Happy National Cyber Security Awareness Month! Kick off October with our recent Lunch with a vCISO webinar “Do You Know Your Risk Tolerance – The Role of a vCISO.”
This article was originally posted on CSO Online.
Join Sophos CEO Kris Hagerman and SVP Dan Schiappa at the Revere Hotel in downtown Boston to learn more about the latest development in Sophos’ innovative approach to endpoint protection.
Seating is limited; reserve your seat today to discover:
Despite record investments in cyber security technology, the data continues to paint a bleak picture:
Our heavy reliance on technology to protect against constantly evolving cyber threats ignores the most critical element: the human element. Phishing targets people, and with 92% of global information workers using email regularly as part of their job, it’s no surprise. By targeting employees, attackers are playing the odds and hoping for an easy mark. PhishMe’s Human Phishing Defense Solution disrupts the core of the adversary’s attack chain: their targets and tactics. PhishMe focuses on engaging the human, your last line of defense after a phish bypasses other technologies, and equips incident response teams with automation tools to quickly analyze and respond to targeted phishing attacks.
WELLESLEY HILLS, MA (September 20, 2017) – Massachusetts Bay Community College is pleased to announce it has received a generous donation of $10,000 from this year’s annual Information Security Summit to support student scholarships in the field of cyber security.
The Information Security Summit, held each year on MassBay Community College’s Wellesley Hills campus, was established in 2013 to help professionals advance their programs and knowledge base on the latest network security and technology issues. The net proceeds from the Summit are awarded to students in the form of two scholarships in support of Cyber Security education.
To date, the Information Security Summit and its attendees and sponsors have raised a total of $38,000 to support student scholarships.
Towerwall CEO Michelle Drolet, whose Framingham-based cyber security company is one of the co-sponsors of the Information Security Summit, along with MassBay’s Chief Information Officer Michael Lyons were on hand to present this year’s scholarship check to President Dr. David Podell, Computer Science Professor Shamsi Moussavi and to Mary Shia, the Executive Director of the MassBay Foundation and the College’s Vice President for Institutional Advancement and Alumni Relations. Drolet is also a member of the MassBay’s Foundation Board.
Sponsors of this year’s Information Security Summit also include: Varonis, AlienVault, GovConnection, LogRhythm, Securonix, SnoopWall, Sophos, RSA, CDW, CyberSN, Darktrace Ltd, Gigamon, Juniper Networks, PhishMe, SHI, Stealthbits, SuperCom, TCG Network Services, Big Switch and Xerox Corporation.
Scholarships are available to full-time and part-time MassBay students in the form of Information Security Summit (Cyber Security) scholarships and are given out by the MassBay Foundation.
The MassBay Foundation gives 100% of donations back to students in the form of student scholarships. The Information Security Summit Scholarship was created and is supported by the generous sponsors of the Information Security Summit, established by Towerwall and MassBay Community College to support students studying in the Cyber Security field. Anyone interested in donating to student scholarships, learning more about our student scholarship program or getting involved with the MassBay Foundation can contact Mary Shia at MShia@massbay.edu.
*Attached is a photo of the check presentation (left to right): MassBay President Dr. David Podell, Towerwall CEO Michelle Drolet, MassBay Computer Science Professor Shamsi Moussavi, MassBay Vice President for Institutional Advancement and Alumni Relations and Executive Director of the MassBay Foundation Mary Shia, and MassBay Chief Information Officer Michael Lyons.
To learn more about the Information Security Summit, visit www.massbay.edu/iss.
MassBay Community College was recently ranked by the Brookings Institution as one of the top schools for value added and earned salaries in the workforce: #1 among 2-year colleges in Massachusetts, #2 in New England and #16 nationally. The College’s facilities in Wellesley Hills, Framingham and Ashland house day, evening and weekend classes that meet the needs of degree-seeking students and career-minded life-long learners. Online options provide convenience and allow faculty to facilitate the learning process. Since its founding in 1961, MassBay has been accredited by several governing bodies and strives to meet the needs of the diverse local communities it serves.
This article was originally posted on CSO Online.
Each session will provide unprecedented access to the industry’s top Virtual Chief Information Security Officers and cover critical issues in the field. The interactive series will cover a variety of topics, such as aligning information security policies with your firm’s culture and how to prepare for an audit.
Attendees will be given the opportunity to ask questions of these experts during each session. Sessions will be held every other month and are designed to fit into your lunch hour.
We’ve already laid out a broad overview of what NIST’s cybersecurity framework can do for you, so today we’re going to drill into Special Publication 800-53. Published by the National Institute of Standards and Technology, and based on important research from the Information Technology Laboratory, this publication offers a comprehensive set of security controls to help you protect your data.
The document refers to Federal information systems, but this terminology will be removed in the forthcoming fifth revision, because the advice here is applicable to all organizations.
It may seem dense and inaccessible at first, so we’re going to break down some of the key elements and explain their importance.
It’s not easy to calculate the business impact of a cyberattack, because there are many knock-on effects that take time to reveal themselves. The latest research from the Ponemon Institute suggests a global average cost of $3.62 million for a data breach. The level of potential risk is your starting point in developing and building solid cybersecurity defenses.
Before you can select the right set of security controls, you must consider the importance and sensitivity of the data. The FIPS 199 document explains how you might go about categorizing your systems, taking into account confidentiality, integrity, and availability to figure out if the potential impact of a breach is low, moderate, or high risk.
Having established the potential impact levels, you can select a security control baseline. It’s deliberately called a baseline, because it’s something to build on.
The guidelines are broad and make certain assumptions that might not apply to your organization, so the next step is to tweak your security control baseline to ensure that it’s aligned with your business functions, systems and operating environment. You may be able to drop some controls, but will probably have to add or enhance others.
Part of the aim during this process is to arrive at an approach that strikes a good balance between security and cost. There’s no such thing as a perfect set of security controls. You must weigh in regulations, emerging threats, new and legacy technologies and systems, plus your business goals, to arrive at the right blend for your organization.
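As an added illustration of the categorize, select and tailor steps described above (this is not code from the article or from NIST), the sketch below computes the FIPS 199 high-water mark for a system, picks the matching baseline, and records the rationale for every control dropped or added. The control IDs are real SP 800-53 identifiers, but which baseline contains which control here, and the sample information types, are constructed for the example.

```python
# Added example, not the article's code: FIPS 199 categorization by high-water
# mark, SP 800-53 baseline selection, and tailoring that keeps the rationale auditors
# need. AC-2 etc. are real control IDs; the baseline membership is constructed.

LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def high_water_mark(levels):
    """Highest impact level in an iterable of level names."""
    return max(levels, key=RANK.__getitem__)

def categorize_system(info_types):
    """FIPS 199: per-objective system impact is the highest impact of any
    information type; info_types is {name: {objective: level}}."""
    return {obj: high_water_mark(t[obj] for t in info_types.values())
            for obj in OBJECTIVES}

def select_baseline(categorization):
    """Overall level is the high-water mark across C/I/A; it picks the baseline."""
    return high_water_mark(categorization.values())

BASELINES = {  # constructed, abbreviated baselines for illustration only
    "low": {"AC-2", "AU-2", "CP-9", "SI-2"},
    "moderate": {"AC-2", "AU-2", "CP-9", "SI-2", "SC-8"},
    "high": {"AC-2", "AU-2", "CP-9", "SI-2", "SC-8", "RA-5"},
}

def tailor(baseline, drop=(), add=()):
    """Apply (control, reason) pairs to a baseline. A dropped control needs a
    written justification; returns the tailored set plus the rationale record."""
    controls = set(BASELINES[baseline])
    rationale = []
    for ctrl, why in drop:
        if ctrl not in controls:
            raise ValueError(f"{ctrl} is not in the {baseline} baseline")
        if not why.strip():
            raise ValueError(f"dropping {ctrl} requires a justification")
        controls.remove(ctrl)
        rationale.append(("removed", ctrl, why))
    for ctrl, why in add:
        controls.add(ctrl)
        rationale.append(("added", ctrl, why))
    return controls, rationale

# Constructed sample input: two information types handled by one system.
SAMPLE_TYPES = {
    "customer_records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public_web_content": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
}
```

Because the mark is taken per objective across all information types and then across the three objectives, one high-impact information type is enough to push the whole system into the high baseline.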
Detailed documentation laying out the design, development and implementation of your security controls is vital for regulatory bodies to be able to audit your efforts. It also provides a sound rationale that can be continually applied for the future, because cybersecurity is a travelling cliché – it’s not a destination, but a journey.
Being able to refer to this documentation could be hugely valuable for the long haul, particularly if you have a new system to integrate, or your CISO resigns, or you hired a virtual CISO for the short term.
A common mistake that organizations make is to draft the plan, implement it, and then trust that it’s working as expected. Without in-depth, regular assessments you have no idea if your security controls have been implemented correctly, if they’re operating as intended, or if they’re meeting your expectations for security. Get an outside party with no vested interest to put your security through its paces and don’t forget to test your third-party service providers to ensure they meet your standards.
You’ve set a baseline, tweaked it to fit your needs, implemented it and tested to ensure that it’s working properly, now you can take it easy, right? Wrong!
Your work is never done when it comes to cybersecurity because things change. You might adopt a new system, integrate a new third-party service, or change your business goals. To comply with your legal requirements, you need to be up to date with the latest regulations. And all the while, new software vulnerabilities are being discovered, and hackers are probing your defenses and developing new techniques to gain entry.
At the heart of NIST’s holistic approach to infosec and risk management are two simple ideas: “build it right” and “continuous monitoring.”
Take your time and create a solid cybersecurity foundation, but accept that you’ll need to be vigilant for cracks in your defenses and continually make improvements if you want to ensure that your data is truly protected.
Medical marijuana, like any controlled substance, requires a strong system of identifying patients properly. As the industry matures, the federal government has increasingly been more involved in enforcing ever more stringent laws and regulations on medical marijuana dispensaries.
While it is easy to dismiss this if you’re running your business on a strictly cash-only basis, the future could change and possibly require you to do this. Why not prepare now, so that you can avoid possible problems down the road?
Dispensaries use computerized systems to process and verify protected health information (PHI). This can pose certain risks, including security breaches. These systems are subject to the Health Insurance Portability and Accountability Act of 1996 (also referred to as HIPAA). Under this law, medical marijuana is treated in a similar way to prescription drugs.
Due to its reputation, the medical marijuana industry is very keen on staying within the parameters of the federal law. Patient verification systems are crucial in this endeavor. They often contain a variety of protected health information (PHI), including patient contact information, medical record numbers, diagnoses, driver’s license, and other personal information.
The most obvious signal that you are compliant is to have a Secure Sockets Layer (SSL) certificate on your website. What is an SSL certificate? Sites with SSL certificates will indicate a lock in the address bar and/or be green to signal that the site’s traffic is securely encrypted. If you don’t already have this and want to see an example, visit some of your competitors’ websites and look for their SSL certificate signals to see this first hand.
Pay close attention to this crucial point, as keeping patient data on-site or on a typical server location can land you in a lot of deep trouble. For one thing, it is considered a serious crime and more often than not, violators have to pay hefty fines to the tune of tens of thousands of dollars. You’ll want to fully understand the differences between what is considered HIPAA compliant hosting and traditional web hosting. The following checklist will help you find the right HIPAA compliant data center for you. Remember, this is not about shopping for the best company who can work with you for a cheap price. HIPAA compliant hosting companies are more expensive than traditional ones, and for good reason.
1. Signed business associate agreement
This is to cover yourself, as well as to experience peace of mind. You want your host to understand and accept the risks of hosting patient health information.
2. Multiple vulnerability scans of your servers on a monthly basis
Ask for the reports; the hosting companies will gladly provide them for you.
3. Mitigating discovered vulnerabilities
HIPAA-compliant hosting companies should provide remediation services to fix the vulnerabilities.
4. Server hardening
Request copies for your hosting company’s server hardening steps. This will detail the process of how they apply their measures for security to your servers.
5. Regular off-site backup
Ask if they provide backups and how far away the backups are physically from your hosting company. Ideally, you want them at least 50 miles apart, to factor in the possibility of a local storm or some other unforeseen natural disaster that could take out both your server and backup.
6. Keep a six year log retention
After you’re finished using a server, its hard drives should not be used again until they have had several passes of clean wipes. This is to be sure that PHI cannot be read again. Inquire as to what kind of process they use to wipe the hard drives clean and how many passes they make.
Medical marijuana dispensaries are by law required to keep confidential all of the patient health information aggregated during patient transactions. This starts from the very first time a patient provides information to qualify for a medical marijuana card. This, as well as any future patient health information, is covered under HIPAA federal law. It cannot be released to anyone without first obtaining the patient’s written consent or a court ordered subpoena.
Accidents in handling patient information will still result in a HIPAA violation and could result in a fine. This poses a problem, especially when credit cards are used to make medical marijuana purchases from a dispensary. It is not possible to completely restrict the transaction information. This is probably why Mastercard and Visa have been hesitant to allow medical marijuana purchases. In some instances where the purchases were allowed, high per-transaction fees essentially eliminated any feasibility of accepting credit cards.
The laws and rules concerning medical marijuana are almost exactly the same as the laws for traditional medical prescriptions and treatments. Your patients’ health information is protected under these laws. This doesn’t just include data storage, but also employees and business associates that handle PHI. It is necessary for you to get a signed business associate agreement from any associates that may be handling sensitive PHI.
This article was originally posted on Cannabis Business Executive.