Gain insights from a CEO's perspective on planning strategies to avoid financial and reputation risk, meet cyber and compliance standards, and prevent cyber breaches. Learn about reviewing maturity, compliance requirements, policies, training, staff capabilities, and back-up processes. Discover short, medium, and long-term planning steps to enhance cyber security and compliance.
Cyber Security and Compliance are no longer just an IT Topic. David Kane, CEO, Ethical Intruder. September 24, 2019
Session Overview • This session will address the issue from a CEO’s perspective and include discussions on planning to avoid financial and reputation risk and business obligations to meet cyber and compliance standards.
Issues to be addressed include: • Guidelines for reviewing the maturity of an organization’s cyber security and compliance position • Short-, medium- and long-term cyber and compliance planning steps • The basics of preventing a cyber breach today while minimizing additional product or software purchases • Navigating the latest state and industry compliance requirements
Break out and review different key competencies • Review the requirements to comply with the main financial compliance regimes. Many organizations are choosing to align with the leading regulatory requirements: • SEC cyber security requirements – required of any organization that manages over $25,000,000 in customer assets • NYS DFS 23 NYCRR 500 – required of all financial services entities licensed or regulated by the New York State Department of Financial Services
Review how key functional areas receive, store and transmit data • Interview each functional area and review the key roles by department • Where do practices differ between departments? • Identify gaps against best practice • Do day-to-day practices actually follow the written policies and compliance requirements?
Understanding your policies and requirements is one key element. • How your teams actually interact with data is what exposes the gaps. • Review which policies are in place for compliance or security: • Acceptable Use Policy • General IT Policy • Incident Response Policy • Business Continuity Policy • BYOD Policy • Data Classification Policy • Cyber Liability Policy • Vendor Management Policy • Are the policies actually being reviewed and used? • If policies are not in place, which policies are the priority, based on compliance obligations, business obligations and best practices for your organization?
How does internal organizational training match up to your security or compliance requirements? • Once a security plan or compliance requirement is documented, if it is not shared with employees the plan is only useful on paper. • What types of knowledge transfer are in place for employees? • Is annual compliance training required? • Is annual security training required? • Is annual social engineering (phishing) awareness training required?
Once you have policies and training in place, does your internal support staff have the capability to fulfil the plan? • Once an organization has its core compliance and security policies in place, training rolled out and resources allocated, what is the process for reviewing the effectiveness of these areas? • Review the level of IT support staff and 3rd-party relationships available to fulfil compliance and security requirements • Map each requirement to specific staff to see where personnel coverage is thin or missing
Back-up (assurance) processes that validate your controls will help in the event of a security breach or compliance issue. • Conduct risk management reviews • Conduct vulnerability evaluations • Conduct penetration testing • Conduct social engineering evaluations
Back-office review of security and compliance requirements (legal, insurance, 3rd-party relationships) • Review corporate employee contracts to include compliance and security language • Review vendor management plans and implement 3rd-party security questionnaires • Review or implement cyber liability insurance
Short-, medium- and long-term cyber and compliance planning steps • Have an internal or 3rd-party review of the above steps to get a broad understanding of maturity • Build a roadmap of attainable actions that your organization can handle from a resource perspective and that matches the key criteria
Start in one of three main sub-groups of the information gathered above: • Pre-breach or pre-compliance issue – review business obligations, security and compliance requirements; policy building • Validation of existing policies and controls – review how you would fare in an actual compliance issue or security attack. This can be an audit of existing controls, a phishing exercise against users or a vulnerability evaluation • Planning for a post-breach or compliance issue – focus on response and recovery activities: incident response, backup and recovery, disaster recovery
The basics of preventing a cyber breach today while minimizing additional product or software purchases.
Compliance basics and minimum requirements that get you ahead of the game • Encrypt data at rest • Phishing and social engineering testing and training • Enable multi-factor authentication • Review password security – adopt the NIST SP 800-63B guidance (length over composition rules, screen new passwords against breached-password lists, no forced periodic rotation) • Segment the Wi-Fi network and keep corporate “work” devices off the “guest” network
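The password bullet above is the one item on this slide that maps directly onto a concrete control. The following is an added example, not part of the original deck or of Ethical Intruder’s material: it puts a typical legacy composition-rule policy beside a NIST SP 800-63B style memorized-secret check (minimum length, blocklist of breached/common passwords, context-specific words, repeated or sequential runs, no complexity rules). The breached-password set, the context words and the usernames are constructed stand-ins; a real deployment would load a breached-password corpus instead.

```python
"""NIST SP 800-63B style password check beside a legacy composition policy.

Added example, not from the original slide deck. BREACHED_PASSWORDS and
CONTEXT_WORDS are tiny constructed stand-ins for a real breached-password
corpus (millions of entries) and the service's own names.
"""
import re
import unicodedata

# Constructed stand-in for a breached/common-password list.
BREACHED_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "p@ssw0rd", "summer2019", "iloveyou",
}

# Constructed context-specific words (service name and variants).
CONTEXT_WORDS = {"acme", "acmecorp"}


def legacy_policy(pw: str) -> list[str]:
    """Typical pre-800-63B composition policy, shown for contrast.

    Accepts 'P@ssw0rd' (a well-known breached password) and rejects a long
    passphrase because it has no uppercase letter or digit.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    return problems


def nist_policy(pw: str, username: str = "") -> list[str]:
    """800-63B section 5.1.1.2 style check for a memorized secret.

    - at least 8 characters; long passphrases allowed (capped at 128 here);
    - any Unicode accepted, NFKC-normalized before comparison;
    - rejected if it is in the breached/common list, is a context-specific
      word (service or account name), or is a single repeated or a
      sequential character run;
    - no composition rules and no expiry requirement.
    """
    problems = []
    norm = unicodedata.normalize("NFKC", pw)
    if len(norm) < 8:
        problems.append("shorter than 8 characters")
    if len(norm) > 128:
        problems.append("longer than the 128-character limit")
    lowered = norm.lower()
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in the breached/common password list")
    if lowered in CONTEXT_WORDS or (username and lowered == username.lower()):
        problems.append("is a context-specific word (service or account name)")
    if len(set(lowered)) == 1:
        problems.append("is a single repeated character")
    if _is_sequential(lowered):
        problems.append("is a sequential character run")
    return problems


def _is_sequential(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '12345678' (every step +1 or every step -1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def compare(pw: str, username: str = "") -> dict:
    """Run both policies on one candidate so the difference is visible side by side."""
    return {"legacy": legacy_policy(pw), "nist": nist_policy(pw, username)}


if __name__ == "__main__":
    # Constructed candidates: a breached password the legacy rules accept,
    # a passphrase the legacy rules reject, a sequential run, and a username.
    for candidate in ["P@ssw0rd", "correct horse battery staple", "12345678", "jsmith"]:
        print(repr(candidate), compare(candidate, username="jsmith"))
```

The point the comparison makes is that a composition policy passes “P@ssw0rd” while failing a 28-character passphrase; the 800-63B check does the reverse, because the blocklist and length rules target what attackers actually try rather than what the string looks like.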
Navigating the latest state and industry compliance requirements • Review and know your gaps compared to a standard • NYS DFS 23 NYCRR 500 cyber requirements • SEC cyber requirements • CIS 20 Controls (free downloadable tools) • Use the CIS Implementation Groups to select the controls that fit your size and maturity • Understand the timelines and exemptions for each compliance requirement • Prepare for when the compliance regime or framework will be expected; do not delay