1. Protecting Information: Cybersecurity and Risk Management
   Peter Miller, Jennifer Romano, Nathanial Wood

2. Overview
   • Cybersecurity and Risk, Generally
     – Internet of Things
   • New FAR Safeguarding Clause and “Old” DFARS Safeguarding Clause
   • Data Incidents and Litigation

3. Cybersecurity and Risk, Generally

4. Managing Cybersecurity Risk
   • No “one size fits all” approach
   • Not a one-and-done activity: ongoing
   • Variety of risk management frameworks and policy initiatives
   • Federal government – carrot and stick
     – Statutes, guidance, and high-profile enforcement actions across industry sectors and activities (HHS, FTC, FCC, CFPB, SEC, DHS, DOJ, DOD…)
     – NIST guidance (voluntary), e.g., Framework for Improving Critical Infrastructure Cybersecurity, Guide to Cyber Threat Information Sharing
   • State government – privacy/cybersecurity teams, incident response, and risk reduction practices

5. Federal Cybersecurity Policy Initiatives
   • NIST, Framework for Improving Critical Infrastructure Cybersecurity (www.nist.gov/cyberframework/)
     – Voluntary, customizable, and provides a common vocabulary: “Identify, Protect, Detect, Respond, Recover”
     – “Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management”
   • NIST SP 800-150, Guide to Cyber Threat Information Sharing (http://csrc.nist.gov/publications/)
     – Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs)
     – Cybersecurity Information Sharing Act of 2015 (12/15/15)
       • Any “non-federal entity” can share information with the federal government “notwithstanding any other provision of law.”
       • Information-sharing portals

6. Internet of Things
   • “Cyber-physical systems (CPS) [including IoT] are smart systems that include engineered interacting networks of physical and computational components.” NIST Cyber Physical Systems Public Working Group, DRAFT Framework for Cyber-Physical Systems, Release 0.8 (September 2015)
   • $11 Trillion Global Economy
     – $2 Trillion Today
     – Est. $11 Trillion in 2025
   • More Devices than Humans
     – 25 Billion Devices → 50 Billion devices in 2020
   • 127 New Devices/Second Added to Internet
   • Exponential increase in data collection and analysis

7. With Benefits Come Risks…
   • Ubiquity
   • Complexity
   • Inconspicuousness
   • Limited user interface
   • Low cost, little incentive to secure
   • Long life: limited patching, upgrades, or technology refresh
   • Communications: who else involved?
   • Interactions
   • And on and on…

   • Homes
   • Healthcare and medical devices
   • Vehicles and drones
   • Business environments
   • Physical and logical access
   • Critical infrastructure
   • Industrial and manufacturing processes
   • Supply chains
   • And on and on…

8. With Risks Come Regulation… and More Risk
   • No common IoT standards or interoperability principles or “reasonable security” safe harbors
   • Congress: “more than 30 different congressional committees” Politico (June 2015)
   • Federal Government: Alphabet Soup
     – FTC – consumer catch-all
     – FDA – medical devices
     – FCC – spectrum
     – DOE(nergy) – smart grid
     – DOT – vehicles, aircraft, pipelines
     – DHS – critical infrastructure
     – DOJ – law enforcement
     – DOD – advanced technology
     – HHS – healthcare
     – An estimated two dozen agencies with IoT-related interests …
   • State Government: “little FTC Acts,” general privacy and data security statutes, IoT-specific legislation
   • Private enforcement actions

9. New FAR Safeguarding Rule and “Old” DFARS Safeguarding Rule

10. Background
   • OPM breach (along with other high-profile incidents, including IRS, DOE, TRICARE) resulted in internal initiatives to improve cybersecurity within agencies and across the federal government (OMB, GAO, IGs)
   • Increased recognition that the federal government is out of step with private sector cybersecurity practices
   • Return to basics: robust risk management practices, reasonable data security measures, vendor management, and accountability
   • Cybersecurity practices aren’t (yet) harmonized across federal agencies or within larger agencies
   • Cybersecurity tensions are reflected in agency administration of government contracts as well

11. FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
   • Newly published (5/16/16), effective in 30 days (proposed rule dates back to 8/4/12)
   • Safeguards systems rather than specific information
   • Covers any contractor and subcontractor information system that “processes, stores, or transmits” information “not intended for public release” that is “provided by or generated for” the Government
   • Does not pre-empt more specific security requirements (DFARS, classified, CUI, agency, etc.), including “forthcoming FAR rule to protect CUI”
   • “[I]ntent is that the scope and applicability of this rule be very broad, because [it] requires only the most basic level of safeguarding.”
     – No exemption for simplified acquisition threshold
     – Applies to commercial acquisitions, but exempts Commercial Off the Shelf (COTS) items

12. FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
   • Requires contractors and subcontractors to implement 15 security controls taken from the security control families in NIST SP 800-171, Protecting CUI in Nonfederal Information Systems and Organizations
     – Access Control (4 specific controls)
     – Identification and Authentication (2)
     – Media Protection (sanitization and disposal) (1)
     – Physical Protection (2)
     – System and Communications Protection (2)
     – System and Information Integrity (4)
   • “[A]s long as the safeguards are in place, failure of the controls to adequately protect the information does not constitute a breach of contract.”

13. DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
   • Final Rule pending (“second interim rule” 12/30/15)
   • Mandatory in all defense contracts and solicitations
   • Requires “adequate security” to protect information systems handling covered defense information
   • Requires written DoD CIO approval of “alternative but equally effective security measures”
   • NIST SP 800-53 v. NIST SP 800-171
   • Imposes cyber incident reporting requirements
   • Exposes contractors to potential for extensive audits
   • Growing concern over risk of contractor liability
     – Supply chain compliance
     – False Claims Act
     – Suspension & debarment

14. Data Incidents and Litigation

15. Responding to an Incident: 1. Assemble the Team
   • Form your team per the incident response plan
   • Investigative team—internal resources v. outside vendor
     – Consider creating separate team for obtaining legal advice
   • Involve in-house/outside counsel immediately
   • Privileged communications/work product
   • Assess claims/positions vs. vendor
   • Strategize for long-run – investigation through class actions
   • Involve risk management to assess insurance coverage and report incident to commence/preserve claim
   • Involve corporate communications to ensure consistency with media statements
   • Ensure effective internal reporting

16. Responding to an Incident: 2. Investigate/Mitigate/Remediate
   • Forensics
     – Can you identify the type of infiltration and its impact?
     – Can you show forensically that data was not accessed?
     – Can you determine if data was exfiltrated?
     – In case of a missing device, can you determine what data it contained?
   • Mitigate/Remediate
     – Can you track and recover lost data?
     – If there is a technical cause, can it be fixed?
     – Are the cyber attackers still in the system?

17. Responding to an Incident: 3. Notification
   • Numerous constituencies: law enforcement, regulators, customers, public, media, business partners
   • DFARS 252.204-7012
   • OCR/HIPAA – HITECH
   • State/Other Breach Notification Laws
     – Standards vary by state
     – AGs have enforcement authority
     – Timing: “in the most expedient time possible,” “without unreasonable delay”
     – If required to notify in some states, notify in all states?
   • Don’t sugarcoat notification letter
   • What do you do if you cannot determine extent of incident?

18. Responding to an Incident: 4. Working with Regulators
   • Be proactive with regulators
   • Establish relationship/bring them in the loop
   • Beware of turf wars re regulators with overlapping jurisdiction
   • Make sure they know that situation is fluid and you will update them

19. Responding to an Incident: 5. Prepare for Litigation
   • Include litigation counsel in incident response
   • Preserve critical evidence
   • Document investigation/remediation efforts

20. Data Security Incidents Lead to Litigation on Many Fronts
   • Regulators: fines, civil penalties, consent decrees
   • Govt. prosecutors: criminal penalties
   • Customer class actions: statutory damages, injunctions
   • Other impacted parties: breach of contract, indemnity (ex.: Target credit card class)
   • Whistle-blowers: False Claims Act
   • Public: suspension

21. Litigation Trends: Creative Pleading
   • Breach of Contract/Warranty
   • Unfair Trade Practices
   • Negligence
   • State Statutes (e.g., CMIA, Customer Records Act)
   • Misrepresentation
   • Violation of Privacy
   • Misappropriation
   • Conversion
