Cyber security
Download as PPTX, PDF0 likes315 views
This document provides an overview of cyber security issues for not-for-profit organizations and recommendations for developing a cyber security plan. It discusses understanding risks, protecting systems and data, and reacting to potential breaches. Key components of a security plan include inventorying hardware, software, data and policies; assessing risks; and developing breach response and ongoing maintenance procedures. The document provides examples of security best practices and recommendations such as encrypting laptops, implementing intrusion detection, and purchasing data breach insurance.
Cyber security
- 1. Protecting Your Not-For-Profit Cyber Security
- 2. Approach • Understand the issues • Evaluate your risks • Protect your company • React to a breach Title of Slide Deck 2
- 3. Technology Profile • IT as a strategic asset not a cost • IT Spending levels • Security • Governance • Your place on the adoption curve • Training • Constituent touch points Title of Slide Deck 3
- 4. Security Profile • Risk aversion • User technical expertise • Presence of PII • Security budget – Outsourced services – Equipment • Use of remote access and the cloud • Number of In-house IT staff and expertise • Whether laptops are used • Physical characteristics of offices; stand alone, high rise • Specific password policy: – Length – Complexity – Expiration – Number of attempts before lockout – Lockout time length – Number of password changes before reuse Title of Slide Deck 4
- 5. Anatomy Of A Breach • Compromise credentials • Escalate permissions • Search and access data • Exfiltration • Sale of data Cyber Security 5
- 6. Know The Basics • Security is all about perception • Balance – Cost, user access, protection complexity • Physical, logical, social • Data at rest, and data in transit • Components – Inventory, Risk, Assessment Title of Slide Deck 6
- 7. Security Plan Components • Inventory – Data – Hardware – Software – Policies – Skills and Knowledge • Internal, consultants • Risks • Assessment – Action Items – Policy Changes – User Education • Breach Response Plan • Ongoing Maintenance – Priorities – Accountability Title of Slide Deck 7
- 8. Data Inventory • Where is the data and who has access to it? – Low risk vs. High business impact (HBI) – Personally Identifiable Information (PII) – Product designs – Customer database, AR – Financial information – E-mail – Vendor contracts – Software configurations Title of Slide Deck 8
- 9. Cloud • Inventory • AICPA SOC 2 report (formerly SAS70, now SSAE16 ) • Pass-through reports • Applications’ data locations Title of Slide Deck 9
- 10. Mobile • Inventory • Device encryption • Password • Time out • Ability to wipe device Title of Slide Deck 10
- 11. Mitigation Examples – Before And After • Account retry lockout • Pass phrases instead of complex passwords • Signed security policies • Two factor authentication • Training • Hard drive encryption • Web site certificates • Inactivity timeout with password required • Disallowing personally identifiable information (PII) Title of Slide Deck 11
- 12. Data Breach Insurance • Identify the cause and the individuals affected • Notification • Credit monitoring for individuals affected • Public relations management • Legal expenses to work with regulators Title of Slide Deck 12
- 13. Action Items • Inventory personally identifiable information (PII) • Assess the likelihood of a breach of PII • Encrypt all laptops and other selected computers • Have an outside security assessment performed • Implement an Intrusion Detection System • Purchase insurance • Develop an after-breach plan – tech and non-tech • Training, awareness Title of Slide Deck 13
- 14. Questions • peterhenley@clarknuber.com • 425-454-4919 • http://slideshare.net/peterhenley Title of Slide Deck 14
- 15. Resources • Washington state notification law: http://apps.leg.wa.gov/rcw/default.aspx?cite=19.255 .010 • Sample privacy policy: http://www.privacyaffiliates.com/ps/ps0709192337. html • Sample IT policy: http://slideshare.net/peterhenley Title of Slide Deck 15
- 16. Logical Security Terms • Confidentiality—who should have access to the data? – Username and password (pass phrase) – Encryption • Authorization—what permissions does the user have for working with the data? – Data classification • Accountability—what has the recipient done with the data? – System logs, policy • Integrity—how do you know if the data has been altered? – Data attributes – time stamp, size, author • Authenticity—how do you know where the data came from? Title of Slide Deck 16
- 17. More Security Terms • Physical Security, "In the Room" - the ability to physically protect and secure systems and components from theft • User Security, "At the Keyboard" - the processes and policies used to assure user authentication • System Security, "In the Box" - the ability to protect the integrity of a system from malicious attack • Network Security, "On the Net" - the ability to interact with internal and external users and remote systems in a secure manner Title of Slide Deck 17