Information Security
What every CFO needs to consider
Joe Fracchia, CPA, CISA
November 22, 2013
Information Security
A Quick Primer
Context
Headlines
Opportunity
Information Security Primer
What:
Intellectual Property: Customer Lists, Recipes, Proprietary Processes/Formulae, R&D
Supplier pricing, customer pricing
Financial Data; banking data
HR data
Personally Identifiable Data (PII)
Etc.
Why:
Regulatory, Contractual, Reputational, Competitive
Context
Information Security Zones: Competition, Suppliers, Business Operations, Regulatory, Customers
Headlines
Zones: Competition, Suppliers, Business Operations, Regulatory, Customers
Security Week 10/10/2013
10/4/2013
Headlines
Zones: Competition, Suppliers, Business Operations, Regulatory, Customers
What specifically does your product do?
Where has your R&D investment gone in the past 2 years?
What ROI am I buying? What is the value add?
When will I get the benefit? Now?
What advantage do I get by doing business with you?
Vulnerabilities run across and overlap the various zones
Competition: PII, IP
Suppliers: PII, PCI, R&D, Strategic Moves, OPS and Fin Data
Business Operations: IP, Financial Data, Customer Lists, R&D, Marketing
Customers: Pricing, IP
Regulatory: Financial, HIPAA, PII
How we assure ourselves and each other takes on various forms, each with its own approach
Zones and assurance vehicles as shown on the slide:
Competition
SSAE 16 SOC Reports
Suppliers
Business Operations
SSAE 16 SOC Reports
Customers
PCI-DSS; PA-DSS; Internal Audit
PCI-DSS; PA-DSS
Regulatory
SOX, Internal Audit, PII
Ownership of the various assurance vehicles and the data tends to be in silos:
Finance: SOX, SSAE 16
PCI
Human Resources: PII, HIPAA
Legal/Counsel: Contractual, IP
The opportunity is efficiency: leverage assurance, reduce cost, increase effectiveness
Control Area matrix, columns: PCI, PII, SOX, SSAE 16, Internal Audit, Self Assess, Examples (marks listed per row in extraction order; column positions of individual marks were not preserved)
Information Security Policy: X X X *
Secure Network: X X * * *
Protect Data: X X X * * *
Vulnerability Management: X X X * * *
Access Control: X X * * *
Monitor and Test: X X * * *
Change Control: X * * *
Operations Integrity: X * * *
We do penetration testing to test our network; PCI requires scans for various levels of providers. Do you do them twice?
System integrity depends on change control. SOX, most SSAE 16s and portions of PCI require testing. How do you avoid doing process testing three times?
Are your internal auditors, QSA and functional areas testing the same things that other providers are? Can you leverage?
Now is the right time to have the discussion about the security budget
Questions?
Information Security
What every CFO needs to consider
Joe Fracchia, CPA, CISA
901.333.2255 / 901.289.3417