Information Security Risk Strategies
By Larry Boettger, Berbee (Larry.Boettger@Berbee.com)

Meeting Agenda
- Challenges Faced By IT
- Importance of ISO-17799 & NIST
- The Security Pyramid
- Benefits of Identifying Risks
- Dealing or Not Dealing With Risks
- Applying Real-World Risk Management Methodologies
- Conclusion

Challenges
- Information & System Availability
- Complex Environments
- Connectivity Requirements (Work From Anywhere / Anytime)
- Fast-Paced Growth (Acquisitions)
- Regulation Requirements
- Transitioning from Reactive to Proactive Practices
- Limited Resources (Biggest Challenge)

Regulations
- HIPAA: Health Insurance Portability & Accountability Act
- GLBA: Gramm-Leach-Bliley Act
- SOX: Sarbanes-Oxley Act
- PCI DSS: Payment Card Industry Data Security Standard (the card brands' requirements for anyone who stores, processes or transmits cardholder data)

Key Methodologies
- ISO-17799
- National Institute of Standards & Technology (NIST)
- ITIL
- COBIT

Importance of NIST & ISO-17799
- NIST is referenced throughout most regulations
- Policies and procedures are critical to NIST best practices
- ISO-17799 is the industry-recognized standard for security (ISO/IEC 17799; it was renumbered ISO/IEC 27002 in 2007, so current checklists carry the 27002 control numbering)
- ISO-17799 covers 10 areas of security
- Each ISO-17799 area has individual security items
- If you follow NIST and ISO-17799 you will have a strong security posture and should pass almost every audit (the framework supplies the control set; auditors still test that each control is implemented and operating, which is what the NIST levels below measure)
- Combine NIST SP 800-26 levels and ISO-17799

ISO-17799 Covered Areas
- Security Policies
- Organizational Security
- Asset Classification & Control
- Personnel Security
- Physical and Environmental Security
- Communications & Operations Management
- Access Control
- System Development & Maintenance
- Business Continuity Management
- Compliance

NIST Legend (NIST SP 800-26 self-assessment levels)
- Level 1: control objective documented in a security policy
- Level 2: security controls documented as procedures
- Level 3: policies and procedures have been communicated & implemented
- Level 4: procedures and security controls are tested and reviewed
- Level 5: procedures and security controls are fully integrated into a comprehensive program

ISO-17799 Graph Sample: Business Continuity
[Bar chart. Y-axis: NIST Level (0 to 5). Two series: Actual Practice and Peer Comparison. Categories: Business Continuity Management Process; Business Continuity & Impact Analysis; Writing & Implementing Continuity Plan; Business Continuity Planning Framework; Testing, Maintaining & Reassessing BC Plan. Bar values are not recoverable from the transcription.]

Assess the Pyramid

What is the Pyramid
- A holistic / integrated approach to security
- Represents the key building blocks of a strong information security posture
- Represents Berbee's approach to security
- Much like Maslow's Hierarchy of Needs or the USDA Food Pyramid

Three Types of Clients
- Those that are maintaining the pyramid
- Those who are building the pyramid
- Those that need to start building the pyramid
They all have different pyramid needs.

Security Professional's Goals
- Reduce Risk
- Reduce Cost
- Reduce Complexity

Policies, Procedures, Standards & Leadership Support
- Policies
- Procedures
- Standards
- Leadership Support

Assessments & Risk Management
- Risk Management
  - Provides a roadmap to strengthen weaknesses
  - Provides an idea of the remediation budget
  - If you're regulated, it saves time when the audit occurs
- Assessments
  - Types: Baseline, Compliance, Progress
  - Purposes: Facilitation, Education, Justification

Benefits of Identifying Risks
- Can't manage what you can't measure
  - Knowing the risks lets you determine what to protect and how to protect it against threats
  - It identifies the cost of dealing with threats
- Roadmap for protection mechanisms
  - Knowing the risks is the first step towards evaluating and implementing protection practices and solutions
  - The project plans and head count necessary for risk mitigation get defined
- Enhances proactive response practices
  - Knowing the risks allows more effective incident handling, IT contingency and physical protection mechanisms
  - With risk prioritization, when multiple issues occur at once, time to respond is reduced

Dealing or Not Dealing With Risks
Three ways to deal with a risk:
- Accept the risk as it is
- Mitigate or reduce the risk
- Transfer the risk (insurance)
(Most risk frameworks, NIST SP 800-30 among them, also list a fourth option: avoid the risk by dropping the activity that creates it.)
Not taking the time to identify risks has these potential consequences:
- Significant monetary loss due to attacks
- Regulatory penalties
- Civil penalties (class-action lawsuits by victims)
- Damage to reputation
- Intellectual property loss
- Customer privacy compromised
- Physical loss
- Loss of life in critical infrastructures (transportation, health care, government, utilities)

How To Identify and Prioritize Risk
- First step is a Business Impact Analysis (BIA)
  - Utilize the ISO-17799 checklist
  - Send out a BIA questionnaire to the business units
- Fill out the Risk Assessment Spreadsheet for each system, application and process identified by the BIA and the ISO checklist
- Create the Priority Matrix & Task Lists
  - With the results from the Risk Assessment Spreadsheet and other material, a task plan can be built
- Identify the resources that should be part of the Risk Management Project (the Risk Management Team)
- Risk Management Team first steps
  - Decide whether each risk should be accepted, mitigated or transferred
  - For those that need to be mitigated, determine the next steps
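The "combine NIST 800-26 levels and ISO-17799" idea from the earlier slide and the Risk Assessment Spreadsheet / Priority Matrix steps just listed can be expressed as a small risk register. The Python below is an added example written for this page; it is not Berbee's spreadsheet, nor a NIST or ISO tool. The item names are the Business Continuity sub-areas from the graph sample; every maturity level, criticality, dollar figure and the risk-appetite threshold are constructed, and the accept / mitigate / transfer rule (fix it when the fix costs less than the exposure, insure it when it is too expensive to fix but exceeds the appetite, otherwise accept) is an assumed decision rule, not one the deck prescribes.

```python
"""Toy risk register: ISO-17799 checklist items scored on the NIST SP 800-26
maturity scale, enriched with BIA data, turned into a priority matrix and a
task list. Added illustration for this page; all figures are constructed."""
from dataclasses import dataclass

# NIST SP 800-26 self-assessment levels, as summarised in the deck's legend.
NIST_LEVELS = {
    1: "control objective documented in a security policy",
    2: "security controls documented as procedures",
    3: "policies and procedures communicated and implemented",
    4: "procedures and security controls tested and reviewed",
    5: "fully integrated into a comprehensive program",
}


@dataclass(frozen=True)
class ChecklistItem:
    name: str                    # ISO-17799 checklist item
    actual_level: int            # NIST 800-26 level observed in the assessment
    target_level: int            # level required by regulation, policy or peer benchmark
    criticality: int             # from the BIA questionnaire: 1 (low) .. 5 (mission critical)
    annual_loss_exposure: float  # estimated yearly loss if the control fails (constructed $)
    mitigation_cost: float       # estimated cost to reach target_level (constructed $)

    def __post_init__(self):
        for lvl in (self.actual_level, self.target_level):
            if lvl not in NIST_LEVELS:
                raise ValueError(f"NIST level must be 1..5, got {lvl}")
        if not 1 <= self.criticality <= 5:
            raise ValueError(f"criticality must be 1..5, got {self.criticality}")


def gap(item: ChecklistItem) -> int:
    """Maturity shortfall in levels; zero when the item already meets its target."""
    return max(0, item.target_level - item.actual_level)


def risk_score(item: ChecklistItem) -> int:
    """Priority-matrix score: maturity gap weighted by business criticality (0..20)."""
    return gap(item) * item.criticality


def treatment(item: ChecklistItem, risk_appetite: float) -> str:
    """Assumed accept / mitigate / transfer rule for one item.

    risk_appetite is the yearly loss the business will carry without action;
    above it, a risk that costs more to fix than it exposes is transferred (insured).
    """
    if gap(item) == 0:
        return "accept"
    if item.mitigation_cost <= item.annual_loss_exposure:
        return "mitigate"
    if item.annual_loss_exposure > risk_appetite:
        return "transfer"
    return "accept"


def _ranked(items):
    # Highest score first; larger exposure, then name, break ties deterministically.
    return sorted(items, key=lambda i: (-risk_score(i), -i.annual_loss_exposure, i.name))


def prioritize(items, risk_appetite: float):
    """Priority matrix rows, highest-priority item first."""
    return [
        {"name": i.name, "score": risk_score(i), "gap": gap(i),
         "treatment": treatment(i, risk_appetite)}
        for i in _ranked(items)
    ]


def task_list(items, risk_appetite: float):
    """One task per item marked 'mitigate', in priority order, for the project plan."""
    return [
        f"{i.name}: level {i.actual_level} ({NIST_LEVELS[i.actual_level]}) -> "
        f"level {i.target_level} ({NIST_LEVELS[i.target_level]}), "
        f"est. ${i.mitigation_cost:,.0f}"
        for i in _ranked(items)
        if treatment(i, risk_appetite) == "mitigate"
    ]


# Constructed sample: the five Business Continuity sub-areas from the graph slide.
SAMPLE_ITEMS = [
    ChecklistItem("Business continuity management process", 2, 4, 4, 250_000, 40_000),
    ChecklistItem("Business continuity & impact analysis", 1, 3, 5, 400_000, 60_000),
    ChecklistItem("Writing & implementing continuity plan", 3, 3, 5, 150_000, 0),
    ChecklistItem("Business continuity planning framework", 1, 4, 3, 50_000, 120_000),
    ChecklistItem("Testing, maintaining & reassessing BC plan", 2, 4, 2, 300_000, 500_000),
]
RISK_APPETITE = 100_000  # constructed: yearly loss the business will carry without action

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ITEMS, RISK_APPETITE):
        print(f"{row['score']:>2}  gap={row['gap']}  {row['treatment']:<8}  {row['name']}")
    print("\nTasks:")
    for task in task_list(SAMPLE_ITEMS, RISK_APPETITE):
        print(" -", task)
```

Run it directly to print the priority matrix and the mitigation task list. In practice the target levels come from whichever regulation is driving the audit and the exposure figures from the BIA questionnaire, which is why the BIA is the first step: without it the spreadsheet has gaps but no way to rank them.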

Key Processes In the Overall InfoSec Program
- Assess policies, standards and procedures by conducting a gap analysis
- Author the policies and procedures that are not in place, based on the gap analysis
- Implement an internal audit and assessment process
- Conduct a risk analysis to identify systems and applications and their critical priority level
- Build an incident response / handling process

Key Processes Continued
- Implement release, configuration and change management processes
- Create a security awareness program for all internal personnel
- Conduct a cost / benefit analysis (CBA) on technologies that can help reduce the complexity and costs associated with security risks
- Designate staff to lead the security initiatives and allow them time to do so
- Assess what organizations in your industry, and those similar in size and strategy, are doing for their security initiatives

Key Takeaways
- ISO-17799 and NIST are important components in identifying, measuring and managing risks
- Risk management needs leadership support to get the resources to deal with it
- Not dealing with risk has consequences
- There are free tools available for initiating and maintaining the risk management process
- Risk management involves diligence, key personnel involvement and keeping it simple

Links & Tools
- http://www.securityfocus.com/vulnerabilities
- http://www.infosyssec.com/index.shtml
- http://www.nessus.org
- http://new.remote-exploit.org/index.php/auditor_main (Auditor)
- http://www.iwhax.net/modules/news/ (Whoppix)
- http://www.knoppix.net/
- http://www.isecom.org/osstmm/
- http://www.insecure.org
- http://www.foundstone.com/
- http://www.metasploit.com/
- http://packetstormsecurity.nl/
(Auditor and Whoppix were the live-CD pentest distributions that merged into BackTrack, the predecessor of Kali Linux; several of the links on these two slides are no longer live.)

More Links & Tools
- http://www.owasp.org/index.jsp
- http://www.hackingexposed.com/
- http://www.sans.org
- http://www.sans.org/score/
- http://isc.sans.org/
- http://csrc.nist.gov/publications/nistpubs/
- http://csrc.nist.gov/pcig/cig.html
- http://csrc.nist.gov/checklists/repository/category.html
- http://www.iso17799software.com/
- http://www.microsoft.com/security
- http://www.cisco.com/security

Thank You