Post on 20-Aug-2015
transcript
Growing Identity Theft
Incidents of identity theft grew by 11 percent from 2008 to 2009, affecting the lives of 11 million Americans *
One in every 20 Americans will be a victim of identity theft this year *
* Javelin Strategy & Research 2010 Identity Fraud Survey Report
Agenda
•Overview of the Red Flags Rule and who must comply
•Learn how to enhance your data security practices
•Harmonize security controls across multiple mandates such as PCI DSS
•Monitor controls that the Federal Trade Commission mandates
•Effectively respond to red flags as they are identified
Today’s Speakers
Jeff Hughes, Director, Solution Marketing, Lumension
Brandon Dunlap, Managing Director of Research, Brightfly
What is the Red Flags Rule Regulation?
The red flags fall into five categories:
1. Alerts, notifications, or warnings from a consumer reporting agency
2. Suspicious documents
3. Suspicious personally identifying information (e.g., a suspicious address)
4. Unusual use of, or other suspicious activity relating to, a covered account
5. Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
Who Must Comply with the Red Flags Rule?
•Applies to “financial institutions” and “creditors”
» Financial Institution - a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.
» Creditor - organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.
Enforcement of Red Flags Rule
Compliance Deadline
•Anyone with “covered accounts” must be compliant as of June 1, 2010.
Audits
•The FTC can conduct investigations to determine if a business has taken appropriate steps to develop and implement a written Program, as required by the Rule. If a violation occurs, the FTC can bring an enforcement action.
Penalties for Non-Compliance
•The FTC can seek both monetary civil penalties and injunctive relief for violations.
•$3,500 is the maximum civil penalty per violation
•Additional costs could include:
» Civil suits
» Reporting and document retention requirements
» Compliance requirements imposed by court order
Red Flags Rule and Your Security Program
1. Identify
» Identify optimal controls to meet your policy requirements
2. Assess
» Assess technical, procedural, and physical controls
3. Remediate
» Prioritize and address technical and procedural control deficiencies
4. Manage
» Create operational and strategic visibility across compliance, IT risk and control environments
Enhancing Data Security Measures
1. Identify Relevant Red Flags
» Identify the red flags of identity theft you’re likely to come across in your business
2. Detect Red Flags
» Set up procedures to detect those red flags in your day-to-day operations
3. Prevent and Mitigate Identity Theft
» Respond to identified red flags to prevent and mitigate the harm done
4. Update your Program
» Keep your program current and educate your staff
» Design and implement a program that is appropriate for your organization’s size and complexity
Compliance and IT Risk Management Challenges
•Fragmented IT visibility
•Lack of regulatory knowledge
•Manual and disparate processes
•Misinterpretation of policies and controls
(Figure labels: HIPAA, PCI, SOX, Security Policy, Password Length, Special Characters, Excel, Manual Surveys, Database, Business Processes, IT Resources, Disparate Data Collection, Functional Silos, Non Standardized Processes)
Similar Requirements to Other Regulations
Requirements compared across the Red Flags Rule and PCI DSS:
•Train Staff to Recognize an Incident
•Security Awareness and Training
•Test and Update the Incident Response Plan
•Maintain Intrusion Detection and Incident Monitoring and Response Capabilities
•Manage Third-Party Services
•Report Monitoring Statistics and Follow-up to the Board of Directors
Solutions to Ensure Compliance and Improve Security
Lumension® Compliance and IT Risk Management
» Delivers a standardized Compliance and IT risk management framework
» Standardized interpretation of organizational policies and controls
» Improves IT risk and compliance visibility
» Reduces reliance on third party consulting and auditing resources
» Automates and integrates assessment and remediation processes and data
» Optimizes IT resources to proactively address IT risk and compliance exposure
(Figure: Compliance Management and IT Risk Management cycle: Identify, Assess, Remediate, Manage)
Benefits of Creating a “Playbook”
•Reduce manual and redundant efforts
•Deliver centralized visibility into your IT risk posture
•Efficient processes extend IT security/compliance budget
•Prioritize remediation against business impact
•Take cost savings and invest in the business to drive innovation
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com