
Leading Practices in Information Security & Privacy


DESCRIPTION

Many not-for-profits operate in an environment in which a tremendous amount of electronic documents, communications, and confidential data sits on computers and networks that are connected to the Internet. Privacy and security threats are also increasing, putting Internet communications and computer data at risk at an alarming rate. At the same time, laws and regulations with significant penalties have been passed or are being passed by states, the Federal government, and industry groups (e.g. PCI DSS), increasing the consequences of data breaches and privacy violations. Whether you’re an executive director, program manager, or IT manager, this non-technical presentation will help you learn about the threats, requirements, and leading practices related to information security that you need in order to protect your donors and constituents.


Page 1: Leading Practices in Information Security & Privacy

IntrapriseTechKnowlogies LLC

NTEN Nonprofit Technology Conference

Atlanta, Georgia

April 9, 2010

Presented by

Donny C. Shimamoto, CPA.CITP

Page 2: Leading Practices in Information Security & Privacy

Today’s Agenda

• About the Presenter
• About the Audience
• Information Risks and Losses are Increasing
• Information Security Requirements
  – ID Theft & Privacy Laws
  – Payment Card Industry Data Security Standard
• Your Role in Protecting Information
  – A SAS 70 is not enough
  – Risk Assessment Methodology
  – Generally Accepted Privacy Principles (GAPP)

Page 3: Leading Practices in Information Security & Privacy

How Was this Session?

Call In: Call 404.939.4909, Enter Code 165
Text: Text 165 to 69866
Online: Visit nten.org/ntc-eval, Enter Code 165

Session feedback powered by:

Tell Us and You Could Win a Free 2011 NTC Registration!

Page 4: Leading Practices in Information Security & Privacy

Donny C. Shimamoto, CPA.CITP

Background & Experience

• BBA from University of Hawaii at Manoa
  – Accounting
  – Management Information Systems
• Alumnus of PricewaterhouseCoopers LLP
  – Strategic Technology Group
  – Financial Audit and IT Audit
  – Washington Consulting Practice
• Founder of IntrapriseTechKnowlogies LLC
  – Organizational Development advisor with a focus on Business Intelligence and Performance Management
  – Business Process Improvement with emphasis on internal controls and technology risk management
  – IT Outsourcing for small and middle market organizations

Page 5: Leading Practices in Information Security & Privacy

Donny C. Shimamoto, CPA.CITP

Involvement, Awards, and Recognition

• American Institute of CPAs
  – Assurance Services Executive Committee (2009+)
  – Co-Chair, Business Intelligence Workgroup (2009+)
  – IT Executive Committee (2006-2009)
• Association of IT Professionals
  – Honolulu: Director (2008), Treasurer (2009), President (2010)
  – National: Chair, Governance Task Force (2009+), National Strategic Planning Committee (2009)
• Awards & Recognition
  – Top “40 Under 40” Accounting Professionals in the US
    • 2007 & 2009, CPA Technology Advisor Magazine
  – Top High Tech Leaders in Hawaii
    • 2004, Pacific Technology Foundation & Technology News Network

Page 6: Leading Practices in Information Security & Privacy

Audience Poll #1

• What part of the organization are you from?
  – Executive Director
  – Finance
  – IT / IS
  – Programs / Other Management
  – Staff
  – Vendors / Consultants

Page 7: Leading Practices in Information Security & Privacy

Audience Poll #2

• What size of organization are you from?
  – Very Large (multiple offices, geographically dispersed)
  – Large (multiple offices, 250+ staff)
  – Large (single office, 250+ staff)
  – Mid-sized (100 – 250 staff)
  – Small (<100 staff)

Page 8: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

• Banking laws leave business customers vulnerable to Internet fraud
  – March 21, 2010 – Los Angeles Times
  – 32% of 500 small business owners surveyed had been victimized; >50% more than once
  – Federal law doesn’t protect business customers
• Data Theft Creates Notification Nightmare for BlueCross
  – March 1, 2010 – CIO.com
  – 57 hard drives stolen, 1M customer support calls
  – Which of 3M customers to notify?

Page 9: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

• Wanted: Defense Against Online Bank Fraud
  – February 8, 2010 – Wall Street Journal
  – Smaller businesses are a rich target for hackers because the smaller banks they use aren’t as sophisticated in their protections
• Study: Hacking Passwords Easy As 123456
  – January 21, 2010 – CIO.com
  – 2009 Data Breach Study:
    • 30% had passwords <=6 characters
    • 60% use a limited set of alpha-numeric characters
    • 50% use names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keys)
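The three weak-password categories the study counts (short, limited character set, dictionary or trivial pattern) are exactly the checks an organization can enforce when staff choose a password, so that its own population never looks like the breached one. The following Python is an added example written for this page; it is not code from the presentation or from the study it cites. The word list, keyboard rows, leet-substitution table and the ten sample passwords are constructed assumptions, and the percentages it reports describe that sample only, not the study's figures.

```python
from __future__ import annotations

import re
import string

# Constructed stand-in for a dictionary/name list; a real policy check would load
# a full word list and name list from disk (an assumption, not from the slides).
COMMON_WORDS = {
    "password", "welcome", "letmein", "monkey", "dragon", "master", "summer",
    "michael", "jennifer", "football", "baseball", "qwerty", "abc123",
}

# Rows of a US keyboard, used to spot adjacent-key runs such as "qwer" or "asdf".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common symbol-for-letter substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@$013", "asole")

SHORT = "short (<=6 characters)"
LIMITED = "limited character set"
TRIVIAL = "dictionary/name/trivial pattern"


def _uses_limited_charset(pw: str) -> bool:
    """True when at most two of the four character classes are present."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(classes) <= 2


def _is_dictionary_based(pw: str) -> bool:
    """True if the password is a listed word/name once digits, symbols and leet
    substitutions are stripped away (e.g. 'P@ssw0rd' -> 'password')."""
    low = pw.lower()
    candidates = {
        low,
        re.sub(r"[^a-z]", "", low),
        re.sub(r"[^a-z]", "", low.translate(LEET)),
    }
    return any(c in COMMON_WORDS for c in candidates)


def _has_consecutive_digits(pw: str, min_len: int = 4) -> bool:
    """True for an ascending or descending digit run of at least min_len (1234, 9876)."""
    for run in re.findall(r"\d+", pw):
        for i in range(len(run) - min_len + 1):
            window = run[i:i + min_len]
            steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def _has_keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if min_len adjacent keys of one keyboard row appear in order, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            chunk = row[i:i + min_len]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def assess_password(pw: str) -> list[str]:
    """Return the study's weakness categories that apply to pw (empty list if none)."""
    findings = []
    if len(pw) <= 6:
        findings.append(SHORT)
    if _uses_limited_charset(pw):
        findings.append(LIMITED)
    if _is_dictionary_based(pw) or _has_consecutive_digits(pw) or _has_keyboard_run(pw):
        findings.append(TRIVIAL)
    return findings


def summarize(passwords: list[str]) -> dict[str, float]:
    """Percentage of the given passwords falling into each category, as the study reports."""
    counts = {SHORT: 0, LIMITED: 0, TRIVIAL: 0}
    for pw in passwords:
        for category in assess_password(pw):
            counts[category] += 1
    return {k: round(100.0 * v / len(passwords), 1) for k, v in counts.items()}


# Constructed sample set standing in for proposed or recovered passwords.
SAMPLE_PASSWORDS = [
    "123456", "qwerty", "P@ssw0rd", "Tr0ub4dor&3", "jennifer1",
    "Summer2009", "abc123", "monkey", "Kx9#vLp2!rQ", "letmein",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:15} {assess_password(pw) or ['ok']}")
    print(summarize(SAMPLE_PASSWORDS))
```

A password can fall into several categories at once, which is why the study's percentages add up to more than 100%; `summarize` counts the same way. The dictionary check deliberately looks at the password with symbols stripped and leet substitutions undone, because "P@ssw0rd" offers no more resistance to a wordlist attack than "password" does.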

Page 10: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

• 2009 AICPA Top Technology Initiatives Survey (http://www.aicpa.org/toptech)
  1. Information Security Management
  2. Privacy Management
  3. Secure Data File Storage, Transmission and Exchange
  4. Business Process Improvement, Workflow, and Process Exception Alerts
  5. Mobile and Remote Computing


Page 12: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

• 2008 CSI/FBI Computer Crime and Security Survey
  – Greatest source of financial loss
    • Financial Fraud moved to the top in 2007
      – Displaced Viruses, which had been top for the last 7 yrs
    • Financial Fraud stayed at the top in 2008
  – Average loss per respondent: $463,100
  – Other high loss areas
    • Bots within the Organization: $345,600
    • Loss of customer/employee data: $268,000
    • Loss of proprietary information: $241,000

Page 13: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

Losses from Mobile Device risks: $8,429,150
Losses from Virus: $8,391,800

Source: 2007 CSI/FBI Computer Crime and Security Survey

Page 14: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

Losses from outsider: $6,875,000
Losses from insider: $6,802,000

Source: 2007 CSI/FBI Computer Crime and Security Survey

Page 15: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

• Federal Trade Commission
  – ID Theft is the #1 concern of consumers contacting the FTC
• US Dept of Justice Statistics
  – ID Theft has overtaken drug trafficking
• 2006 Gartner Study
  – 28 ½ people become new victims every minute
  – a new victim almost every 2 seconds

Source: Identity Theft Resource Center

Page 16: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

• Common Sources of Data Leaks
  – 45% Lost or stolen laptop computers
  – 29% Records lost by 3rd party business partners or outsourcing companies
  – 26% Misplaced or stolen backup files
  – 10% Malware programs (e.g. viruses/spyware)

Source: Identity Theft Resource Center

Page 17: Leading Practices in Information Security & Privacy

Information Risks and Losses are Increasing

Hawaii was 25th in ID Theft instances per capita in 2005

Page 18: Leading Practices in Information Security & Privacy

Massachusetts Data Privacy Law

• Requirements
  – Written Information Security Program (WISP)
    • Must be appropriate for the size, scope, and type of business conducted by the entity
    • Must address administrative, technical, and physical safeguards
    • Applies to both consumer and employee information
    • Applies to all forms of media (paper & electronic) and the devices that contain them (laptop/phone/ext-HD)
  – Designated employee must be assigned to
    • Evaluate reasonably foreseeable internal and external risks to personal information being managed

Page 19: Leading Practices in Information Security & Privacy

Massachusetts Data Privacy Law

• Requirements
  – Employee training program
  – Monitoring of employee compliance
    • To ensure that the WISP is operating in a manner that can be reasonably assumed to prevent unauthorized access to or use of personal information
  – Incident management
    • Identification of potential incidents
    • Assessment of breach and potential data loss
    • Documentation of actions taken in response to breaches

Page 20: Leading Practices in Information Security & Privacy

Massachusetts Data Privacy Law

• Additional Technical Requirements for Electronically Stored Information (ESI)
  – Secure authentication protocols
  – Control of user IDs and other identifiers
  – Password security
  – Restriction of access to personal information to active users and active user accounts
    • Limit access to a need-to-know basis
  – Must encrypt personal info transmitted over public networks
  – Must encrypt personal info at rest on portable devices

Page 21: Leading Practices in Information Security & Privacy

Massachusetts Data Privacy Law

• I’m not in Massachusetts, why should I care?
• State privacy laws protect the information of the residents of that state
  – If you hold information about a state’s residents, you are often subject to that state’s privacy law and must comply with it
• The European Union and State of California also have very stringent privacy laws

Page 22: Leading Practices in Information Security & Privacy

Personal Information Protection LawsPersonal Information Protection LawsPersonal Information Protection LawsPersonal Information Protection Laws

Page 23: Leading Practices in Information Security & Privacy

Hawaii’s ID Theft Laws

• Internal costs
  – $197 per compromised record
    • 2007 estimate by Ponemon Institute (per Journal of Accountancy, January 2009)
• State penalties
  – Up to $2,500 for EACH violation/record
• Additional costs
  – Liability to injured parties for actual damages sustained

Page 24: Leading Practices in Information Security & Privacy

Payment Card Industry Data Security Standard

• Payment Card Industry Data Security Standard (PCI DSS)
  – Best practice security standards for protecting cardholder data
  – Compliance REQUIRED for
    • “Merchants” = Companies who accept credit/debit card information (cardholder data)
    • “Service providers” = Companies that provide services to merchants and have access to cardholder data

http://www.PCISecurityStandards.org

Page 25: Leading Practices in Information Security & Privacy

Payment Card Industry Data Security Standard

• Penalties for Non-compliance
  – Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
  – All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
  – Cost of re-issuing cards associated with the compromise.
  – Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

From: Wells Fargo Merchant Services
https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25

Page 26: Leading Practices in Information Security & Privacy

Payment Card Industry Data Security Standard

• 6 Principles + 12 Requirements
  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

http://www.PCISecurityStandards.org

Page 27: Leading Practices in Information Security & Privacy

Payment Card Industry Data Security Standard

• Common PCI Myth #3

From: Ten Common Myths of PCI DSS

© 2008 PCI Security Standards Council

https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf

Page 28: Leading Practices in Information Security & Privacy

Payment Card Industry Data Security Standard

• Compliance Requirements
  – Level 1 = must have onsite audit performed by a QSA or internal auditor
  – Level 2-4 = must complete Self-Assessment Questionnaire (SAQ)
    • SAQ Type 1 = card not present
    • SAQ Type 2 = Imprint-only
    • SAQ Type 3 = Stand-alone merchant terminals
    • SAQ Type 4 = POS connected to Internet
    • SAQ Type 5 = All others

Page 29: Leading Practices in Information Security & Privacy

Payment Card Industry Data Security Standard

• Sample SAQ Type 3 questions: (Req 9)
  – Are all paper and electronic media that contain cardholder data physically secure?
  – Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data?
    • Is the media identified so that it can be identified as confidential?
    • Is the media sent by secured courier or other delivery method that can be accurately tracked?
  – Is strict control maintained over the storage and accessibility of media that contains cardholder data?

Page 30: Leading Practices in Information Security & Privacy

Payment Card Industry Data Security Standard

• Sample SAQ Type 3 questions: (Req 12)
  – Is a security policy established, published, maintained and disseminated?
    • Is it reviewed at least once a year and updated when the environment changes?
  – Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security?

These are all basically control points/objectives and should be “easy” for a CPA to answer.

Page 31: Leading Practices in Information Security & Privacy

Your Role in Protecting Information

• NPOs must protect personal information
  – Donors
  – Clients/customers
  – Employees
• NPOs must be sure that service providers are protecting personal information too
  – Capital campaigns / Fundraising
  – Donor management
  – Financial data processing
• A breach on the part of the service provider is a breach of the NPO

Page 32: Leading Practices in Information Security & Privacy

Your Role in Protecting Information

• A Common Myth: I use a SAS 70 certified vendor, I don’t need to worry.

Wrong!!

• SAS 70 only covers the internal controls and operations of a service provider as they relate to accounting processes and financial reporting
• It does not cover operations related to non-accounting/non-financial statement data
• It does not include any coverage of confidentiality or privacy controls

Page 33: Leading Practices in Information Security & Privacy

Your Role in Protecting Information

• Instead of a SAS 70 you need to request a
  – Trust Services report that specifically covers a review of confidentiality and privacy
• This is available from CPA firms that have IT audit specialists
  – Previously this was a very specialized area
  – Education is being conducted to increase the number of CPAs trained to provide this service
• So what do I do until I can get this report?

Page 34: Leading Practices in Information Security & Privacy

Risk Assessment Methodology

• Inventory places in your organization with Personally Identifying Information (PII)
  – Electronic Files/Databases AND Physical Files
• Identify the safeguards in place
• Identify applicable security requirements
• Determine compliance gap
• Assess risk of non-compliance
• Develop risk remediation plan
  – Work with IT to identify and evaluate options
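The six steps of the methodology above, carried through as an added worked example in Python (not the presenter's material): a PII inventory recording the safeguards in place at each location, a requirement catalogue whose control names are taken from the Massachusetts ESI requirements on Page 20 of this deck, the compliance gap per location, a risk score, and a remediation plan ranked by that score. The inventory, the rule deciding which requirement applies where, and the severity weights are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Control names taken from the Massachusetts ESI requirements listed on Page 20;
# the applicability rule in applicable_requirements() is a constructed reading
# of that slide, not a statement of the law.
NEED_TO_KNOW = "need-to-know access"
SECURE_AUTH = "secure authentication protocols"
PASSWORD_SECURITY = "password security"
ACTIVE_ACCOUNTS = "access limited to active users and accounts"
ENCRYPT_AT_REST = "encryption at rest (portable device)"
ENCRYPT_IN_TRANSIT = "encryption in transit (public network)"

# Constructed severity weights: a missing control on portable media weighs most,
# since lost or stolen laptops are the deck's top source of data leaks (45%).
WEIGHTS = {ENCRYPT_AT_REST: 3, ENCRYPT_IN_TRANSIT: 2}


@dataclass
class PiiLocation:
    name: str
    medium: str                           # "electronic" or "physical"
    records: int                          # individuals whose PII is held here
    portable: bool = False                # laptop, phone, external drive, paper carried off-site
    crosses_public_network: bool = False  # sent over the Internet / e-mail
    safeguards: set[str] = field(default_factory=set)


def applicable_requirements(loc: PiiLocation) -> set[str]:
    """Step 3: the requirements that apply to this location."""
    reqs = {NEED_TO_KNOW}                 # applies to all media, paper and electronic
    if loc.medium == "electronic":
        reqs |= {SECURE_AUTH, PASSWORD_SECURITY, ACTIVE_ACCOUNTS}
    if loc.portable:
        reqs.add(ENCRYPT_AT_REST)
    if loc.crosses_public_network:
        reqs.add(ENCRYPT_IN_TRANSIT)
    return reqs


def compliance_gap(loc: PiiLocation) -> set[str]:
    """Step 4: applicable requirements for which no safeguard is in place."""
    return applicable_requirements(loc) - loc.safeguards


def risk_score(loc: PiiLocation) -> int:
    """Step 5: constructed exposure score = records held x weighted count of missing controls."""
    return loc.records * sum(WEIGHTS.get(r, 1) for r in compliance_gap(loc))


def remediation_plan(inventory: list[PiiLocation]) -> list[tuple[str, int, list[str]]]:
    """Step 6: locations ranked by risk score (highest first) with the controls to add."""
    rows = [(loc.name, risk_score(loc), sorted(compliance_gap(loc))) for loc in inventory]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Steps 1-2: a constructed inventory of PII locations and their current safeguards.
INVENTORY = [
    PiiLocation("Donor database (office server)", "electronic", 12000,
                safeguards={SECURE_AUTH, PASSWORD_SECURITY, NEED_TO_KNOW}),
    PiiLocation("Development director's laptop", "electronic", 3000, portable=True,
                safeguards={PASSWORD_SECURITY}),
    PiiLocation("Payroll file e-mailed to outsourcer", "electronic", 40,
                crosses_public_network=True,
                safeguards={SECURE_AUTH, PASSWORD_SECURITY, ACTIVE_ACCOUNTS, NEED_TO_KNOW}),
    PiiLocation("Paper client intake forms (filing cabinet)", "physical", 500),
]

if __name__ == "__main__":
    for name, score, missing in remediation_plan(INVENTORY):
        print(f"{score:>6}  {name}: add {', '.join(missing) or 'nothing'}")
```

The ranking is the point of the exercise: the laptop holds a quarter of the records the donor database holds, yet it tops the plan because an unencrypted portable device is missing the control that matters most for the leak pattern the deck describes. The payroll e-mail scores lowest by record count, but its single gap (no encryption in transit) is also the cheapest to close, which is the kind of trade-off to take to IT when evaluating options.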

Page 35: Leading Practices in Information Security & Privacy

Generally Accepted Privacy Principles

• Provides criteria and related material for protecting the privacy of personal information
• Incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines
• Used to guide and assist organizations in implementing privacy programs

http://www.aicpa.org/privacy

Page 36: Leading Practices in Information Security & Privacy

Generally Accepted Privacy Principles

1. Management
2. Notice
3. Choice & Consent
4. Collection
5. Use & Retention
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement

http://www.aicpa.org/privacy

Page 37: Leading Practices in Information Security & Privacy

You Must Be Proactive for Privacy!

• Identify and understand the Privacy Requirements that you are subject to
• Conduct a Privacy Risk Assessment
• Determine the acceptable level of risk for your organization
• Develop an enterprise privacy policy
• Enact an enterprise privacy program
• Get your privacy program evaluated by a qualified CPA and get a Trust Services report – use this to your advantage!

Page 38: Leading Practices in Information Security & Privacy

IntrapriseTechKnowlogies LLC

Thank you for your attention and participation!

Feedback and questions are welcome

Donny C. Shimamoto, CPA.CITP
[email protected]
(808) 735-8324

Any Questions or Comments?
