Navigate IT Security with a Framework as Your Guide

Navigate IT Security with a Framework as Your Guide, October 7th, 2016

Background: George Lazarou
- 16 years of security experience in various roles, both technical and non-technical: AT&T Labs Research, Army, Navy Medicine, Air Force, Federal Reserve Bank NY, MetLife
- Member of ISACA and ISC2

Security vs. Compliance
- IT security and compliance may overlap, but they are not the same thing.
- Compliance may not meet the requirements of a good security practice.
- Security is something we do to prevent a loss and reduce risk.

Everyone else is doing it. I want to do it too. The issue is that I don't know how to get started.

And I don't want this to happen.

IT Security Responsibilities (centered on the CISO)
- Budget
- Business Enablement
- Sec Ops
- Project Management
- Compliance and Audit
- ID Management
- Governance
- Security Architecture
- Legal and HR
Do we have a way to address all of these? If yes, how do we know? Metrics, audits, tribal knowledge?

Security Operations
What do we need to implement? People, process, or technology? Or a combination of all three?
- Configuration Management
- Vulnerability Management
- Network and Firewall
- DDoS
- Application Security
- DLP
- IDS/IPS
- Patch
- Incident Management and Breach
- Threat Detection

High-level evaluation (feel free to disagree)
- A breach or loss is a sign of failure.
- Lack of a breach or incident is not an indicator of security success.
- You need to define what is meaningful to your organization and then measure that you are achieving it.

Modes of Operation
Tactical Security
- IT security is an IT problem
- No CISO, or a technical CISO
- Not involved in business decisions
- Reactive role
Strategic Security
- CISO that understands the business and has a relationship with it
- Good manager, possibly less technical
- Ability to identify and communicate risks, and how and why to mitigate them
- Proactive role, aligned with the business

How to Prioritize
From "Identifying How Firms Manage Cybersecurity Investment", Southern Methodist University, October 2015:
- Use of frameworks to make the budget case
- Allows the CISO to articulate where investments should be made
- Used as a tool to create a strategy for security
- Facilitates the communication of strengths and weaknesses in the security program
- All of the firms that had a framework felt their budget was appropriate

IT Security Framework as a Management Tool
- Report gaps in security to senior management
- Coordinate, delegate, and plan both near term and strategically

Example IT Security Frameworks
- NIST SP 800-53
- ISO 27000 series
- NIST Cybersecurity Framework

Here is what I think: People, Process, Technology
- Technology is getting better.
- Experienced people are scarce or over-tasked.
- Process doesn't define the goals of the program.

Frameworks are not necessarily prescriptive. They don't draw a line in the sand.

You need to make a process measurable.
Example control: PR.IP-12, "A vulnerability management plan is developed and implemented." Informative references: ISO/IEC 27001:2013 A.12.6.1, A.18.2.2; NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2.
While the controls have a directive, they don't give specifics about measurable criteria. You supply them yourself, for example: "All critical security patches will be installed within 45 days."
Process cycle: Create Controls, Patch, Validate, Evaluate, Report and improve.

Sound familiar? It's like any other business improvement process. And the more you treat security like any other business process, the easier it is to integrate into the organization. IT security is a business concern, not an IT issue.

Ransomware is a symptom of a breakdown in process. The processes surrounding a ransomware attack:
- Incident Response
- Backup and Restore
- Vulnerability Management
- Access Controls
- Configuration Management
- User Awareness

Addressing your organization's cybersecurity needs
There is a lack of IT security talent in the industry. Is it something your organization wants to do? What are your options?
- Ignore: wait for an attack or breach to act.
- Own it: train internally, purchase solutions.
- Get help: cloud provider, managed solutions.

Aspire Services Portfolio
- Risk Assessment/Analysis
- Policy and Procedure Review and Creation
- HIPAA Security Compliance
- Governance and Management
- Business Alignment
- Security Training and Phishing Campaigns
- NIST Security Compliance
- Penetration Testing
- External Security Audit
- Internal Audit
- Configuration Management and Guidance
- Security Product Configuration Audit and Testing
- Security Engineering
- Wireless Security Testing
- Web Application Security Testing
- Firewall Security Testing
- Network Security Review
- Endpoint Security Management

Aspire Services Portfolio: Managed Services
- Managed IT Governance, Risk, and Compliance Solutions
- Managed Security Operations, Analytics and Reporting
- Managed Security Monitoring (SOC Services)
- Managed IT Operations (NOC Services)

Thank you.