Cyber Security and Project Planning: How to Bake It In

Similar documents
Cyber Risks in the Boardroom Conference

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Preventing Corporate Espionage: Investigations, Data Analyses and Business Intelligence

DeMystifying Data Breaches and Information Security Compliance

Defensible and Beyond

How to Prepare a Response to Cyber Attack for a Multinational Company.

2016 BITGLASS, INC. mobile. solution brief

Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins

Monthly Cyber Threat Briefing

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

locuz.com SOC Services

Is Your Compliance Strategy Putting Your Business at Risk?

THE ULTIMATE SOLUTION TO SECURE MOBILE COMMUNICATIONS AND DEVICES

What FinAid offices need to know about cyberattacks. Presented by: Chris Chumley, COO at CampusLogic Thursday, March 31, EST

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

It s Not If But When: How to Build Your Cyber Incident Response Plan

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

2017 RIMS CYBER SURVEY

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Legal Aspects of Cybersecurity

Breaches and Remediation

Cybersecurity Auditing in an Unsecure World

NERC Staff Organization Chart Budget 2019

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

You re Leaking: Incident Response in the World of DevOps Jerry Dixon & Levi Gundert

What It Takes to be a CISO in 2017

falanx Cyber ISO 27001: How and why your organisation should get certified

Keys to a more secure data environment

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

The simplified guide to. HIPAA compliance

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Compliance with CloudCheckr

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

VALUE OF A CYBERSECURITY SELF-ASSESSMENT

Breaches and Remediation

security mindfulness dwayne.

Cyber Security. It s not just about technology. May 2017

WELCOME ISO/IEC 27001:2017 Information Briefing

LESSONS LEARNED IN SMART GRID CYBER SECURITY

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Poor PAM processes and policies leave the crown jewels susceptible to security breaches Global Survey of IT Security Professionals

External Supplier Control Obligations. Cyber Security

Designing and Building a Cybersecurity Program

6 Tips to Find the Right Colocation Center for You

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Combating Cyber Risk in the Supply Chain

Managing Cybersecurity Risk

Effective Strategies for Managing Cybersecurity Risks

building a security culture to counter emerging cybersecurity threats

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

Sage Data Security Services Directory

Information Security Risk Strategies. By

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

No Country for Old Security Compliance in the Cloud. Joel Sloss, CDSA Board of Directors May 2017

You knew the job was dangerous when you took it! Defending against CS malware

2015 HFMA What Healthcare Can Learn from the Banking Industry

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

ISACA Cincinnati Chapter March Meeting

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

INTELLIGENCE DRIVEN GRC FOR SECURITY

Information Governance Incident Reporting Procedure

Cybersecurity in Higher Ed

NERC Staff Organization Chart Budget 2019

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Cyber Security Panel Discussion Gary Hayes, SVP & CIO Technology Operations. Arkansas Joint Committee on Energy March 16, 2016

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Digital Health Cyber Security Centre

Cyber Security. Building and assuring defence in depth

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

Healthcare HIPAA and Cybersecurity Update

2017 Annual Meeting of Members and Board of Directors Meeting

PCI Compliance. What is it? Who uses it? Why is it important?

Jeff Wilbur VP Marketing Iconix

Sirius Security Overview

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Cyber Criminal Methods & Prevention Techniques. By

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

TEL2813/IS2820 Security Management

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Unleashing Your Inner Code Warrior

MANAGING CYBER RISK: THE HUMAN ELEMENTS OF CYBERSECURITY

Governance Ideas Exchange

How Secure is Blockchain? June 6 th, 2017

NERC Staff Organization Chart Budget 2018

COMPLIANCE IN THE CLOUD

Transcription:

Cyber Security and Project Planning: How to Bake It In Tim Jacks, PhD, CMIS, SIUE Bruce Tons, VP, Security Officer, IT Privacy Advisor, Rabo AgriFinance Doug Ascoli, Sr. Project Manager, Ameren Tonya Munger, Sr. Mgr Manufacturing Execution Systems, Boeing Slide 1

Why do we care? http://www.informationisbeautiful.net/visualizations/worldsbiggest-data-breaches-hacks/ Slide 2

Cyber Security and PM role PMs are not expected to be Cyber Security experts By including security considerations in every phase of a project, PMs have the opportunity to deliver more secure systems in a more secure manner. (Pruitt, 2013) Is security a problem in St. Louis? Slide 3

http://map.norsecorp.com/ Slide 4

How can PM s bake it in? Ensure these 10 ingredients are baked into your project plan! Slide 5

Preview of 10 ingredients 1. Operational handoff 2. Security Impact Analysis 3. Know your data 4. Secure communications 5. Risk management 6. Access management 7. Questions for vendors 8. Weakest link 9. Becoming a top chef 10.Sharing lessons learned Slide 6

#1 Plan for a great operational handoff! Minimize last minute security fixes and oops s Invite security to the party early, not late. Get your firm s Operational Acceptance Testing checklist ahead of time and bake it in from the beginning of the project! Be a superhero! Slide 7

#2 Do a security impact analysis Determine the value of information to the firm Determine costs of preventative measures and costs of failure Average firm cost of responding to a data breach = $4.5 million in the U.S. Average damage to firm reputation = $3 million in the U.S. www.ponemon.org Include your Security Department in your planning meetings Slide 8

#3 Know and Protect your Data Any external regulatory/ compliance concerns? Any internal? Examples of protected data: healthcare, financial, military, government, personal, proprietary, social security #, credit card #, international, employee, grades, etc. The PM may not know the answers but has to ask the right questions and include others Slide 9

#4 Plan for secure communications Communications plan + security = secure communications PMBOK says Communication has been identified as one of the single biggest reasons for project success or failure. Communications Plan needs to include how to secure the following: Online project documentation, passwords for conference calls, email, IM, backups, printed documents, configuration documentation (F/W, VPN, outbound email, thumb drives) Are you guarding your keys to the kingdom or Crown Jewels? Slide 10

#5 Plan for risk management Different from impact analysis What are the likely risks Option #1 Use internal checklist Option #2 Use NIST risk management framework http://csrc.nist.gov/groups/sma/fisma/framework.html Option #3 Use SANS Practical Risk Analysis and Threat Modeling Spreadsheet Slide 11

Slide 12

#6 Plan for authentication and access management Who / what / where /when / how for access Does it tie into A.D. for authentication? Role-based security Who s the business owner for ongoing access approval? Recertification? Frequency? Remote access? Tonya s example Prod/test/dev environments Slide 13

#7 Ask your vendors the right questions It s not just about price and service quality. The vendor should provide verifiable evidence that data is secure on their infrastructure like security certifications that require audits of their practices with respect to NIST and FISMA [standards] by accredited organizations like Logyx and Veris group, or via STAR or FedRAMP certs. (Pruitt, 2013) External SLA s with penalties Right to audit Escalation procedures Timeliness in the event of a breach Communication Plan Review their DR plan Participate in their DR exercise; and vice versa Right to visit premises Understand their due diligence on their outside vendors and contractors Cloud usage Where is data stored? Slide 14

#8 Plan for the weakest link in security and make sure it s not YOU or someone on your project team Data leakage from PM s specifically PM s traveling abroad Using public WiFi Lost laptops, smart phones use security cable and don t check your laptop Written or weak passwords http://www.securingthehuman.org/resources Utilize a SETA (Security, Education, Training & Awareness) program. Slide 15

#9 Become a top chef with secret recipes Example handouts SANS Institute Security Best Practices for IT Project Managers top 20 controls IT Project Security Checklist SecSDLC PWC Cybercrime survey Slide 16

See handouts Slide 17

#10 Document lessons learned and tell stories War stories can be one of the most effective ways to motivate secure behaviors and to establish a culture of security in your organization over the long-term. (Pruitt, 2013) What are your stories? Your lessons learned? Q & A Slide 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback