One thing's for sure, there are many choices when it comes to hardware, software and everything in between. How can you know if you have the right infrastructure for moving forward? Many organizations have an IT Assessment done as their organizations grow to determine the best strategic plan for moving forward.
2. WHAT’S ON TAP?
• What we do
• Why do an IT Assessment?
• Is this a threat to my IT Staff?
• Procedure
• Network Infrastructure
• Network Security
• Disaster Recovery
• What’s New?
• IT Budget Review
2
4. WHY? PLANNING FOR THE FUTURE
• IS IT TIME FOR UPGRADES?
• PREPARING FOR AN RFP
• TIME TO INTRODUCE NEW TECHNOLOGY
• IMPROVE BUSINESS PROCESSES
• PCI OR HIPPA COMPLIANCE
• SEEKING CYBER-INSURANCE
4
5. WHY? WAS THERE A PROBLEM?
• WAS THERE A SERVER OUTAGE?
• AN AUDIT IS COMING UP
• STAFF NEED ASSESSING OR THERE IS POTENTIAL LOSS OF STAFF
• RECURRING ISSUES
• SECURITY CONCERNS
5
6. ITEMS FOR REVIEW
• STAFF
• TECHNOLOGY
• INFRASTRUCTURE
• POLICIES, PROCEDURES AND PRIVACY
• PLANNING FOR A MOVE?
• SOFTWARE , AMS
• IT PLANNING FOR THE NEXT FEW YEARS
6
9. LOOKING FOR AN ASSET MANAGER, NOT
A STOCK BROKER
• THEY ARE PART OF YOUR TEAM
• EXPERIENCES FROM OTHER SIMILAR ORGANIZATIONS
• TRAINING RECOMMENDATIONS
• IN-HOUSE OR THE CLOUD?
9
10. HOW DOES THE PROCESS WORK - IT
INFRASTRUCTURE ASSESSMENT?
Raffa Assessment Methodology
IT Structure Analysis
- Perform Interviews with key stakeholders
- Identify current/future IT needs in line with your vision
- Review current system architecture
- Review current servers and storage hardware configurations
- Review network configurations and their capacities
11. IT INFRASTRUCTURE ANALYSIS
Review domain configurations
Review enterprise back-office components and their
configurations
Review existing security requirements and compliance
Review disaster recovery requirements and strategies
including existing data backup/restore mechanisms, hardware,
software
Review current Total Cost of Ownership (TCO)
12. WHO AM I CONNECTED TO?
12
My
Network
Hosting
VOIP
Managed
Services
15. EVERYONE HAS SOMETHING TO
PROTECT
• Intellectual Property
• Human Resources Information
• Your Financial Data
• Your Customer Databases
• Your Customer’s Data
• Marketing and Sales Data
It’s not Just About
compliance with
state and federal
regulations.
It’s about
protecting your
company, your
employees and
your customers
Is it time for a Security and Compliance Assessment?
Financial
Healthcare Legal
Professional Services
16. WHAT ARE OUR DATA CONCERNS?
• UNAUTHORIZED ACCESS
• CONCERNS WITH IN-HOUSE STAFF
• EXTERNAL THREATS
• PRIVACY AUDIT
16
17. SECURITY CONSIDERATIONS AND
ACTIONS
Strong password
policy is the first
line of defense
against a data
breach
STRONG PASSWORD POLICIES
Benefit: Strong password policies help to reduce the risk of a breach. Policies should also
provide guidance to reduce the risk of human error breaches. Strong passwords should meet
these standards at a minimum:
• Lower case characters
• Upper case characters
• Numbers
• "Special characters"(@#$%^&*()_+|~-=`{}[]:";'<>/)
• Contain at least 12 but preferably 15 characters.
Is it Time for a Security and Compliance Assessment?
18. COMPLIANCE DEFINITIONS
Definitions are
generally accepted
by most states
However,
exceptions do
exist on a state by
state basis
Personal Information: An individual’s first name or first initial and last name plus
one or more of the following data elements:
1. Social Security number,
2. Driver’s license number or state- issued ID card number
3. Account number, credit card number or debit card number combined with any
security code, access code, PIN or password needed to access an account and
generally applies to computerized data that includes personal information.
Personal Information shall not include publicly available information that is lawfully
made available to the general public from federal, state or local government
records, or widely distributed media. In addition, Personal Information shall not
include publicly available information that is lawfully made available to the general
public from federal, state, or local government records.
Breach of Security: The unlawful and unauthorized acquisition of personal
information that compromises the security, confidentiality, or integrity of personal
information.
DEFINITIONS
Is it Time for a Security and Compliance Assessment?
19. FEDERAL, STATE & PRIVATE
REQUIREMENTS
It is important to
understand that
these laws don’t
only apply to
health and
financial
institutions.
HIPAA: Health Insurance Portability and Accountability Act, a US law designed to
provide privacy standards to protect patients' medical records and other health
information provided to health plans, doctors, hospitals and other health care providers.
Developed by the Department of Health and Human Services, these new standards
provide patients with access to their medical records and more control over how their
personal health information is used and disclosed. They represent a uniform, federal floor
of privacy protections for consumers across the country. State laws providing additional
protections to consumers are not affected by this new rule.
The Gramm-Leach-Bliley Act: (GLB Act or GLBA), is a federal law enacted to control
the ways that financial institutions deal with the private information of individuals. The Act
consists of three sections:
1. The Financial Privacy Rule, which regulates the collection and disclosure of private
financial information
2. The Safeguards Rule, which stipulates that financial institutions must implement
security programs to protect such information
3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private
information using false pretenses).
The Act also requires financial institutions to give customers written privacy notices that
explain their information-sharing practices.
Is it Time for a Security and Compliance Assessment?
20. FEDERAL, STATE & PRIVATE
REQUIREMENTS
The Payment Card
Industry Council
established rules
governing how
credit card data
would be secured
Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard
that all organizations, including online retailers, must follow when storing, processing and
transmitting their customer's credit card data.
The Data Security Standard (DSS) was developed and the standard is maintained by
The Payment Card Industry Security Standards Council (PCI SSC). To be PCI complaint
companies must use a firewall between wireless networks and their cardholder data environment,
use the latest security and authentication such as WPA/WPA2 and also change default settings for
wired privacy keys, and use a network intrusion detection system.
The PCI DSS standard, as of September 2009 (DSS v 1.2), includes 12 requirements for best
security practices
PRIVATE REQUIREMENTS
Payment Card Industry (PCI) Data Security Standard (DSS)
Is it Time for a Security and Compliance Assessment?
21. SECURITY CONSIDERATIONS AND
ACTIONS
Security is as
much about
people and good
process and well
documented policy
as it is about your
IT infrastructure
PROCESS AND PEOPLE MANAGEMENT