Overcoming Hidden Risks in a Shared Security Model

Upload: onramp

Post on 21-Jan-2018

Page 1: Overcoming Hidden Risks in a Shared Security Model

Page 2

Agenda

• Introduction

• Compliance and Security Landscape

• Evolution to a 3rd Party Ecosystem

• Data Risks and Challenges

• Deep Dive Into Shared Responsibilities

• Best Practices

• Q&A

Page 3

Speakers

Chad Kissinger

Founder

OnRamp

OnRamp is a leading HITRUST-certified data center services company that guides businesses through the complexities of data security and compliance. Our solutions help organizations in healthcare, financial services and education services meet compliance standards.

OnRamp operates multiple enterprise-class SSAE16/AICPA SOC 2 Type 2 and SOC 3 data centers, where we deploy hybrid computing solutions that enable our customers to blend secure cloud computing, managed hosting, and colocation service to best meet their unique requirements. Our team’s consultative approach helps you develop the right mix of solutions to free your resources to focus on agility and differentiation in your industry.

Page 4

Speakers

Maria Horton

CEO

EmeSec

EmeSec uses cybersecurity and privacy practices to build competitive advantage in today’s connected world for clients.

Our intuitive, adaptive and game-changing solutions are designed to help organizations protect their reputation and growth engines while harnessing the power of security and automated technologies. The company is an accredited Third Party Assessor (3PAO) under the Federal Risk and Authorization Management Program (FedRAMP). EmeSec Incorporated is a Woman-Owned Service Disabled Veteran Owned Small Business (SDVOSB), founded in 2003. EmeSec holds certifications in ISO 9001:2015, ISO 20000-1:2011, ISO/IEC 27001:2013, ISO/IEC 17020:2012.

Page 5

Speakers

Michael Casey

Managing Director & Chief Payments Officer

EPMG Advisors

EPMG Advisors was founded in 2008 with the purpose of providing clients the best payments management and advisory services with boutique customer care. Our firm is driven to provide our clients with the understanding and ability to build and maintain a truly transparent payments environment.

Whether your objective is to identify new opportunities for growth or to maximize profits from existing operations, EPMG Payment Advisors can deliver the enterprise-wide solutions you require.

Page 6

Current Landscape

Ponemon Institute, Cost of Data Breach Study: 2017 Global Analysis

https://healthitsecurity.com/news/mobile-security-at-center-of-2.5m-ocr-hipaa-settlement

The average consolidated cost of a data breach reached $3.62 million in 2017.

The risk of non-compliance is significant. Ignorance is not excused. Pennsylvania-based CardioNet agreed to a $2.5 million OCR HIPAA settlement stemming from improper safeguards of PII data.

50% of organizations don’t know who has access to their data, how they’re using it, or what safeguards are in place to mitigate a security incident.

Page 7

Evolution to 3rd Party Ecosystem

C-LEVEL RESPONSIBILITIES

• Multi-Vendor Management

• Agility and Responsiveness

• Retaining Talent

• Patient or Customer Engagement

• Team Skillsets

• Cybersecurity

• Managing Budgets

• Ability to Innovate & Differentiate

Leadership offloads their IT infrastructure and computing needs in order to:

• Increase Operational Efficiency

• Rely on Subject Matter Experts

• Gain a Competitive Advantage

• Reduce Costs

Page 8

Where is the Breakdown?

THE PLAYERS: Regulators, Leadership, Talent, Providers/Suppliers

Compliance regulations are written as though one party is responsible for compliance and security.

Page 9

Data Risks and Top Challenges with Shared Responsibilities

• Confusing Guidance

• Insufficient Policies and Processes

• Unclear Roles and Responsibilities

• No Accountability

• Lack of Due Diligence (Choosing & Monitoring 3rd Parties)

• Insufficient Technology

THE FUMBLES

Page 10

Guidance is Not Prescriptive

THE PLAYBOOK: GOVERNING BODIES AND FRAMEWORKS

• Office for Civil Rights (OCR): HIPAA Security Rule, Breach Notification Rule (www.hhs.gov)

• PCI Data Security Standards (DSS) (https://www.pcicomplianceguide.org/faq/)

• U.S. Department of Education: FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) (https://www2.ed.gov/)

• FISMA; The Privacy Act; FedRAMP

• NIST publications (800-145, 800-66, 800-52); FIPS 140-2

• Cloud Council

Guidance is vague and up for interpretation (e.g., "reasonable and appropriate" measures for HIPAA).

Certain regulations do not require or recognize audits or certifications (e.g., FERPA).

Page 11

Establishing the Right Policies and Processes

Symptoms

• Aren’t able to determine the number of 3rd parties with access to confidential information.

• Lack of confidence in third parties’ data safeguards, security policies and procedures.

• Rarely conduct reviews of vendor management policies and procedures to ensure they address 3rd party data risk.

• Rely on contractual agreements instead of audits and assessments to evaluate the security and privacy practices of their vendors.

Standard Policies

• Information Classification Policy

• Risk Management Policy

• Information Systems Security Policy

• Ongoing Management

• Clearly Defined Roles

Page 12

Why Are Companies Unable to Determine Who Has Access to Their Data?

• No accountability for 3rd party risk management

• No one department or function owns this responsibility

• Not a priority

• Lack of resources to track third parties

• Complexity in vendor relationships

• Frequent turnover in partners

Ponemon Institute, Data Risk in the Third Party Ecosystem

Page 13

Roles, Responsibility, & Accountability

Senior leadership and boards of directors are rarely involved in third-party risk management.

36% of CEOs play a key role in security & compliance strategy.

79% of CEOs cited over-regulation as a top threat to their organizations’ growth.

PwC State of Compliance 2016

Only 16% of respondents indicated that they view their CEO as the compliance champion at their organizations.

Page 14

Roles, Responsibility, & Accountability

INTERNAL – SHARED ACROSS DEPARTMENTS

Page 15

Shared Responsibility Varies by Model

Responsibility | Colocation | IaaS | PaaS | SaaS

• Data Classification

• End-point Protection

• Identity & Access Management

• Application Controls

• Network Controls

• Infrastructure

• Physical Security

Each cell of the matrix assigns the responsibility to the Customer, the Provider, or Both Parties. The per-cell assignments did not survive in this transcript; the matrix contains 12 Customer, 7 Both Parties and 9 Provider cells.

Page 16

Accountability and Ownership

Organizations admit they are sharing sensitive data with third parties that might have poor security policies.

Ponemon Institute, Data Risk in the Third Party Ecosystem

Figure 2: Perceptions about vendors’ security policies and procedures

Page 17

Beware of These 3rd Party Risk Indicators

• Turnover of the vendor’s key personnel

• IT glitches, operational failures and stoppages

• Outdated IT systems and equipment

• History of frequent data breach incidents

• Legal actions against the vendor

• Poorly written security and privacy policies and procedures

Page 18

Case Studies

• Target breach due to HVAC vendor hack. Ultimately, two-factor authentication and anti-malware would have mitigated the breach.

• Hackers breach Equifax’s portal, stealing W-2 data. Only a PIN code was used to protect sensitive data.

• Uber pays hackers $100,000 to hide year-old breach of 57 million users. Hackers accessed Github.com, a third-party cloud storage website used by Uber software engineers. Employee training could have prevented passwords from being published on a public forum.

ZDNet; Forbes.com; USAToday.com

Page 19

Best Practices: Risk Management Life Cycle

1 - PLANNING

2 - DUE DILIGENCE

3 - CONTRACT

4 - ONGOING MONITORING

5 - TERMINATION

OVERSIGHT AND ACCOUNTABILITY

Page 20

Best Practices: Technology, People, Processes

1 - Risk Assessment

2 - Assign Owners

3 - Vendor Security Alignment

Technology

• Data encryption in transit and at rest

• Firewalls

• Multi-factor authentication

• Cloud encryption

• Audit logs showing access to data

• Vulnerability scanning, intrusion detection/prevention

• Hardware and OS patching

• Security audits

• Contingency planning

People & Processes

• Audit operational and business processes

• Audit access management

• Enforce privacy policies

• Ensure cloud networks and connections are secure

• Evaluate security controls: physical infrastructure and facilities

• Data decommissioning process

• Be prepared for incidents

Page 21

Best Practices: Choosing a Vendor

• Understands Your Business Goals

• Credentials & Certifications

• Service Level Agreements (SLAs) & Business Associate Agreements (BAAs)

• Security

• Availability & Scalability

• Expertise in Your Industry

Page 22

Questions?