is it time for an it assessment?

Thrive. Grow. Achieve. De-Mystifying the IT Assessment Nate Solloway May 11, 2016

Upload: raffa-learning-community

Post on 17-Jan-2017


TRANSCRIPT

Page 1: Is it time for an IT Assessment?

Thrive. Grow. Achieve.

De-Mystifying the IT Assessment

Nate Solloway May 11, 2016

Page 2: Is it time for an IT Assessment?

WHAT’S ON TAP?

• What we do

• Why do an IT Assessment?

• Is this a threat to my IT Staff?

• Procedure

• Network Infrastructure

• Network Security

• Disaster Recovery

• What’s New?

• IT Budget Review


Page 3: Is it time for an IT Assessment?

WHY DO AN ASSESSMENT?


Page 4: Is it time for an IT Assessment?

WHY? PLANNING FOR THE FUTURE

• IS IT TIME FOR UPGRADES?

• PREPARING FOR AN RFP

• TIME TO INTRODUCE NEW TECHNOLOGY

• IMPROVE BUSINESS PROCESSES

• PCI OR HIPAA COMPLIANCE

• SEEKING CYBER-INSURANCE


Page 5: Is it time for an IT Assessment?

WHY? WAS THERE A PROBLEM?

• WAS THERE A SERVER OUTAGE?

• AN AUDIT IS COMING UP

• STAFF NEED ASSESSING OR THERE IS POTENTIAL LOSS OF STAFF

• RECURRING ISSUES

• SECURITY CONCERNS


Page 6: Is it time for an IT Assessment?

ITEMS FOR REVIEW

• STAFF

• TECHNOLOGY

• INFRASTRUCTURE

• POLICIES, PROCEDURES AND PRIVACY

• PLANNING FOR A MOVE?

• SOFTWARE, AMS

• IT PLANNING FOR THE NEXT FEW YEARS


Page 7: Is it time for an IT Assessment?

WHAT ABOUT MY IT STAFF?


Page 8: Is it time for an IT Assessment?

COACHES NOT ADVERSARIES


Page 9: Is it time for an IT Assessment?

LOOKING FOR AN ASSET MANAGER, NOT A STOCK BROKER

• THEY ARE PART OF YOUR TEAM

• EXPERIENCES FROM OTHER SIMILAR ORGANIZATIONS

• TRAINING RECOMMENDATIONS

• IN-HOUSE OR THE CLOUD?


Page 10: Is it time for an IT Assessment?

HOW DOES THE PROCESS WORK - IT INFRASTRUCTURE ASSESSMENT?

Raffa Assessment Methodology

IT Structure Analysis

- Perform Interviews with key stakeholders

- Identify current/future IT needs in line with your vision

- Review current system architecture

- Review current servers and storage hardware configurations

- Review network configurations and their capacities

Page 11: Is it time for an IT Assessment?

IT INFRASTRUCTURE ANALYSIS

- Review domain configurations

- Review enterprise back-office components and their configurations

- Review existing security requirements and compliance

- Review disaster recovery requirements and strategies, including existing data backup/restore mechanisms, hardware and software

- Review current Total Cost of Ownership (TCO)

Page 12: Is it time for an IT Assessment?

WHO AM I CONNECTED TO?

Diagram labels from the slide:

• My Network

• Hosting

• VOIP

• Managed Services

Page 13: Is it time for an IT Assessment?

DOES YOUR NETWORK LOOK LIKE THIS?


Page 14: Is it time for an IT Assessment?

OR THIS?


Page 15: Is it time for an IT Assessment?

EVERYONE HAS SOMETHING TO PROTECT

• Intellectual Property

• Human Resources Information

• Your Financial Data

• Your Customer Databases

• Your Customer’s Data

• Marketing and Sales Data

It’s not just about compliance with state and federal regulations.

It’s about protecting your company, your employees and your customers.

Is it Time for a Security and Compliance Assessment?

Sectors named on the slide:

• Financial

• Healthcare

• Legal

• Professional Services

Page 16: Is it time for an IT Assessment?

WHAT ARE OUR DATA CONCERNS?

• UNAUTHORIZED ACCESS

• CONCERNS WITH IN-HOUSE STAFF

• EXTERNAL THREATS

• PRIVACY AUDIT


Page 17: Is it time for an IT Assessment?

SECURITY CONSIDERATIONS AND ACTIONS

A strong password policy is the first line of defense against a data breach.

STRONG PASSWORD POLICIES

Benefit: Strong password policies help to reduce the risk of a breach. Policies should also provide guidance that reduces the risk of breaches caused by human error. Strong passwords should meet these standards at a minimum:

• Lower case characters

• Upper case characters

• Numbers

• Special characters (@#$%^&*()_+|~-=`{}[]:";'<>/)

• Contain at least 12 but preferably 15 characters.
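As an added example (not part of the Raffa deck), the five bullets above encoded as an explicit policy check, so that the rule can be applied consistently and each failed requirement reported by name. The special-character set is exactly the one printed on the slide; note that it does not include `!`, so a checker that follows the slide literally will reject a password whose only special character is `!`.

```python
"""Checker for the minimum password standard listed on this slide.

Added example (not from the deck). It encodes the slide's five bullets:
lower case, upper case, number, special character, length >= 12
(preferably 15).
"""
import string

# Exactly the special characters listed on the slide. The set deliberately
# matches the slide, so characters such as '!' are NOT accepted.
SPECIAL_CHARS = set('@#$%^&*()_+|~-=`{}[]:";\'<>/')

MIN_LENGTH = 12        # "at least 12"
PREFERRED_LENGTH = 15  # "preferably 15"


def policy_failures(password: str) -> list[str]:
    """Return the slide requirements the password does NOT meet.

    An empty list means the password satisfies the stated minimum standard.
    """
    failures = []
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("no lower case character")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("no upper case character")
    if not any(c in string.digits for c in password):
        failures.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    return failures


def meets_minimum(password: str) -> bool:
    """True when every minimum requirement on the slide is satisfied."""
    return not policy_failures(password)


def meets_preferred(password: str) -> bool:
    """Minimum standard plus the slide's preferred length of 15."""
    return meets_minimum(password) and len(password) >= PREFERRED_LENGTH


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ["password", "Winter2016!", "Correct-Horse-9Battery"]:
        print(sample, policy_failures(sample) or "meets minimum",
              "(preferred length)" if meets_preferred(sample) else "")
```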

Is it Time for a Security and Compliance Assessment?

Page 18: Is it time for an IT Assessment?

COMPLIANCE DEFINITIONS

These definitions are generally accepted by most states.

However, exceptions do exist on a state-by-state basis.

Personal Information: An individual’s first name or first initial and last name, plus one or more of the following data elements:

1. Social Security number,

2. Driver’s license number or state-issued ID card number,

3. Account number, credit card number or debit card number, combined with any security code, access code, PIN or password needed to access an account. The definition generally applies to computerized data that includes personal information.

Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or from widely distributed media.

Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.

DEFINITIONS


Page 19: Is it time for an IT Assessment?

FEDERAL, STATE & PRIVATE REQUIREMENTS

It is important to understand that these laws don’t only apply to health and financial institutions.


HIPAA: Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this new rule.

The Gramm-Leach-Bliley Act (GLB Act or GLBA) is a federal law enacted to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections:

1. The Financial Privacy Rule, which regulates the collection and disclosure of private financial information

2. The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information

3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses).

The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.

Page 20: Is it time for an IT Assessment?

FEDERAL, STATE & PRIVATE REQUIREMENTS

The Payment Card Industry Council established rules governing how credit card data must be secured.

Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.

The Data Security Standard (DSS) was developed and is maintained by the Payment Card Industry Security Standards Council (PCI SSC). To be PCI compliant, companies must use a firewall between wireless networks and their cardholder data environment, use the latest security and authentication such as WPA/WPA2, change default settings for wired privacy keys, and use a network intrusion detection system.

The PCI DSS standard, as of September 2009 (DSS v 1.2), includes 12 requirements for best security practices.

PRIVATE REQUIREMENTS

Payment Card Industry (PCI) Data Security Standard (DSS)


Page 21: Is it time for an IT Assessment?

SECURITY CONSIDERATIONS AND ACTIONS

Security is as much about people, good process and well-documented policy as it is about your IT infrastructure.

PROCESS AND PEOPLE MANAGEMENT

Page 22: Is it time for an IT Assessment?

DISASTER RECOVERY


Page 23: Is it time for an IT Assessment?


Page 24: Is it time for an IT Assessment?

ARE YOU BEING SERVED?


Page 25: Is it time for an IT Assessment?

IT BUDGET REVIEW


Page 26: Is it time for an IT Assessment?

QUESTIONS?
