Real vs. Regulatory Risk

Posted by Venkat Rajaji on Thu, Apr 28, 2016

Risk is a word you hear every day, and it has become commonplace across the security industry. What is risk? What does it really mean? And why is it so important? Most importantly, how should we think about the impact of these risks and how we mitigate them?


Risk is composed of: Impact x Likelihood.

Impact - The damage caused by the risk: the criticality of the assets, the actual data in the systems, and the liability associated with an audit finding.

Likelihood - The probability that an event will occur. When we think about likelihood we think about usage patterns, access levels for individuals and accounts, and the exposure or vulnerability of such systems.

Within the context of Information Security there are two types of risk that companies face: real risk and regulatory risk.

Regulatory risk is associated with not being compliant with any number of regulations. The penalty might be financial penalties, incarceration, or a drop in stock price if the issues are "material" enough to require reporting. Examples include data privacy and HIPAA compliance in the healthcare industry, SOX compliance for companies in the Financial Services industry, and PCI compliance for retail organizations or anyone else accepting credit cards. What regulatory risk calls for is the implementation of a governance process to ensure compliance.

When you think about real risk, you're thinking about things like customer and consumer data, credit card information, employee data, SSNs, and access to processes like the recent Iranian nuclear processing centrifuges that were hacked into and then stopped and started over and over until they blew up. Here, a governance process is not enough. This is now about protection, and the impact is far greater than just a fine. Reputational damage, brand image, liability, and other major financial damages will impact the company.

Compliance regulations have helped, and have forced companies to put in place governance processes to mitigate some risk. However, this drive for compliance has led to a lot of rubber stamping. The reason is that there is too much data, and we don't know what is important and what is just another request. So the compliance checks themselves often don't do enough to protect the companies or their customers.

We need the ability to really understand risk in terms of impact and likelihood. In order to satisfy regulatory needs and to mitigate real risk, we need solutions that provide context for these risks. Context might be things like access levels, known vulnerabilities in systems, the criticality of business systems, and the data stored in those systems. This helps us better understand our enterprise risk. Done correctly, this automation and intelligence also dramatically improves understanding of how you are actually doing and how that is changing over time (read: actually managing this stuff), efficiency (read: cost savings) and efficacy (real and regulatory risk reduction).
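
The impact and likelihood factors above can be turned into a simple scoring model. The following is an added example, not code from the post or from Courion: it assumes 1-to-5 scores for each factor and a constructed inventory, and keeps real and regulatory impact as separate scores so that a system with little audit exposure but a critical physical process (the centrifuge case) still ranks high on real risk.

```python
# Added example, not the post's own code: score systems with the post's model
# (risk = impact x likelihood), keeping real and regulatory impact apart so a
# system whose real risk far exceeds its audit exposure stands out.
# The 1..5 scales, field names and sample inventory are assumptions.
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = negligible, 5 = severe (assumed scale)


@dataclass(frozen=True)
class System:
    name: str
    asset_criticality: int  # impact: how critical the business system is
    data_sensitivity: int   # impact: the actual data it holds (cards, SSNs, PHI)
    audit_liability: int    # impact: liability if an audit finding is raised
    usage: int              # likelihood: usage patterns (how broadly used)
    access_exposure: int    # likelihood: breadth/privilege of accounts with access
    known_vulns: int        # likelihood: known, unpatched vulnerabilities

    def __post_init__(self):
        # Reject scores outside the assumed scale rather than silently skewing ranks.
        for field, value in vars(self).items():
            if field != "name" and value not in SCALE:
                raise ValueError(f"{self.name}.{field}={value} not in 1..5")

def likelihood(s: System) -> float:
    """Probability proxy: mean of the three exposure factors the post names."""
    return (s.usage + s.access_exposure + s.known_vulns) / 3

def real_risk(s: System) -> float:
    """Impact of a breach of the system or its data, times likelihood."""
    return max(s.asset_criticality, s.data_sensitivity) * likelihood(s)

def regulatory_risk(s: System) -> float:
    """Impact of a compliance finding (fine, reporting), times likelihood."""
    return s.audit_liability * likelihood(s)

def prioritize(systems):
    """Rank by the larger of the two risks; returns (name, real, regulatory)."""
    scored = [(s.name, round(real_risk(s), 2), round(regulatory_risk(s), 2))
              for s in systems]
    return sorted(scored, key=lambda t: max(t[1], t[2]), reverse=True)

def governance_gaps(systems, margin=6.0):
    """Systems whose real risk exceeds regulatory risk by more than `margin`:
    a compliance checklist alone would leave these under-protected."""
    return [s.name for s in systems if real_risk(s) - regulatory_risk(s) > margin]

# Constructed inventory (not real data).
INVENTORY = [
    System("cardholder-db", 5, 5, 5, 4, 3, 5),
    System("hr-portal", 3, 4, 2, 3, 4, 2),
    System("marketing-wiki", 1, 1, 1, 5, 5, 3),
    System("plant-controller", 5, 1, 1, 2, 1, 3),  # no PII, but a physical process
]
```

Running `prioritize(INVENTORY)` ranks the cardholder database first, while `governance_gaps(INVENTORY)` singles out the plant controller: a compliance-driven view scores it low, the real-risk view does not.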

 

To manage both real and regulatory risk, you need to deter bad touches (inappropriate access) to information and processes. Since motivated bad guys have proven that they can still find creative ways in, you need to detect when that happens, and once you do, you had better figure out how to remediate the issues quickly. The Courion suite of solutions is designed to solve exactly this problem across both the physical (vulnerability management) and logical (access management) worlds.

Looking for more information on how to mitigate both real and regulatory risk? Download Assessing the Risk of Identity and Access to learn how to identify and remediate both your real and regulatory risk. 

Tags: risk management, security risk, cyber risk, risk

New Version of TeslaCrypt, Cisco Patches Five Vulnerabilities, Sony Confirms Two-Factor Authentication Coming to PlayStation and More in This Week's #TechTuesday.

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 26, 2016
In this week's #TechTuesday: A new TeslaCrypt variant is being hidden in delivery tracker emails, Cisco patches five product vulnerabilities, researcher finds backdoor that accessed Facebook employee passwords, man arrested in data breach that exposed 55M Filipino voters, and Sony confirms two-factor authentication for PlayStation network. 

Tags: authentication, #techtuesday, data breach, malware, password, vulnerability

Guest Post - Alex Naveira, Director, ITGA & CISO on Compliance

Posted by Ashley Sims - Marketing Manager on Thu, Apr 21, 2016

To continue this month's conversation on compliance, we have another special guest joining us on the blog today. Alex Naveira is the Director, ITGA & CISO at Miami Children's Hospital and oversees multiple locations. We asked Alex what compliance meant to him and he had a list of different kinds of compliance and said "which one?" Needless to say, a CISO's job is quite complex when it comes to compliance and we are thrilled to have Alex join us to explain what he sees in his day to day life. 

An elderly man falls off of a subway platform and onto the train tracks. A stranger pulls the man to safety while the train screeches to a stop. Witnesses called the rescuer a hero, but he said: “No, my intuition made me do it and I just did what was right.” Now, what does this story have to do with compliance? What is compliance?

According to the Oxford English Dictionary, compliance is defined as “acting in accordance with, and fulfilment of … conditions, or regulations”, but with Information Security this goes further: it is more than just acting in accordance with regulatory conditions or requirements. It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.” For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within.

The first thing we need to understand before having a well-established information security governance, risk and “compliance” program is what we are striving to protect (e.g. resources, systems, identities). Subsequently, we need to act on the processes and tools required to protect the information and technical resources within the environment. Examples of these processes include access authorizations, continuous monitoring of infrastructure and system access threats, prioritization, and remediation of these threats. Adaptive tools in today’s protection arsenal include Identity and Access Intelligence (IAI) systems, SIEMs with threat intelligence capabilities, and intelligent Network Access Control (NAC) systems. Before regulations required it, we were already implementing passwords, role-based security, putting up firewalls, IPSs, and Identity and Access Management systems. Why? Because experience and intuition told us that it was the right thing to do.

Today, we leverage these processes and tools to provide us a more intelligent path to management and control over our networked devices and, most importantly, our identities. In consequence, this naturally allows us to comply with regulatory requirements and institutes a culture of doing not only what is within the strict parameters of the law, but also what is right. In less proactive organizations, compliance can certainly be used as a catalyst in approving the necessary funds to optimize security and operations, but it should never be used as the sole factor for doing what is right.

When an elderly man falls off a subway platform and is immediately rescued by a stranger, does the stranger wait for others to provide him “the law” of correctness before acting? Of course not! He just does what is right, even if difficult or expensive. In the current world of nefarious movements, we need to establish an inherent culture of doing the right thing, not because a regulation tells us that it is right, but because our experience and intuition has assured us that it is the right thing to do.

Alex Naveira, CISSP, CISA

Director, ITGA & CISO

Information Technology

Miami Children's Hospital

Looking for ways to keep your organization compliant? Check out our Attack Intelligence for Healthcare Organizations data sheet, and you can even request a demo to see the solution at work.

Tags: continuous compliance, hipaa compliance, compliance

Windows Users Warned to Dump QuickTime, Hybrid Malware Targets 24 Financial Institutions, and More in this Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 19, 2016
In this week's #TechTuesday: Windows users are warned to dump QuickTime, hybrid GozNym malware targets the customers of 24 financial institutions, Facebook scam delivers malware instead of a friend's video, an unsecure database leads to a potential healthcare data breach, and a new home security device that can create a sound fingerprint of your home.

Tags: IOT, healthcare, #techtuesday, financial services security, data breach, security, malware

What does “Compliance” mean to a Healthcare CISO?

Posted by William "Buddy" Gillespie HCISPP, ITILv3 on Thu, Apr 14, 2016

The role of the healthcare CISO has expanded exponentially since the HITECH Act of 2009. CISOs were traditionally charged with the responsibility to maintain the IT environment consisting of applications and infrastructure. Today they are taking on an expanded organizational role consisting of innovation, operational responsibility and compliance. Although the governance for compliance takes a village of leadership and stakeholders, CISOs still remain at the center of the universe. A multitude of federal and state regulations are at the CISO’s doorstep and pressing on their scope of responsibility.

Among these regulations are PCI, ICD-10, Meaningful Use and, the biggest and most daunting of all, HIPAA.  If a Healthcare Organization (HCO) fails to meet the compliancy standards required by these regulations, the results may be penalties consisting of fees, possible imprisonment and the loss of credibility. 

The “experts” all agree that the following are the largest and most challenging force vectors for the healthcare CIO to confront in order to achieve and sustain compliance:

  • Mobile Devices:
    • The sprawl of mobile devices in the Internet of Things (IoT) has created multiple and diverse conduits into patient data. A strong Mobile Device Management solution should be implemented, along with encryption where appropriate. CIOs are taking responsibility to map the information flow of patient data to ensure that the data is following the authorized path.
  • Rogue Applications:
    • None of the enterprise applications in healthcare can meet all the point-specific needs across the HCO enterprise. This void has spawned the sprawl of rogue applications. These apps are often acquired without the knowledge of the CISO. The CISO and IS are not able to provide the best controls without being a part of those third-party solutions.
  • The Cloud:
    • The use of Cloud Service Providers (CSPs) in healthcare has its advantages and benefits. Lower cost and scalability are two of the most common benefits. However, the CISO must ensure that the CSP is HIPAA compliant and that a strong Service Level Agreement is negotiated.
  • Payment Card Industry (PCI):
  • HIPAA:
    • The number one compliance challenge for CISOs is HIPAA. The HITECH Act expanded the scope of HIPAA, and the Omnibus rule in 2013 gave definition and guidance for the implementation of the HITECH requirements. The Meaningful Use requirements expanded access to electronic medical records, thus creating additional opportunities for security breaches. The good news is that CISOs have the technical controls available in the marketplace to build a fortress against the onslaught of breach opportunities. The other side of the coin is that CISOs must build the case for a security budget that will allow for the acquisition and implementation of those controls.

In order to be successful and achieve the appropriate level of compliance, the CISO must advocate for Compliance Governance within the HCO. The CISO can be the catalyst, but it will take a village of leadership and stakeholders to weather the strong currents that drive compliance.

Want to hear more from Buddy on the role of HIPAA and compliance in healthcare? Download his free on-demand webinar Privacy and Security in Healthcare.

Tags: hipaa compliance, compliance, PCI DSS, HIPAA

Costa Rica Investigating Rigged Elections, Georgetown University Hit by Cyberattack and More in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 12, 2016

Costa Rica investigating rigged elections by political hacker, Adobe updates flash player patching active zero-day vulnerability, Georgetown University hit by cyberattack, NCT breach compromised info on 15,085 new and expectant parents, and Apple lockscreen flaw lays open contacts and photos.

Tags: #techtuesday, cyber attack, breach, security flaw

What does "Compliance" mean to you?

Posted by Ashley Sims - Marketing Manager on Thu, Apr 07, 2016

Compliance is a word that we hear a lot in our business. Broadly, it is defined as "the action or fact of complying with a wish or command." 

If that seems like a simple definition, it's because it is. It's too simple. In today's world, not only do you have to comply with the wishes of customers, vendors, and board members; you have to make sure that you are compliant with any one of several governing boards in your industry. 

HIPAA. SOX. NIST. PCI-DSS. These are just a few of the most well-known regulations that businesses have to follow, and they all create very unique challenges for organizations. 

In order to get a better handle on what "compliance" means outside of Webster's definition, we asked some of our friends around the cyber-security industry to help us out and answer the seemingly simple question: "What does 'Compliance' mean to you?"

"What does compliance mean to me? In short, it’s the bare minimum standard we must meet in order to be able to demonstrate security. Compliance gives us a common language to use between regulators, auditors and security to evaluate the effectiveness of our controls."

Brent Comstock - VP, Identity & Access Management, Elavon 

"Compliance is simply defined as the ability to comply with a set of rules or requests.  As a CFO, we typically think of this as ensuring the organization has the requisite systems of internal control that adequately manage the risks that the corporation faces in multiple areas (such as legal risk, financial risk, regulation risk, IT risk, data risk, etc). Interesting to note that organizations continue to equate compliance with security with an inappropriate reliance on historical system compliance procedures leading them to mistakenly believe that their company is more secure."

Curtis Cain - CFO, Courion Corporation 

"With Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within."

Alex Naveira, CISSP, CISA - Director, ITGA & CISO, Miami Children's Hospital 

"In order to be successful and achieve the appropriate level of compliance, the CIO must advocate for a Compliance Governance within the HCO.  The CIO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy."

William "Buddy" Gillespie, HCISPP, ITILv3 - WJGillespie HIT Consulting  

Do these definitions ring true in your business? If not, tell us what compliance means to you in the comments. 

Looking for more information on how your organization can become or remain compliant? Courion and Core Security have multiple options for maintaining compliance across all industry and government regulations. Find out more here or contact us at info@courion.com

Tags: access compliance, hipaa compliance, access risk, compliance

DIY Hacking Kits, Phishing Scams, and Ransomware in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 05, 2016
In this week's #TechTuesday: Android and iPhone do-it-yourself hacking kits are available to security experts and wannabes, scammers are phishing using fake Macy's delivery emails, more than 55 companies have fallen victim to W-2 phishing scams, another Canadian hospital is hit with ransomware, and e-Commerce platform Magento is targeted with a new type of ransomware. 

Tags: ransomware, #techtuesday, Hacking, phishing

How does Vulnerability and Access Risk Management Work?

Posted by Felicia Thomas on Thu, Mar 31, 2016
When a company wants to prevent breaches that come through vulnerabilities, it can detect them with a vulnerability scanner. These scanners will show all vulnerabilities in the infrastructure, from tens to thousands depending on the size of the network. In addition, many vulnerability management solutions offer antivirus software capable of fact-finding analysis to discover undocumented malware. If it finds software behaving suspiciously, such as attempting to overwrite a system file, it will provide an alert.

Fast-acting correction of these vulnerabilities, such as adding security solutions or educating users about social engineering, will be the difference between exposing a system to potential threats and protecting the system from those threats.

Access risk management (ARM) is the part of an IAM solution that identifies, assesses, and prioritizes risks from an access provisioning and compliance perspective. Because risk comes from various sources, access risk management helps to continuously monitor a system while providing preventative measures to manage user access and account entitlements.

Having Vulnerability and Access Risk Management (VARM) as a threat solution helps when identifying the sources of potential risk. Risk sources are more often identified and located not only in technological assets but within infrastructure and other tangible elements. It is extremely difficult for IT security personnel to apply an objective and systematic observation of the state of their network without a solution in place. Utilizing VARM helps to identify not only that something is wrong, but it can support a clear understanding of how, when and where to act on a potential threat.

Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn:

  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation 
  • Tools to remediate vulnerabilities 
  • Prioritization for reducing risk 
  • Check list for a VARM solution 

Tags: access governance, access risk, access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Uber Launches Hacker Bounty Program, Google Enhances Gmail Security, and More in This Week's #TechTuesday

Posted by Harley Boykin - Marketing Coordinator on Tue, Mar 29, 2016
In this week's #TechTuesday: Uber launches hacker bounty program, Google enhances Gmail security, new ransomware created from PowerShell, wireless mice leave billions at risk of computer hacks, and online ticket scams soar 55% in 2015.

Tags: ransomware, #techtuesday, hack, hacker, malicious