iamers presentation-2
TRANSCRIPT
(c)2012 The Lorenzi Group & DF Labs
Emerging Issues in Data Security, Data Privacy, & Employee Monitoring
DF Labs / The Lorenzi Group
IAMERs 8th Annual Meeting, 2012
Data Security: What data are we talking about?
Health
Financial
Product Innovation
Operations & Strategy
Data Privacy: US vs. EU
Main difference:
EU: All about regulation & compliance, protecting the rights of the individual.
USA: National security & the company's interests are protected first.
Patriot Act
Safe Harbor
Preventive Monitoring & Security Analytics
Privacy in the EU: possible modification soon
No more local implementation
Only one notification
Under the new proposals, national data protection authorities will be able to penalize data protection breaches by imposing fines of up to 2 percent of the global annual revenues of a business.
Immediate data breach notification
Security Analytics: The Next Frontier
Proactive monitoring of data traffic
Internal monitoring more important than external monitoring
Baselines
Metrics
Patterns, anomalies & standard deviation
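The baseline-and-deviation idea on this slide, shown as an added example (not code from the presentation, DF Labs or The Lorenzi Group): per-user baselines of internal data-transfer volume are built from a constructed history, and each new observation is scored in standard deviations from that user's mean. The user names, volumes and the 3-sigma threshold are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed sample history: daily internal data-transfer volume in MB per
# user over ten days, as an internal monitoring system might record it.
HISTORY = {
    "alice": [120, 135, 110, 128, 122, 118, 131, 125, 116, 129],
    "bob": [40, 52, 45, 48, 50, 44, 47, 51, 43, 49],
}

# Constructed observations for the next day, scored against the baseline.
TODAY = [("alice", 905), ("bob", 55), ("carol", 30)]


def build_baselines(history):
    """Per-user baseline: mean and population standard deviation of past volumes."""
    return {user: (mean(vals), pstdev(vals)) for user, vals in history.items()}


def z_score(value, baseline):
    """Distance of an observation from its baseline, in standard deviations."""
    mu, sigma = baseline
    if sigma == 0:  # constant history: any change at all is a deviation
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score_observations(observations, baselines, threshold=3.0):
    """Return (user, value, z, verdict) for each observation.

    Users without a baseline are reported separately rather than silently
    passed: an account with no history moving data is itself worth a look.
    """
    results = []
    for user, value in observations:
        if user not in baselines:
            results.append((user, value, None, "no-baseline"))
            continue
        z = z_score(value, baselines[user])
        verdict = "anomaly" if abs(z) > threshold else "normal"
        results.append((user, value, round(z, 2), verdict))
    return results


if __name__ == "__main__":
    for row in score_observations(TODAY, build_baselines(HISTORY)):
        print(row)
```

With these figures alice's 905 MB day sits roughly 108 standard deviations above her baseline, while bob's 55 MB is a little over 2 and stays below the threshold.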
Discussion Points
HIPAA/EU Healthcare Privacy (aka Directive)
Insurance Companies & Data Theft Protection
FCPA/UK Bribery Act 2010
Medical Fraud
Employee Monitoring
HIPAA & the EU Directive
United States: Federal mandate; health-related information; can encompass financial info
European Union: EU mandate (with country-specific regulators)
Insurance Co's & Data Theft
More control over data theft claims
Policies becoming more restrictive
Coverage becoming more focused
Moving away from typical coverage as add-on
Immediate action required by insured
US FCPA & UK Bribery Act 2010
Foreign Corrupt Practices Act
Revenue generator for federal governments
Regulator base and depth growing
"Double jeopardy" does not apply
Recently expanded to vendors, partners & consultants
Medical Fraud
Equipment being sold on black market/gray market
Purchases made with false information: credit cards, federal tax IDs (corporate ID theft), unauthorized personnel
FBI issued report showing 40% of corporate cybercrime is employee driven
Employee Monitoring
Key part of security analytics
US: company owned; EU: data owned
German unions seeing great success
Sony vs. Lockheed
Lockheed Martin, Kaiser Permanente, USPS
Employee Monitoring (pt 2)
In the EU, employee monitoring may not be allowed; in some cases it is in fact restricted by:
Privacy impact
Labor law
Cases where monitoring data and preventing incidents are mandatory, i.e. the Italian 231/01
Risk Mitigation Framework (Source: DFLabs & Terremark)
Incident Prevention and Preparation (including forensics and fraud)
Pre-incident preparation
Application security management
Test your tech
Enterprise business security
IT security process management and support, including vulnerability management
Know where your data are
Business risk management: policy, standards, technologies, legal and guidelines
Incident Response and Investigation (including forensics and fraud)
Use the right technology
Risk Mitigation Framework: Example in the Medical Device World
FDA: Which medical devices are covered by this guidance?
Medical devices that incorporate off-the-shelf (OTS) software
Medical devices that can be connected to a private intranet or the public Internet
This information also may be useful to network administrators in health care organizations and information technology vendors.
Who is responsible for ensuring the safety and effectiveness of medical devices?
The device manufacturer bears the responsibility for the continued safe and effective performance of their medical device.
The device manufacturer does not bear responsibility for the hospital network.
Source: FDA 2012
Risk Mitigation Framework: Example in the Medical Device World
A vendor in the medical devices arena asked DFLabs to perform the following tasks:
Code audit on the device software
Security assessment on the device itself
Security guidelines for the device setup
Contractual technical support vs. hospital relationships
Source: FDA 2012
Risk Mitigation Framework: Example in the Hospital World
Prominent hospital has a MAJOR/gross data breach
Post-event security analysis identified:
Lack of controls
Too much & contradicting information
Employee monitoring would have identified the threat risk prior to the event
"Set it & forget it" security is DEAD. Diligence is KEY to success.
Questions?
Robert Fitzgerald, The Lorenzi Group
+1-866-632-9880 www.thelorenzigroup.com [email protected]
Dario Forte, DF Labs
+39-0373-83196 www.dflabs.com [email protected]