Boston • Springfield • Albany
Hackers at the Gate: Protecting Your Important Data
© 2009 Wolf & Company, P.C.
Matt Putvinski, CPA, CISA, CISSP
Northeast Disaster Recovery Information X-Change, October 19, 2009
Wolf’s Risk Management Services
• Risk Management Services
• IT Assurance Services
– Internal Audit Services
– Compliance Services
– WolfPAC Solutions
• Risk Management performs work with over 200 organizations
• Diverse experience:
– WAN & LAN Network Engineering
– Regulatory and Legal Services
– Various Industry Operations
– IT Operations and Management
– Software Development
– Financial Accounting
– Information Security
• Commitment to industry excellence, with certifications including CPA, CISA, CIA, CISSP, CRCM, and JD.
Agenda
Data privacy statistics
Data breach costs
Information Security Threats
Data privacy rules and regulations
What is Information Security?
It is the protection of information from unauthorized:
– Access (Confidentiality)
– Modification (Integrity)
– Destruction (Availability)
– Disclosure (Confidentiality)
Why is Information Security Important?
• Need to provide confidentiality, integrity, and availability of information assets:
• To maintain trust, image, credibility: people entrust us with their personal information so that we can help protect them and build a solid foundation for their financial security
• Security Incidents cost $$$$
• For legal compliance: Gramm-Leach-Bliley Act (GLBA)/State Privacy laws
“As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.”
— Donald Rumsfeld, Feb. 12, 2002, Department of Defense news briefing
Last year (10/1/08 – 9/30/09)
498 ‘Reported’ security breaches involving sensitive personal information
Representing approximately 168 million records.
Total records affected for 145 Breaches considered “Unknown”
Source: datalossdb.org
www.privacyrights.org
Security Breaches Summary…
• Stolen laptops / computers
• Stolen paper reports
• Hacking incidents
• Vendor mismanagement
• Improper destruction of files
• Lost backup tapes
• Dishonest employees selling information
Causes of Data Breaches
5% - Other
10% - Internal Fraud
11% - Lost Media/Documents
15% - Hack by external party
29% - Accidental release
29% - Lost/Stolen Device/Documents
Source: datalossdb.org
What does a breach cost?
Average Cost per Record: $202
Average Cost per Breach: $6.6 Million (ranged from $613,000 to $32 Million)
Source: Ponemon Institute
Cost Per Record, by Industry
– Retail: $131.1
– Consumer Products: $184
– Financial: $240.4
– Healthcare: $282.1
Source: Ponemon Institute
What’s Trust got to do with it?
If people do not trust a company:
– 77% refused to buy its products or services
– 72% criticized it to people they know
– 75% refused to do business with it
– 34% shared their opinion and experiences on the web
Source: Edelman Trust Barometer (2009). Edelman is the world’s largest public relations firm.
Factors Important to Trust
– 94%: high quality products and services
– 93%: treats employees well
– 91%: communicates frequently and honestly on the state of its business
– 91%: gives value for money
– 90%: strong financial future
– 89%: senior leadership that can be trusted
– 86%: creates and keeps jobs in my area
– 85%: commits time, money, resources to the greater good
Source: Edelman Trust Barometer (2009)
“I’ve done nothing wrong, I can't be responsible for a company I hire.” - Owner
http://www.theregister.co.uk/2009/10/14/microsoft_windows_bank_thefts/
“The obvious solution for many is to simply close all online banking accounts. Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them. But if you insist on making online payments and transfers, the best decision you can make is to stop using Windows to make those transactions.”
http://www.networkworld.com/news/2009/090209-court-allows-suit-against-bank.html
http://cbs13.com/local/identity.theft.scheme.2.1066693.html
“Federal agents say Nelson said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters.”
http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html#more
Information Security Threats
Phishing and Pharming
What are they?
Phishing – the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is carried out by e-mail or instant messaging and directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is a type of social engineering.
Pharming – an attack that aims to redirect a website's traffic to another, bogus website. Pharming is technically harder to accomplish than phishing, but also sneakier because it can be done without any active mistake on the part of the victim. Pharming is a type of Bot.
Both phishing and pharming have been used to steal identity information.
Information Security Threats
Botnets/Zombie Networks
What are they?
Bot – a software application that runs automated tasks over the Internet
Zombie – an infected computer
Botnet/Zombie Network – a collection of compromised computers
Bot Herder – an individual or group that develops or obtains bots and sells them to hackers
Information Security Threats
Botnets/Zombie Networks
Threats
– Data theft
– Keystroke logging
– DDoS attacks
– Pharming attacks
– Viruses, Trojans and worms
– Email spam
Preventive Controls
– Install a personal firewall
– Install anti-virus & anti-spyware
– Use strong passwords and authentication such as secure tokens
Information Security Threats
Malware/Mobile Malware
What is it?
Malware – malicious software, including computer viruses, worms, trojan horses, most rootkits, spyware, and dishonest adware
Mobile Malware – attacks portable devices such as laptop computers, cell phones, PDAs, and Blackberries
Information Security Threats
Malware/Mobile Malware
Threats
– Theft of email and text messages
– Theft of client and employee personal information
– Attacks on critical systems
Preventive Controls
– Encrypt portable devices
– Install anti-virus software
– Use WiFi and Bluetooth only at home or at trusted locations
– Do not save business data on your mobile device
– Communicate to employees the type of information that may be accessed using these devices
Information Security Threats
Outsourcing
What is it?
Specifically, when a third party hosts, manages and/or maintains technology resources
Threats
– How safe is the contracted party?
Preventive Controls
– Obtain a SAS 70 report and copies of audits
– Ensure contracts define responsibilities
– Obtain certification from the vendor
Information Security Threats
Social Engineering
What is it?
A low-tech form of hacking
Tries to trick individuals into giving out sensitive information
Can be performed in person or via the telephone or email
Social engineers will try to access facilities by playing the part of supervisors, employees, vendors or auditors
Information Security Threats
Social Engineering
Threats
– Unauthorized access to data, systems and sites
– Phishing attacks
Preventive Controls
– Train staff to be alert to suspicious activity and unknown individuals
– Restrict access to the facility to individuals with a valid business reason to enter
– Enact company policies on when to give out personal information and passwords
– Conduct security awareness campaigns
Information Security Threats
Natural Disasters
What are they?
Hurricanes, Tornadoes, Floods, Fires, Etc.
Threats
– Loss of data
– Loss of systems availability
– Loss of site access
Preventive Controls
– Back up all files in one or more remote locations
– Store files on secure online storage sites
– Secondary computing environment
– Business Continuity Planning
Rules and Regulations
Gramm Leach Bliley Act (GLBA)
Payment Card Industry Data Security Standard (PCI DSS)
State Laws
Federal Laws
GLBA
The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule.
The rules apply to "financial institutions," which include banks, securities firms, insurance companies, and other companies providing many other types of financial products and services to consumers.
PCI DSS
Comprehensive requirements for payment account data security.
– Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
– Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
– Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
PCI DSS
– Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
– Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
– Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
State Laws (New England)
New England states define personal information similarly:
A combination of name and any one or more of the following:
1) Social Security number;
2) Driver's license number or state identification card number; or
3) Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account
State Laws (New England)
Notification of breach to compromised parties through various communication methods
– Substitute notices based on cost/number of compromised records
In all states, law enforcement agencies may delay notification of breaches if it is deemed that disclosure will impede or compromise an investigation.
NE State Laws - Penalties
CT: “unfair trade practice and enforced by Attorney General” (Civil penalties up to $500,000)
ME: Civil violation, not more than $500 per violation, max of $2,500 each day in violation
MA: “The attorney general may bring an action pursuant to section 4 of chapter 93A”
NE State Laws – Penalties (cont.)
NH: If the violation is willful or knowing, the court awards as much as 3 times but not less than 2 times actual damages… as well as the costs of the suit and reasonable attorney’s fees.
– The Attorney General’s office shall enforce the provisions
RI: Civil violation not more than $100 per occurrence and not more than $25,000 total
VT: Attorney general and state’s attorney have full authority to investigate, enforce, prosecute, obtain and impose remedies
M.G.L. 93H 201 CMR 17.00 (MA Law)
Goes beyond just notification
Establishes minimum security standards
– 17.03: Duty to Protect and Standards for Protecting Personal Information
– 17.04: Computer System Security Requirements
Implementation of standards by March 1, 2010
Background
– Passed by the Office of Consumer Affairs and Business Regulation on September 19, 2008
– Originally scheduled to be effective on January 1, 2009. Deadline extended to March 1, 2010.
– One of the first state privacy laws to go beyond requiring notifications.
– Established to make companies assume more ownership of sensitive data and be penalized if they abuse that access
Who is Affected?
Any person who owns, licenses, stores, or maintains personal information about a resident of Massachusetts.
Applies to ANY organization in possession of personal information of Massachusetts residents, whether or not that business maintains a presence in the state.
What is Covered?
Personal Information:
Means a Massachusetts resident’s first name or initial, and last name, in combination with one or more of the following:
– Social Security number
– Driver’s license or state ID card number
– Financial account number (not just bank account numbers), credit / debit card number (with or without security / access codes, PINs, or passwords needed to access the account)
Excludes information lawfully obtained from publicly available information or government records.
Includes employee information, thus requiring almost all organizations in MA and surrounding states to comply.
What is Covered?
Employee Type Information:
– Payroll records
– Health benefits
– Direct deposit records
– 401(k)
Required Elements
Designated Employee – One or more employees must be designated to maintain the information security program (ISP)
‘Written’ – ISP must be formally documented
Risk Assessment – ISP must identify and assess reasonably foreseeable risks
– Internal and external
– Provide an inventory of sensitive data
– Evaluate the effectiveness of the safeguards currently in place to mitigate such risks
Required Elements
Continuous Employee Security Awareness Training
Disciplinary measures
Preventing terminated employees from accessing records
Third Party Service Providers – ISP must require by contract that third party service providers with access to personal information protect it.
Physical Restrictions
Required Elements
Regular Monitoring
Annual update of Security Program
Breach Responses
Required Elements
Technical controls:
– Security Access Controls – Password controls, access levels, lock-out settings.
– Encryption – Encryption of data when residing on portable devices or transported over public networks.
– Firewalls – Up-to-date firewall protection as well as operating system security patches are installed.
– Malware and Virus Protection – Up-to-date malware and virus definitions.
– Employee Training - education and training of employees on the proper use of computer information security systems and the importance of personal information security
– Monitoring - reasonable monitoring of systems for the unauthorized use of or access to personal information
Compliance and Enforcement
Attorney General Enforcement – The Attorney General may enforce violations of Chapter 93H via actions brought under Chapter 93A
Compliance Standards
– Size, scope and type of business *
– Amount of resources available to such person *
– Amount of personal information stored *
– The need for security *
* No guidance on minimum requirements
Federal Laws
A privacy law in draft could override state laws.
9 bills have been introduced over the last few years but have not been successful:
– Consumer Notification
– Penalties
– Enforcement
– Centralized reporting
Matthew Putvinski, CPA, CISA, CISSP
Director – IT Assurance Services
617-428-5479
twitter.com/mattputvinski
http://www.linkedin.com/in/mattputvinski
Thank You!