ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017...
Transcript of ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017...
![Page 1: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/1.jpg)
1
ISOAG Meeting July 12, 2017
Welcome to CESC
www.vita.virginia.gov
![Page 2: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/2.jpg)
2
Welcome and Opening Remarks
Michael Watson
July 12, 2017
www.vita.virginia.gov 2
![Page 3: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/3.jpg)
3
ISOAG July 12, 2017 Agenda I. Welcome & Opening Remarks Mike Watson, VITA
II. Database Breaches & Identity Theft Gene Fishel, OAG III. Push – Pull Technique Doug Mungle, Control Coach Consulting IV. The Chan-DO’s and The Chan DON’Ts Chandos Carrow, VEC of Information Security in the Commonwealth
V. Upcoming Events Mike Watson, VITA VI. Partnership Update Northrop Grumman
![Page 4: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/4.jpg)
Database Breaches and Identity Theft: Trends
and Enforcement
Gene Fishel Senior Assistant Attorney General
Chief, Computer Crime Section Virginia Attorney General’s Office
![Page 5: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/5.jpg)
Outline •Database Breaches •Identity Theft
![Page 7: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/7.jpg)
![Page 8: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/8.jpg)
![Page 9: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/9.jpg)
![Page 10: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/10.jpg)
![Page 11: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/11.jpg)
![Page 12: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/12.jpg)
![Page 13: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/13.jpg)
Enforcer’s Perspective • 566 database breach notices received
in VA In 2016 (464 already in 2017) • Broad cross-section of industry • Lost equipment, theft, intrusion are
most common occurrences • Small breaches dominate
![Page 14: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/14.jpg)
Enforcer’s Perspective • From 1 resident to over 1 million
residents affected in a single breach • Work with your attorneys • Contact law enforcement • Work with our office
![Page 15: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/15.jpg)
Database Breach Laws • State laws vary (48 of them) • Virginia Code Section 18.2-186.6
– Took effect July 1, 2008 – Crafted from Governor’s consortium of
national business and consumer advocates – Attempts to strike a balance – Allows Graham Leach Bliley compliance
![Page 16: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/16.jpg)
Database Breach Laws • Fairly standard provisions • Pertinent Provisions
– Applies to any legal entity; broad application – Unencrypted data accessed or acquired by
unauthorized person – Must have caused or reasonably believe will cause
fraud or identity theft to resident – Must notify OAG and affected resident without
unreasonable delay
![Page 17: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/17.jpg)
Database Breach Laws • Pertinent Provisions
– Law enforcement delay acceptable – Provisions also apply to encrypted data acquired in
an unencrypted form or if person has access to the encryption key
– If more than 1,000 affected residents, must also notify consumer reporting agencies
![Page 18: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/18.jpg)
Database Breach Laws • Pertinent Provisions
– Data = “personal information” to include name, SSN, financial acct/credit card numbers along with access code, driver’s license number
– July 1, 2017: Now includes tax identification numbers (to counter prevalent payroll breaches / IRS scams)
![Page 19: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/19.jpg)
Database Breach Laws • Pertinent Provisions
– Notice = written, electronic, telephone or substitute
– Substitute Notice = over $50K in cost, over 100,000 residents, or no sufficient contact info…can then post conspicuously on website, or notify statewide media
![Page 20: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/20.jpg)
Database Breach Laws • Pertinent Provisions
– Notice must include: • Incident in general terms • Type of information accessed • The general acts of entity to prevent further
unauthorized access • Telephone number for affected persons to call • Advice directing person to remain vigilant of
accounts and monitor free credit reports
![Page 21: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/21.jpg)
Database Breach Laws • Pertinent Provisions
– Attorney General’s Office can bring civil enforcement action for failure to comply with notice provisions
– $150,000 penalty per breach – Does not prohibit affected residents from filing
individual claims
![Page 22: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/22.jpg)
Identity Theft
![Page 23: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/23.jpg)
![Page 24: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/24.jpg)
![Page 25: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/25.jpg)
![Page 26: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/26.jpg)
![Page 27: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/27.jpg)
![Page 28: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/28.jpg)
![Page 29: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/29.jpg)
Identity Theft A. Unlawful for any person, without
authorization….to: 1. Obtain, record or access identifying
information which is not available to the general public that would assist in accessing financial resources…;
2. Obtain money, credit, loans, goods or services through the use of identifying information of such other person;
3. Obtain identification documents in such other person's name
![Page 30: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/30.jpg)
Identity Theft A. Identifying Information
(i) name; (ii) date of birth; (iii) social security number; (iv) driver's license number; (v) bank account numbers; (vi) credit or debit card numbers; (vii) personal identification numbers (PIN); (viii) electronic identification codes; (ix) automated or electronic signatures; (x) biometric data; (xi) fingerprints; (xii) passwords; or (xiii) any other numbers or information that can be used to access a person's financial resources, obtain identification, act as identification, or obtain money, credit, loans, goods, or services.
![Page 31: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/31.jpg)
Identity Theft - Penalties
• Up to 12 months jail • If over $200, 1-5 years imprisonment • If 50 or more person’s identifying info
stolen, 1-5 years • 1-10 years if information is used to
commit another crime
![Page 32: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/32.jpg)
Identity Theft
WHAT CAN YOU DO? • Protect your social security number • Use caution when giving out personal info
(phishing) • Treat your trash carefully • Protect your postal mail • Check your bank statements often
![Page 33: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/33.jpg)
Identity Theft
WHAT CAN YOU DO? cont… • Check your credit reports (1 free report
annually) – Annualcreditreport.com (recommended by FTC)
• Protect your computer (firewall, anti-virus, lock wireless networks)
• Use some plain common sense (i.e. too good to be true)
![Page 34: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/34.jpg)
Identity Theft
HOW TO SPOT IT… • You see withdrawals from your bank account
that you can’t explain • You don’t get your bills or other mail • Debt collectors call you about debts that aren’t
yours • You find unfamiliar accounts or charges on
your credit report
![Page 35: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/35.jpg)
Identity Theft
WHERE TO REPORT IT… • Creditors (Card Issuers & Utilities) • Credit Bureaus • Federal Trade Commission (FTC) • Local/State Law Enforcement • Office of the Attorney General
![Page 36: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/36.jpg)
![Page 37: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/37.jpg)
![Page 38: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/38.jpg)
RESOURCES VA Office of the Attorney General http://www.ag.virginia.gov Internet Crime Complaint Center http://www.ic3.gov Federal Trade Commission (FTC) http://www.ftc.gov
![Page 39: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/39.jpg)
Thank You
Gene Fishel Senior Assistant Attorney General Virginia Attorney General’s Office
[email protected] 804-786-2071
www.ag.virginia.gov
![Page 40: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/40.jpg)
Functional Objectives and the “Push/Pull” Technique®
Doug Mungle, CPA, CIA, CFE, CRMA, PCI
ControlCoachConsulting.com 804 514 9694
Constantly Driving Value
Virginia Information Technologies Agency Information Security Officers Advisory Group
July 12, 2017
![Page 41: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/41.jpg)
Program Title: Driving Value; Determining Functional Objectives and the Push/Pull Technique®. Date: July 12, 2017 Field of study: Specialized knowledge Approach: Group live program Method: Lecture and group participation Location: Richmond, VA Prerequisite: Understanding of basic management techniques Level: Intermediate Learning Objective: Gain an understanding of how to determine functional objectives for consideration. Understand the Push/Pull Technique®
Recommended CPE:1 hour, based on 50 minute session. Sponsor: VITA, ISOAG Presenter: Douglas R. Mungle, CPA, CIA, CFE, CRMA, PCI
Please remember to sign-in 41
![Page 42: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/42.jpg)
• Doug Mungle • CPA, CIA, CFE, CRMA, PCI • 25+ years • Audit, Risk Management, Internal Controls, Security, Operational
Management • Consulting Firm
• Internal Audit Function Advice • Risk Management Services • Compliance and Corporate Governance Support • Fraud Detection and Prevention Advice
42
![Page 43: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/43.jpg)
• Factors often considered in planning (ideal or not) o Users (information or report) o Framework or basis o Political considerations – push back o Degree of confidence/assurance o Complexity, familiarity and
competencies o Timing o Professional Standards o Detection and Inherit Risks o Etc.
o Assertions (i.e., VCROEPSM, etc.) o Legal, Regulatory or Other
Compliance o Resource availability o Potential impact or benefit o Nature and Scope o Auditor’s Responsibilities o Quality of Evidence o Materiality o Sensitivity of information
• Typically: o User-Centric o Auditor’s Perspective o Broad or laser-focused
Outside, looking in
43
![Page 44: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/44.jpg)
44
![Page 45: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/45.jpg)
• Functional Objectives o Support the overall business objective o Short, medium and long-term o Could be a unit, domain or sphere of responsibility (Agency, LOB, Dept., etc.) o Theoretical ideal desire is to optimize output o Vision, mission, goal, intent o Considers constraints; resources, timeframes, quality of management, etc.
• Typically: o Accountable Management-Centric o Functional Employee’s Perspective o More laser-focused
Inside, looking around
45
![Page 46: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/46.jpg)
• Functional Objectives should be: o Clearly defined o Have supporting sub-objectives o Specific executable and actionable o Measurable (and actually measured) o Consistent with theoretical ideal of optimized output/results o Tied directly to overall organization’s objectives o Communicated, understood and reinforced
46
![Page 47: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/47.jpg)
• Functional players may not be cognizant of objectives o Ambiguous, nebulous or lofty concepts o Lack supporting sub-objectives relevant to positions/responsibilities o Lack specific, executable actions o May conflict with theoretical ideal optimization of output o Not tied to overall business objectives
• If people are unaware of objectives, may:
• Focus on activity rather than achieving the intent • Not recognize an anomaly for follow-up • Not be able to measure level of achievement • Miss opportunities to improve
47
![Page 48: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/48.jpg)
• Explore and understand to ensure functional objectives meet expected criteria. o Defined, measurable, communicated, knowledge transfer, incentive,
internalized, reiterated, etc. o Activities are linked to specific outcomes which support the function’s
sub-objectives o Who, What, When, Where, How, Why (process understanding)
48
![Page 49: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/49.jpg)
• Sometimes, functional management and employees may not have a solid understanding or have considered objectives
Disconnect in understanding or perceptions; Senior Management Functional Management Workplace Participants
• Clarifying objectives to look for opportunities to achieve additional value
• Exercise is often very helpful for management and employees
49
![Page 50: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/50.jpg)
• Technique used to clarify functional objectives • Simply asking why a task is performed multiple times until the core
“reason” is revealed. o “On Tuesday morning, I hit the F12 key and compare the amount
displayed to the yellow report.” Why? o “To make sure the amount wired agrees with the invoiced
amount.” Why? o “To make sure we only pay for invoiced expenditures.” Why? o “To ensure cash disbursements are supported by underlying
documentation and have been approved by management.” (Dept. objective) Why?
o “To ensure utilization of resources maximize value to shareholders” (Organizational objective)
“Cuz it’s my job” – Indication of insufficient understanding or need to reinforcement of objectives. 50
![Page 51: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/51.jpg)
• Once understood, all activities should support the functional objectives.
o Extraneous tasks: Could be based on prior technology, previous LOBs, business evolution, discrete management requests, misunderstandings, make-work, self preservation, political sensitivity, etc. (opportunity for efficiency – justify or eliminate).
o Missing activities: No task is executed to support functional objective (opportunity for effectiveness – justify and build)
o Imbalance: Too much (or not enough) effort/resources dedicated to certain activities/objectives. Not clearly justified by risk or opportunity.
51
![Page 52: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/52.jpg)
• All activities should clearly support objectives.
OBJECTIVE
Extraneous Task
Missing Activity
Excessive Chores
52
![Page 53: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/53.jpg)
• Consider functional objectives while executing other work to achieve audit objectives. (value added service)
• Consider a separate review of achievement of the Functional Objectives.
• Technique is applicable to virtually any situation o Accounting o IT o Production o Security o Treasury o Sales and Marketing
o Distribution/Transportation o Tax o Human Resources o Inventory Control o Company-Wide/Executive Level o Etc.
53
![Page 54: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/54.jpg)
Functional Objectives
Risks to Functional Objectives
Functional Goals
Opportunities to Enhance Attainment
of Goals Activities to
Support Goals 54
![Page 55: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/55.jpg)
Asset physically exists Transaction valued properly Physical possession balanced
with records Electronically monitored for
inappropriate activity
Company Objective: Maximize asset utilization • Functional objectives oOperations: Reduce idle asset time o Treasury: Time cash flows to limit financing needs o Security: Protect physical assets from misappropriation (core objective) Sub-Objectives: Unbroken chain of custody Physically concealed/protected Timely executed Verified by second party Specifically-named accountable party Records reflect sufficient information
(no omissions)
55
![Page 56: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/56.jpg)
• Auditors often focus on risk: Avoid, mitigate, transfer, (even no action). • Equally as important: Achievement of objectives: Seize opportunities,
maximize return, capitalize on events, expand as advantageous, etc. • Many continuums based on perspectives, dimensions, desires, etc.
Reckless Risk Ignorance Absolute Risk Avoidance
Maximized Opportunity Missed Opportunity
High Cost/Low Value Low Cost/High Value
Ineffective Highly Effective
56
![Page 57: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/57.jpg)
Push-Pull Risk Management Technique®: Execution of activities which pull the organization away from risk fruition and simultaneously push the organization towards greater probability of achieving desired objectives. • Risk mitigation is not the only focus. • Concurrently reduce risk and increase probability to achieve business goal. • Requires understanding of audit, risk management and operations.
Collaborative considerations.
Downside Upside 57
|
0
![Page 58: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/58.jpg)
• Objectives: o Finance: Assets are safeguarded/accounted for o Security: Continuous chain of custody by named, accountable curator o Operations: Product moves expeditiously through plant
Assets insecure No clear custody Product sits idle
Assets secured/accounted (+1) Continuous custody (0) Product moves quickly (+6)
Desired Movement
58
0 -10 +10
![Page 59: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/59.jpg)
Assets insecure No clear custody Product sits idle
Assets secured/accounted Continuous custody Product moves quickly
• Some objectives may first appear to be contradictory • Requires critical and creative thinking, considering each perspective • What procedure, technique, device, activity or combination thereof,
could simultaneously contribute to reducing risks while increasing probability of achieving objectives?
• Relative to the associated risk or opportunity – Optimal balance • Enhanced through positive facilitation with stakeholders
o Get creative – balance can typically be achieved!
Downside Upside
59
![Page 60: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/60.jpg)
• Control: Barcoded, secure cart with badge ID and stoplight monitoring o Caged cart increases protection from misappropriation (Security Dept.) o ID badge scan designates specifically-accountable party (Security Dept.) o Stoplight monitoring allows identification of stalled product (Production Dept.) o Data collection allows for analysis of bottlenecks for action (Production Dept.)
• Push organization away from risk and simultaneously pull towards achieving other business objectives.
• Goal: Multiple parties have a vested interest in ensuring the procedure (control) is executed. WIIFM
• Next steps: Developing motivations, monitoring techniques, empowering, feedback, etc.
Downside Upside
60
![Page 61: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/61.jpg)
• Spheres of objectives and goals
Explore commonality and interrelationships
Capitalize on existing controls, tweak or implement new ones
61
![Page 62: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/62.jpg)
Questions or Comments……
Doug Mungle, CPA, CIA, CFE, CRMA, PCI
ControlCoachConsulting.com 804 514 9694
July 12th Events: • Largest tank battle of WWII • Smoking is connected with lung
cancer (1957) • Bill Cosby’s birthday…… • Henry VIII weds his 6th wife • Alexander Hamilton dies • The bikini is launched (1946) • Frank Sinatra’s first album flops • ISOAG meeting
![Page 63: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/63.jpg)
By: Chandos J. Carrow, MSIS, CISSP VEC ISO
THE CHAN-DOS AND CHAN-DON’TS OF INFORMATION SECURITY
![Page 64: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/64.jpg)
Unemployment Insurance Commission Appeals
Job Services Employer Services
Economic Information Services Labor Market Information
COV Agency, but we are Federally funded
As the ISO I am on the Executive Team for the agency and report directly to the Commission
VIRGINIA EMPLOYMENT COMMISSION
![Page 65: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/65.jpg)
UI Modernization TOP and 1099 Misclassification
Test Data Management COV Migration
ECOS / Log Event Management / Risk Assessments, Security Plans, and Audits / New Firewall and Switches & Third-Party Review / Information
Security Manual / IRS Safeguard Security Report / Incident Response Plan / Continuous Monitoring Plan / Auditable Events Plan / System and Data
Sensitivity Classification / BIA / IT DRP / System and Data Owner Training / IT Role Based Security Training / Properly identifying Business
Processes, Data Types, and Systems
VEC INITIATIVES
![Page 66: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/66.jpg)
WHAT MAKES A GOOD ISO?
![Page 67: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/67.jpg)
GET INVOLVED!
THE CHAN-DOS
![Page 68: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/68.jpg)
Join local Richmond information security groups Attend the meetings once you join the group
Awesome meetings to attend - http://rvatech.com/event/ Some groups to join – (ISC)2 Richmond Metro and InfraGard Richmond
Networking events like RICHsec
Attend ISOAG in person as often as possible and come down early to join other ISOs at the Knowledge Sharing Luncheons
Get on LinkedIn and network with your peers (even in the private sector)
THE CHAN-DOS
![Page 69: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/69.jpg)
Attend and present at conferences
COV IS Conference / RVAsec / VASCAN / ACCS / DerbyCon / CanSecWest / Black Hat / Def Con / (ISC)2 Security Congress / ShmooCon
/ RSA / THOTCON
Just because one speaks in front of a group, it does not mean they are an expert they just had the courage to speak up.
THE CHAN-DOS
![Page 70: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/70.jpg)
Become friends with your APA Auditors / CSRM folks / other ISOs
ASK QUESTIONS!!!!!!
Utilize the Knowledge Sharing SharePoint site Talk to vendors / VITA ICE
Invite yourself to ALL project meetings if you do not get invited Go to agency events – if people do not know who you are they will not listen
Get involved in all aspects of the business Have regularly scheduled meetings with your agency head and internal audit
THE CHAN-DOS
![Page 71: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/71.jpg)
Don’t be afraid to: Pushback – you are the ISO and if something isn’t right say something Push the pace – people get set in their ways, be the leader/motivator
Involve CSRM – VITA is not the bad guys, they will stand behind you Provide APA your concerns – Findings = Change
Don’t be afraid of the scare tactic media, but use it to advance security in your
agency. Sometimes you might need to bump up the fear factor Don’t just follow the standards – Do better
Don’t follow old traditions – Do fix the mistakes of the past
DO NOT GET STRESSED!
THE CHAN-DON’TS
![Page 72: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/72.jpg)
THE END
![Page 73: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/73.jpg)
73 www.vita.virginia.gov 73
Upcoming Events
![Page 74: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/74.jpg)
74
ISC2 Richmond Metro Chapter Meeting • Meetings for the ISC2 Richmond Metro chapter are
typically held on the last Thursday of the month.
• This month’s meeting is July 27th at MAXX Potential, 201 W 7th Street, Richmond, VA 23224 from 6 pm to 8 pm.
• There is parking available in the rear of the building.
• Please sign up for the newsletter here: http://isc2chapter-richmondmetro.com/
![Page 75: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/75.jpg)
75
IS Orientations Current Schedule:
• Sept 21 9 am to 11 am • Dec 14 1 pm to 3 pm
Link for registration: http://vita2.virginia.gov/registration/Session.cfm?MeetingID=10
![Page 76: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/76.jpg)
76
August 2 ISOAG Meeting Steven Hernandez Chief Information Security Officer Office of Inspector General US Department of Health and Human Services
Demetrias Rodgers VITA Director, Enterprise Services Platform Relationship Office
![Page 77: ISOAG Meeting July 12, 2017 - vita.virginia.gov · 2021. 2. 11. · ISOAG Meeting July 12, 2017 Welcome to CESC . 2 ... Senior Assistant Attorney General . Virginia Attorney General’s](https://reader036.fdocuments.net/reader036/viewer/2022071419/61174aca44c8eb6f0c545da4/html5/thumbnails/77.jpg)
77
ADJOURN THANK YOU FOR ATTENDING
Picture courtesy of www.v3.co.uk