Recent it security breaches how organizations prepare
1 / 17

Recent IT Security Breaches & How Organizations Prepare - PowerPoint PPT Presentation

  • Uploaded on

Recent IT Security Breaches & How Organizations Prepare. Evan McGrath Spohn Consulting September 8, 2014. Agenda. Recent Breaches Cost of a Security Breach What Hackers Target Regulatory Compliances & State Codes Cyber-Terrorism Things You can do. Recent Security Breaches.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Recent IT Security Breaches & How Organizations Prepare' - oberon

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Recent it security breaches how organizations prepare

Recent IT Security Breaches& How Organizations Prepare

Evan McGrath

Spohn Consulting

September 8, 2014


  • Recent Breaches

  • Cost of a Security Breach

  • What Hackers Target

  • Regulatory Compliances & State Codes

  • Cyber-Terrorism

  • Things You can do

High value data for hackers
High value data for hackers

  • Protected Health Information (PHI)

    • First responders, Ambulatory services

  • Personal Identifiable Information (PII)

    • Citizen records, Utility & water records

    • Criminal records, sheriff departments

  • Credit card numbers

    • Property tax payments

    • Traffic & court fees

    • Utility bills, water, power

    • Vehicle registration

  • Bank account / payroll information

Regulatory compliance state codes
Regulatory compliance & state codes

  • Texas Business & Commerce Code


    • NIST SP 800 – 122

    • FIPS 200


  • Payment Card Industry (PCI)

Texas Business and Commerce Code

Title 11, Personal Identity Information, Subtitle B. Identity Theft, Chapter 521. Unauthorized Use of Identifying Information


(a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective

action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.


“…shall disclose any breach of system security, after discovering or receiving notification of the breach, to any

resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible,…”

Federal Information Security Management Act


FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory, non-waiverable standard developed in response to the Federal Information Security Management Act of 2002.

To comply with the federal standard, agencies must first determine the security category of their information system in accordance with the provisions of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and then apply the appropriate set of baseline security controls in NIST Special Publication 800-53

The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems.

The agency's Risk Assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of “security due diligence” for the federal agency and its contractors.

In addition to the security requirements established by FISMA, there may also be specific security requirements in different business areas within agencies that are governed by other laws, Executive Orders, directives, policies, regulations, or associated governing documents, (e.g., the Health Insurance Portability and Accountability Act of 1996)

It is important that agency officials (including authorizing officials, chief information officers, senior agency information security officers, information system owners, information system security officers, and acquisition authorities) take steps to ensure that: (i) all appropriate security requirements are addressed in agency acquisitions of information systems and information system services; and (ii) all required security controls are implemented in agency information systems.

See for additional information on FISMA compliance.

HITECH Notification of Breach Laws

Issued August 2009

  • Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. 

  • Individual Notice: Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.  If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.

  • Media Notice: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are required to provide notice to prominent media outlets serving the State or jurisdiction.  

  • Notice to the (HHS) Secretary: Covered entities must notify the Secretary of breaches of unsecured protected health information. 

  • A maximum penalty amount of $1.5 million for all violations of an identical provision.

  • Enforcement: HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009. (Summary: While HIPAA was established in 1996, it was not until 2009 that we saw widespread enforcement )


Payment card industry pci
Payment Card Industry (PCI)

  • Anyone who stores, process, or transmits credit card data must be PCI compliant

  • Common PCI validation requirements

    • Report on Compliance (ROC)

    • Self-Assessment Questionnaire (SAQ)

    • Letter of Attestation

    • Quarterly PCI scans

  • Sample PCI Data Security Standards Requirements

    • Annual Penetration Testing (DSS 11.3)

    • Security Awareness Training (DSS 12.6)

    • Quarterly PCI scans (DSS 11.2)

PCI – Frequently Asked Questions

Myth – Outsourcing card processing makes us compliant

Outsourcing simplifies payment card processing but does not provide automatic compliance.

Don’t forget to address policies and procedures for cardholder transactions and data

processing. Your business must protect cardholder data when you receive it, and process

charge backs and refunds. You must also ensure that providers’ applications and card payment

terminals comply with respective PCI standards and do not store sensitive cardholder data. You

should request a certificate of compliance annually from providers.

Things you can do
Things you can do…

  • Implement Security Policies & Incident Response Plans

  • Education: Security Awareness Training

  • Vulnerability Assessments – Internal & External

  • Penetration Testing – Internal & External

  • Wireless Penetration Testing

  • Social Engineering Exercises

  • Enterprise Security Assessments

    • Administrative Safeguards

    • Technical Safeguards

    • Physical Safeguards

Thank you
Thank you!

Evan McGrath

Spohn Consulting

Phone: 512.685.1804

Email: [email protected]