Presentation - Cyber Security with a Twist
Transcription
Cyber Security With a Twist: Protecting Information in Market Actions
April 13, 2015

Moderator: Sue Stead, Nelson Brown & Co.
Speakers:
Holly Blanchard, Examination Resources, LLC
Bernd Breitenbach, Guardian Life Insurance Co.
Jon Brynga, Hanover Insurance Group
Jerry Link, INS Services, Inc.
Joy Morton, Virginia Bureau of Insurance

IRES Foundation 2015 National School on Market Regulation, Surfin’ the waves of Regulation | April 12-14, 2015 | Hilton La Jolla | San Diego, CA

Before the Exam
o Share your Company Cyber and IT Security Practices with the Regulators or consultants up front and request that they comply with them.
o Determine what information will be accessed through systems vs. paper or other media.
o Establish a contact point in IT/Information Security to work with Regulators/consultants on exams and help with technical issues.
o Determine whether you want to provide access to Company systems, networks, etc. and what hardware requirements are necessary. Make it clear to the regulator whether their laptops would have to undergo an IT Security scan before connecting to the Company networks/systems.
o Have dedicated company hardware and printers ready that can be substituted for the regulators' own equipment if they won’t subject their equipment to scans or it does not meet the required security protocols.
o Request that examiners refrain from any personal or non-business email while connected to company networks or email systems.

Communications
o Avoid sending anything containing Personally Identifiable Information (PII), such as flash drives or mailed diskettes, unless it is secured, encrypted or password protected.

During the Exam
o Provide a secure facility (locking room, locking cabinets) for regulators to leave laptops, flash drives, etc., so they don’t have to carry them back and forth unnecessarily.
o Where possible, use Secure Email Networks to send and provide PII in lieu of normal email. Where that is not possible, password protect all documents, spreadsheets, etc. that may contain PII.
o Request that regulators do not take any documentation containing PII out of the office during the course of the audit. Provide them with locking file cabinets and request that they leave any documents containing PII secured in the office.
o Provide examiners with a secure shredding bin for confidential information that is to be destroyed.

After the Exam
o Notify HTG to disable any passwords or access provided.
o Ask regulators to return any documentation containing PII.
o Continue to use Secure Email to share audit results.
o Make sure any published audit reports/findings do not contain PII, or that it is redacted by the DOI before publishing.
o Survey regulators or consultants on their experience and on any areas that need improvement.

Additional Considerations
o Communications from Company to Regulators: use Secure File Transfer Portals (SFTPs) to move encrypted and secured company data.
o Restrict examiners' direct access to Company legacy systems. Provide data extracts from the legacy systems instead and make that data available to examiners via accessible share drives.
o Ensure that security of Company data is baked into contracts with third party vendors:
  - At the front end, ensure the security of Company data at the time it is delivered to the vendor.
  - At the back end, ensure the security of Company data held by the vendor upon conclusion of the examination.

Data Security and Integrity for the Regulator
o Prior to the exam start date, discuss with the Company what processes, procedures, and technologies they would be comfortable with. They may already have technical solutions in place.
o Ensure devices (laptops) are encrypted with industry standard device encryption software.
o Utilize secured private cloud storage instead of transferring exam documents by mail on CDs and jump drives (not a public cloud such as Box). This increases security and efficiency while lowering the overall cost of the examination. Many of you may have already utilized the INS Sharefile environment.
o Minimize the use of private email domains (e.g. Gmail.com, Yahoo.com), especially when transmitting examination documents, since those emails are not encrypted.
o If utilizing a hosted TeamMate environment, ensure it is physically located in a datacenter whose power and network redundancies and backup, DR, and CEM plans are inherited, especially when engaging a third party vendor.
o Ensure all of these standards are required of all third party vendors.
o Review NIST standards for a better understanding of data security requirements.

THANK YOU