CYBER 2015 INSIGHTS & RESOURCES

Presented at the RANE Insights Series


TABLE OF CONTENTS

About Us
Weekly News Briefs: Stroz Friedberg Weekly “CYBER BRIEF” in association with THE CENTER ON NATIONAL SECURITY AT FORDHAM LAW
Checklists

INCIDENT RESPONSE: Data Breach Checklist

CHECKLIST

©2015 Stroz Friedberg. All rights reserved. www.strozfriedberg.com
Stroz Friedberg is a global leader in investigations, intelligence and risk management.

Preparedness Plan

☐ Create your data breach response plan and team
☐ Define team roles and responsibilities
☐ Outline steps necessary in the first 72 hours
☐ Establish clear action-items and checklists to keep parties focused
☐ Train staff to identify and report breaches
☐ Consult security experts to audit and review your current security assessment
☐ Examine third parties’ security protocols
☐ Track fast-changing data breach laws, privacy rules and notification mandates
☐ Encrypt sensitive data
☐ Map locations of critical data
☐ Restrict access to information on a “need to know” basis
☐ Review employee lists and purge old user accounts
☐ Follow a data retention policy with a plan to destroy or dispose of unneeded data
☐ Identify and secure computer systems’ vulnerabilities like common attack vectors
☐ Implement appropriate electronic and physical security

Incident Response Plan

☐ Seek expert forensic advice on the nature and scale of the incident
☐ Ensure data is no longer being compromised
☐ Secure all data and systems
☐ Isolate and preserve compromised data
☐ Leave the computers’ power on; disconnect from the network if possible
☐ Identify the types of compromised data, affected parties, and scope of the breach
☐ Attempt to retrieve or neutralize compromised data
☐ Change encryption keys and passwords immediately
☐ Identify the time frame for who needs to be contacted and how
☐ Adhere to regulatory notification mandates and coinciding timeframes
☐ Document your work
☐ Determine when the clock starts ticking for potential notification rules
☐ Consider notifying law enforcement, if you suspect criminal activity

Post Assessment & Action Plan

☐ Assess gaps and evaluate effectiveness of plans, procedures and staff training
☐ Adjust security and response plans and processes; communicate and train accordingly
☐ Stay current; test your plan often and remain aware of changing threats and laws
☐ Maintain a breach report in accordance with regulatory standards
☐ Continue to restore customer relations, monitor crisis communications, and if applicable, evaluate effectiveness of identity fraud monitoring vendors

INCIDENT RESPONSE: PCI Data Breach Checklist

WHEN THE CLOCK IS TICKING

Within the First 48 Hours

☐ Immediately report the suspected/confirmed loss or theft of cardholder data to the card brands.
☐ Within the first 36 hours, perform an initial investigation and provide written documentation to the card brands, which must include the steps taken to contain the incident.
☐ Within the first 48 hours, advise the card brands whether the entity was in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and, if applicable, the PCI Payment Application Data Security Standard (PA-DSS) and PCI PIN Security requirements at the time of the incident, and provide appropriate proof.

Upon Receipt of Notification of Mandatory Forensic Investigation

☐ Within 5 business days: identify the PCI Forensic Investigator (PFI). For a list of approved PFIs, visit https://www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php
☐ Within 10 business days: ensure that the PFI is engaged or the contract is signed.
☐ Within 5 business days from the date of the signed PFI contract: the PFI must be on site to begin conducting the forensic investigation.
☐ Hire an independent forensic examiner and request copies of the forensic images collected by the PFI.

PFI Deadlines

☐ Within 5 days from the start of the on-site review: the PFI provides a preliminary forensic report to the card brands.
☐ Within 10 business days from the completion of the review: the PFI provides a final forensic report to the card brands.

How an Independent Forensic Examiner Can Help

☐ An independent analysis of the forensic images can identify possible technical errors or omissions in the PFI’s draft reports; these independent findings can potentially influence the PFI’s final report.
☐ Deconstruct malware to identify its capabilities and indicators of compromise (IOCs); the IOCs are leveraged during the ongoing forensic analysis and containment efforts.
☐ Provide greater clarification on the meaning and intent of PCI DSS requirements.
☐ Assist with development of a remediation plan. A remediation plan with implementation dates is required by the card brands within 5 business days after receiving the PFI’s final forensic report.
☐ Conduct network scans for IOCs specific to the incident in order to identify and remediate other potentially compromised hosts.
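The timeline above is a chain of deadlines, some measured in hours from discovery and some in business days from a later milestone, and the one thing an incident lead needs on day one is the full set of due dates. The script below is an added example written for this page (it is not Stroz Friedberg’s or the PCI Security Standards Council’s own tooling); it turns each obligation into a due date from the milestones reached so far and flags the ones already past. It assumes that “business days” are Monday to Friday, skipping any holidays the caller supplies, that the 5-day window for the PFI’s preliminary report is calendar days as written, and that all timestamps are naive datetimes in the entity’s local time. The sample milestone dates are constructed.

```python
"""Deadline tracker for the PCI data-breach timeline above (added example).

Assumptions, none of which come from the checklist itself:
- "business days" are Monday to Friday, skipping any holidays passed in;
- the "5 days" for the PFI preliminary report are calendar days, as written;
- all timestamps are naive datetimes in the entity's local time.
"""
from datetime import date, datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Union

Due = Union[date, datetime]


def add_business_days(start: date, n: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Return the date n business days after start, skipping weekends and holidays."""
    if n < 0:
        raise ValueError("n must be non-negative")
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def pci_breach_deadlines(discovered: datetime,
                         investigation_notice: Optional[date] = None,
                         pfi_contract_signed: Optional[date] = None,
                         onsite_start: Optional[date] = None,
                         review_completed: Optional[date] = None,
                         final_report_received: Optional[date] = None,
                         holidays: FrozenSet[date] = frozenset()) -> Dict[str, Due]:
    """Map each checklist obligation to its due date.

    Milestones that have not happened yet are left as None and the deadlines
    that depend on them are omitted, so the plan can be recomputed as the
    incident progresses. Hour-based deadlines are datetimes; day-based ones
    are dates and are treated as due at the end of that day.
    """
    plan: Dict[str, Due] = {
        "report_loss_to_card_brands": discovered,                      # immediately
        "initial_investigation_documented": discovered + timedelta(hours=36),
        "compliance_status_advised": discovered + timedelta(hours=48),
    }
    if investigation_notice is not None:
        plan["pfi_identified"] = add_business_days(investigation_notice, 5, holidays)
        plan["pfi_engaged"] = add_business_days(investigation_notice, 10, holidays)
    if pfi_contract_signed is not None:
        plan["pfi_on_site"] = add_business_days(pfi_contract_signed, 5, holidays)
    if onsite_start is not None:
        plan["pfi_preliminary_report"] = onsite_start + timedelta(days=5)
    if review_completed is not None:
        plan["pfi_final_report"] = add_business_days(review_completed, 10, holidays)
    if final_report_received is not None:
        plan["remediation_plan_due"] = add_business_days(final_report_received, 5, holidays)
    return plan


def overdue(plan: Dict[str, Due], now: datetime) -> List[str]:
    """Obligations whose due date has already passed as of `now`, sorted by name."""
    late = []
    for name, due in plan.items():
        # datetime is a subclass of date, so test the more specific type first.
        if not isinstance(due, datetime):
            due = datetime.combine(due, datetime.max.time())
        if now > due:
            late.append(name)
    return sorted(late)


if __name__ == "__main__":
    # Constructed sample incident: discovered on a Friday morning; the card
    # brands send the mandatory-investigation notice a week later.
    found = datetime(2015, 2, 6, 9, 0)
    plan = pci_breach_deadlines(found, investigation_notice=date(2015, 2, 13))
    for name, due in plan.items():
        print(f"{name:34s} {due}")
    print("overdue as of 2015-02-21:", overdue(plan, datetime(2015, 2, 21, 12, 0)))
```

Re-run the function each time a milestone is reached (contract signed, PFI on site, review complete) rather than filling in projected dates, so the plan only ever contains deadlines that are actually running.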

A Nuanced Approach to Complex Privacy Breaches: Top Tips & Tactics

“A Nuanced Approach to Complex Privacy Breaches” TOP TIPS & TACTICS, extracted from the Stroz Friedberg sponsored panel at the Association of Corporate Counsel 2014 Annual Meeting; helping in-house counsel better prepare for and respond more effectively to a potential breach:

©2014 Stroz Friedberg. All rights reserved.

HIGHLIGHTS & INSIGHTS for In-House Counsel

Practice Response Planning - IN-HOUSE COUNSEL PRO TIP:
“One plan is not enough. Different factual scenarios will implicate different laws and individuals inside the organization. Explore how your response will need to change if, for example, vendors were involved, if external hackers are suspected, or if the alert has been caused by a disgruntled employee or by the loss of a device. How you learned about the lapse can also affect your company’s reaction. Were you informed by IT? By law enforcement? By the press? By a customer? You need to know how to react to all of these eventualities.”

Have Your Team Ready - IN-HOUSE COUNSEL PRO TIP:
“Breach response is a very niche area; your company network and processes are unique; and time is against you. So train your team in advance. You don’t want them learning on the job. You don’t have the time or the dollars to burn.”

Let the Law Guide You - OUTSIDE EXPERT PRO TIP:
“Breach management is a mammoth task, but the law can help regulate the scope and structure of response. Legal professionals and privacy experts should work together to pinpoint what local and international laws and regulations apply to the incident. Laws differ based on breach specifics, like the industry implicated in the event, the countries involved and exact U.S. states in which the individual customer victims reside, the type of information accessed, and how this information was protected inside the network. Identifying what laws apply will focus the response team on accomplishing a clear set of obligations and will mitigate the risk of adding insult to injury with additional fines.”

Compose a Data Map - OUTSIDE EXPERT PRO TIP:
“Save money and time by approaching this effort in an 80/20 way. It’s too great a challenge to track down every piece of sensitive information, but you should know where the big buckets are stored. One trick of the trade is to reach out to the executive assistants who have been at the company for many years. There is a difference between where files are supposed to be kept, and where they actually are—and these individuals are the experts in this department.”

Conduct a Risk Assessment BEFORE a Breach Hits - IN-HOUSE COUNSEL PRO TIP:
“A pretty-on-paper security assessment won’t prove to regulators that you’re managing risk, nor will it effectively find weaknesses. The exploration must go deep; it must work. Bring in a third-party to help.”

Pinpoint the Relevant Date of Discovery - IN-HOUSE COUNSEL PRO TIP:
“Don’t pick a date you think the authorities want to hear. No matter what date is selected, that date is going to be under scrutiny from regulators. So be sure to have a principled legal analysis for it.”

Investigative Realities Should Drive Messaging - OUTSIDE EXPERT PRO TIP:
“Memorize this response to help curb relentless and skeptical inquirers: ‘We are moving quickly to preserve the evidence and gather the facts in this matter. We take this matter seriously and are conducting a thorough investigation. We will let you know when we have more [helpful] information to report.’”


PODCASTS: The Business of Truth

Episode 2: “When Corporate Culture Threatens Data Security”

Exposing a Little Known Cyber Security Reality... Episode 2 of the inaugural Stroz Friedberg podcast series, The Business of Truth, shines a light on the greatest driver of cyber security risk: a company’s culture and behaviors. This talk upends a widespread notion that IT alone is responsible for ensuring information security by explaining what IT’s role should be, and what it really means to infuse security into an organization. Listen and discover how striking the right balance between security and risk-taking in your organization can better enable a thriving business.

Episode 1: “The New Cyber Threat Landscape” (Cyber Warfare, Legislative Gridlock & Ethical Hacking)

Cyber Warfare, Legislative Gridlock, & Ethical Hacking... Eric Friedberg, Executive Chairman, Stroz Friedberg, delves into all of these hot-button topics in “The New Cyber Threat Landscape” — Episode 1 of the inaugural Stroz Friedberg podcast series, The Business of Truth. Listen to on-the-ground cyber combat views into 2015’s likely greatest cyber threats, plus insight on why we haven’t had a “Cyber Pearl Harbor,” …yet. What’s more, you will hear take-away tactics for better securing a company’s information and assets, and thus its reputation, in an increasingly perilous digital business world.

© 2015 Stroz Friedberg. All rights reserved. www.strozfriedberg.com


The Enemies of Data Security: Convenience and Collaboration

CARL S. YOUNG | MANAGING DIRECTOR

Article Originally Appeared in Harvard Business Review, February 11, 2015

It is natural to view IT as both the cause and the cure for cyber security problems. After all, attackers typically steal information by exploiting a technology-related vulnerability. In addition, IT networks are usually the scene of the crime, and their inner workings are a mystery to most users and therefore a focus of suspicion. It is also tempting to believe that using sophisticated security devices alone will offer protection from cyber threats. However, such a view ignores fundamental drivers of information security risk: organizational culture and the behaviors that result from it.

Two aspects of a company’s culture have outsized effects on the security of its information: the organization’s tolerance for inconvenience and the degree of collaboration across business units and among employees.

Security and convenience are inversely related. The greater the security provided by a control, the less convenient it is for affected individuals. For example, just as adding locks requires extra keys, increasing password complexity results in additional memorization and typing. An organization’s willingness to tolerate inconvenience has a profound effect on the security of its information.

Importantly, its most senior employees, the leaders who define and shape the organization’s culture, often have the lowest tolerance for inconvenience. An extreme example I encountered was a prestigious law firm where the senior partners refused to use passwords! To quote David Halberstam writing about political leaders, “They were brilliant and they were fools.”

A culture of failing to make security measures a priority is a particular problem in mission-driven organizations. Activities that contribute in obvious and direct ways to the mission are automatically prioritized over practices that are viewed as irrelevant — or as impediments — to it. In such cultures, employees often have tacit, if not explicit, approval to deploy the most expedient information management solution to the exclusion of more secure but less convenient alternatives. What makes these companies successful, the strength of their commitment to the mission, also puts them at risk.

Organizations that operate as a collection of independent business units have a different cultural problem relative to information security. They may be structured this way because they have grown through acquisition or because their business models or customers differ from one another. Either way, it can be difficult to maintain communication and consistent standards in these organizations. This can result in disjointed security solutions that are difficult to manage, thereby increasing risk.

That said, organizations with collaborative cultures are also prone to high-risk information management practices. For example, academic institutions actively encourage “promiscuous” behavior to promote knowledge sharing. Even sophisticated technology companies are not immune as their youthful cultures tend to resist information technology restrictions.

In the event of a data breach, the IT department is usually blamed for failing to control the security of the organization’s information, when in fact the prevailing culture throughout the organization has undermined IT’s risk-management efforts. There’s a structural problem as well: the IT department is often responsible for both technology implementation and IT security governance, a situation that often puts IT staff in invidious positions and represents an inherent conflict of interest.


Given the cultural drivers of information security risk, how can organizations be more effective in addressing the spectrum of cyber threats that exist today?

Changing an organization’s culture is admittedly not easy. This is especially true if the very features that have contributed to its historical success also put it at risk. The answer is not to destroy the existing culture, but rather to infuse security into the organizational DNA and to support those responsible for implementing secure technology solutions in spite of encumbrances that result from user inconvenience. Importantly, the message must emanate from the top, and senior executives must lead by example.

The good news is that measurements can be made that will yield meaningful if coarse data about the security culture and how resistance to basic security controls is changing over time.

First, periodically testing the user population on the contents of the information security policy is a direct measurement of the effectiveness of security governance. This policy should be simple, non-technical, risk-based, aggressively disseminated, and demonstrably assimilated across the organization. An enterprise information security policy is essential to a strategic approach to managing information security risk as it specifies the ground rules for proper employee behavior and aligns disparate businesses with the organization’s overarching security strategy.

The information security policy should be linked to a set of technical and operational standards based on the actual risks to the business and formulated by subject matter experts. The policy dictates what security processes are required, and standards indicate how such processes must be implemented and followed.

Second, measuring password resilience is a good if indirect indicator of the prevailing culture. If passwords are easily cracked or are not regularly changed, then either the culture as reflected in policy is too tolerant or users are at liberty to disobey the policy. In general, the quality and staleness of passwords tell a lot about whether security or convenience is the dominant cultural theme.
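The staleness half of that measurement can be taken directly from a directory export, and repeating it across snapshots gives the “changing over time” signal the article asks for. The script below is an added example written for this page, not the article’s or Stroz Friedberg’s own tooling: given account records with a last-password-change date, it reports what fraction of the enabled population is outside a maximum-age policy, counts separately the accounts whose password was never rotated at all, and classifies the movement between two snapshots. The record layout, the 90-day maximum age, the 5-point trend threshold and the two sample snapshots are all constructed assumptions; it measures only age and rotation, not how easily a password could be cracked.

```python
"""Password-staleness metric for a security-culture review (added example).

Assumptions (none of them from the article): a directory export reduced to
user, enabled flag and last-password-change date; a 90-day maximum age;
a 5-point change in the stale ratio before a trend is declared.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_password_change: Optional[date]   # None = never rotated since creation


@dataclass(frozen=True)
class StalenessReport:
    population: int        # enabled accounts considered
    stale: int             # last change older than max_age
    never_changed: int     # no rotation recorded at all
    stale_ratio: float     # (stale + never_changed) / population


def staleness_report(accounts: Iterable[Account], as_of: date,
                     max_age: timedelta = timedelta(days=90)) -> StalenessReport:
    """Measure how much of the enabled population is outside the password-age policy.

    Disabled accounts are excluded: they cannot log in, so they say nothing
    about user behaviour. Accounts with no recorded change are counted
    separately because they usually point to a provisioning default that
    nobody was ever made to rotate, which is a governance gap rather than a
    user choice.
    """
    population = stale = never = 0
    for acct in accounts:
        if not acct.enabled:
            continue
        population += 1
        if acct.last_password_change is None:
            never += 1
        elif as_of - acct.last_password_change > max_age:
            stale += 1
    ratio = (stale + never) / population if population else 0.0
    return StalenessReport(population, stale, never, round(ratio, 3))


def trend(previous: StalenessReport, current: StalenessReport) -> str:
    """Classify the change in stale ratio between two snapshots of one population."""
    delta = current.stale_ratio - previous.stale_ratio
    if delta <= -0.05:
        return "improving"
    if delta >= 0.05:
        return "worsening"
    return "flat"


# Constructed sample exports (not real accounts): first and second quarter.
SNAPSHOT_Q1 = [
    Account("alice", True, date(2015, 1, 5)),
    Account("bob", True, date(2014, 6, 1)),      # well past 90 days
    Account("carol", True, None),                 # never rotated
    Account("dave", False, date(2013, 1, 1)),     # disabled, ignored
    Account("erin", True, date(2015, 2, 1)),
]
SNAPSHOT_Q2 = [
    Account("alice", True, date(2015, 4, 1)),
    Account("bob", True, date(2015, 3, 15)),
    Account("carol", True, date(2015, 3, 20)),
    Account("dave", False, date(2013, 1, 1)),
    Account("erin", True, date(2015, 2, 1)),      # now stale
]


def quarterly_review() -> Tuple[StalenessReport, StalenessReport, str]:
    """Run the metric over both snapshots and return the two reports plus the trend."""
    q1 = staleness_report(SNAPSHOT_Q1, as_of=date(2015, 3, 1))
    q2 = staleness_report(SNAPSHOT_Q2, as_of=date(2015, 6, 1))
    return q1, q2, trend(q1, q2)


if __name__ == "__main__":
    q1, q2, direction = quarterly_review()
    print("Q1:", q1)
    print("Q2:", q2)
    print("trend:", direction)
```

The ratio is deliberately coarse, in the article’s sense: it says nothing about individual users, only about whether the population as a whole is rotating passwords within policy, which is what a culture metric reported to leadership needs to show.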

Information security affects, and is affected by, all individuals in an organization, and seemingly trivial errors by a single user can have existential consequences. In the end, what’s most important is that employees believe that by complying with information security standards and policy they are reinforcing their organization’s culture, rather than undermining it.

CARL S. YOUNG is a former senior executive in the FBI and global head of security technology at Goldman Sachs. He is currently a Managing Director at Stroz Friedberg, LLC, and is the author of Metrics and Methods for Security Risk Management and The Science and Technology of Counterterrorism: Measuring Physical and Electronic Security Risk.


Podcasts


Exposing a Little Known Cyber Security Reality...“When Corporate Culture Threatens Data Security”

Episode 2 of the inaugural Stroz Friedberg podcast series, The Business of Truth, shines a light on the greatest driver of cyber security risk: a company’s culture and behaviors.


Cyber Warfare, Legislative Gridlock, & Ethical Hacking...Eric Friedberg, Executive Chairman, Stroz Friedberg, delves into all of these hot-button topics in “The New Cyber Threat Landscape” — Episode 1 of the inaugural Stroz Friedberg podcast series, The Business of Truth.

Listen to on-the-ground cyber combat views into 2015’s likely greatest cyber threats, plus insight on why we haven’t had a “Cyber Pearl Harbor,” …yet. What’s more, you will hear take-away tactics for better securing a company’s information and assets, and thus its reputation, in an increasingly perilous digital business world.


Weekly News Briefs


Stroz Friedberg Weekly “CYBER BRIEF” in association with THE CENTER ON NATIONAL SECURITY AT FORDHAM LAW

Receive valuable weekly CYBER news related to data breaches, security, legislative matters, plus the public and private sectors.

SUBSCRIBE: www.centeronnationalsecurity.org/cyberbriefs

About Us


About Stroz Friedberg, LLC

Founded in 2000, Stroz Friedberg is a global leader in investigations, intelligence, and risk services. It provides expertise in digital forensics, forensic accounting, cybercrime and incident response, security science, compliance, due diligence, data discovery and analytics. Working at the intersection of technology, investigations, regulatory governance and behavioral science, the company is driven by a core purpose—seeking truth so clients can find the assurance and answers they need to move forward with certainty.

With offices across nine U.S. cities, plus London, Hong Kong and Zürich, Stroz Friedberg assists in managing critical risk for Fortune 100 companies as well as 80% of the AmLaw 100 and the Top 20 UK law firms.

Learn more at www.strozfriedberg.com.