CYBER 2015 INSIGHTS & RESOURCES
Presented at the RANE Insights Series

TABLE OF CONTENTS
Checklists
Viewpoints
Podcasts
Weekly News Briefs (Stroz Friedberg Weekly “CYBER BRIEF” in association with THE CENTER ON NATIONAL SECURITY AT FORDHAM LAW)
About Us
CHECKLISTS

Incident Response Data Breach Checklist
©2015 Stroz Friedberg. All rights reserved.
www.strozfriedberg.com
Stroz Friedberg is a global leader in investigations, intelligence and risk management.
Preparedness Plan
[ ] Create your data breach response plan and team
[ ] Define team roles and responsibilities
[ ] Outline steps necessary in the first 72 hours
[ ] Establish clear action-items and checklists to keep parties focused
[ ] Train staff to identify and report breaches
[ ] Consult security experts to audit and review your current security assessment
[ ] Examine third parties’ security protocols
[ ] Track fast-changing data breach laws, privacy rules and notification mandates
[ ] Encrypt sensitive data
[ ] Map locations of critical data
[ ] Restrict access to information on a “need to know” basis
[ ] Review employee lists and purge old user accounts
[ ] Follow a data retention policy with a plan to destroy or dispose of unneeded data
[ ] Identify and secure computer systems’ vulnerabilities like common attack vectors
[ ] Implement appropriate electronic and physical security

Incident Response Plan
[ ] Seek expert forensic advice on the nature and scale of the incident
[ ] Ensure data is no longer being compromised
[ ] Secure all data and systems
[ ] Isolate and preserve compromised data
[ ] Leave the computers’ power on; disconnect from the network if possible
[ ] Identify the types of compromised data, affected parties, and scope of the breach
[ ] Attempt to retrieve or neutralize compromised data
[ ] Change encryption keys and passwords immediately
[ ] Identify the time frame for who needs to be contacted and how
[ ] Adhere to regulatory notification mandates and coinciding timeframes
[ ] Document your work
[ ] Determine when the clock starts ticking for potential notification rules
[ ] Consider notifying law enforcement, if you suspect criminal activity

Post Assessment & Action Plan
[ ] Assess gaps and evaluate effectiveness of plans, procedures and staff training
[ ] Adjust security and response plans and processes; communicate and train accordingly
[ ] Stay current; test your plan often and remain aware of changing threats and laws
[ ] Maintain a breach report in accordance with regulatory standards
[ ] Continue to restore customer relations, monitor crisis communications, and if applicable, evaluate effectiveness of identity fraud monitoring vendors
Incident Response PCI Data Breach Checklist
WHEN THE CLOCK IS TICKING

Within the First 48 Hours
[ ] Immediately report the suspected or confirmed loss or theft of cardholder data to the card brands.
[ ] Within the first 36 hours, perform an initial investigation and provide written documentation to the card brands, which must include the steps taken to contain the incident.
[ ] Within the first 48 hours, advise the card brands whether the entity was in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and, if applicable, the PCI Payment Application Data Security Standard (PA-DSS) and PCI PIN Security requirements at the time of the incident, and provide appropriate proof.

Upon Receipt of Notification of Mandatory Forensic Investigation
[ ] Within 5 business days: identify the PCI Forensic Investigator (PFI). The list of approved PFIs is published at https://www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php
[ ] Within 10 business days: ensure that the PFI is engaged or the contract is signed.
[ ] Within 5 business days from the date of the signed PFI contract: the PFI must be on site to begin conducting the forensic investigation.
[ ] Hire an independent forensic examiner and request copies of the forensic images collected by the PFI.

PFI Deadlines
[ ] Within 5 days from the start of the on-site review: the PFI provides a preliminary forensic report to the card brands.
[ ] Within 10 business days from the completion of the review: the PFI provides a final forensic report to the card brands.

How an Independent Forensic Examiner Can Help
[ ] An independent analysis of the forensic images can identify possible technical errors or omissions in the PFI’s draft reports; these independent findings can influence the PFI’s final report.
[ ] Deconstruct malware to identify its capabilities and indicators of compromise (IOCs); the IOCs feed the ongoing forensic analysis and containment efforts.
[ ] Provide greater clarity on the meaning and intent of PCI DSS requirements.
[ ] Assist with development of a remediation plan. The card brands require a remediation plan with implementation dates within 5 business days of receiving the PFI’s final forensic report.
[ ] Conduct network scans for IOCs specific to the incident in order to identify and remediate other potentially compromised hosts.
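The stages of the PCI checklist above form a single timeline whose later deadlines are triggered by dates that are only known as the engagement progresses. The following is an added example, not Stroz Friedberg tooling, that turns the stated intervals into concrete due-by times and flags milestones already past; it assumes "business days" means Monday to Friday minus any holidays the caller supplies, and that a date-only deadline is due by the end of that day. The scenario dates in example_timeline() are constructed.

```python
"""Deadline tracker for the PCI data breach checklist timeline (added example)."""
from datetime import date, datetime, time, timedelta
from typing import Iterable, List, Optional, Tuple


def add_business_days(start: date, n: int, holidays: Iterable[date] = ()) -> date:
    """Date that is n business days (Mon-Fri, excluding supplied holidays) after start."""
    skip = set(holidays)
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in skip:
            n -= 1
    return d


def _end_of_day(d: date) -> datetime:
    """A deadline given only as a date is treated as due by the end of that day."""
    return datetime.combine(d, time.max)


def pci_breach_deadlines(
    discovered: datetime,
    pfi_notified: Optional[date] = None,
    contract_signed: Optional[date] = None,
    onsite_start: Optional[date] = None,
    review_completed: Optional[date] = None,
    final_report_received: Optional[date] = None,
    holidays: Iterable[date] = (),
) -> List[Tuple[str, datetime]]:
    """Ordered (milestone, due-by) pairs for every stage whose trigger date is known.

    Stages without a trigger date yet are omitted, so the tracker can simply be
    re-run each time the engagement moves forward.
    """
    hols = set(holidays)

    def bd(start: date, n: int) -> datetime:
        return _end_of_day(add_business_days(start, n, hols))

    out: List[Tuple[str, datetime]] = [
        ("Report loss/theft of cardholder data to card brands", discovered),
        ("Initial investigation and written containment documentation to card brands",
         discovered + timedelta(hours=36)),
        ("Advise card brands of PCI DSS / PA-DSS / PIN compliance status, with proof",
         discovered + timedelta(hours=48)),
    ]
    if pfi_notified:
        out.append(("Identify the PCI Forensic Investigator (PFI)", bd(pfi_notified, 5)))
        out.append(("PFI engaged / contract signed", bd(pfi_notified, 10)))
    if contract_signed:
        out.append(("PFI on site to begin the investigation", bd(contract_signed, 5)))
    if onsite_start:
        # The checklist says "5 days" here rather than business days: calendar days.
        out.append(("PFI preliminary report to card brands",
                    _end_of_day(onsite_start + timedelta(days=5))))
    if review_completed:
        out.append(("PFI final report to card brands", bd(review_completed, 10)))
    if final_report_received:
        out.append(("Remediation plan with implementation dates to card brands",
                    bd(final_report_received, 5)))
    return out


def overdue(deadlines: List[Tuple[str, datetime]], now: datetime) -> List[str]:
    """Milestones whose due-by time has already passed as of `now`."""
    return [name for name, due in deadlines if due < now]


def example_timeline() -> List[Tuple[str, datetime]]:
    """Constructed scenario: breach discovered Wed 11 Feb 2015 09:00, with later
    trigger dates chosen so that every stage of the checklist is exercised."""
    return pci_breach_deadlines(
        discovered=datetime(2015, 2, 11, 9, 0),
        pfi_notified=date(2015, 2, 16),
        contract_signed=date(2015, 2, 20),
        onsite_start=date(2015, 2, 25),
        review_completed=date(2015, 3, 6),
        final_report_received=date(2015, 3, 20),
    )


if __name__ == "__main__":
    for name, due in example_timeline():
        print(f"{due:%Y-%m-%d %H:%M}  {name}")
```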
HIGHLIGHTS & INSIGHTS for In-House Counsel

“A Nuanced Approach to Complex Privacy Breaches” – Top Tips & Tactics
Extracted from the Stroz Friedberg sponsored panel at the Association of Corporate Counsel 2014 Annual Meeting; helping in-house counsel better prepare for and respond more effectively to a potential breach:

Practice Response Planning - IN-HOUSE COUNSEL PRO TIP:
“One plan is not enough. Different factual scenarios will implicate different laws and individuals inside the organization. Explore how your response will need to change if, for example, vendors were involved, if external hackers are suspected, or if the alert has been caused by a disgruntled employee or by the loss of a device. How you learned about the lapse can also affect your company’s reaction. Were you informed by IT? By law enforcement? By the press? By a customer? You need to know how to react to all of these eventualities.”

Have Your Team Ready - IN-HOUSE COUNSEL PRO TIP:
“Breach response is a very niche area; your company network and processes are unique; and time is against you. So train your team in advance. You don’t want them learning on the job. You don’t have the time or the dollars to burn.”

Let the Law Guide You - OUTSIDE EXPERT PRO TIP:
“Breach management is a mammoth task, but the law can help regulate the scope and structure of response. Legal professionals and privacy experts should work together to pinpoint what local and international laws and regulations apply to the incident. Laws differ based on breach specifics, like the industry implicated in the event, the countries involved and exact U.S. states in which the individual customer victims reside, the type of information accessed, and how this information was protected inside the network. Identifying what laws apply will focus the response team on accomplishing a clear set of obligations and will mitigate the risk of adding insult to injury with additional fines.”

Compose a Data Map - OUTSIDE EXPERT PRO TIP:
“Save money and time by approaching this effort in an 80/20 way. It’s too great a challenge to track down every piece of sensitive information, but you should know where the big buckets are stored. One trick of the trade is to reach out to the executive assistants who have been at the company for many years. There is a difference between where files are supposed to be kept, and where they actually are—and these individuals are the experts in this department.”

Conduct a Risk Assessment BEFORE a Breach Hits - IN-HOUSE COUNSEL PRO TIP:
“A pretty-on-paper security assessment won’t prove to regulators that you’re managing risk, nor will it effectively find weaknesses. The exploration must go deep; it must work. Bring in a third-party to help.”

Pinpoint the Relevant Date of Discovery - IN-HOUSE COUNSEL PRO TIP:
“Don’t pick a date you think the authorities want to hear. No matter what date is selected, that date is going to be under scrutiny from regulators. So be sure to have a principled legal analysis for it.”

Investigative Realities Should Drive Messaging - OUTSIDE EXPERT PRO TIP:
“Memorize this response to help curb relentless and skeptical inquirers: ‘We are moving quickly to preserve the evidence and gather the facts in this matter. We take this matter seriously and are conducting a thorough investigation. We will let you know when we have more [helpful] information to report.’”

©2014 Stroz Friedberg. All rights reserved.
VIEWPOINTS

The Enemies of Data Security: Convenience and Collaboration
CARL S. YOUNG | MANAGING DIRECTOR
Article originally appeared in Harvard Business Review, February 11, 2015
It is natural to view IT as both the cause and the cure for cyber security problems. After all, attackers typically steal information by exploiting a technology-related vulnerability. In addition, IT networks are usually the scene of the crime, and their inner workings are a mystery to most users and therefore a focus of suspicion. It is also tempting to believe that using sophisticated security devices alone will offer protection from cyber threats. However, such a view ignores fundamental drivers of information security risk: organizational culture and the behaviors that result from it.

Two aspects of a company’s culture have outsized effects on the security of its information: the organization’s tolerance for inconvenience and the degree of collaboration across business units and among employees.

Security and convenience are inversely related. The greater the security provided by a control, the less convenient it is for affected individuals. For example, just as adding locks requires extra keys, increasing password complexity results in additional memorization and typing. An organization’s willingness to tolerate inconvenience has a profound effect on the security of its information.

Importantly, its most senior employees, the leaders who define and shape the organization’s culture, often have the lowest tolerance for inconvenience. An extreme example I encountered was a prestigious law firm where the senior partners refused to use passwords! To quote David Halberstam writing about political leaders, “They were brilliant and they were fools.”

A culture of failing to make security measures a priority is a particular problem in mission-driven organizations. Activities that contribute in obvious and direct ways to the mission are automatically prioritized over practices that are viewed as irrelevant — or as impediments — to it. In such cultures, employees often have tacit, if not explicit, approval to deploy the most expedient information management solution to the exclusion of more secure but less convenient alternatives. What makes these companies successful, the strength of their commitment to the mission, also puts them at risk.

Organizations that operate as a collection of independent business units have a different cultural problem relative to information security. They may be structured this way because they have grown through acquisition or because their business models or customers differ from one another. Either way, it can be difficult to maintain communication and consistent standards in these organizations. This can result in disjointed security solutions that are difficult to manage, thereby increasing risk.

That said, organizations with collaborative cultures are also prone to high-risk information management practices. For example, academic institutions actively encourage “promiscuous” behavior to promote knowledge sharing. Even sophisticated technology companies are not immune as their youthful cultures tend to resist information technology restrictions.

In the event of a data breach, the IT department is usually blamed for failing to control the security of the organization’s information, when in fact the prevailing culture throughout the organization has undermined IT’s risk-management efforts. There’s a structural problem as well: the IT department is often responsible for both technology implementation and IT security governance, a situation that often puts IT staff in invidious positions and represents an inherent conflict of interest.
The Enemies of Data Security: Convenience and Collaboration (continued)
Given the cultural drivers of information security risk, how can organizations be more effective in addressing the spectrum of cyber threats that exist today?

Changing an organization’s culture is admittedly not easy. This is especially true if the very features that have contributed to its historical success also put it at risk. The answer is not to destroy the existing culture, but rather to infuse security into the organizational DNA and to support those responsible for implementing secure technology solutions in spite of encumbrances that result from user inconvenience. Importantly, the message must emanate from the top, and senior executives must lead by example.

The good news is that measurements can be made that will yield meaningful if coarse data about the security culture and how resistance to basic security controls is changing over time.

First, periodically testing the user population on the contents of the information security policy is a direct measurement of the effectiveness of security governance. This policy should be simple, non-technical, risk-based, aggressively disseminated, and demonstrably assimilated across the organization. An enterprise information security policy is essential to a strategic approach to managing information security risk as it specifies the ground rules for proper employee behavior and aligns disparate businesses with the organization’s overarching security strategy.

The information security policy should be linked to a set of technical and operational standards based on the actual risks to the business and formulated by subject matter experts. The policy dictates what security processes are required, and standards indicate how such processes must be implemented and followed.

Second, measuring password resilience is a good if indirect indicator of the prevailing culture. If passwords are easily cracked or are not regularly changed, then either the culture as reflected in policy is too tolerant or users are at liberty to disobey the policy. In general, the quality and staleness of passwords tell a lot about whether security or convenience is the dominant cultural theme.

Information security affects, and is affected by, all individuals in an organization, and seemingly trivial errors by a single user can have existential consequences. In the end, what’s most important is that employees believe that by complying with information security standards and policy they are reinforcing their organization’s culture, rather than undermining it.
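The password-staleness measurement the article proposes as a culture indicator can be computed from nothing more than periodic directory exports. The following is an added example, not the author's or Stroz Friedberg's code, that scores each snapshot by the share of accounts whose password is older than the policy maximum and then reads the trend across snapshots; the snapshots, account names and the 90-day policy are constructed assumptions.

```python
"""Password staleness as a coarse security-culture metric (added example)."""
from datetime import date
from typing import Dict, List, Sequence, Tuple

# Constructed quarterly snapshots: username -> date of last password change.
# In practice this comes from a directory export (e.g. a pwdLastSet dump).
SNAPSHOTS: List[Tuple[date, Dict[str, date]]] = [
    (date(2015, 1, 1), {"alice": date(2014, 12, 20), "bob": date(2014, 3, 1),
                        "carol": date(2013, 11, 5), "dave": date(2014, 9, 30)}),
    (date(2015, 4, 1), {"alice": date(2015, 3, 15), "bob": date(2014, 3, 1),
                        "carol": date(2015, 2, 1), "dave": date(2014, 9, 30)}),
    (date(2015, 7, 1), {"alice": date(2015, 6, 1), "bob": date(2015, 5, 20),
                        "carol": date(2015, 2, 1), "dave": date(2015, 4, 10)}),
]
MAX_AGE_DAYS = 90  # assumed policy: passwords must be changed at least every 90 days


def stale_accounts(snapshot: Dict[str, date], as_of: date,
                   max_age_days: int = MAX_AGE_DAYS) -> List[str]:
    """Accounts whose password, on `as_of`, is older than the policy maximum."""
    return sorted(user for user, changed in snapshot.items()
                  if (as_of - changed).days > max_age_days)


def stale_fraction(snapshot: Dict[str, date], as_of: date,
                   max_age_days: int = MAX_AGE_DAYS) -> float:
    """Share of accounts out of policy; an empty snapshot scores 0.0 rather than failing."""
    if not snapshot:
        return 0.0
    return len(stale_accounts(snapshot, as_of, max_age_days)) / len(snapshot)


def staleness_trend(snapshots: Sequence[Tuple[date, Dict[str, date]]],
                    max_age_days: int = MAX_AGE_DAYS) -> List[Tuple[date, float]]:
    """Stale fraction per snapshot, in snapshot order."""
    return [(as_of, stale_fraction(snap, as_of, max_age_days)) for as_of, snap in snapshots]


def is_improving(trend: Sequence[Tuple[date, float]]) -> bool:
    """True when no snapshot is worse than the one before it, i.e. the policy is taking hold."""
    values = [fraction for _, fraction in trend]
    return all(later <= earlier for earlier, later in zip(values, values[1:]))


if __name__ == "__main__":
    for as_of, fraction in staleness_trend(SNAPSHOTS):
        print(f"{as_of}: {fraction:.0%} of accounts past {MAX_AGE_DAYS} days")
    print("improving" if is_improving(staleness_trend(SNAPSHOTS)) else "not improving")
```

A rising series on this metric points at the tolerant-culture problem the article describes, whichever of its two causes (a lax policy or users free to ignore it) is behind it.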
CARL S. YOUNG is a former senior executive in the FBI and global head of security technology at Goldman Sachs. He is currently a Managing Director at Stroz Friedberg, LLC, and is the author of Metrics and Methods for Security Risk Management and The Science and Technology of Counterterrorism: Measuring Physical and Electronic Security Risk.
PODCASTS
The Business of Truth PODCAST

Episode 2: “When Corporate Culture Threatens Data Security”
Exposing a little known cyber security reality. Episode 2 of the inaugural Stroz Friedberg podcast series, The Business of Truth, shines a light on the greatest driver of cyber security risk: a company’s culture and behaviors.
This talk upends a widespread notion that IT alone is responsible for ensuring information security by explaining what IT’s role should be, and what it really means to infuse security into an organization. Listen and discover how striking the right balance between security and risk-taking in your organization can better enable a thriving business.

Episode 1: “The New Cyber Threat Landscape”
Cyber warfare, legislative gridlock and ethical hacking: Eric Friedberg, Executive Chairman, Stroz Friedberg, delves into all of these hot-button topics in “The New Cyber Threat Landscape”, Episode 1 of the inaugural Stroz Friedberg podcast series, The Business of Truth.
Listen to on-the-ground cyber combat views into 2015’s likely greatest cyber threats, plus insight on why we haven’t had a “Cyber Pearl Harbor,” …yet. What’s more, you will hear take-away tactics for better securing a company’s information and assets, and thus its reputation, in an increasingly perilous digital business world.
WEEKLY NEWS BRIEFS

Stroz Friedberg Weekly “CYBER BRIEF” in association with THE CENTER ON NATIONAL SECURITY AT FORDHAM LAW
Receive valuable weekly CYBER news related to data breaches, security, legislative matters, plus the public and private sectors.
SUBSCRIBE: www.centeronnationalsecurity.org/cyberbriefs
ABOUT US

About Stroz Friedberg, LLC
Founded in 2000, Stroz Friedberg is a global leader in investigations, intelligence, and risk services. It provides expertise in digital forensics, forensic accounting, cybercrime and incident response, security science, compliance, due diligence, data discovery and analytics. Working at the intersection of technology, investigations, regulatory governance and behavioral science, the company is driven by a core purpose—seeking truth so clients can find the assurance and answers they need to move forward with certainty.
With offices across nine U.S. cities, plus London, Hong Kong and Zürich, Stroz Friedberg assists in managing critical risk for Fortune 100 companies as well as 80% of the AmLaw 100 and the Top 20 UK law firms.
Learn more at www.strozfriedberg.com.

©2015 Stroz Friedberg. All rights reserved.