Information Security and Corporate Risk
© 2012 Protiviti Inc. An Equal Opportunity Employer.
CONFIDENTIAL: This document is for your company's internal use only
and may not be copied nor distributed to another third party.
- 4. AP Twitter Feed Hacked
[Chart: April 23, 2013, 1:07 PM to 1:08 PM – 150 point drop in the Dow]
1:10 PM – AP tweets that its account has been hacked and that the tweet is erroneous
1:13 PM – News reports the tweet is bogus; the Dow recovers
1:16 PM – Jay Carney confirms POTUS is fine
1:17 PM – The Syrian Electronic Army takes responsibility
– Previous attacks include Reuters, CBS, and FIFA
1:30 PM – Mike Baker (AP) says the attack occurred one hour after a phishing email
2:28 PM – AP posts story and blames phishing attack
- 5. Data Centric Security
Security Program and Policy
• Data Governance
• Data Classification
• Data Leakage
• Encryption & Storage Strategy
• Privacy Management & Implementation
• PCI, HITRUST and Security Compliance Planning, Readiness & Assessment
• Vendor Due Diligence
• Security Policy & Program
• Security Strategy & Architecture
• Security Metrics
• Incident Response Program
• Awareness & Training
Other Security
Identity and Access Management
• Access Mgmt Policy & Standards
• IDAM Design & Implementation
• Identity Credential Selection
• Identity Federation Strategy & Implementation
Incident Response and Forensics
• Incident Response Strategy and Planning
• Emergency Response
• Computer Forensics
• Proactive eDiscovery Planning
• Reactive eDiscovery Support
Security Operations & Implementation
• Security Monitoring & Intelligence
• SIEM Technology
• SOC Training & Staffing Solutions
• Security Product Implementation
Vulnerability/Pen Testing
• Infrastructure Vulnerability
• Application Vulnerability
• Network Vulnerability
• Database Vulnerability
• Secure Code Reviews
- 6. The Lifecycle of a Breach
- 7. Managing the Communication
• What sensitive data are you protecting, and has there been a security breach?
– i.e. has the sensitive information left the building?
• Have cybercrime experts confirmed the breach?
• How and when to release information
– Sony had significant failures because it reported breach information too quickly, without all the facts
– Hannaford sent notice to 4.2MM customers although only 1,800 were affected
• Have you tested the process?
– Incident response is a significant part of a proper data security program. Role playing and scenario modeling are important training tools
• Regulatory requirements
– Work with your legal teams immediately, before sending anything out, to understand what you are required by law to state
• What is your response… how are you correcting the problem?