is it time for an it assessment?
Post on 17-Jan-2017
188 Views
Preview:
TRANSCRIPT
Thrive. Grow. Achieve.
De-Mystifying the IT Assessment
Nate Solloway May 11, 2016
WHAT’S ON TAP?
• What we do
• Why do an IT Assessment?
• Is this a threat to my IT Staff?
• Procedure
• Network Infrastructure
• Network Security
• Disaster Recovery
• What’s New?
• IT Budget Review
2
WHY DO AN ASSESSMENT?
3
WHY? PLANNING FOR THE FUTURE
• IS IT TIME FOR UPGRADES?
• PREPARING FOR AN RFP
• TIME TO INTRODUCE NEW TECHNOLOGY
• IMPROVE BUSINESS PROCESSES
• PCI OR HIPPA COMPLIANCE
• SEEKING CYBER-INSURANCE
4
WHY? WAS THERE A PROBLEM?
• WAS THERE A SERVER OUTAGE?
• AN AUDIT IS COMING UP
• STAFF NEED ASSESSING OR THERE IS POTENTIAL LOSS OF STAFF
• RECURRING ISSUES
• SECURITY CONCERNS
5
ITEMS FOR REVIEW
• STAFF
• TECHNOLOGY
• INFRASTRUCTURE
• POLICIES, PROCEDURES AND PRIVACY
• PLANNING FOR A MOVE?
• SOFTWARE , AMS
• IT PLANNING FOR THE NEXT FEW YEARS
6
WHAT ABOUT MY IT STAFF?
7
COACHES NOT ADVERSARIES
8
LOOKING FOR AN ASSET MANAGER, NOT A STOCK BROKER
• THEY ARE PART OF YOUR TEAM
• EXPERIENCES FROM OTHER SIMILAR ORGANIZATIONS
• TRAINING RECOMMENDATIONS
• IN-HOUSE OR THE CLOUD?
9
HOW DOES THE PROCESS WORK - IT INFRASTRUCTURE ASSESSMENT?
Raffa Assessment Methodology
IT Structure Analysis
- Perform Interviews with key stakeholders
- Identify current/future IT needs in line with your vision
- Review current system architecture
- Review current servers and storage hardware configurations
- Review network configurations and their capacities
IT INFRASTRUCTURE ANALYSIS
Review domain configurations
Review enterprise back-office components and their configurations
Review existing security requirements and compliance
Review disaster recovery requirements and strategies including existing data backup/restore mechanisms, hardware, software
Review current Total Cost of Ownership (TCO)
1
WHO AM I CONNECTED TO?
12
My Network
Hosting
VOIP
Managed Services
DOES YOUR NETWORK LOOK LIKE THIS?
13
OR THIS?
14
EVERYONE HAS SOMETHING TO PROTECT
• Intellectual Property
• Human Resources Information
• Your Financial Data
• Your Customer Databases
• Your Customer’s Data
• Marketing and Sales Data
It’s not Just About compliance with state and federal regulations.
It’s about protecting your company, your employees and your customers
PaIs it time for a Security and Compliance Assessment?
Financial Healthcare Legal
Professional Services
WHAT ARE OUR DATA CONCERNS?
• UNAUTHORIZED ACCESS
• CONCERNS WITH IN-HOUSE STAFF
• EXTERNAL THREATS
• PRIVACY AUDIT
16
SECURITY CONSIDERATIONS AND ACTIONS
Strong password policy is the first line of defense against a data breach
Pa
STRONG PASSWORD POLICIES
Benefit: Strong password policies help to reduce the risk of a breach. Policies should also provide guidance to reduce the risk of human error breaches. Strong passwords should meet these standards at a minimum:
• Lower case characters
• Upper case characters
• Numbers
• "Special characters"(@#$%^&*()_+|~-=\`{}[]:";'<>/)
• Contain at least 12 but preferably 15 characters.
Is it Time for a Security and Compliance Assessment?
COMPLIANCE DEFINITIONS
Definitions are generally accepted by most states
However, exceptions do exist on a state by state basis
Pa
Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements:
1. Social Security number,
2. Driver’s license number or state- issued ID card number
3. Account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information.
Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. In addition, Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.
DEFINITIONS
Is it Time for a Security and Compliance Assessment?
FEDERAL, STATE & PRIVATE REQUIREMENTS
It is important to understand that these laws don’t only apply to health and financial institutions.
Pa
HIPAA: Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this new rule.
The Gramm-Leach-Bliley Act: (GLB Act or GLBA), is a federal law enacted to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections:
1. The Financial Privacy Rule, which regulates the collection and disclosure of private financial information
2. The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information
3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses).
The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices. Is it Time for a Security and Compliance Assessment?
FEDERAL, STATE & PRIVATE REQUIREMENTS
The Payment Card Industry Council established rules governing how credit card data would be secured
Pa
Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customer's credit card data.
The Data Security Standard (DSS) was developed and the standard is maintained by The Payment Card Industry Security Standards Council (PCI SSC). To be PCI complaint companies must use a firewall between wireless networks and their cardholder data environment, use the latest security and authentication such as WPA/WPA2 and also change default settings for wired privacy keys, and use a network intrusion detection system.
The PCI DSS standard, as of September 2009 (DSS v 1.2), includes 12 requirements for best security practices
PRIVATE REQUIREMENTS
Payment Card Industry (PCI) Data Security Standard (DSS)
Is it Time for a Security and Compliance Assessment?
SECURITY CONSIDERATIONS AND ACTIONS
Security is as much about people and good process and well documented policy as it is about your IT infrastructure
Is it Time for a Security and Pa
PROCESS AND PEOPLE MANAGEMENT
DISASTER RECOVERY
22
23
ARE YOU BEING SERVED?
24
IT BUDGET REVIEW
25
QUESTIONS?
26
top related