Slide 1
Confidential
Monday, October 10, 2016
The Venetian | The Palazzo | Sands Expo | Sands Bethlehem | Paiza | Sands Macao
The Venetian Macao | Four Seasons Hotel Macao | The Plaza Macao | Sands Cotai Central | Marina Bay Sands
INFORMATION SECURITY AND THE COMPLIANCE OFFICER
Ralph Villanueva CISA CISM CRMA CIA CFE ITIL
Presented for the 15th Annual Compliance and Ethics Institute
Sheraton Grand Chicago, September 25 to 28, 2016
Slide 2
OBJECTIVES
• Discuss the role of the compliance officer in an IT Department
• How to handle IT professionals at work
• How to get results from your IT professionals and enhance IT security
Slide 3
ABOUT THE SPEAKER
• IT Compliance Analyst for over 5 years and Internal Auditor, Accounting Manager and Financial Controller for over 20 years,
• Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certification in Risk Management and Assurance (CRMA), Certified Internal Auditor (CIA), Certified Fraud Examiner (CFE) and IT Infrastructure Library (ITIL),
• Spoke about audit, fraud and compliance topics since 2010,
• Believes that effective information security depends on effective communication between compliance and IT professionals, and
• Believes that the compliance officer is the most important person in the C Suite.
Slide 4
WHY IS INFORMATION SECURITY IMPORTANT?
• Intellectual Property Theft
• Cyber Crime Threats
• Regulatory Penalties
Slide 5
INTELLECTUAL PROPERTY THEFT
“MIDWEST AGRICULTURE IS A PRIME TARGET FOR THEFT OF INTELLECTUAL PROPERTY AND CYBER ATTACKS”
Laurie Bedord, Successful Farming online magazine, April 5, 2016
Slide 6
CYBER CRIME THREATS
Source: McAfee 2015 Cyber Security Study
Slide 7
Clip from March 2016 Verizon Data Breach
Slide 8
PENALTY FOR LACK OF INFORMATION SECURITY
Source: 2016 Cost of Data Breach Study by Ponemon Institute and IBM
Slide 9
REGULATORY PENALTIES
“HOME HEALTH CARE PROVIDER HIT WITH $240,000 HIPAA PENALTY”
Tim Mulaney, Home Health Care News online magazine, February 3, 2016
Slide 10
Information Security is top of mind among fellow compliance professionals
“Even if they are technologically challenged, CCOs, senior managers and principals should become familiar with the security measures that can help to thwart a cyber attack.”
- Les Abromovitz, Put Compliance Chores on your To Do List, Compliance and Ethics Professional magazine, June 2016 issue
“Organizations need to treat each privacy incident as a
potential breach.”
- Mahmood Sher-Jan, Data Mishaps: Everyday Events,
Inevitable Incidents and Data Breach Disasters, Compliance and Ethics Professional magazine, September
2016 issue
Slide 11
Information Security is top of mind among fellow compliance professionals
“Companies seeking to strengthen data security should heed the findings of a recent survey showing workers have careless security habits and poor security training.”
- Survey: Data Security Risks Heightened by Bad Habits, Poor Training, Compliance and Ethics Professional magazine, July 2016 issue
“Once you have identified the information that should be
protected, how do you protect it? It goes without saying that you have to have a policy.”
- Mary Ellen O’Neill: Every Company Needs a Comprehensive Confidential Data Protection Program,
Compliance and Ethics Professional magazine, July 2016
issue
Slide 12
WHAT IS INFORMATION SECURITY?
“Information security is the practice of defending information from unauthorized access, use,
disclosure, disruption, modification, inspection, recording or destruction”
From US Code, Title 44, Chapter 35, Subchapter III, Section 3542
Slide 13
THREE INFORMATION SECURITY CONSIDERATIONS
• Confidentiality
• Integrity
• Availability
Slide 14
SEVEN ROLES OF A COMPLIANCE OFFICER
• Designing, implementing, overseeing and monitoring the compliance program
• Reporting on a regular basis to the organization’s governing body, CEO and compliance committee
• Revising the compliance program periodically as appropriate
• Developing, coordinating and participating in a multifaceted educational and training program
• Assisting with internal compliance review and monitoring activities
• Assuring management has mechanisms in place to mitigate risks
• Assuring management takes corrective action to resolve the noncompliance problems identified
Source: Compliance 101, 2nd edition by Debbie Troklus and Sheryl Vacca
Slide 15
IT SECURITY AND COMPLIANCE
IT Security: Confidentiality, integrity and availability of data
Compliance: Policies, rules and regulations
Slide 16
INFORMATION SECURITY AND COMPLIANCE
Confidentiality, Integrity and Availability Model (from ISACA)

Requirement: Confidentiality - the protection of information from unauthorized disclosure
Impact and potential consequences: disclosure of information protected by privacy laws; loss of public confidence; loss of competitive advantage; legal action against company
Method of control: access controls; file permissions; encryption

Requirement: Integrity - the accuracy and completeness of information in accordance with business values and expectations
Impact and potential consequences: inaccuracy; erroneous decisions; fraud
Method of control: access controls; logging; digital signatures; hashes; encryption

Requirement: Availability - the ability to access information and resources required by the business process
Impact and potential consequences: loss of functionality and operational effectiveness; loss of productive time; interference with company objectives
Method of control: redundancy; backups; access controls
Slide 17
INFORMATION SECURITY AND COMPLIANCE
Examples of what compliance officers can do to enhance IS
• Ask about compliance with IS aspects of regulations applicable to their industry (e.g. PCI, HIPAA, Basel II, etc.)
• Look into the information security portion of compliance programs
• Gauge the degree of management involvement in information security
• Discuss with peers the current issues about information security and compliance
• Talk to the IT Department about processes and technologies geared towards information security
Slide 18
WHEN IT COMES TO ENFORCING IT COMPLIANCE POLICY... SITUATIONS ARE
Slide 19
“I DON’T CARE” SITUATION
Slide 20
“WHAT TOOK YOU SO LONG” SITUATION
Slide 21
“SPEAKING IN CODES” SITUATION
Slide 22
THREE PROBLEMS WITH INFORMATION SECURITY COMPLIANCE
• Communication with IT professionals
• Management culture
• Budget
Slide 23
COMMUNICATION WITH IT PROFESSIONALS
Does your IT Dept communicate this way?
(clip from The IT Crowd)
Slide 24
COMMUNICATION WITH IT PROFESSIONALS
First, recognize the problem.
“The communication gap between IT and the business community is a contributing factor in the underestimation and lack of appreciation of each other.” - Robert Putrus, CISM and IT Professional (A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments, ISACA Journal, Volume 2, 2016)
Slide 25
COMMUNICATION AND TECHNICAL KNOWLEDGE ARE IMPORTANT
“The communication gap between IT and the business
community is a contributing factor in the underestimation and
lack of appreciation of each other.” Robert Putrus, CISM and IT
Professional (A Nontraditional Approach to Prioritizing and