continuously promotes awareness High Enterprise/SSO
  • 13. Copyright © 2016 by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices (Cont’d) 12 Building Block Leading Practice Benefit Description Impact Implementation Level Governance and Compliance Develop a data retention policy ■ Helps organizations manage data, comply with laws and regulations, and prepare for business continuity in case of a disaster High Enterprise/SSO Define security governance ■ Creates a structure that enables the organization to operate with clear role definition and accountabilities High Enterprise Develop policy and process documentation ■ Allows senior leadership to communicate philosophies, strategy, and broad requirements to the organization ■ Allows leadership to define and standardize how the requirements set forth in the policies will be accomplished High Enterprise/SSO Measure process effectiveness ■ Allows an organization to assess the effectiveness of its security controls ■ Facilitates decision making, improves performance, and increases accountability Medium Enterprise/SSO Audit processes, protocols, and standards ■ Instills a sense of confidence that the business is functioning well and is prepared to meet potential challenges ■ Encourages continuous improvement Medium Enterprise/SSO Perform risk assessments ■ Highlights the cybersecurity risk to organizational operations, assets, and individuals ■ Serves as a foundation for prioritizing improvement efforts and decision making Medium Enterprise Develop system requirements ■ Describes functions which systems, applications, and other tools should fulfill to meet security and business requirements Low Enterprise Develop a formal data loss prevention program ■ Improves data classification schemes ■ Provides an understanding of the data life cycle ■ Enhances controls over access to sensitive data Low Enterprise
  • 14. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Putting It All Together A programmatic approach is required to secure SSOs. Attempts to build and improve cybersecurity capabilities through individual or disjointed projects are expensive and ineffective. SSOs must pursue a programmatic approach that mitigates SSO- wide risks. 13 Engaging SSO leadership and stakeholders in cybersecurity decision making is the single most important factor in creating a successful cybersecurity program—more than technology or funding. In a formal cybersecurity program: ■ A roadmap is created to identify critical risks, take immediate action, and achieve long-term capabilities. Many leading practices can be implemented quickly with significant impact on SSO cybersecurity ■ Priorities are risk informed ■ Project management and organizational change management enable a successful implementation ■ Monitoring of indicators drives corrective actions and continuous improvement Cybersecurity Policies and Controls Technology and Automation Capabilities Business Processes and Employee Behaviors Changes SSO Mission and Strategic Objectives SSO Risks Governance: Evaluate, Direct, MonitorManagement: Plan, Do, Check, Act Program and Organizational Change Management
  • 15. Copyright © 2016 by ScottMadden, Inc. All rights reserved. How ScottMadden Can Help 14 ■ Strategic planning support ■ Security program management ■ Design and implementation ■ Security policy alignment ■ Program assessments ■ Sensitive data inventories ■ Transformation ■ Policy framework design ■ Business policy and process assessments ■ Data security standards creation ■ Cybersecurity metric design and implementation ■ Access management strategy development ■ OCM support of implementation efforts ■ Cybersecurity awareness plan – design and implementation ■ Process design ■ Implementation project management ■ Cybersecurity threat- based risk assessments ■ Vendor selection Cybersecurity Program Services Cybersecurity Governance Design and Implementation Cybersecurity Organizational Change Management (OCM) Cybersecurity Capability Design and Implementation
  • 16. Copyright © 2016 by ScottMadden, Inc. All rights reserved. Jon Kerner Partner and Information Technology Practice Lead ScottMadden, Inc. 3495 Piedmont Road Building 10, Suite 805 Atlanta, GA 30305 jkerner@scottmadden.com O: 678-702-8346 To learn more about SSO Cybersecurity, contact us. Contact Us 15