Navigate IT Security with a Framework as Your Guide, October 7th, 2016
Background: George Lazarou. 16 years' security experience in various roles, both technical and non-technical: AT&T Labs Research, Army, Navy Medicine, Air Force, Federal Reserve Bank NY, MetLife. Member of ISACA and ISC2.
Security vs Compliance. IT Security and Compliance may overlap, but they are not the same thing. Compliance may not meet the requirements of a good security practice. Security is something we do to prevent a loss and reduce risk.
Everyone else is doing it. I want to do it too. The issue is that I don't know how to get started.
And I don't want this to happen.
IT Security Responsibilities. Do we have a way to address all of these? If yes, how do we know: metrics, audits, tribal knowledge?
Budget, Business Enablement, Security Operations, Project Management, Compliance and Audit, CISO, Identity Management, Governance, Security Architecture, Legal and HR.
Security Operations. What do we need to implement? People, process, or technology, or a combination of all three?
Configuration Management, Vulnerability Management, Network and Firewall, DDoS, Application Security, DLP, Security Operations, IDS/IPS, Patch Management, Incident and Breach Management, Threat Detection.
High-level evaluation (feel free to disagree). A breach or loss is a sign of failure. Lack of a breach or incident is not an indicator of security success. You need to define what is meaningful to your organization and then measure that you are achieving it.
Modes of Operation.
Tactical Security: IT Security is treated as an IT problem. No CISO, or a purely technical CISO. Not involved in business decisions. Reactive role.
Strategic Security: a CISO who understands the business and has a relationship with it. Good manager, possibly less technical. Able to identify and communicate risks, and how and why to mitigate them. Proactive role, aligned with the business.
How to Prioritize. From "Identifying How Firms Manage Cybersecurity Investment", Southern Methodist University, October 2015:
Use of frameworks to make the budget case.
Allow the CISO to articulate where investments should be made.
Used as a tool to create a strategy for security.
Facilitates the communication of strengths and weaknesses in the security program.
All of the firms that had a framework felt their budget was appropriate.
IT Security Framework as a Management Tool. An IT security framework lets you report gaps in security to senior management, and coordinate, delegate, and plan both near term and strategically.
Example IT Security Frameworks: NIST SP 800-53, ISO 27000 series, NIST Cybersecurity Framework.
Here is what I think.
People: experienced people are scarce or over-tasked.
Process: process doesn't define the goals of the program.
Technology: technology is getting better.
Frameworks are not necessarily prescriptive. They don't draw a line in the sand.
You need to make a process measurable. Take NIST Cybersecurity Framework PR.IP-12: "A vulnerability management plan is developed and implemented", which maps to ISO/IEC 27001:2013 A.12.6.1, A.18.2.2 and NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2. While the controls have a directive, they don't give specifics about measurable criteria. You supply those yourself and run the cycle: create controls (e.g. "All critical security patches will be installed within 45 days"), patch, validate, evaluate, report and improve.
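As an added example (not code from the presentation) of what "make it measurable" looks like in practice, the script below takes the criterion stated on the slide, critical patches installed within 45 days, and evaluates a patch inventory against it, producing the number that goes into the report. The PatchRecord fields, the SAMPLE inventory with its hypothetical hosts and advisory IDs, and the reporting date are assumptions for illustration; feed it your own scanner or patch-management export.

```python
"""Turn a framework control into a measurable check.

Added example, not code from the original presentation. It evaluates a
patch inventory against the criterion on the slide: all critical security
patches installed within 45 days of release. The record layout, the SAMPLE
data (hypothetical hosts and advisory IDs) and the 45-day SLA are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = 45                  # the measurable target written into the control
SEVERITY_IN_SCOPE = "critical"  # the control only speaks to critical patches


@dataclass
class PatchRecord:
    host: str
    advisory: str
    severity: str
    released: date             # vendor release date; the SLA clock starts here
    installed: Optional[date]  # None means the patch is still outstanding

    def deadline(self, sla_days: int = SLA_DAYS) -> date:
        return self.released + timedelta(days=sla_days)


# Constructed sample inventory (hypothetical hosts and advisory IDs).
SAMPLE: List[PatchRecord] = [
    PatchRecord("web-01", "ADV-001", "critical", date(2016, 8, 1), date(2016, 8, 20)),
    PatchRecord("web-02", "ADV-001", "critical", date(2016, 8, 1), date(2016, 9, 28)),
    PatchRecord("db-01", "ADV-002", "critical", date(2016, 8, 15), None),
    PatchRecord("db-02", "ADV-002", "critical", date(2016, 8, 15), date(2016, 9, 29)),
    PatchRecord("app-01", "ADV-003", "high", date(2016, 8, 15), None),
    PatchRecord("app-02", "ADV-004", "critical", date(2016, 9, 20), None),
]


def measure(records: List[PatchRecord], as_of: date,
            sla_days: int = SLA_DAYS, severity: str = SEVERITY_IN_SCOPE) -> Dict[str, object]:
    """Classify every in-scope record as of a reporting date and compute the rate.

    compliant: installed on or before the deadline
    late:      installed, but after the deadline (a breach that is now closed)
    overdue:   not installed and the deadline has passed (an open breach)
    pending:   not installed, deadline still in the future (not yet measurable)
    rate:      compliant / (compliant + late + overdue); only records whose
               deadline has passed count, so open windows do not skew the number
    """
    buckets: Dict[str, List[PatchRecord]] = {
        "compliant": [], "late": [], "overdue": [], "pending": []}
    for r in records:
        if r.severity != severity or r.released > as_of:
            continue  # out of scope, or not yet released on the reporting date
        deadline = r.deadline(sla_days)
        # An install dated after the reporting date had not happened yet "as of" then.
        installed = r.installed if r.installed is not None and r.installed <= as_of else None
        if installed is not None:
            buckets["compliant" if installed <= deadline else "late"].append(r)
        elif as_of > deadline:
            buckets["overdue"].append(r)
        else:
            buckets["pending"].append(r)
    due = len(buckets["compliant"]) + len(buckets["late"]) + len(buckets["overdue"])
    rate = len(buckets["compliant"]) / due if due else None
    return {**buckets, "rate": rate}


def report(summary: Dict[str, object], as_of: date, sla_days: int = SLA_DAYS) -> List[str]:
    """Lines for the 'report and improve' step: the metric, then every breach with its age."""
    rate = summary["rate"]
    lines = [f"As of {as_of}: critical patches within {sla_days} days: "
             + ("n/a (nothing due yet)" if rate is None else f"{rate:.0%}")]
    for r in summary["overdue"]:
        lines.append(f"OVERDUE {r.host} {r.advisory}: "
                     f"{(as_of - r.deadline(sla_days)).days} days past deadline")
    for r in summary["late"]:
        lines.append(f"LATE    {r.host} {r.advisory}: installed "
                     f"{(r.installed - r.released).days} days after release")
    lines.append(f"Pending (still inside the window): {len(summary['pending'])}")
    return lines


if __name__ == "__main__":
    today = date(2016, 10, 7)  # reporting date for the run; assumed, matches the talk date
    print("\n".join(report(measure(SAMPLE, today), today)))
```

The rate is computed only over records whose deadline has already passed: counting still-open windows as successes would flatter the number, and counting them as failures would punish patches that are not yet due. The "late" bucket is kept separate from "overdue" so the report shows both the open breaches to chase now and the closed ones that tell you where the process slipped.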
Sound familiar? It's like any other business improvement process. And the more you treat security like any other business process, the easier it is to integrate into the organization. IT Security is a business concern, not an IT issue.
Ransomware is a symptom of a breakdown in process. A ransomware attack tests each of these: Incident Response, Backup and Restore, Vulnerability Management, Access Controls, Configuration Management, User Awareness.
Addressing your organization's cybersecurity needs. There is a lack of IT Security talent in the industry. Is it something your organization wants to do? What are your options?
Ignore: wait for an attack or breach to act.
Own it: train internally, purchase solutions.
Get help: cloud provider, managed solutions.
Aspire Services Portfolio:
Risk Assessment/Analysis; Policy and Procedure Review and Creation; HIPAA Security Compliance; Governance and Management; Business Alignment; Security Training and Phishing Campaigns; NIST Security Compliance; Penetration Testing; External Security Audit; Internal Audit; Configuration Management and Guidance; Security Product Configuration Audit and Testing; Security Engineering; Wireless Security Testing; Web Application Security Testing; Firewall Security Testing; Network Security Review; Endpoint Security Management.
Managed Services: Managed IT Governance, Risk, and Compliance Solutions; Managed Security Operations, Analytics and Reporting; Managed Security Monitoring (SOC Services); Managed IT Operations (NOC Services).
Thank you.