Information security - Chapters Site - Home › fort-wayne › Events... · 2019-02-16 ·...
INFORMATION SECURITY
A DAY IN THE LIFE
WHO AM I?
• Security officer for MIE
• CISSP, CISA, CGEIT, CRISC,
CRMA, PMP, FLMI and studying
for CISM
• RMR and JA
• Interactive session – share stories
THREAT SOURCES
• Nation States
• Terrorists
• Industrial Spies
• Organized Crime
• Hacktivists
• Hackers
• Business Competitors
• Employees – accidental or deliberate
https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions
https://hitrustalliance.net/threat-catalogue/
IT STARTS WITH THE DATA
BUSINESS ALIGNMENT
Mission of the Business
Strategic Business Objectives
Information Security
Mission: Develop, execute and maintain a proactive, company-wide security program
based on strategic business objectives
Vision: Incorporate a continuous security mindset into all aspects of our business
functions
INFOSEC OBJECTIVES
Security Privacy
Confidentiality
Integrity
Availability
GOVERNANCE
Board of Directors
IT Audit Committee
Policies
Standards
Procedures
Security Team
Compliance Team
[Stack diagram: InfoSec Objectives]
OWNERSHIP
Data Owner
Asset Inventory
Data Classification
[Stack diagram: Governance / InfoSec Objectives]
BUSINESS RESILIENCY
BCP
DRP
IRP
BIA
[Stack diagram: Ownership / Governance / InfoSec Objectives]
______ MANAGEMENT
Risk Analysis and Management
Patch Management
Vulnerability Management
Vendor/Supply Chain Management
[Stack diagram: Resiliency / Ownership / Governance / InfoSec Objectives]
https://www.google.com/alerts#
https://www.nist.gov/
https://csrc.nist.gov/
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
https://csrc.nist.gov/publications/detail/sp/800-161/final
TECHNICAL CONTROLS
AV
IDS/IPS
Encryption
Logging and Monitoring
DLP
[Stack diagram: ______ Management / Resiliency / Ownership / Governance / InfoSec Objectives]
STORY TIME
• Cost of a laptop is $2,000
• Additional cost of losing the laptop is $8,000
• Asset Value (AV) = $10,000
• Exposure Factor (EF) = 100%
• Single Loss Expectancy (SLE) = AV × EF = $10,000
• On average, we “lose” 3 laptops per year (ARO)
• Annual Loss Expectancy (ALE) is $30,000
Security Spending
Dennis steals the dinosaur embryos
RETURN ON SECURITY INVESTMENT
ALE before encryption control $30,000
Encryption cuts EF to 20%
ALE after implementing control $6,000
+ Yearly cost of control $20,000
Return on Security Investment $4,000
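The SLE/ALE/ROSI arithmetic from the laptop story and this slide, written out in Python as an added example (not part of the original deck). The figures are the slide's own; the break-even helper goes beyond the slide and shows the most a control may cost per year before the investment stops paying for itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Inputs to the quantitative risk formulas used on the slides."""
    asset_value: float      # AV: replacement cost plus the cost of the loss itself
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF, in dollars rounded to cents."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return round(self.sle() * self.aro, 2)


def rosi(before: Scenario, after: Scenario, yearly_control_cost: float) -> float:
    """Net return on a control: ALE reduction minus the control's yearly cost."""
    return round(before.ale() - after.ale() - yearly_control_cost, 2)


def break_even_cost(before: Scenario, after: Scenario) -> float:
    """Most a control may cost per year before ROSI turns negative (added helper)."""
    return round(before.ale() - after.ale(), 2)


# Constructed from the slide's laptop story: $2,000 laptop + $8,000 loss cost,
# EF 100% (the whole value is lost), 3 laptops "lost" per year.
LAPTOP_BEFORE = Scenario(asset_value=2_000 + 8_000, exposure_factor=1.0, aro=3)
# Encryption cuts EF to 20% (slide figure); AV and ARO are unchanged.
LAPTOP_AFTER = Scenario(asset_value=10_000, exposure_factor=0.20, aro=3)
ENCRYPTION_COST_PER_YEAR = 20_000  # yearly cost of the control, from the slide

if __name__ == "__main__":
    net = rosi(LAPTOP_BEFORE, LAPTOP_AFTER, ENCRYPTION_COST_PER_YEAR)
    print(f"ALE before control: ${LAPTOP_BEFORE.ale():,.0f}")  # $30,000
    print(f"ALE after control:  ${LAPTOP_AFTER.ale():,.0f}")   # $6,000
    print(f"ROSI (net):         ${net:,.0f}")                  # $4,000
    print(f"Break-even cost:    ${break_even_cost(LAPTOP_BEFORE, LAPTOP_AFTER):,.0f}")  # $24,000
```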
3RD PARTY ASSESSMENTS
External Pen Test
Internal Pen Test
Wireless Pen Test
Social Engineering
[Stack diagram: Controls / ______ Management / Resiliency / Ownership / Governance / InfoSec Objectives]
ACCESS CONTROL
Logical
Physical
Remote
[Stack diagram: 3rd Party Assessments / Controls / ______ Management / Resiliency / Ownership / Governance / InfoSec Objectives]
KERBEROS
COMPLIANCE
HIPAA / HITECH
FISMA
FFIEC
GLBA
SOX
GDPR, CONSENT, CCPA, PIPEDA
Privacy Shield
[Stack diagram: Access Control / 3rd Party Assessments / Controls / ______ Management / Resiliency / Ownership / Governance / InfoSec Objectives]
CERTIFICATIONS
SOC
HITRUST CSF
PCI – DSS
FedRAMP
Cloud Security Alliance
SECURITY AWARENESS
New hire training
Annual refresher training
Monthly newsletters
NCSAM – October
Periodic newsflashes
[Stack diagram: Compliance and Certifications / Access Control / 3rd Party Assessments / Controls / ______ Management / Resiliency / Ownership / Governance / InfoSec Objectives]
DATA RECOVERABILITY
Online failover replica
Real-time replica offsite
Long-term offline backup
[Stack diagram: Security Awareness / Compliance and Certifications / Access Control / 3rd Party Assessments / Controls / ______ Management / Resiliency / Ownership / Governance / InfoSec Objectives]
… STILL MORE
Cyber Insurance
Internal & External Audits
Regular exclusion checks:
OIG LEIE and SAM
[Stack diagram: Data Recoverability / Security Awareness / Compliance and Certifications / Access Control / 3rd Party Assessments / Controls / ______ Management / Resiliency / Ownership / Governance / InfoSec Objectives]
https://oig.hhs.gov/exclusions/index.asp
https://www.sam.gov/SAM/
INFOSEC RECAP
• Not one person or a team of people; the entire organization
• Defense in depth
• If you see something, say something
• https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity