Identity Theft… …or a Lack of Management: A 50,000 Foot Technology View of this Business Tsunami (transcript of a slide deck)

Page 1:

www.evalid8.com

Identity Theft…

…or a Lack of Management
A 50,000 Foot Technology View of this Business Tsunami

Maryland Chamber of Commerce Conference 2007
Cambridge, MD

Presented by:

Brian Dilley - President / Founder, eValid8 Corporation
CISA / CGEIT / MBA Accredited Auditor

Page 2:

Agenda

Introduction
Legal Precedent
Snap Shot
Technology Solutions
Independent Validation
Logical Solutions
Physical Solutions
What it is going to Cost YOU!
Frontline Report
Open Mic

Page 3:

Introduction

Mr. Brian Dilley - Your Speaker, President

Certified Information Systems Auditor
Accredited Mortgage Bankers PKI Auditor
Member – Information Systems Audit and Control Association (ISACA)
Member – ISACA Maryland Chapter
Board Member – Howard County Chamber of Commerce

24 years of Experience
  Cryptographer, IT Security Specialist, PKI Expert
  Active PKI Internal / External auditing activities
  FISMA SP 800-53 Assessor
  Identity Management – Global / Federal / State / Commercial
  IRS Privacy SME

Page 4:

Legal Precedent

Revised TJX Settlement To Offer Customers Vouchers Or Checks

After a federal judge raised concerns about a proposed TJX settlement stemming from an intrusion into its systems that compromised 45.7 million credit and debit card numbers, the deal has been revised to offer customers a choice of a $30 store voucher or a $15 check, according to this Boston Globe article. The company has estimated that it expects breach-related costs of about $256 million. The story indicates that the litigation outcome could set a precedent ($5.00 per record) for other similar breach-related cases.

LATEST NEWS IS THAT THE BREACH COULD EXCEED 94 million CREDIT CARDS – FINES WILL INCREASE

Page 5:

Snap Shot

Maryland Personal Information Protection Act – 8 Sections

14-3501 - Definitions
14-3502 - Customer Obligations
14-3503 - Protections
14-3504 - Breach
14-3505 - Provision
14-3506 - Notice
14-3507 - Business Affiliate
14-3508 - Violation

Good News (yada yada yada…): If you comply with GLBA, the Federal Fair & Accurate Transaction Act, the Federal Interagency Guidelines Establishing Information Security Standards, and the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, you meet the intent of SB 194 and are covered… what analysis have you conducted?????

Page 6:

Technology Solutions

Encryption
  In transit (electronic or physical)
  In storage (long or short term)
  eMail, Documents, Tokens, Biometrics, RealID, HSPD12, PKI, Strong Authentication – all based on cryptography and/or digital certificates

Authorized Access
  Permissions and Rights
  Vetting Permissions / Issuing IDs

Page 7:

More Technology

VPNs
  Dedicated Lines
  Encryption
  Session Termination
  SSH / Credential logons

Algorithms
  AES, SHA-1 or greater – RC4 can be beaten
  SSL / TLS
  HTTPS

Firewalls
  Ports & Protocols
  Only open what is needed

Logs
  Audit, Review, Report, Investigate
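The last bullet on this slide (audit, review, report, investigate) is the step that most often goes undone once logging is switched on. As an added example that is not part of the deck, here is a small Python review of constructed SSH authentication log lines: it counts failed logons per source address, records usernames that do not exist on the host, and flags any successful logon that follows a run of failures from the same source, which is the case that calls for investigation rather than a line in a report. The log lines, hostname, addresses and the threshold of three failures are all assumed sample values.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log lines in OpenSSH/syslog style (fake host and addresses).
SAMPLE_LOG = """\
Oct 12 09:58:01 fileserver sshd[4101]: Accepted publickey for alice from 10.0.0.5 port 50112 ssh2
Oct 12 10:01:02 fileserver sshd[4102]: Failed password for bob from 203.0.113.7 port 2201 ssh2
Oct 12 10:01:05 fileserver sshd[4103]: Failed password for bob from 203.0.113.7 port 2202 ssh2
Oct 12 10:01:09 fileserver sshd[4104]: Failed password for invalid user admin from 203.0.113.7 port 2203 ssh2
Oct 12 10:01:14 fileserver sshd[4105]: Failed password for bob from 203.0.113.7 port 2204 ssh2
Oct 12 10:01:20 fileserver sshd[4106]: Failed password for bob from 203.0.113.7 port 2205 ssh2
Oct 12 10:01:31 fileserver sshd[4107]: Accepted password for bob from 203.0.113.7 port 2206 ssh2
Oct 12 10:15:44 fileserver sshd[4110]: Failed password for carol from 10.0.0.9 port 51000 ssh2
Oct 12 10:16:02 fileserver sshd[4111]: Accepted password for carol from 10.0.0.9 port 51001 ssh2
"""

# One pattern covers both "Accepted" and "Failed" sshd authentication lines.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Event:
    ts: str
    host: str
    ok: bool          # True for an accepted logon
    method: str       # password, publickey, ...
    user: str
    src: str
    invalid_user: bool  # sshd reported a username that does not exist


def parse_line(line):
    """Parse one sshd line; returns None for lines that are not logon events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(m["ts"], m["host"], m["result"] == "Accepted", m["method"],
                 m["user"], m["src"], m["invalid"] is not None)


def review(log_text, threshold=3):
    """Audit the log once, in order, and return the findings a reviewer needs."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures_by_src = Counter()
    invalid_users = defaultdict(set)
    success_after_failures = []
    for e in events:
        if not e.ok:
            failures_by_src[e.src] += 1
            if e.invalid_user:
                invalid_users[e.src].add(e.user)
        elif failures_by_src[e.src] >= threshold:
            # A success right after repeated failures from the same source is
            # the event to investigate, not merely to report.
            success_after_failures.append((e.user, e.src, failures_by_src[e.src]))
    flagged_sources = sorted(s for s, n in failures_by_src.items() if n >= threshold)
    return {
        "events": len(events),
        "failures_by_source": dict(failures_by_src),
        "flagged_sources": flagged_sources,
        "invalid_users": {s: sorted(u) for s, u in invalid_users.items()},
        "success_after_failures": success_after_failures,
    }


def report(findings):
    """Render the findings as the short text a manager would actually read."""
    lines = [f"events reviewed: {findings['events']}"]
    for src in findings["flagged_sources"]:
        n = findings["failures_by_source"][src]
        bad = findings["invalid_users"].get(src, [])
        extra = f", unknown accounts tried: {', '.join(bad)}" if bad else ""
        lines.append(f"REVIEW       {src}: {n} failed logons{extra}")
    for user, src, n in findings["success_after_failures"]:
        lines.append(f"INVESTIGATE  {user}@{src}: successful logon after {n} failures")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(review(SAMPLE_LOG)))
```

Run stand-alone, the report prints one REVIEW line for the source over the threshold (including the non-existent account it tried) and one INVESTIGATE line for the logon that succeeded after five failures; the same counters would be fed from the real log source in practice, with the threshold tuned to the environment.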

Page 8:

Technology Statements

Logon Warning Banners – allows prosecution; due notice has been given

Privacy Statement – Website – Do you have one?

Retention Policy – See Vangel Paper http://www.vangelpaper.com/laws/records.php
  Period required by contracts or law
  Access / Authorization / Documentation
  Destruction – SHRED! SHRED! SHRED!
  Removal – minimize what is to be stored & retained

IT Security and Privacy Protection touches every business sector today
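As an added example (not from the deck), the following Python sketch turns the retention bullets into a repeatable check: each record category carries a retention period, records past their period are listed for destruction unless they are under a legal hold, and every record is also checked for sensitive fields (SSN, card number, date of birth) that its business purpose does not require, which is the "minimize what is stored" point. The categories, retention periods, required-field lists, the legal-hold flag, the review date and the sample records are all assumed values for illustration; the real periods are whatever your contracts and the applicable law require.

```python
from datetime import date

# Assumed retention schedule in days per record category (illustration only).
RETENTION_DAYS = {
    "customer_account": 7 * 365,
    "marketing_lead": 180,
    "support_ticket": 365,
}

# Assumed set of fields each category actually needs for its business purpose.
REQUIRED_FIELDS = {
    "customer_account": {"id", "name", "email", "created"},
    "marketing_lead": {"id", "email", "created"},
    "support_ticket": {"id", "email", "created"},
}

# Fields that should not be retained unless a category explicitly requires them.
SENSITIVE_FIELDS = {"ssn", "card_number", "dob"}

# Constructed sample records with fake identifiers and values.
SAMPLE_RECORDS = [
    {"id": "A-1", "category": "customer_account", "name": "A. Customer",
     "email": "a.customer@example.com", "ssn": "000-00-0000",
     "created": date(2006, 1, 10)},
    {"id": "L-7", "category": "marketing_lead", "email": "lead@example.com",
     "created": date(2007, 1, 15)},
    {"id": "T-3", "category": "support_ticket", "email": "t.user@example.com",
     "card_number": "4111111111111111", "created": date(2006, 6, 1),
     "legal_hold": True},   # assumed flag: expired but must not be destroyed yet
]

REVIEW_DATE = date(2007, 10, 1)   # assumed date of the sweep


def minimize(record):
    """Return a copy holding only the fields the record's category requires
    (plus the category tag), so SSNs, card numbers and the like are dropped
    before storage instead of having to be shredded later."""
    keep = REQUIRED_FIELDS[record["category"]] | {"category"}
    return {k: v for k, v in record.items() if k in keep}


def retention_sweep(records, today):
    """Decide keep/destroy per record against the schedule, honour the assumed
    legal_hold flag, and list sensitive fields stored without a need."""
    decisions = {}
    for rec in records:
        cat = rec["category"]
        age = (today - rec["created"]).days
        expired = age > RETENTION_DAYS[cat]
        on_hold = rec.get("legal_hold", False)
        excess = sorted((set(rec) & SENSITIVE_FIELDS) - REQUIRED_FIELDS[cat])
        decisions[rec["id"]] = {
            "action": "keep" if on_hold or not expired else "destroy",
            "age_days": age,
            "expired": expired,
            "legal_hold": on_hold,
            "excess_fields": excess,
        }
    return decisions


def destruction_list(decisions):
    """Sorted record ids to destroy: the input to a documented destruction run."""
    return sorted(rid for rid, d in decisions.items() if d["action"] == "destroy")


def sweep_sample():
    """Run the sweep over the constructed records at the assumed review date."""
    return retention_sweep(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    result = sweep_sample()
    for rid, d in result.items():
        note = f", stores unneeded {d['excess_fields']}" if d["excess_fields"] else ""
        hold = " (legal hold)" if d["legal_hold"] else ""
        print(f"{rid}: {d['action']}{hold}, age {d['age_days']} days{note}")
    print("destroy:", destruction_list(result))
```

The sweep output is the documentation the slide asks for: which records were destroyed, which were kept and why (not yet expired, or held), and which categories are collecting data they were never meant to hold, the last being the cue to apply minimize() at the point of collection rather than at disposal.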

Page 9:

Organization IT Plans

IT Documents & Plans
  Privacy Statement
  System Security Plan
  Business Continuity Plans
  Backup / Archive Plans
  Retention Policies
  Destruction / Disposal Policy
  Transmission / Transportation Policy
  User Policy / Authentications
  Independent Audits / Assessments
  Plan of Action & Milestones

Page 10:

Controls

Technical, Logical, Physical – all families of protection come into play
  Comprehensive Plan
  Implementation of Plan
  3rd Party Validation of Plan - eValidated™

Physical Controls – Gates, Guns, Guards, Doors, & Locks
  If you have those then the hard work begins

Log Books – documentation of all events, prompt reporting

Training / Awareness – dust the cobwebs off; all professionals go to training to keep their skills up

Accountability – Personnel / Management

Page 11:

Independent Validation

HAVING NO PLANS IS NOT BETTER
Due diligence prevents lawsuits based upon negligence

LAWYERS HAVE IDENTIFIED THIS AS ANOTHER ASBESTOS HEYDAY FOR THEIR INDUSTRY
This time all businesses are in play – IT crosses all industries

Page 12:

Certified IT Auditors

Right Profession for the Right Engagement
ISACA – ANSI Accredited
  CISA
  CISM

Trained Professionals
  Security and Privacy separation of duties provides management with a check and balance

Globally Recognized Professionals
  Continuing Education Units

http://www.isaca.org

Page 13:

What it is Going to Cost You!

Penalties – Applicable Laws – vary, but are cumulative

Credit Monitoring Cost: $100 * 100K User Database = $10,000,000

Notification Cost: $0.41 * 100K User Database = $41,000

Required improvements: $5,000 - $100,000,000

Legal Defenses, Senior IT Professionals

This is for one minor database being lost!

Page 14:

More $$$$$$$$$$$$$$$$$$

Lawsuits – not only from individuals, but companies that have entrusted their information to you
  The sky is the limit – Tort Law prevails

Trained Professionals
  Over $100K per year, per professional – local business level
  U.S. Government pays over $250K per year, per professional
  Conservative Estimate, let's assume 400,000 specialists: $100,000,000,000 per year
  Based on 3,000,000 Federal (Non-DoD) employees by the Census Bureau (2005); i.e. DHS employs over 800K employees as of 2006

Page 15:

More $$$$$$$$$$$$$$$$$$

Business against Business – VISA, MasterCard, American Express; Healthcare Privacy Information retained

Consumers against Business – Clients

Lawyer growth industry – this will be an emerging trend for litigation and restitutions

Privacy tied to security solutions – Legal Ramifications on Two Fronts

Page 16:

Frontline Report

Old practices are what make it work
  Watching, all the time
  Awareness improves behavior, improves response times
  Accountability and Responsibility
  Independent Assessments – Regular basis

Technology
  Part of the solution
  Scales
  Provides Strong protections / authentication / logging
  Electronic Non-Repudiation

Page 17:

More News…

People – Biggest Exposure and Solution Component

Physical & Cyber Security
  Have got to work together
  Old perceptions and paradigms must be broken
  Jobs will not be replaced by technology

Security enables Privacy --> Privacy enables Trust --> Trust enables Business!

Page 18:

Open Mic

Contact Information (If you want a copy)

eValid8 Corporation
Phone: 866.465.6005
Fax: 410.465.9315
eMail: [email protected]

Page 19:

Where are those files?

Business Landscape

Page 20:

References

GAO Report – Identity Awareness http://www.gao.gov/new.items/d02766.pdf

President’s Strategic Plan http://www.ftc.gov/opa/2007/04/idtheft.shtm

U.S. Government Identity Theft Website http://www.idtheft.gov/

NIST IT Security Publications http://www.nist.gov/public_affairs/pubs.htm

Maryland Law http://mlis.state.md.us/2007RS/bills/sb/sb0194e.pdf