
What Is Information Security? – Security Basics 101






Presentation Transcript


  1. What Is Information Security? – Security Basics 101 Shannon M. Culp Manager Information Security – Information Security Officer (CISO)

  2. What is Information Security? • Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. • The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. The fields are closely related and share the common goal of protecting the Confidentiality, Integrity and Availability of information, but there are subtle differences between them. Source: Wikipedia

  3. Information Security in Business • Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on computers and transmitted across networks to other computers. • Should confidential information about a business' customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. Source: Wikipedia

  4. Regulatory Requirements • FTC Act • Gramm-Leach-Bliley Act • HIPAA + HITECH Act • EU Data Privacy Directive • Sarbanes-Oxley • Bank Secrecy Act • General negligence law • Downstream liability • PCI DSS (electronic payments) • California Data Privacy Law • Feinstein Data Privacy Reporting Proposal • OFAC / OCC rules • State security breach laws • USA PATRIOT Act I and II • Fair Credit Reporting Act • SEC Rule 10(b)(5) • Minnesota Plastic Card Security Act • Ohio Privacy Law

  5. Why? • For financial gain or theft: "Flaw Causes Credit Card Chaos" • To steal information: "Netspionage Costs Firms Millions" • For revenge: "Due to the Economy, Layoffs Lead to Revenge Hacking by Ex-Employees" • To make a statement: "Most do it for profit, but there are those that don't" • Because they can: "Teen hacker intended to disable 10,000 sites"

  6. Why Do I Need Security? • CSI Computer Crime Survey, December 2009 – 443 Respondents • Types of attacks experienced by respondents • 64.3% - Malware infection • 42.2% - Laptop / mobile device theft • 30% - Insider abuse of Net access or email • 29.2% - Denial of service • 19.5% - Financial Fraud • 15% - Unauthorized access or privilege escalation by insider • 17.3% - Password sniffing • 8% - Exploit of wireless network • 57.1% of respondents require HIPAA compliance • 18.1% HITECH Act Compliance • 42.9% Payment Card Industry (PCI) 2009 CSI Computer Crime and Security Survey

  7. Why Do I Need Security? • The same respondents that reported breaches already had these controls in place: • 99.1% had Anti-virus software • 97.9% had a Firewall • 89.9% had Anti-spyware • 85.7% used Virtual Private Networks (VPN) • 75.3% Encrypted data in transit • 72.6% utilized an Intrusion Detection System • 65.9% had Vulnerability / Patch Management • 62.2% Encrypted data at rest • 60.4% Utilized Web / URL Filtering • 40.9% had Data Loss Protection / Content Monitoring 2009 CSI Computer Crime and Security Survey

  8. Why? INFORMATION IS MONEY!!!!!!

  9. What Information? • Personal Health Information • Social Security Number • Account password • Bank Account Number • Bank Routing (Transit) Number • Credit Card Number / Primary Account Number (PAN) • Credit Card Verification Code • Date of Birth • Driver's License Number • Loan Number

  10. What is Information Worth? • Your full identity goes for $10 - $150. That includes name, DOB, address and social security number. Surprisingly, your social security number on its own will fetch a paltry $5 - $7; it is worth more when attached to the rest of your personal info. • Identity theft continues to be the fastest growing crime in the world. • It's now bringing in more money than drug trafficking. From a thief's point of view, online identity theft is a safe and profitable business. Don't look for it to slow down any time in the near future. Protect yourself with Identity Theft Solutions.

  11. What is Information Worth? • Credit card numbers are the most popular items for sale. Even though they bring considerably less money than bank numbers, they are the easiest to steal. Their value is anywhere from $.50 to $5. • The next most valuable piece of info is your email password. It can bring from $1 - $150 depending on whether your account has been used for spamming previously. Email passwords allow access to an email account and are typically used for sending spam. They can also be used to recover a user’s passwords from various Web sites that will email password-reset information to the user’s email account.  Here’s another kick - email accounts with usernames in standard English are generally higher priced. Kinda makes you want to change your name to "Qwerty". • Medical Information and Social Security Numbers are not as easy to come by but go much further.

  12. Where Do I Start With Information Security? The overall goal is to ensure that information and information resources are protected and used in a way that is: • Consistent with your company's mission and security standards • Compliant with state and federal law, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Safeguarding the confidentiality, integrity and availability of Electronic Protected Health Information (EPHI), as required by HIPAA

  13. Accountability and Ownership • Security must be run as a "program" and built into every employee's everyday activity – Security is EVERYONE'S job! • For a Security Program to be successful: • It is not a one-time or situational effort • It must have senior management support and leadership buy-in • Accountability must be assigned to named individuals • Policies must be designed so they can be enforced • Auditing and reviews must occur frequently

  14. Accountability and Ownership • Implement user security policies and procedures to ensure that information accessed via electronic resources is protected. • EVERY person who performs work for your organization through employment, contract, residency, or as a student, vendor, or volunteer, etc., must be accountable for protecting electronic information, especially protected health information (PHI).

  15. Accountability and Ownership • The accountabilities discussed in your program include: • accessing and storing electronic information • email use and all communications • internet usage • printing, faxing, transporting and disposing of information • Everyone in your organization should: • use good security practices • know how to identify potential security risks • report anything unusual or suspicious

  16. Simple Security Program Guidance • Policies must enforce, and the organization's technology and infrastructure must support: • Prohibiting the sharing of passwords • Holding all users accountable for any activity performed under their ID • Never writing passwords down! • Regular random audits, as well as on-demand audits in response to HIPAA complaints • Security Awareness – education is KEY!
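The two policies above, no password sharing and accountability for everything done under a user ID, only hold up if the audits can actually catch a shared account. One simple audit is to look for the same user ID logged in from two different workstations at the same time. The following is an added example (not code from the presentation or from TriHealth); the log format, field names and sample records are constructed for the example and do not come from any real system.

```python
"""Detect likely shared user IDs from login records.

Added example, not from the presentation. Flags a user ID that logs in on
a second workstation while a session on a different workstation is still
open. The log format and records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the format "timestamp user host event".
SAMPLE_LOG = """\
2010-03-01T08:00:00 jsmith WS-101 login
2010-03-01T08:05:00 jsmith WS-207 login
2010-03-01T08:30:00 akhan WS-118 login
2010-03-01T08:45:00 jsmith WS-101 logout
2010-03-01T09:00:00 akhan WS-118 logout
2010-03-01T09:10:00 akhan WS-118 login
2010-03-01T09:30:00 jsmith WS-207 logout
"""


def parse_log(text):
    """Yield (timestamp, user, host, event) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split()
        yield datetime.fromisoformat(ts), user, host, event


def find_concurrent_sessions(text):
    """Return {user: [(host_already_open, host_logging_in, time)]} for every
    login that happens while the same user has an open session elsewhere."""
    open_sessions = defaultdict(dict)   # user -> {host: login_time}
    findings = defaultdict(list)
    for ts, user, host, event in sorted(parse_log(text)):
        if event == "login":
            for other_host in open_sessions[user]:
                if other_host != host:
                    findings[user].append((other_host, host, ts))
            open_sessions[user][host] = ts
        elif event == "logout":
            open_sessions[user].pop(host, None)
    return dict(findings)


if __name__ == "__main__":
    for user, overlaps in find_concurrent_sessions(SAMPLE_LOG).items():
        for already_open, new_host, when in overlaps:
            print(f"{user}: logged in at {new_host} on {when} "
                  f"while still logged in at {already_open}")
```

On the constructed records only jsmith is flagged (WS-207 while WS-101 is still open); akhan's repeated logins are on the same host and are not reported. A real audit would also want to exclude legitimate multi-host use such as a terminal server plus a desktop, so treat hits as leads for review rather than proof of sharing.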

  17. Simple Security Program Guidance • Make sure mobile devices are protected • PDAs, smart phones, iPads, BlackBerrys, iPhones, Windows Mobile, etc. • Force a PIN, device wipe after failed attempts, and remote wipe on demand • Encrypt laptops = "safe harbor" (under the HITECH breach notification rule, PHI encrypted in line with HHS guidance is not "unsecured PHI", so losing an encrypted laptop does not by itself trigger breach notification) • Encrypt patient data and credit card data • Make sure credit card numbers are handled according to PCI DSS (Payment Card Industry Data Security Standard)

  18. Simple Security Program Guidance • Never store confidential or patient data on workstations or mobile devices • Make sure monitors and screens are positioned so that “shoulder surfers” can’t see things they aren’t supposed to • Implement “need to know” policy • Make sure internet browsing is filtered and controlled for business purposes and protection of PHI (Protected Health Information)

  19. Simple Security Program Guidance • Remind staff that it is “not okay” to discuss patient activities on Facebook, MySpace, and other blogs or post pictures • Opens door for HIPAA complaints, investigations and fines • Even if a name is not mentioned – still PHI • Use good security practices when opening emails and attachments • Make sure education includes shredding of documentation and secure faxing

  20. Simple Security Program Guidance • Don't allow employees to use personal email accounts for business (e.g. Yahoo, Hotmail, etc.) • Put policy, tools and processes in place to track and monitor email messages and internet activity • Put policy, tools and processes in place to ensure secure handling of paper documents containing PHI or confidential information

  21. Simple Security Program Guidance • Use "strong" passwords • Protecting your password helps to protect our organization's information. Here are some tips for selecting strong passwords (remember that some systems have password limitations – do your best to make those system passwords as strong as the system allows): • Do not use your name or personal information • Create passwords of at least 6 characters (current NIST SP 800-63B guidance is a minimum of 8, and length does more for strength than forced complexity) • Use upper and lower case letters • Use a combination of letters and numbers • Use special characters (like %, $, @) in your password • Use misspelled words • Use phrases

  22. Vanity Plate – compound words • Too late again = 2L8aga1n • Music is for me = MusikS4m3 • Day after today = dayFter2day • 15 dogs jumped over the house = 15djoth! • Seashore = Se@shor • Deadbolt = Ded&bowlt8 • Easy money = Ea$ymon3y • Blackboard = blaK4borD • Substitute numbers or symbols for letters in your phrases: • 5 or $ = S • 1 = L or I • 3 = E • 0 = O • Caveat: these substitutions are well known and password-cracking tools undo them automatically, so the length and the misspelling of the phrase matter more than the substitutions themselves
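To see how little the substitution table on the slide hides on its own, the following added example (not code from the presentation) reverses the slide's mappings the way a cracking rule set would and looks for dictionary words in the result. The word list, the extra "@" to "a" mapping and the 8-character length floor are assumptions made for this example.

```python
"""Undo the slide's 'vanity plate' substitutions and look for real words.

Added example, not from the presentation. The reverse mappings come from
the slide (5 or $ = S, 1 = L or I, 3 = E, 0 = O); '@' -> 'a', the word
list and the 8-character floor are assumptions for this example.
"""
from itertools import product

# Reverse of the slide's substitution table, plus '@' -> 'a' (assumed).
# A value with more than one letter means the symbol is ambiguous.
UNLEET = {
    "5": "s", "$": "s",
    "1": "li",          # '1' may stand for either L or I; try both
    "3": "e",
    "0": "o",
    "@": "a",
}

# Constructed word list standing in for a real cracking dictionary.
WORDLIST = {"easy", "money", "seashore", "deadbolt", "black", "board",
            "music", "password", "welcome"}


def unleet_candidates(password):
    """Return every lowercase plaintext the password could have been built
    from by the slide's substitutions (one per combination of ambiguous symbols)."""
    options = [tuple(UNLEET.get(ch, ch)) for ch in password.lower()]
    return {"".join(combo) for combo in product(*options)}


def dictionary_words_hidden_in(password, wordlist=WORDLIST, min_len=4):
    """Words from the list that appear inside any de-leeted form of the password."""
    found = set()
    for candidate in unleet_candidates(password):
        for word in wordlist:
            if len(word) >= min_len and word in candidate:
                found.add(word)
    return found


def assess(password, min_length=8):
    """Report length against the assumed 8-character floor and any dictionary
    words the substitutions fail to hide."""
    return {
        "long_enough": len(password) >= min_length,
        "hidden_words": sorted(dictionary_words_hidden_in(password)),
    }


if __name__ == "__main__":
    for pw in ["Ea$ymon3y", "Se@shor", "blaK4borD", "15djoth!"]:
        print(pw, assess(pw))
```

"Ea$ymon3y" de-leets straight back to "easymoney", exposing both words, while "Se@shor" and "blaK4borD" survive only because the slide also misspelled them, and "15djoth!" survives because it is an acronym of a phrase rather than a word. That is the point of the caveat: the misspelling and the phrase do the work, not the digit swaps.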

  23. Simple Security Program Guidance • Make sure your data is available when you need it • Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan. • In plain language, BCP is working out how to stay in business in the event of a disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses. Source: Wikipedia

  24. Simple Security Program Guidance • Remember the three keys of Security • Confidentiality – "need to know" • Integrity – information is not modified without authorization and remains accurate and complete • Availability – information is accessible when it is needed

  25. Helpful Links • National Institute of Standards and Technology – www.nist.gov • Special Publication 800-66 – HIPAA security rule • FIPS 200 and NIST SP 800-53 – security controls • Computer Security Institute – www.gocsi.com • HITECH Act - http://www.hipaasurvivalguide.com/hitech-act-text.php • Security Awareness Materials - http://www.infosecuritylab.com/ • http://www.sans.org/security_awareness.php

  26. Good Luck! • What questions do you have? • My contact information Shannon M. Culp TriHealth, Inc. Shannon_culp@trihealth.com 513-569-6744
