The Role Of Compliance In Cybersecurity


The Role of Compliance in Cybersecurity

Megan Moloney
Senior Strategy, Risk, and Compliance Manager
Federal Bureau of Investigation

SCCE Conference, October 2018
UNCLASSIFIED

I welcome audience participation.

COMPLIANCE: Merriam-Webster definition

- "the act or process of complying to a desire, demand, proposal, or regimen or to coercion"
- "conformity in fulfilling official requirements"
- "a disposition to yield to others"
- "the ability of an object to yield elastically when a force is applied"

CYBERSECURITY: Merriam-Webster definition

"measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack"

Epidemic of Rising Cybercrime Costs

[Chart: Global Cost of Cybercrime Estimates, plotted for 2012 through 2022 on a scale of 0 to 7 trillion; estimates shown: 6T (Cybersecurity Ventures), 2.1T (Juniper), 400B (Lloyd's), 100B (Wall Street)]

- Average cost of a data breach is up to $3.86 million, 6.4 percent over the previous year; average cost of $148 per lost/stolen record (2018 Ponemon/IBM Cost of a Data Breach Study)
- Between 2016 and 2017, successful breaches rose by 27 percent (2017 Cost of Cybercrime Study by Ponemon Institute LLC)
- On average, cybersecurity is costing organizations US $11.7 million per year (2017 Cost of Cybercrime Study by Ponemon Institute LLC)


So what does this have to do with me?

The cyber regulatory environment is maturing.

PCI DSS * HIPAA * Sarbanes-Oxley * GDPR

It's our responsibility to ensure compliance with those laws, regulations, and policies.

But even total regulatory compliance does not guarantee cybersecurity.

Compliance has a continuous role to play in preparing for, responding to, and recovering from cyber incidents.

Cybersecurity Road Map for Compliance Professionals

What questions should you be asking?

- Does the organization have an Enterprise Risk Management Strategy, and does it address cyber risk?
- What is the Cybersecurity Governance Structure?
- Has the organization performed a Risk Assessment and/or Business Impact Analysis for cybersecurity risks?
- Does the organization have a Crisis Management Team for cyber events?
- Does the organization have a Crisis Response Plan for cyber events?
- What third party service provider policies and governing agreements (SLAs) are in place, and are they appropriately managed and adhered to?

Enterprise Risk Management Strategy

- NIST Maturity Framework and model under NIST 800-53
- COSO Enterprise Risk Management – Integrating with Strategy and Performance (updated 2017) (greater emphasis on culture, business value of ERM, and role of IT)
- Cybersecurity-specific Frameworks:
  - ISO/IEC Security Control Standards (focuses on information security management systems)
  - Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment (focuses on financial institutions)
  - SEC/OCIE Cybersecurity Initiative (focuses on investment firms)
  - FCC Cyber Security Planning Guide (focuses on small businesses)
  - NIST Cybersecurity Framework (focuses on manufacturing)

Cybersecurity Governance Structure

Guidance: ISO 27001 is a key resource for Cybersecurity Governance processes; NIST SP 800-53 also provides a selection of controls.

Ways to measure meaningfulness of a Cybersecurity Governance Structure:

- Robust Policy Framework
- Metrics (e.g. statistics on phishing email click rate, repeat offenders, intrusion attempts, training completion rates, etc.)
- Culture (transparency/accountability)
- Budget
- Audit/Risk Committee Reporting Practices (frequency/audience)
- Internal Reporting Mechanisms (communication and escalation practices; bifurcated channels)
- Compliance Penalties/Incentives

Let's take a moment to talk about Reporting.

- How are you informed?
- Do you play any role in determining when and how to inform regulators, other government authorities, shareholders, and/or customers?

Let's take a moment to talk about Incentives.

- Sentencing Guidelines (2004 amendments)
- Opportunity to build cross-functional relationships
- Compliance can provide added value to management
- Tangible Assets: Monetary; On the Spot; Publication

Risk Assessments: Four Key Aspects

- Assets (physical assets/personnel/intellectual property/data)
- Threats (insiders/cybercriminals/competitors/nation states)
- Vulnerabilities (lack of robust controls/poorly trained workforce)
- Impact (safety/mission/business)

Business Impact Analysis

NIST SP 800-34 Rev. 1 provides a BIA Template, consisting of three steps:
1. Determine mission/business processes and recovery criticality (mission/business/safety)
2. Identify Resource Requirements
3. Identify Recovery Priorities for System Resources

Cyber Event Crisis Management Team

Commitment. Strategic direction. Designated Responsibility.

The Crisis Management Team MUST consist of executive level professionals beyond IT: CEO; CIO; CISO; General Counsel; System Administrators/Application owners; Human Resources; Public Relations.

Was someone missing from that list?

Yes. You.

CRISIS RESPONSE PLAN

[Diagram: crisis response plan phases, grouped as Proactive and Reactive, ending with Post-Event Analysis]

Prevention

Perhaps the step with which organizations are most familiar, but also most remiss.

Is there a compliance element to prevention?

- Patching
- Anti-virus
- IDS/IPS systems
- Data minimization
- Multifactor Authentication
- Encryption
- Access Control Management

Preparation

- Draft Incident Response Plan*
- Form Incident Response Team (lower level than Crisis Response Team; must also be multi-disciplinary; consider several for different incident types/impacted systems)
- Prepare cyber-specific Crisis Communication Plan (specific standards of procedures for communicating internally or externally, e.g. with stakeholders, governmental authorities, regulators, press, customers, etc.)*
- Create Robust Policy*
- Create Checklists
- Conduct Training (consider incentivized war games, not just tabletop exercises)*
- Testing Regimes
- Gather Threat Intelligence
- Jumpbags (Standalone Computer Essentials, Printer, Camera, Hardcopies of Checklists, Incident Response Plan, Crisis Communication Plan, etc.)
- Outsourced monitoring, auditing, penetration testing

*See the 2016 European Union Agency for Network and Information Security document "Strategies for Incident Response and Cyber Crisis Cooperation" for additional insights.

Detection

Indicators: Logs reflecting unauthorized use of vulnerability scanners, vulnerability intelligence (public/government-issued), direct threats (Sony Entertainment), sluggish systems, unusually heavy network traffic, antivirus deactivation, bounced emails, erased logs, etc.

Tools: Firewalls; Intrusion Detection Systems (IDSs); Intrusion Prevention Systems (IPSs); Antivirus and Anti-Spam Software; System Activity Logs; Application Activity Logs; Network Analyzers; File Integrity Check Products; Security Information and Event Management Products (SIEM); and Vulnerability Scanners

Analysis

- Is it a legitimate threat (or a false positive)?
- What type of attack is it? What stage is it in?
- What impact would it have if successful?
- If it has succeeded, what systems, networks, and data were breached?
- What are the origins of the attack?

Containment

Isolate affected systems, hardware, etc. Shutdown is not always advisable, because it may limit monitoring and attribution.
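As an added illustration (not part of the presentation), the following Python screen turns five of the detection indicators listed above (antivirus deactivation, erased logs, unauthorized vulnerability-scanner use, bounced email, unusually heavy network traffic) into checks run over constructed sample log lines. The key=value log format, the approved-scanner address list and the egress threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real system).
SAMPLE_LOGS = [
    "2018-10-01T08:01:12Z host=ws-17 svc=antivirus event=service_stopped user=jdoe",
    "2018-10-01T08:02:40Z host=ws-17 event=audit_log_cleared user=jdoe",
    '2018-10-01T08:03:05Z host=web-1 event=http ua="Nessus SOAP" src=10.0.5.9 path=/',
    '2018-10-01T08:03:06Z host=web-1 event=http ua="Mozilla/5.0" src=10.0.5.9 path=/login',
    "2018-10-01T08:05:00Z host=fw-1 event=netflow src=10.0.5.9 bytes_out=950000000",
    "2018-10-01T08:05:30Z host=fw-1 event=netflow src=10.0.2.3 bytes_out=120000",
    "2018-10-01T08:06:00Z host=mail-1 event=bounce rcpt=ceo@example.test reason=unknown_user",
]

# Assumptions: hosts allowed to run vulnerability scanners, and the per-source
# egress volume above which traffic counts as "unusually heavy".
APPROVED_SCANNER_SOURCES = {"10.0.9.1"}
EGRESS_BYTES_THRESHOLD = 500_000_000
# Scanner names that commonly appear in HTTP User-Agent strings.
SCANNER_UA = re.compile(r'ua="(Nessus|Nmap|OpenVAS|Nikto|masscan)', re.I)


def parse(line):
    """Split 'key=value' tokens into a dict; quoted values keep their spaces."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}


def screen(lines):
    """Return (indicator, evidence) pairs in log order; the traffic-volume
    indicator is summed per source address and reported last."""
    hits, egress = [], Counter()
    for line in lines:
        f = parse(line)
        if f.get("svc") == "antivirus" and f.get("event") == "service_stopped":
            hits.append(("antivirus deactivation", line))
        if f.get("event") == "audit_log_cleared":
            hits.append(("erased logs", line))
        if SCANNER_UA.search(line) and f.get("src") not in APPROVED_SCANNER_SOURCES:
            hits.append(("unauthorized vulnerability scanner", line))
        if f.get("event") == "bounce":
            hits.append(("bounced email", line))
        if f.get("event") == "netflow":
            egress[f["src"]] += int(f["bytes_out"])
    for src, total in egress.items():
        if total > EGRESS_BYTES_THRESHOLD:
            hits.append(("unusually heavy network traffic", f"src={src} bytes_out={total}"))
    return hits
```

Calling `screen(SAMPLE_LOGS)` yields five matches; in practice the same checks would be expressed as correlation rules in the SIEM against the organization's real log schemas.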

Communication

- Timely
- Accurate
- Honest

Note: There is no requirement for information to be complete.

Do you have your privacy officer on speed dial? You should.

Evolution of Reporting Requirements

- State Laws: All 50 states have reporting laws
- PCI DSS: Varies based upon merchant level
- HIPAA: Covered entities must provide notification of the breach to affected individuals no later than 60 days after discovery of breach
- Sarbanes-Oxley: Auditing IT Infrastructure
- GDPR: 72 hours after discovery of CIA breach

Feared Consequences of Reporting

- Reputational Damage
- Loss of Business
- Decreased Value
- Legal Liability

Actual Consequences of Non-Reporting

- Reputational Damage
- Loss of Business
- Decreased Value
- Legal Liability

Recovery

Rebuilding * Restoring * Reinstalling * Patching

The old adage, "if it's not broke don't fix it", may help budgets and bottom lines, but also helps your adversary.

It's a marathon, not a sprint.

NIST Cyber Recovery Playbook Essentials:
- Documentation
- Communication
- Practice

- Kevin Hiltpold, Optiv

Recovery presents a window of opportunity for Compliance. Don't waste it.

Third Party Risk Management

- According to Soha Systems ("Despite Record Breaches, Secure Third Party Access Still Not an IT Priority", June 14, 2016): "Research has revealed that third parties cause 63 percent of all data breaches." For example: Target/HVAC breach; reported cost to Target was $148M (see Rachel Abrams, "Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop", Aug. 5, 2014).
- "Deloitte, in its Global Survey 2016 of third party risk, reported that 87 percent of respondents had faced a disruptive incident with third parties in the last two to three years."
- In May 2016, Ponemon Institute published a "survey that revealed that 75 percent of IT and security professionals said the risk of a breach from a third party is serious and increasing."
- 2018 Examples: Best Buy/Kmart/Delta/Sears; Saks Fifth Avenue/Lord & Taylor; Applebee's; Chili's; Under Armour; MyHeritage

Potential Mitigations Include:
- Perform thorough Due Diligence (with emphasis on cyber hygiene)
- Map your data and vendors (determine which vendors are of highest impact; update regularly)
- Perform active oversight (consider creating a Third-party Management Committee)
- Ensure robust contractual provisions (Access; Audit; Incident Reporting; Liability; Termination)

PRIMARY TAKEAWAY: Be engaged in your organization's cybersecurity

- Enhances your organization's resiliency posture
- Builds relational ties between compliance and other verticals
- Demonstrates value of Compliance to organization

QUESTIONS?

Cybersecurity Resources

The following sites are an array of recognized sites/blogs that offer cybersecurity background and news:

- https://krebsonsecurity.com
- https://www.privacyrights.org
- https://www.csoonline.com
- https://www.securityforum.org
- https://bankinfosecurity.com
- http://www.lawandsecurity.org
- https://darkwebnews.com
- https://thehackernews.com
- https://www.tripwire.com/state-of-security/
- https://www.schneier.com/
- https://nakedsecurity.sophos.com/
- https://www.darkreading.com/
- https://taosecurity.com/
- https://twitter.com/threatpost
- http://resources.infosecinstitute.com
