Influence and Implementation

Similar documents
FDIC InTREx What Documentation Are You Expected to Have?

CompTIA CASP (Advanced Security Practitioner)

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

Language for Control Systems

Cyber Hygiene: A Baseline Set of Practices

One Hospital s Cybersecurity Journey

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

AUTHORITY FOR ELECTRICITY REGULATION

CYBER SECURITY POLICY REVISION: 12

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Information Technology Branch Organization of Cyber Security Technical Standard

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Introduction to Business continuity Planning

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Understanding IT Audit and Risk Management

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

External Supplier Control Obligations. Cyber Security

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Assessing Your Incident Response Capabilities Do You Have What it Takes?

Table of Contents. Sample

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Vulnerability Management Policy

NW NATURAL CYBER SECURITY 2016.JUNE.16

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Accelerate Your Enterprise Private Cloud Initiative

PeopleSoft Finance Access and Security Audit

10 FOCUS AREAS FOR BREACH PREVENTION

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

ACM Retreat - Today s Topics:

Dell helps you simplify IT

Information Security Controls Policy

Threat and Vulnerability Assessment Tool

playbook OpShield for NERC CIP 5 sales PlAy

Symantec Backup Exec 2012 OEM FAQ

Think Like an Attacker

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Kaspersky Cloud Security for Hybrid Cloud. Diego Magni Presales Manager Kaspersky Lab Italia

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

Copyright 2011 Trend Micro Inc.

Securing the Grid and Your Critical Utility Functions. April 24, 2017

Take Risks in Life, Not with Your Security

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

UP B03 - Don't expire: Simplify Your Windows Migration Patrick Tyler - Distinguished System Engineer Mike Holmes IT HQ Department of the US Army

HWDSB s Journey to the Cloud

Department of Management Services REQUEST FOR INFORMATION

INFORMATION ASSURANCE DIRECTORATE

IT Modernization In Brief

How Switching to the Cloud Drives Employee and Agency Growth

Cyber Resilience. Think18. Felicity March IBM Corporation

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

SYMANTEC DATA CENTER SECURITY

ICS Security Rapid Digital Risk Assessment

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

FIVE BEST PRACTICES FOR ENSURING A SUCCESSFUL SQL SERVER MIGRATION

Security for NG9-1-1 SYSTEMS

On-site Time and Material Rates for Equipment Not Covered under an HP Service Contract

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

Evolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha

Symantec Data Center Migration Service

Transforming Security Part 2: From the Device to the Data Center

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Launching a Highly-regulated Startup in the Cloud

The Business Value of including Cybersecurity and Vendor Risk in ERM

Manchester Metropolitan University Information Security Strategy

Cyber Security Requirements for Supply Chain. June 17, 2015

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Cyber Security Program

Information Technology Procedure IT 3.4 IT Configuration Management

Davidson Technologies: A Medium Sized Business Experience with DFARS 7012/NIST

THE TRIPWIRE NERC SOLUTION SUITE

VMWARE CLOUD FOUNDATION: INTEGRATED HYBRID CLOUD PLATFORM WHITE PAPER NOVEMBER 2017

Risk Management Framework for DoD Medical Devices

Information Security Guideline OPERATING SYSTEM PATCHING

SANS ICS Europe 2018 Munich, Germany

Emerging Issues: Cybersecurity. Directors College 2015

Cybersecurity Auditing in an Unsecure World

The Honest Advantage

Figure 11-1: Organizational Issues. Managing the Security Function. Chapter 11. Figure 11-1: Organizational Issues. Figure 11-1: Organizational Issues

VIKING. Vital Infrastructure, Networks, Information and Control Systems Management. A Research Project in the EU Seventh Framework Programme

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

SIEM: Five Requirements that Solve the Bigger Business Issues

VALUE OF A CYBERSECURITY SELF-ASSESSMENT

Transcription:

Influence and Implementation Wes Earnest April 2017 GSEC/GCIA/GCIH/ GWAPT/GPEN/GCCC/GSNA/ PMP/CISA/CISM/CGEIT SANS Technology Institute - Candidate for Master of Science Degree 1 1

Objective What does it mean to successfully implement information security? How practical is information security in small organizations? How can I influence my organization to improve information security? SANS Technology Institute - Candidate for Master of Science Degree 2

InfoSec in a Small Company Cyber security is critical to any business enterprise, no matter how small. However, leaders of small businesses often do not know where to begin, given the scope and complexity of the issue in the face of a small staff and limited resources (US-CERT) SANS Technology Institute - Candidate for Master of Science Degree 3

Bank Background Small town community bank Established in the late 1800s Legacy systems Flat network Antiquated core banking system SANS Technology Institute - Candidate for Master of Science Degree 4

Us vs. Them The board and senior management are responsible for understanding the risks associated with existing and planned IT operations, determining the risk tolerance of the institution, and establishing and monitoring policies for risk management (FFIEC, 2004) SANS Technology Institute - Candidate for Master of Science Degree 5

Decision Making Important to understand the current state Who made the decision to implement bad security? Active vs Passive decision making Mapping past decisions to the bank s identity Continuous improvement SANS Technology Institute - Candidate for Master of Science Degree 6

Mitigating Risk (Curtis, 2012) SANS Technology Institute - Candidate for Master of Science Degree 7

Business Risk Manager Only 1 in 10 security leaders have successfully made this transition from technology expert to business risk manager and can effectively communicate IT risks to business peers. (Symantec 2012) SANS Technology Institute - Candidate for Master of Science Degree 8

Real World Case Study Minimum 15 Character Passwords VDI Workstations for All Employees Network Segmentation Vendor Management Process Complete Replacement of Core Banking System SANS Technology Institute - Candidate for Master of Science Degree 9

Building Credibility Implementing 15 Character Passwords User Awareness Training Communicating Risk Creating a Paradigm Shift Increased Productivity SANS Technology Institute - Candidate for Master of Science Degree 10

Workstation Life Cycle Management Upgrading from Windows XP to Windows 7 Migrate from physical workstations to VMWare Virtual Desktops Standardized Configurations Remove Local Admin and Shared Accounts Consistent Application Inventory Consistent Patch Management Improved Incident Response SANS Technology Institute - Candidate for Master of Science Degree 11

Network Segmentation Understanding Baseline Traffic Network Security Monitoring Limiting Lateral Movement Micro Segmentation SANS Technology Institute - Candidate for Master of Science Degree 12

Vendor Management Federal Reserve Guidance on Managing Outsourcing Risk Broad definition of Service Provider Opportunity for improvement Require security review / risk assessment of vendors Require language in contracts for vulnerability remediation SANS Technology Institute - Candidate for Master of Science Degree 13

Core Banking System Request for Proposal Looking for ways to generate value for business operations Vendor consolidation Process efficiencies Contract negotiations Defining security vulnerability SANS Technology Institute - Candidate for Master of Science Degree 14

Summary Implementing information security is more than just turning on a set of controls Small businesses can afford great information security, because it can generate value Influencing the decision making process (effective communication) SANS Technology Institute - Candidate for Master of Science Degree 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback