<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Farhaad Nero, Author at Security Current</title>
	<atom:link href="/author/farhaad-nero/feed/" rel="self" type="application/rss+xml" />
	<link>/author/farhaad-nero/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Mon, 22 Jun 2020 09:30:32 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Farhaad Nero, Author at Security Current</title>
	<link>/author/farhaad-nero/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Flashback: Read this article on assessing whether your business can survive a pandemic written in Dec 2014 by Farhaad Nero who was VP of Enterprise Security at Bank of Tokyo-Mitsubishi at that time</title>
		<link>/take-the-test-today-ebola-tomorrow-who-knows-can-your-business-survive-a-pandemic/</link>
					<comments>/take-the-test-today-ebola-tomorrow-who-knows-can-your-business-survive-a-pandemic/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Mon, 02 Mar 2020 15:33:10 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16674</guid>

					<description><![CDATA[<p>Take the Test: Today Ebola, Tomorrow Who Knows? Can Your Business Survive a Pandemic? Read this article on assessing whether your business can survive a pandemic written in Dec 2014&#8230;</p>
<p>The post <a href="/take-the-test-today-ebola-tomorrow-who-knows-can-your-business-survive-a-pandemic/">Flashback: Read this article on assessing whether your business can survive a pandemic written in Dec 2014 by Farhaad Nero who was VP of Enterprise Security at Bank of Tokyo-Mitsubishi at that time</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2>Take the Test: Today Ebola, Tomorrow Who Knows? Can Your Business Survive a Pandemic?</h2>
<h4>Read this article on assessing whether your business can survive a pandemic written in Dec 2014 by Farhaad Nero who was VP of Enterprise Security at Bank of Tokyo-Mitsubishi at that time</h4>
<p>Pandemics are <a title="Epidemic" href="https://en.wikipedia.org/wiki/Epidemic">epidemic</a>s occurring on a scale that crosses international boundaries, usually affecting a large number of people.</p>
<p>We may have had near misses, Ebola most recently, but the threat of a pandemic is always with us.</p>
<p>What is the possible impact to your business and how should you prepare? One <a href="https://training.fema.gov/hiedu/docs/busind/bccm%20-%20session%2023%20-%20handout%20iv%20-%20pandemic%20influenza%20business%20planning%20toolkit.pdf">State Public Health Organization</a>, addressing a hypothetical influenza pandemic, said:</p>
<p>Unlike other natural disasters or terrorist events, where any disruption to business service provision is likely to be infrastructure related, disruption to business operations in the event of a pandemic is anticipated to be human- and material-oriented. A pandemic has the potential to cause illness in a very large number of people, overwhelm the health care system, and jeopardize services by causing high levels of absenteeism in the workforce. Basic services, such as health care, law enforcement, fire, emergency response, communications, transportation, and utilities could be disrupted during a pandemic.</p>
<p>It is business critical to prepare for such an event. So to better measure your skills and get your plans on the table, solidified, or revised, here&#8217;s a short questionnaire to help out. The test does not aim to cover everything but will give you a good idea of where you stand. Feel free to modify it to fit your enterprise’s needs.</p>
<p>There are 25 questions, each with a maximum of 2 points.</p>
<p>Please note that many people would say &#8220;yes&#8221; to every question below when asked about the application of these guidelines to their internal environment.</p>
<p>When you&#8217;re done, just multiply the total score by 2 to obtain the percentage that is your final score.</p>
<p>You may ask what percent is a good one. It&#8217;s all about knowing your shortcomings and what&#8217;s right for your business.</p>
<p>Assign a number from 0 to 2 for each question. The following is the meaning for each response:</p>
<p>0 = No or Not Applicable</p>
<p>1 = Somewhat or Partially Proficient</p>
<p>2 = Yes</p>
<ol>
<li>Do you understand the difference between business continuity and a pandemic? (0/1/2)</li>
<li>Does your pandemic plan reflect your enterprise’s size, complexity, and business activities? (0/1/2)</li>
<li>Is it incorporated in your ongoing business impact analysis and risk assessment processes? (0/1/2)</li>
<li>Does it have a preventive program that includes: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, in addition to providing appropriate hygiene training and tools to employees? (0/1/2)</li>
<li>Does it have a documented strategy that includes: scaling your enterprise’s pandemic efforts such as first human cases overseas, first human cases in the USA, and first cases in your enterprise? (0/1/2)</li>
<li>Does it include a comprehensive framework of facilities, systems, or procedures that provide the capability to continue critical operations for prolonged periods? (0/1/2)</li>
<li>Does it include a testing program to ensure that your plans are effective? (0/1/2)</li>
<li>Does your testing include coordination with local health officials and health care providers like hospitals? (0/1/2)</li>
<li>Does it include an oversight program to ensure continuous monitoring of your standards, policies, and procedures? (0/1/2)</li>
<li>Have you evaluated your critical service providers for support and continued operation during a pandemic? (0/1/2)</li>
<li>Have you reviewed the legal and regulatory requirements that may be impacted during a pandemic? (0/1/2)</li>
<li>Have you assessed the cross training required for key business functions and processes? (0/1/2)</li>
<li>Have you estimated the maximum downtime associated with your enterprise’s business functions and processes that may occur during a pandemic? (0/1/2)</li>
<li>Have you assessed your remote access and telecommuting capabilities? (0/1/2)</li>
<li>Is your pandemic plan incorporated in your BCP? (0/1/2)</li>
<li>Have you communicated and disseminated the pandemic plan and the current status of pandemic phases to all employees? (0/1/2)</li>
<li>Have you identified triggering events that require management to implement its response plans? (0/1/2)</li>
<li>Have you identified and trained individuals in your organization who would interact with local public health officials so that your efforts are coordinated with those of the communities you work in? (0/1/2)</li>
<li>Have you determined your critical employees? (0/1/2)</li>
<li>What about data security? Have you incorporated secure connections and encryption for a mobile workforce? (0/1/2)</li>
<li>Do your pandemic plans cover your local, regional, and international offices? (0/1/2)</li>
<li>Have you taken into consideration succession planning due to employees not being available to work? (0/1/2)</li>
<li>Have you built a skills matrix – i.e. an assessment of employees’ skills? (0/1/2)</li>
<li>Have you identified essential business functions, essential jobs and roles to maintain proper business operations? (0/1/2)</li>
<li>Are there documented HR provisions that spell out employee actions when they become ill? (0/1/2)</li>
</ol>
<p>The post <a href="/take-the-test-today-ebola-tomorrow-who-knows-can-your-business-survive-a-pandemic/">Flashback: Read this article on assessing whether your business can survive a pandemic written in Dec 2014 by Farhaad Nero who was VP of Enterprise Security at Bank of Tokyo-Mitsubishi at that time</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/take-the-test-today-ebola-tomorrow-who-knows-can-your-business-survive-a-pandemic/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Data Breach Information You Can Chew On</title>
		<link>/data-breach-information-you-can-chew-on/</link>
					<comments>/data-breach-information-you-can-chew-on/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Mon, 17 Oct 2016 04:42:28 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16331</guid>

					<description><![CDATA[<p>We live in a time when data breaches are the norm. As information security and risk professionals we are tasked with trying to mitigate the risks posed by these impending&#8230;</p>
<p>The post <a href="/data-breach-information-you-can-chew-on/">Data Breach Information You Can Chew On</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>We live in a time when data breaches are the norm. As information security and risk professionals we are tasked with trying to mitigate the risks posed by these impending breaches. We constantly are learning and striving to locate and fill gaps in our processes and architecture. But it is only a matter of time before an attack occurs.</p>
<p>Before we proceed let’s review how Verizon defines a breach versus an incident in its 2015 Data Breach Investigations Report (DBIR).</p>
<ul>
<li>An incident is a security event that compromises the integrity, confidentiality or availability of an information asset.</li>
<li>A Breach is an incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.</li>
</ul>
<p>Let us reiterate what Verizon, in its 2015 DBIR, lists as the 9 leading causes of data breaches, in the following order:</p>
<p>1. Point-of-Sale Intrusions (28.5% of all confirmed data breaches).</p>
<p>2. Crime-ware &#8211; malware attacks that were not point-of-sale or cyber- (18.8% of all confirmed data breaches).</p>
<p>3. Cyber- (18% of all confirmed data breaches).</p>
<p>4. Insider Misuse (10.6% of all confirmed data breaches). 55% of that was privilege abuse!</p>
<p>5. Web App Attacks (9.4% of all confirmed data breaches). Use of stolen credit cards ranked the highest!</p>
<p>6. Miscellaneous Errors (8.1% of all confirmed data breaches). This ranked highest for Incidents at just about 30%. 60% of miscellaneous errors originated internally and 30% of this was when sensitive information was sent to incorrect recipients.</p>
<p>7. Physical Theft and Loss (3.3% of all confirmed data breaches). Health Care and the Public Sector suffered the most. 55% occurred in the work area and 22% in employee-owned vehicles.</p>
<p>8. Payment Card Skimmers (3.1% of all confirmed data breaches). Has updating to the chip-and-PIN systems helped? This was pretty limited, as expected, to the financial and retail arenas.</p>
<p>9. Denial Of Service Attacks (only 0.1% of all confirmed data breaches). Significant improvement from the year before due to stronger security measures.</p>
<p>Verizon’s 2015 DBIR found that most attackers were external actors driven by financial gain &#8211; using hacking, distributing malware and phishing. Stolen credentials also started trending.</p>
<p>It also found that Microsoft and Adobe vulnerabilities were exploited within days while Mozilla and Apple took longer. And yes, old vulnerabilities continued to get exploited. Patience pays off!</p>
<p>Look again at what measures you are taking to safeguard your enterprise. Ask yourself the following questions:</p>
<ul>
<li>How do they line up with Verizon’s findings?</li>
<li>Are you throwing your resources at the right place?</li>
<li>Are you hiring information security and risk professionals with the needed skill sets?</li>
<li>Are you able to produce metrics on a regular basis that demonstrate how your security measures are addressing the above Verizon findings?</li>
</ul>
<p>From one security professional to another &#8212; feel the pulse of your enterprise!</p>
<p>The post <a href="/data-breach-information-you-can-chew-on/">Data Breach Information You Can Chew On</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/data-breach-information-you-can-chew-on/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Did the Panama Papers End the Honeymoon for Law Firms?</title>
		<link>/did-the-panama-papers-end-the-honeymoon-for-law-firms/</link>
					<comments>/did-the-panama-papers-end-the-honeymoon-for-law-firms/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Mon, 16 May 2016 13:57:24 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16369</guid>

					<description><![CDATA[<p>Try and do an information security risk assessment of a law firm your company uses. Give them an InfoSec security questionnaire to fill out and request key information security documents. And&#8230;</p>
<p>The post <a href="/did-the-panama-papers-end-the-honeymoon-for-law-firms/">Did the Panama Papers End the Honeymoon for Law Firms?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Try and do an information security risk assessment of a law firm your company uses. Give them an InfoSec security questionnaire to fill out and request key information security documents. And if they host a lot of your sensitive data ask for a SOC2 report or even a penetration test report.</p>
<p>What are the chances you will not get a major push back? What about your right to audit? Can you come onsite and validate some key security controls?</p>
<p>Do you think law firms have had a free pass? Do you think the Panama Papers lawsuit will change anything? The Panama Papers refers to more than 11.5 million leaked documents that detail financial and attorney-client information of more than 214,000 offshore entities. The Panamanian law firm Mossack Fonseca created the leaked documents.</p>
<p>Do you think cyber crooks will take a peek at law firms more now – especially knowing how much sensitive data about people and corporations they may have? Is it all just about contractual terms and conditions?</p>
<p>Many of the bigger law firms have indeed taken information security seriously and thus have a sound information security program in place. But, as with many industries, the real challenges continue to haunt the medium and small firms in particular, some of which have significant engagements with many big companies, putting sensitive data at risk.</p>
<p>Let us just restate some of the facts we now know of the Panama Papers:</p>
<ul>
<li>11.5 million documents were revealed.</li>
<li>2.6 Terabytes of data leaked.</li>
<li>Snitched by hackers and landing at the feet of the International Consortium of Investigative Journalists (ICIJ), who broke the story a year after obtaining them.</li>
<li>WIRED says it is “the biggest leak in whistleblower history” &#8211; bigger than Wikileaks Cablegate (2010) and Snowden’s NSA (2013) combined.</li>
<li>Law firm at the center of it – Mossack Fonseca.</li>
<li>Data spans almost 40 years (1977 to 2015) covering people and companies from more than 200 countries and territories &#8211; more than 214,000 companies – all available now in a searchable database.</li>
<li>Only 211 people with U.S. addresses. Bill Gates, on CNBC, said that was a surprise.</li>
<li>An anonymous whistleblower in 2014 at Mossack Fonseca contacted reporter Bastian Obermayer of the German newspaper Süddeutsche Zeitung and notified him about information related to criminal activities in Mossack Fonseca’s possession.</li>
<li>File types revealed: 4.8 million emails, 3 million in database formats, 2.1 million PDFs, 1.1 million images, 0.3 million text documents.</li>
</ul>
<p>So what really was the issue? We may never know. But what we have so far gathered is that Mossack Fonseca used two of the more popular content management systems (CMS) &#8211; WordPress and Drupal &#8211; to run their public and client-facing websites respectively. The client portal was used to share sensitive documents with its clients. The code was written in PHP and is open source.</p>
<p>Wordfence, a WordPress security company, after in-depth analysis, figured out that the WordPress site was over three months out of date and their Drupal site was almost two years out of date. That’s not all – Mossack Fonseca used obsolete third-party plugins for WordPress that may have given hackers the free pass they needed.</p>
<p>Two industry stalwarts had weighed in:</p>
<p>“As far as hackers are concerned, any legal firm represents a treasure trove of personal and financial data &#8211; but this latest attack is an absolute goldmine. Protecting your clients&#8217; data is a fundamental part of being a lawyer, so it&#8217;s difficult to see how this firm can recover from a hack of this magnitude.” &#8211; Brian Spector, CEO at MIRACL.</p>
<p>“I think it is arguable that no one individual should have been able to access all of that information. Very often you find that information is not properly ring-fenced so if you know where you&#8217;re going, you can go onto a firm&#8217;s server and go into a different department. That kind of free access across a network should not be permitted.” &#8211; Peter Wright, solicitor and managing director at Digital Law UK.</p>
<p>Do you think that this, the largest data breach in Internet history, was caused by a lack of security best practices? Proper due diligence may not have been done. Improper access controls seemingly were in place.</p>
<p>How was the information protected? Were penetration tests and vulnerability assessments done on a regular basis and timely action taken to remediate at least the high and moderate findings?</p>
<p>All companies, not just law firms, must again look at this as an eye-opener – and rethink their information security strategy short term and long term. Know where your crown jewels are and how they are protected. Sounds simple and it makes sense – but often enough does not translate into serious action. Data leakage is a serious issue and one simple start is with information security awareness in a formal way across the depth of your organization – covering employees, contractors, and yes, senior management equally!</p>
<p>The post <a href="/did-the-panama-papers-end-the-honeymoon-for-law-firms/">Did the Panama Papers End the Honeymoon for Law Firms?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/did-the-panama-papers-end-the-honeymoon-for-law-firms/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Don&#8217;t Sweep These Third-Party Vendor Challenges Under the Rug</title>
		<link>/dont-sweep-these-third-party-vendor-challenges-under-the-rug/</link>
					<comments>/dont-sweep-these-third-party-vendor-challenges-under-the-rug/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Mon, 04 Apr 2016 15:00:13 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16389</guid>

					<description><![CDATA[<p>Third-party vendors are essential to businesses big and small, national and global. Outsourcing is big. Offshoring is big. You can’t just move or outsource part of your business halfway across&#8230;</p>
<p>The post <a href="/dont-sweep-these-third-party-vendor-challenges-under-the-rug/">Don&#8217;t Sweep These Third-Party Vendor Challenges Under the Rug</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Third-party vendors are essential to businesses big and small, national and global. Outsourcing is big. Offshoring is big. You can’t just move or outsource part of your business halfway across the world or even across the street and have no way of ensuring that it is being well run.</p>
<p>You put your hard-earned money in the bank for someone else to keep safe for you until you need it. You trust the bank but you would surely want to confirm that it’s all there.</p>
<p>You check your balance daily and look at transactions frequently to decipher if there are any illegitimate transactions. The bottom line, as President Ronald Reagan said: trust but verify. It stands to reason that you should approach your business in the same way.</p>
<p>There are many ways to confirm that proper due diligence is conducted when onboarding a vendor and during the subsequent monitoring. But many challenges lie on the road to establishing a secure and mature third-party program.</p>
<p>Following are 10 challenges you might face:</p>
<h3>1.  Getting the right vendor documents</h3>
<p>Onboarding a new vendor and performing ongoing monitoring of an existing vendor requires collecting certain documents and completed questionnaires from the vendor.</p>
<p><strong>Challenge</strong></p>
<ul>
<li>Most vendors take their sweet time to submit the requested documents, especially during ongoing monitoring. When onboarding, they could be pretty cooperative to some extent – wonder why!</li>
<li>Some documents submitted may not be exactly within the scope and service.</li>
<li>Some documents could be altogether not what was requested.</li>
</ul>
<p><strong>What you can do</strong></p>
<ul>
<li>Specify clearly what you need. Any ambiguity will lead to confusion and delays.</li>
<li>Set roles, responsibilities and deadlines with the vendor and their relationship manager.</li>
<li>Actively follow up on deadlines.</li>
<li>Don’t be bashful to escalate to the vendor’s business and relationship management.</li>
<li>Let the vendor and in-house vendor relationship manager crosscheck what was requested against what was submitted – in terms of scope, service, and date of document, etc. This ensures that by the time it gets to you, some quality checking would have been done.</li>
</ul>
<h3>2.  Contract provisions that protect</h3>
<p>Contract provisions are the means to the end in order to protect your business, your company, and its reputation from any negative impact a vendor could have on your organization and its future.</p>
<p><strong>Challenge</strong></p>
<ul>
<li>Including the right security provisions in the contract.</li>
<li>Information security and risk management do not work hand in hand with legal, sourcing, and other groups (for example, business continuity management, privacy, and compliance).</li>
<li>Legal does not have templates to work with based on the vendor scope and its service.</li>
<li>Contract negotiations do not include subject matter experts.</li>
</ul>
<p><strong>What you can do</strong></p>
<ul>
<li>Create a list of standard contract provisions that should be included in contracts. Categorize the list based on the scope, service and potential use cases. Work with the legal department to create templates to drive the contract process.</li>
<li>Work with all potentially impacted groups in the contract process to make certain all bases are covered.</li>
<li>Be an integral part of the contract negotiation process – especially with critical and high-risk vendors.</li>
</ul>
<h3>3.  Risk appetite, risk ranking, risk remediation</h3>
<p>An organization’s risk appetite is what drives how to rank vendor issues and how to look at vendor remediation and compensating controls.</p>
<p><strong>Challenge</strong></p>
<ul>
<li>Though risk management is not a new discipline it may be very new to many information security professionals.</li>
<li>Defining the organization’s risk appetite so as not to leave it open for interpretation.</li>
<li>Baseline requirements or key controls also may not be defined.</li>
<li>The vendor remediation process may not be properly defined.</li>
</ul>
<p><strong>What you can do</strong></p>
<ul>
<li>Solidify your information security risk management program and ensure corporate buy-in.</li>
<li>Once the organization’s risk appetite is determined, determine and document the risk acceptance process.</li>
<li>Determine minimum-security requirements and key controls.</li>
<li>Include inherent risk and residual risk as part of the daily language.</li>
<li>Vendor remediation can be easily overlooked so put this task on steroids.</li>
<li>Identify who is responsible and the process to provide continuous assessments.</li>
</ul>
<h3>4.  Staff</h3>
<p>The importance of vendor assessments is at an all-time high now – across all kinds of businesses, including regulated environments. This necessitates adequate staffing to guarantee that the correct level of focus is provided to manage a vendor management program and the changing threat landscape.</p>
<p><strong>Challenge</strong></p>
<ul>
<li>Good vendor assessors in an information security world are a hard-to-find commodity.</li>
</ul>
<p><strong>What you can do</strong></p>
<ul>
<li>Be prepared to make it a financially lucrative position and create a stable in-house environment to keep staff challenged and content. Pay attention to the employee and their welfare.</li>
</ul>
<h3>5.  Fourth-party vendors and beyond</h3>
<p>Everyone has a third-party vendor these days. It’s the way to do business or so it seems. And that third-party vendor could be anywhere in the world.</p>
<p><strong>Challenge</strong></p>
<ul>
<li>We engage third-party vendors but rarely know what vendors they are using downstream who may have access to our data day in and day out.</li>
<li>No significant due diligence is being done against these fourth parties and beyond.</li>
</ul>
<p><strong>What you can do</strong></p>
<ul>
<li>This needs to be addressed during the contract and onboarding phase. Ensure you know the downstream vendors and if and when they change. Regulations are quickly changing and are putting increasing emphasis on this recognition and its due diligence. So keep on top of it.</li>
</ul>
<p><em>If you can implement just a few of the above suggestions you already are on the way towards a mature third-party vendor program. Perhaps the auditors and regulators will give you a pass seeing you have an action plan. Think small. Scale big!</em></p>
<p>The post <a href="/dont-sweep-these-third-party-vendor-challenges-under-the-rug/">Don&#8217;t Sweep These Third-Party Vendor Challenges Under the Rug</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/dont-sweep-these-third-party-vendor-challenges-under-the-rug/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A CISO Checklist: 11 Reasons to Avoid the Cloud</title>
		<link>/a-ciso-checklist-11-reasons-to-avoid-the-cloud/</link>
					<comments>/a-ciso-checklist-11-reasons-to-avoid-the-cloud/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Sun, 24 Jan 2016 17:20:36 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16441</guid>

					<description><![CDATA[<p>Recall these 2 famous quotes: “The horse is here to stay but the automobile is only a novelty – a fad.” Michigan Savings Bank president advising Henry Ford’s lawyer, Horace&#8230;</p>
<p>The post <a href="/a-ciso-checklist-11-reasons-to-avoid-the-cloud/">A CISO Checklist: 11 Reasons to Avoid the Cloud</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Recall these 2 famous quotes:</p>
<p>“The horse is here to stay but the automobile is only a novelty – a fad.” <em>Michigan Savings Bank president advising Henry Ford’s lawyer, Horace Rackham, not to invest in Ford Motor Company (1903).</em></p>
<p>“There is no reason anyone would want a computer in their home.” <em>Ken Olson, president, chairman and founder of Digital Equipment Corp (DEC), the maker of big business computers, arguing against the PC (1977).</em></p>
<p>These are but a few examples of when experts have dismissed technologies that now are integral parts of our daily lives, and as some would say, make up the very fabric of our existence.</p>
<p>Without much of an argument, cloud computing can be listed as one of those potent technologies that are now a mainstay and have forever changed our lives.</p>
<p>Here are some notable quotes, both positive and negative, on cloud computing (and software as a service, SaaS, solutions) in recent years:</p>
<ol>
<li><em>Tom Siebel, founder of Siebel CRM Systems in 2001, on Salesforce:<br />
“There’s no way that company exists in a year.”</em></li>
<li value="2"><em>Larry Ellison of Oracle in 2008: </em><br />
&#8220;The computer industry is the only industry that is more fashion-driven than women&#8217;s fashion. Maybe I&#8217;m an idiot, but I have no idea what anyone is talking about. What is it? It&#8217;s complete gibberish. It&#8217;s insane. When is this idiocy going to stop? We&#8217;ll make cloud-computing announcements. I&#8217;m not going to fight this thing. But I don&#8217;t understand what we would do differently in the light of cloud.”</li>
<li value="3"><em>Vivek Kundra, Federal CIO, US Government, on a simple definition of cloud computing in 2010:</em><br />
<em>&#8220;There was a time when every household, town, farm or village had its own water well. Today, shared public utilities give us access to clean water by simply turning on the tap; cloud computing works in a similar fashion. Just like water from the tap in your kitchen, cloud-computing services can be turned on or off quickly as needed. Like at the water company, there is a team of dedicated professionals making sure the service provided is safe, secure and available on a 24/7 basis. When the tap isn&#8217;t on, not only are you saving water, but you aren&#8217;t paying for resources you don&#8217;t currently need.”</em></li>
</ol>
<p>As a CISO or an executive in a role with information security oversight, you will, if you haven’t already, be tasked to move parts of your business (and sensitive data) onto the cloud.</p>
<p>There are many reasons to move to the cloud. And though you may not have much choice in any event &#8212; you’ve done your research, the RFIs, the RFPs, and the POCs &#8212; you are left with the following concerns that make you wonder if you actually could, should and would avoid the cloud:</p>
<ol>
<li>Will my data be kept overseas?</li>
<li>Can I validate that there are data segmentation and separation capabilities between clients?</li>
<li>Will my data be encrypted at rest?</li>
<li>Are penetration tests performed on a regular basis, automated or otherwise?</li>
<li>Is two-factor authentication required to access the production environment?</li>
<li>Which personnel from the cloud provider have access to my data?</li>
<li>Are the suppliers of the critical hardware, network services and facility involved in annual continuity and recovery tests?</li>
<li>Is there a contractual penalty or remediation clause for breach of availability, and is a guaranteed SLA included?</li>
<li>How easily can I switch providers?</li>
<li>Do they provide the kind of technical support I am looking for?</li>
<li>Will I really save money going to the cloud?</li>
</ol>
<p>As well, you could be faced with regulatory issues, data leakage, unacceptable downtime, and more. What is paramount is that you thoroughly know your assets, where they are and who has access to them, so that you can ensure the proper protections are in force both at the provider and in your organization. Defense in depth.</p>
<p>Above all, you must be able to monitor the protections the cloud provider implements, so that you can track trends, detect changes, and sound the alarm at the right time.</p>
<p>So it may be inevitable but are you really ready to move to the cloud?</p>
<p>The post <a href="/a-ciso-checklist-11-reasons-to-avoid-the-cloud/">A CISO Checklist: 11 Reasons to Avoid the Cloud</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/a-ciso-checklist-11-reasons-to-avoid-the-cloud/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Facts, Tips, and References for CISOs this Holiday Season</title>
		<link>/facts-tips-and-references-for-cisos-this-holiday-season/</link>
					<comments>/facts-tips-and-references-for-cisos-this-holiday-season/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Thu, 17 Dec 2015 18:38:55 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16467</guid>

					<description><![CDATA[<p>Well, ‘tis the season – a season for celebrating and a season for shopping. You are the CISO, the head honcho for everything information security. So who’re you gonna call&#8230;</p>
<p>The post <a href="/facts-tips-and-references-for-cisos-this-holiday-season/">Facts, Tips, and References for CISOs this Holiday Season</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Well, ‘tis the season – a season for celebrating and a season for shopping. You are the CISO, the head honcho for everything information security. So who’re you gonna call when everyone and their mothers come running your way asking how their information can be kept safe this holiday season?</p>
<p>Here’s your cheat sheet. A compendium of facts, tips and references.</p>
<p><strong><u>QUICK FACTS</u></strong></p>
<ol>
<li><strong>According to the Ponemon Institute</strong>:
<ul>
<li>The costliest cybercrimes are those caused by malicious insiders, denial of service and web-based attacks.</li>
<li>64% experienced web-based attacks and 62% experienced phishing and social engineering attacks. Most companies also experienced malicious code and botnets (both 59%) and denial of service attacks (51%).</li>
<li>Malicious code is the costliest problem for U.S. companies. Countries with the highest costs related to denial of service attacks are the UK and Australia. Malware is most costly in the Russian Federation. In most countries, botnets are the least costly type of attack.</li>
<li>The number of attacks is increasing. The number of successful attacks per company, per year, has risen 46% over four years.</li>
<li>The time required to resolve attacks is growing. The average number of days to resolve incidents increased 229% in six years.</li>
<li>Average total cost of a data breach increased 23% over the past two years to $3.79 million.</li>
<li>The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6% jumping from $145 in 2014 to $154 in 2015. The retail industry’s average cost increased dramatically, from $105 last year to $165.</li>
</ul>
</li>
<li><strong>Gemalto 2014 Breach Level Index: </strong>
<ul>
<li>Most Notable Data Breaches – Home Depot: 109 million records, Korean Credit Bureau: 104 million records, JP Morgan Chase: 83 million records, AliExpress: 300 million records, Sony Pictures Entertainment: 47 thousand records.</li>
<li>United States is at the top of the list with 1107 breaches. Europe had 190 breaches, which compromised million records.</li>
<li>No industry experienced as many data breaches as the healthcare sector, which had 391 breaches in 2014. That amounted to one quarter of all the breaches reported for the year.</li>
<li>The most common source was malicious outsiders, who were involved in 854 breaches, or 55% of the total.</li>
<li>The most common type of attack was identity theft. Organizations were hit with 827 of these attacks, which accounted for more than half of the total (54%). That’s up dramatically from just 20% in 2013.</li>
</ul>
</li>
<li><strong>Verizon Data Breach Report 2015</strong>
<ul>
<li>In 60% of cases, attackers are able to compromise an organization in minutes.</li>
<li>23% of recipients now open e-mails and click on phishing links within the first hour.</li>
<li>Out of tens of millions of mobile devices, only 0.03% were infected with truly malicious exploits; the number was negligible.</li>
<li>In October 2015, the chip-and-PIN mandate went into full effect in the United States. A word of caution—poor implementations are still vulnerable to attack.</li>
<li>Malware used to launch DoS attacks jumped from #8 to #2 in threat action variety, while command and control remains at #1.</li>
</ul>
</li>
</ol>
<p>So you’ve got them impressed with these facts.</p>
<p>Here are a few tips to provide your business partners, your hairdresser, your closest confidantes, your extended family and friends to keep them safe this jolly season. Check these out.</p>
<p><strong><u>TIPS</u></strong></p>
<ol>
<li>Make sure you continuously check your bank and credit card statements – paper and online.</li>
<li>Run antivirus and anti-malware software, with current updates, on all devices. Be very diligent about this – no exceptions.</li>
<li>Use strong passwords. Even try two-factor authentication with your email accounts. Yes, it’s tough at first but you’ll get used to it.</li>
<li>Always use websites you know well.</li>
<li>Look for the lock next to the https in the URL before you purchase or divulge your personal information. Keep in mind that the lock only tells you the connection is encrypted, not that the site belongs to who it claims to be; a phishing site can have one too.</li>
<li>Why would companies need your social security number or your birth date? Think twice, ask questions – someone may be in the process of stealing your identity!</li>
<li>Don’t use public computers to make purchases!</li>
<li>Watch your back when doing online shopping in public places.</li>
<li>Just don’t jump on to any unknown Wi-Fi network to do your shopping or banking.</li>
<li>Look out for scams (see below).</li>
</ol>
<p>Safety and security at this time of the year go hand-in-hand. On the Internet, you will be able to find a number of infographics that you can print and share with family and friends as well. Here are some references you can use in the meantime.</p>
<p><strong><u>REFERENCES</u></strong>:</p>
<ol>
<li><strong>McAfee</strong><strong> &#8211; 12 Scams of Christmas: </strong><a href="https://www.mcafee.com/us/about/news/2011/q4/20111109-01.aspx">https://www.mcafee.com/us/about/news/2011/q4/20111109-01.aspx</a></li>
<li><strong>StaySafeOnline</strong><strong> – Online Shopping: </strong><a href="https://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/online-shopping">https://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/online-shopping</a></li>
<li><strong>US Computer Emergency Readiness Team</strong> – Shopping Safety Online: <a href="https://www.us-cert.gov/ncas/tips/ST07-001">https://www.us-cert.gov/ncas/tips/ST07-001</a></li>
<li><strong>Kaspersky Lab</strong> – Safer Online Shopping: <a href="https://usa.kaspersky.com/internet-security-center/internet-safety/online-shopping#.Vm3zhPkrKHs">https://usa.kaspersky.com/internet-security-center/internet-safety/online-shopping#.Vm3zhPkrKHs</a></li>
<li><strong>Parents</strong> – Planning and Safety: <a href="http://www.parents.com/holiday/christmas/safety/">http://www.parents.com/holiday/christmas/safety/</a></li>
</ol>
<p>Last but not least: above all in information security is the value of human life and safety. Read what the Los Angeles Police Department has put out on Holiday Safety Tips:</p>
<p><a href="http://www.lapdonline.org/crime_prevention/content_basic_view/1376">http://www.lapdonline.org/crime_prevention/content_basic_view/1376</a></p>
<p>Read it over and over. Be familiar with it and spread the word.</p>
<p>To you and yours – Happy Holidays! Hopefully 2016 will bring about the very best in every way.</p>
<p>The post <a href="/facts-tips-and-references-for-cisos-this-holiday-season/">Facts, Tips, and References for CISOs this Holiday Season</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/facts-tips-and-references-for-cisos-this-holiday-season/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A CISO Checklist: How to Reduce the Silo Effect</title>
		<link>/a-ciso-checklist-how-to-reduce-the-silo-effect/</link>
					<comments>/a-ciso-checklist-how-to-reduce-the-silo-effect/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Thu, 01 Oct 2015 20:21:14 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16502</guid>

					<description><![CDATA[<p>As a CISO or an executive responsible for the Information Security organization at your company, one thing that you ought to keep in real focus is the Silo Effect. Be&#8230;</p>
<p>The post <a href="/a-ciso-checklist-how-to-reduce-the-silo-effect/">A CISO Checklist: How to Reduce the Silo Effect</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>As a CISO or an executive responsible for the Information Security organization at your company, one thing that you ought to keep in real focus is the Silo Effect. Be conscious of it, work against it, and prevent it from derailing your vision and longevity!</p>
<p>So what is the Silo Effect? It’s when departments do not wish to share information with others in the same company. Of course, all of us understand why this may be the case, and all of us also understand the effects of this stance.</p>
<p>But I would like to stretch the usual definition a bit further. I would like to include the cases where a lack of resources, time, and transparency forces us to operate in such a way &#8211; yes, by a conscious decision, an unconscious decision, or both!</p>
<p>How do you know if you’re operating in a silo? Here are <em>some</em> situations to consider:</p>
<ol>
<li>Are projects, meetings, etc. run top-down so that there is limited free exchange of ideas and information?</li>
<li>Are there different cultures in conflict over reaching common goals? Think mergers and acquisitions, for one.</li>
<li>Do your customers, partners, stakeholders, staff, or senior management seem demanding or intolerant?</li>
</ol>
<p>How can you reduce the Silo Effect? Though there are more, I am limiting this initial discussion to the following 10 ways. Feel free to keep adding to the list as you muster the courage and organizational prowess to add more!</p>
<p><strong>1. </strong><strong>I don’t meet with my staff, partners, stakeholders, and senior management on a regular basis.</strong></p>
<p><u>How to reduce the Silo Effect:</u> Maybe you don’t like meetings, or too many meetings. I don’t want to say that perhaps you’re in the wrong business or suggest that you are at the wrong level, but a well-crafted meeting session is one interactive medium that can do wonders for your relationships, your vision, and yes, your longevity. How often do you meet with the business, IT, Legal, Compliance, Privacy, and Audit colleagues, and your critical vendors? You don’t need to schedule an hour, not even a half-hour. You can do 15-minute sessions to get the most bang for your buck. Be sure to meet with everyone who works for you at one time or another.</p>
<p><strong>2. </strong><strong>I don’t encourage feedback routinely.</strong></p>
<p><u>How to reduce the Silo Effect</u>: Ever heard of the “Suggestion” box? That’s for starters. It can be anonymous and take the form of a real physical box and/or a monitored mailbox. Make sure that this is a routine line for you in meetings as well – ask for comments, positive or negative. Write them down – and please do follow up!</p>
<p><strong>3. </strong><strong>I don’t normally encourage participation in new projects and new approaches.</strong></p>
<p><u>How to reduce the Silo Effect</u>: You’ve got talent all over. But what you may not know is exactly what talent you have and where – plus, what talent you may be able to leverage for that tough project with a tight deadline. You need an inventory of such talent, skills if you will. Then you need to make sure your projects are not only just known to you and your direct managers but visible throughout your responsibility zone. Call on the human spirit and they will respond in kind. Such transparency brings immense rewards to you, your people, and the organization as a whole.</p>
<p><strong>4. </strong><strong>I don’t normally share best practices with staff, partners, stakeholders, and senior management.</strong></p>
<p><u>How to reduce the Silo Effect</u>: Maybe you don’t have enough best practices to share. If you don’t, no problem: pen it as a top priority on your to-do list, and draw on your talent base to get it done. Your partners and stakeholders within your organization can then see how efficiently, how transparently, and how well you run your team. And, of course, the auditors will for once love you. And maybe the regulators too! Put it up on a SharePoint site, just for starters, and then on your intranet site.</p>
<p><strong>5. </strong><strong>I have not had the time to create and share my vision.</strong></p>
<p><u>How to reduce the Silo Effect</u>: This is one component that can lead to being a great leader. Should I say more? Every politician is expected to do so. Are you any different?</p>
<p><strong>6. </strong><strong>I find myself not motivating others or providing incentives.</strong></p>
<p><u>How to reduce the Silo Effect</u>: Motivating others, even by providing incentives, is one of the biggest ways of tapping the unknown potential in each one of us. This is also one way to get 150% out of everyone without them cursing you out or overworking them to tears. Yes, motivation is a whole different topic and training class all by itself, understood!</p>
<p><strong>7. </strong><strong>I don’t encourage collaboration as I really should.</strong></p>
<p><u>How to reduce the Silo Effect</u>: You have the skill set inventory, you’ve got your project list with ongoing status published, now you just need to get collaboration going efficiently within your organization – for those under your responsibility as well as those throughout the organization who need to be your partner or a stakeholder. Collaboration is also another different topic altogether and a whole 3-day class! Think teamwork, conflicts, project management, etc.</p>
<p><strong>8. </strong><strong>It would be nice to share my team’s performance metrics with others, but…</strong></p>
<p><u>How to reduce the Silo Effect</u>: Okay, I am supposing that you produce all kinds of metrics on a routine basis. But if you are doing so just to appease your management, I’m afraid you’ve got some work ahead of you. You see, sharing metrics with your staff, your partners, your stakeholders, the business – will surely help you develop stronger relationships, lower your blood pressure, score higher on company surveys, and the like. Folks will see how busy you are, how much more staff you need, and demand less of you. No need to hide under your metrics anymore. It’s like milk, it will do the body good!</p>
<p><strong>9. </strong><strong>I don’t communicate enough to my staff and others.</strong></p>
<p><u>How to reduce the Silo Effect</u>: Communication skills – oral and written. We are all judged on them at least once a year by our manager. Why shouldn’t you be judged too? In a position as critical as the CISO’s, it falls to you to ensure that communication is of a high caliber. As busy as you are, the easiest way to reach out into your organization from New York to California to Florida and across the globe is by well-crafted communication. Think of the different cultures, the different audiences you’re addressing. Highlight your requested action items. Highlight your main points. Email is a skill yet to be mastered by many. Work on it.</p>
<p><strong>10. </strong><strong>I can’t say my team and I work towards a common goal.</strong></p>
<p><u>How to reduce the Silo Effect</u>: How do you know if you and your team are working towards a common goal? What is that goal? If you can’t answer that (easily), then you may not have developed and shared that vision (see above). It’s that vision that gets translated via metrics into the results and compensation you’re desperately looking for. Think football, think baseball.</p>
<p>I bet after you’ve read the above 10 pointers, you are going to say to yourself, “<em>I knew that.</em>” I agree &#8211; I know you know, otherwise you would not be in the position you are. But sometimes, we get hardened, we get distracted, our own agenda gets derailed for one reason or another, or simply put, we lose focus. This is meant as a reminder, as a checklist, to guide you towards your original agenda, your passion, why you occupy the seat you’re in. Keep that seat warm, don’t let it go cold! Good luck!</p>
<p>The post <a href="/a-ciso-checklist-how-to-reduce-the-silo-effect/">A CISO Checklist: How to Reduce the Silo Effect</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/a-ciso-checklist-how-to-reduce-the-silo-effect/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A CISO Checklist: 10 Deadly Sins</title>
		<link>/a-ciso-checklist-10-deadly-sins/</link>
					<comments>/a-ciso-checklist-10-deadly-sins/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Wed, 05 Aug 2015 20:52:58 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16518</guid>

					<description><![CDATA[<p>According to ITRC (Identity Theft Resource Center), in 2015 thus far there have been over 450 breaches with over 135 million records exposed. They define a breach as an event&#8230;</p>
<p>The post <a href="/a-ciso-checklist-10-deadly-sins/">A CISO Checklist: 10 Deadly Sins</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>According to ITRC (Identity Theft Resource Center), in 2015 thus far there have been over 450 breaches with over 135 million records exposed.</p>
<p>They define a breach as an event in which an individual’s name plus Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.</p>
<p>As a CISO, or a person in a position with CISO powers, your organization looks up to you to help protect its most important data. It’s a powerful position for certain. But with such power comes great responsibility. Sometimes politics gets in the way and hinders proper data protection. Sometimes complacency gets in the way too, even an inability to form real partnerships with stakeholders.</p>
<p>Well, for starters, you should have that innate knack to identify past failures and current gaps, and be able to forecast issues. We all commit sins, we all make mistakes. We ask for forgiveness, each of us in our own ways. But how many of us actually try to figure out what we need to do to reduce the risk of committing that same sin again?</p>
<p>Below I have chosen 10 common issues we face over and over again. Whether you are in a CISO or CISO-like position, I urge you to take note, ponder, revise your plans, strategize, and finally implement solutions that will reduce the risks to your organization and most importantly, reduce risks towards your career.</p>
<p><strong>1. </strong><strong><u>I do not know which are my critical vendors</u></strong></p>
<p>This is one area, even with developed third party programs, that is still not well defined. How do you define a critical vendor? How do you arrive at an inherent risk? Uncertainty can lead to an endless number of gaps, improper residual risks, and remediation failures. How do you know which vendors you should conduct an onsite assessment on? The regulators are looking for your critical vendors. Hackers may be looking for them too. Are you?</p>
<p><strong>2. </strong><strong><u>I don’t know where all my sensitive data is and how to properly classify it</u></strong></p>
<p>How do you define sensitive data? Can you spell it out to actual data elements? Does the business understand this? Yes, you define different classes of data, provide examples – and then you leave it up to the business to take the data and throw it into whatever bucket they feel? Who assures your organization that the data elements are properly categorized and protected? You’re hired to protect the organization’s crown jewels. Are you doing so?</p>
<p><strong>3. </strong><strong><u>My message doesn’t get to the Board Room</u></strong></p>
<p>Do you feel that your vision, your wisdom, your accomplishments and challenges don’t get up to the board? Is your organization structured in such a way that prevents you from being properly represented and heard at the board level, the executive and highest level of management? In many organizations, security is part of IT, “security and IT working hand in hand” &#8211; even that sounds like a conflict of interest. Are the first, second, and third lines of defense properly aligned and with the proper oversight? All of this begins at the top. The top folks need to be educated, i.e. very well educated on risks, not just on a quarterly basis, or “need to know” – but on an ongoing basis. They have got to start feeling that heat, as that heat can easily burn through dollars and reputation rather quickly. So you can’t change the organizational structure overnight. What plans then do you have to tunnel your way into the boardroom?</p>
<p><strong>4. </strong><strong><u>I struggle getting my patches in on a regular schedule</u></strong></p>
<p>You’ve got a whole lot of off the shelf software, in-house developed software, some of it with the help of vendors within the US and overseas. How do you keep up with patches? Do you know what needs to be patched and when? What is your zero day patch plan? At least Microsoft and Apple are now keeping on top of their OS patches. Do you?</p>
<p><strong>5. </strong><strong><u>I should be conducting more vulnerability assessments and penetration tests</u></strong></p>
<p>Regular vulnerability assessments, penetration tests – network and application&#8211; are the way to go. These are very important to conduct on a regular basis. In fact pen testers are now among the most valued InfoSec professionals. Auditors and regulators find comfort in vulnerability assessment and pen test reports. Do you?</p>
<p><strong>6. </strong><strong><u>I still struggle with what I need to encrypt</u></strong></p>
<p>Encryption is one of those things that can take the back seat. If sensitive data is not identified and classified correctly, you could be leaving the back door open if that data is not encrypted properly. If it is identified and classified correctly, you could still believe that there are enough controls around to properly protect that data without encrypting. Perhaps you do not want to suffer performance hits. What about encrypting only some fields in the database instead? Well, at the very least, let’s hope all your end computing devices have encryption wherever your sensitive data exists. How about data in motion and data at rest behind your firewalls? A lot to consider, and not cheap, when you’re considering encryption. But do you have a choice when you are under direction to keep costs down?</p>
<p><strong>7. </strong><strong><u>I gotta get my arms around this access control monster</u></strong></p>
<p>We all need some level of access to get our jobs done. Some more than others. Some have permissions that are under the radar. Not being monitored. No alerts. Administrators may have open access to your sensitive data. And if their credentials are compromised? Do you get your users re-certified periodically? Do you know who has access to your sensitive data? And don’t say your users, or some users have admin access to end user devices. Do you believe improper access control can lead to a breach at your enterprise? Do you check if your doors are locked before you retire at night?</p>
<p><strong>8. </strong><strong><u>I need to get into the Risk business and figure out all my high risks at the very least</u></strong></p>
<p>We should be periodically assessing the security of our hardware and software, and of our vendors – all on an ongoing basis. We discover risks and very often fail to properly document and centralize them in some sort of risk register, rank the risks, and hence properly remediate them in a timely manner. Yes, you say you don’t have the resources, time, and money. Maybe you don’t have auditors or regulators on your back to make you do it. Excuses, excuses, excuses. How long are you going to make excuses?</p>
<p><strong>9. </strong><strong><u>I don’t pay attention to what security provisions are in the vendor contracts</u></strong></p>
<p>So you think you’ve got all your vendors figured out. You control them well. Monitor them well. You are Information Security, maybe part of Information Technology. You’ve done your job. But have you partnered well with your legal department in making sure the proper security provisions are in the vendor contracts? That the proper templates are being used? And that these templates are being revised annually? How do you address vendor risks in contracts? You need to develop partnerships that last, partnerships that are fruitful for all involved. Maybe you don’t like to deal with lawyers and contracts. But can you avoid it for much longer?</p>
<p><strong>10. </strong><strong><u>I am up night after night thinking about the inevitable data breach</u></strong></p>
<p>You read about all the security breaches that occur across every industry and company size. Breaches don’t discriminate. Sure, it will happen one day. But you do want to be prepared when it happens. You have to have the script ready – the incident response plan that works almost flawlessly. A plan that you test on a regular basis, so that all employees stay in tune with it, are aware that a breach could occur, and know what they need to do in a timely manner. Of course, you do participate in frequent fire drills, don’t you? You’re not the one who ignores the test alarm to gather at the nearest exit because you’re too busy?</p>
<p>Don’t keep making excuses. Elevate your game, regardless of your resources, time, and money. Put your plan together – start with the board, present your case. Don’t keep on sinning! Forgiveness starts with you!</p>
]]></content:encoded>
					
					<wfw:commentRss>/a-ciso-checklist-10-deadly-sins/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A CISO Checklist – 11 Tips to Get Ready for Your Much Needed Vacation</title>
		<link>/a-ciso-checklist-11-tips-to-get-ready-for-your-much-needed-vacation/</link>
					<comments>/a-ciso-checklist-11-tips-to-get-ready-for-your-much-needed-vacation/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Mon, 15 Jun 2015 00:40:47 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16561</guid>

					<description><![CDATA[<p>Do you know how Merriam-Webster defines vacation? Believe it or not – this is what it says: &#8211; A period of time that a person spends away from home, school, or&#8230;</p>
<p>The post <a href="/a-ciso-checklist-11-tips-to-get-ready-for-your-much-needed-vacation/">A CISO Checklist – 11 Tips to Get Ready for Your Much Needed Vacation</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Do you know how Merriam-Webster defines vacation?</p>
<p>Believe it or not – this is what it says:</p>
<p>&#8211; A period of time that a person spends away from home, school, or business usually in order to relax or travel</p>
<p>&#8211; The number of days or hours per year for which an employer agrees to pay workers while they are not working</p>
<p>In this connected digital age, things certainly seem to have changed.</p>
<p>As Elon Musk once said, “I&#8217;d like to dial it back 5% or 10% and try to have a vacation that&#8217;s not just email with a view.”</p>
<p>Stand up. Pause. Take a deep breath. Say aloud so you can hear yourself, “I really deserve a vacation!”</p>
<p>Doesn’t that feel good?</p>
<p>Now you can sit.</p>
<p>So let’s start getting you ready for your vacation. I’ve come up with a number of to-dos, which may fit your style, your industry, your organization, or your priorities. If they don’t fit, feel free to modify the list. They’re in no special order. The main thing is this: getting ready is crucial to make sure that, when you’re not around, your organization is prepared to run on the processes and procedures you’ve already implemented.</p>
<p>Here goes:</p>
<h3><strong>1. Meet with all your direct managers one-on-one</strong></h3>
<p>Get the list of their projects and project plans for at least the period you will be out – and discuss timelines, deliverables, dependencies, resources, and challenges. Of course, you’re already doing this on a regular basis – but this should be a bit more focused towards the time you will be out.</p>
<p><em>**Pay particular attention to deliverables and areas of potential delays.</em></p>
<h3><strong>2. Get up-to-date metrics</strong></h3>
<p>I am sure you’re also doing this on a regular basis – collecting all kinds of numbers for your national and international priorities – and transposing them into business terms. If all your reported metrics are not already feeding into a CISO Dashboard, then it’s something you need to pencil in on your to-do list to get done when you get back. But, either way, you should take a closer look at the metrics before you go on vacation to make sure you understand the dimensions of the issues and challenges facing the organization and that they will continue to be addressed or resolved during your absence.</p>
<p><em>**Pay particular attention to the high risks, threat assessments, and scheduled audits.</em></p>
<h3><strong>3. Review the RACI matrix of team responsibilities</strong></h3>
<p>A RACI matrix is essential for everyone to fully understand roles in tasks and deliverables – especially those responsible and accountable. This is a basic tool that is commonly missing in many organizations and as such leads to a lot of finger pointing. You may not have this fully developed and implemented – but if you do, kudos to you.</p>
<p><em>**Pay particular attention to those tasks and deliverables, for the time you will be out, that could lead to responsibility and accountability challenges.</em></p>
<h3><strong>4. Review your budget</strong></h3>
<p>Spend some time on this. Make sure the numbers make sense – especially if you have any deliverables or challenges during your absence. If you have a financial analyst, that’s great. If you have project management well laid out, kudos to you again. However, it’s up to you to make sure you prepare an adequate budget forecast. Frequent budget oversight will prevent budget overruns. So run through this one more time before you leave.</p>
<p><em>**Pay particular attention to those projects that may have scope creep or resource issues that could present budget nightmares if left alone for too long.</em></p>
<h3><strong>5. Review the time-off schedule of your staff</strong></h3>
<p>Most of your managers may already have their own methods of tracking time off for their employees. But it’s very important that your entire InfoSec group has a single place, like a SharePoint site, where everyone under you can easily see a calendar displaying who’s out and when. It’s so important that there be ample coverage, especially during your absence, so that business support and projects don’t suffer – and your reputation too!</p>
<p><em>**Pay particular attention to coverage issues or challenges and address those as quickly as possible.</em></p>
<h3><strong>6. It’s time to email your Out of Office notification</strong></h3>
<p>Make sure you notify your team, senior management, the Board, business partners, and stakeholders at least a week prior to your being out. This way you will avoid (to a large extent) any last-minute fire drills. You will have a chance to implement proper delegation and an easy transfer of responsibilities to your designee(s) whilst you’re out. Of course, you will set your Out of Office email notification so that it spells out who’s standing in for you and for what area(s).</p>
<p><em>**Pay particular attention to the responsibilities and accountabilities for your appointed designees.</em></p>
<h3><strong>7. How they can reach you. How you can reach them.</strong></h3>
<p>Once you get your vacation plans whirring, this is one thing you will quickly forget. Don’t depend on the assumption that all the contact information will be in your Blackberry or some online list. Be cautious enough to get it on paper. Take the paper with you and don’t lose it.</p>
<p><em>**Pay particular attention to writing down key contact information, and also be willing to share your contact information with a few key individuals as you see fit.</em></p>
<h3><strong>8. Seriously review your Incident Management process</strong></h3>
<p>Here’s hoping you have an Incident Management process well in place – well documented, tested, and reviewed on a regular basis. If you do, a high five! If you don’t, make a calendar entry to address that when you get back. You don’t want to be out while no one on your team really knows what steps to take, who to get involved, the timeline, chain of custody, etc. In the absence of thorough incident management procedures, a major incident during your absence can not only ruin your vacation, but can also start the downward spiral of your passion, your reputation, and perhaps even your career!</p>
<p><em>**Pay particular attention to the people and the steps around this process. Meet with the incident management team, whether it is a separate team or a collection of individuals, to review the process.</em></p>
<h3><strong>9. Reschedule meetings</strong></h3>
<p>Reschedule or cancel those meetings you can do without before your vacation. Same with meetings during your vacation. For the important meetings scheduled during your vacation, make sure you appoint appropriate designee(s). It’s also important to block off time on your calendar, if you can, for a couple of days when you return allowing you to catch up. You may even want to schedule one-on-ones with some of your managers during this time to help you catch up – better than reading several hundred emails!</p>
<p><em>**Pay particular attention to meetings with auditors, regulators, critical business partners, senior management, and board members.</em></p>
<h3><strong>10. Get all of the above on your calendar!</strong></h3>
<p>It’s nice to have a checklist. But you need to make all of the above (or those you feel are necessary) into actionable items. Get them on your calendar ASAP.</p>
<p><em>**Pay particular attention to the most important items and schedule those first in case you need follow-ups.</em></p>
<h3><strong>11. Ready, set, go! Enjoy your vacation!</strong></h3>
<p>Don’t forget the sunscreen, your digital books and magazines, sunglasses, camera, converters, extra batteries for all your essential toys, appropriate clothing, adequate storage for all your photos and videos. Most of all, please review all the do’s and don’ts, not only regarding information security, but also very much so for the area(s) you will be traveling to.</p>
<p><em>**Pay particular attention to spending extra time doing the things you truly love!</em></p>
<p>Just make sure you prepare well for your vacation – so work interruptions are kept to a minimum: not only for you, but also for the lovely company you plan to be with! Your fun in the sun may well depend on how well you prepare for your vacation.</p>
<p>Now you can shout aloud for everyone to hear – “I really deserve a vacation!”</p>
<p><strong>Bon Voyage!</strong></p>
]]></content:encoded>
					
					<wfw:commentRss>/a-ciso-checklist-11-tips-to-get-ready-for-your-much-needed-vacation/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A CISO Checklist: 10 Tips to Get Back on Track</title>
		<link>/a-ciso-checklist-10-tips-to-get-back-on-track/</link>
					<comments>/a-ciso-checklist-10-tips-to-get-back-on-track/#respond</comments>
		
		<dc:creator><![CDATA[Farhaad Nero]]></dc:creator>
		<pubDate>Mon, 04 May 2015 01:19:57 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16584</guid>

					<description><![CDATA[<p>The world of the CISO is becoming an almost thankless job. No matter what you do, how well you present to the Board, how complete your program is, it seems&#8230;</p>
<p>The post <a href="/a-ciso-checklist-10-tips-to-get-back-on-track/">A CISO Checklist: 10 Tips to Get Back on Track</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The world of the CISO is becoming an almost thankless job. No matter what you do, how well you present to the Board, how complete your program is, it seems your back is always against the wall.</p>
<p>The business complains of the burden security places on operations, the delays it causes, the relationships it destroys, etc. Whatever you do, you know that a data breach is coming. What you really hope for is that it never happens on your watch.</p>
<p>At the end of each and every day, it is the passion that we security professionals have that brings us back the next morning into that hot seat once again. We love the challenge; we love the cat and mouse game.</p>
<p>I’ve picked 10 items from a long list that can help the CISO get back on track. Your 10 may be different based on your industry and priorities, but hopefully these 10 tips can help you take less aspirin and fewer Tums, and perhaps allow you to once again have lunch in the park or a stroll down Main Street – enjoying the beautiful sights and sounds that are summer.</p>
<div>
<h2>1. Establish a Security Architecture</h2>
</div>
<p>Funds may not allow it. But if you don’t have an established security architecture, you might be kissing your sensitive data goodbye without knowing it! Even if it takes getting an outside firm to help you build one, just do it. It is perhaps one of the best moves you can make.</p>
<div>
<h2>2. Patch, Patch, Patch</h2>
</div>
<p>There are scheduled monthly/quarterly patch releases by the big ones – Microsoft, Adobe, Oracle, etc. If you are not getting at least these patches in on a timely basis, you are allowing a lot of room for attacks.</p>
<p>Don’t let the business always decide when you patch your servers, your infrastructure devices, your desktops, mobile devices, and applications. Advertise your patch schedule and barely allow any wiggle room for deviation or compromise. Give enough notice. Publicize how you may need to handle zero-day malware as well. Sometimes all it takes is communication, education and awareness.</p>
<div>
<h2>3. Secure Your Mobile Devices</h2>
</div>
<p>Laptops, tablets, smartphones. These devices may be on the move with your data. Hopefully, that data is encrypted. Hopefully, as applicable, you have full disk encryption. Hopefully, you are able to track these devices globally in almost real-time and you have the ability to erase them at will if need be.</p>
<p>Now, more than ever before your users, the executive management, need to understand and be fully aware of the dangers of having a device lost or stolen close to home and on the road. Constant preaching helps.</p>
<div>
<h2>4. Know Your Cloud</h2>
</div>
<p>You’ve got your sensitive data in the cloud. Not your cloud but somebody else’s. Yes, it is way cheaper to host it externally than internally. We hear you! “Quick win” you say! But lo and behold, did you do your thorough due diligence – encryption for data in motion and data at rest, exit strategy, access controls, making darn sure you have the right security provisions in the contract including reasonable audit rights?</p>
<div>
<h2>5. Restrict Removable Media Usage</h2>
</div>
<p>Hope you’re smart enough by now not to allow removable media to take your data out of your company’s possession without explicit permissions and the proper sign-offs. USB sticks are no longer a miserly 256MB; now they can store gigs and gigs of your precious data. Don’t forget encryption.</p>
<div>
<h2>6. You Need To Patrol Your Internet-facing Web Portals</h2>
</div>
<p>You provide Internet-facing web portals to your employees and customers. A perfect entry point for anyone near or in a land far, far away. How regularly do you perform penetration tests and follow up against any high and medium findings? That’s easy.</p>
<p>Don’t forget to pay attention to your vendor who’s hosting a web site for you and your data and doesn’t want to show you their penetration test report. They may give you a redacted executive summary report or just show you the report over WebEx or in person. Would they allow you to do a pen test against their production environment where your data lives or would they allow it against their UAT environment? Would that suffice? Getting pen test reports from vendors is getting more and more difficult as it is becoming more and more important.</p>
<div>
<h2>7. DDoS Attacks – Don’t Be In Denial</h2>
</div>
<p>DDoS attacks are on the rise. Do you know how secure your services, such as DNS, SSDP, and NTP, are? Go through the exercise to make sure that you’ve done thorough due diligence. But also make sure that you have a backup plan in case it happens – especially during critical business periods.</p>
<div>
<h2>8. Physical Security – This Is Where It All Starts</h2>
</div>
<p>Think about where your data live – the data center, the office, in the cloud, storage facilities, vendors, the trash, etc. I am sure you can think of many more places. Do you know how your data are protected in each of these places? Don’t let the auditors discover your weaknesses. Find them first. Perform your own internal audits. Physical security that ensures that only the right folks are permitted the right access is paramount.</p>
<div>
<h2>9. Let Your DLP Product Talk To You</h2>
</div>
<p>Well, if you’ve got boatloads of sensitive data that keep you up at night – let’s hope you’ve got a DLP solution, or at least one in your near future. Data can leave your organization unencrypted, in a zip file, via email, via SMS, via portable media. Does your DLP solution only work within your network? What happens when a user has data on their laptop while vacationing in Moscow?</p>
<p>Yes, your DLP must talk to you – provide you with alerts, reports, and the right information that can be actioned if need be. Surely this is one way to make sure that you don’t just get to bed each and every night, but that you actually get some sleep!</p>
<div>
<h2>10. Know How Easily Your Users Can Be Phished!</h2>
</div>
<p>You are a security professional and you are amazed how easily people can be duped. Run phishing campaigns so you can learn who in your organization is most vulnerable to these attacks. Follow up with effective targeted training for those users and departments even if that amounts to as much as 20-25% of your user population.</p>
<p>After that, dangle the hook in front of them again. See who nibbles (opens the email) and who bites (clicks the link or surrenders their credentials). Phishing and spear phishing are still big, and your users are the trophies! Don’t let them get duped.</p>
]]></content:encoded>
					
					<wfw:commentRss>/a-ciso-checklist-10-tips-to-get-back-on-track/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
