From ITC Agent Conference 2016... You need to take the security of your data seriously. You hold critical personally identifiable information about your clients that hackers want. Learn how to create a security plan to keep your agency and client information safe.

1. Creating a Security Plan
Agent Conference Advanced Track
Laird Rixford
@lrixford/ President

2. Data
What is it worth?

3. Security Plan
Why do you need one?

4. Creating a Security Plan
• Inventory Assessment
• Risk Assessment
• Checklist
• Evaluation and Audit
• Certification

5. Inventory Assessment
What do you need to protect?

6. Inventory Assessment
• Hardware
(name the equipment)
• Software
(name the applications and provide quantity...make sure they're licensed)
• System interfaces
(e.g., internal and external connectivity; who do you connect to?)
• Type of Information
(what type of information do your systems hold)
• Critical & Confidential information
(is the department in receipt of confidential, private, or identity bearing data)
• "Owner“
(who uses or manages)
• Processes
(the processes performed by the IT system)

7. Risk Assessment
What is the impact of breach?

8. Risk Assessment
• Probability & Impact
• +2 – High
• +1 – Medium
• +0 – Low
• Security Level
• +3 – High
• +1 – Medium
• +0 – Low
• Categories
• Confidentiality of information
• Data (or information) integrity (corruption of data)
• Availability

9. Confidential Information
• Low
• General workstation security
• Passwords
• Antivirus protection
• Encrypted Devices
• Medium
• Firewall
• High
• One-time passwords (DUO or similar)
• Intrusion Detection System

10. Data Integrity
• Low
• Antivirus protection
• Medium
• Firewall
• High
• One-time passwords (DUO or similar)
• Intrusion Detection System
• File Integrity & Versioning

11. Availability
• Low
• Alternate Power Source
• UPS
• Medium
• Disaster recovery and business continuity
• Secondary connectivity
• High
• Backup and recovery
• Antivirus protection
• Replication

12. Checklist
Things to cover.

13. Checklist
• Hardware Risks
• Software Risks
• Environmental Failures
• Network Failures
• Security Policy
• Password
• Retention
• Usage policy.
• Internet Usage
• Computer Usage
• Federal and State Compliance and Privacy

14. Checklist
• Physical Security
• Computer & Network Policy
• Firewalls
• Group Policy
• Business Continuity & Disaster Planning
• Backup & Recovery
• Change Management
• Patching of OS and Software
• Software Licensing
• User Awareness Training
• Network Security Reviews
• Anti-Virus/Antimalware

15. Evaluation & Audit
Executing your plan.

16. Evaluation & Audit
• Test
• Evaluate
• Report
• Rectify
• Repeat
• Certification of Audit
• Request from vendors.

17. When it goes wrong.
What do you do when it happens.

18. Don’t Panic
• Take immediate audit of the infrastructure.
• Retain logs.
• Contact law enforcement.
• Commit forensic analysis
• Determine impact.
• If notification is required, contact your lawyer, not
your insurance company.

19. Questions?
Comments.
Live Tweet on Twitter
@lrixford / #AgentCon16