Information Security For Leaders, By a Leader

Evan Francen, President of FRSecure, discusses the challenges of building an efficient and effective security program in today’s world. Learn why most leaders have a false assumption of security, and how you can avoid the security mistakes most organizations make. - Delivered on 4/17/12 at TechPulse 2012.

Usage Rights

© All Rights Reserved

Presentation Transcript

  • Information Security for Leaders, From a Leader. TechPulse 2012 – April 17th, 2012. Presented by Evan Francen, President – FRSecure, LLC. http://www.frsecure.com | 952-467-6384
  • Introduction. Before we get started: • This is not your typical presentation. • What you have to say is as important as what I am going to tell you. • You are encouraged to participate! I will ask you questions if you don’t ask me some!
  • Introduction: FRSecure. • Information security consulting company – it’s all we do. • Established in 2008 by people who have earned their stripes in the field. • We help small to medium sized organizations solve information security challenges.
  • Introduction: Speaker – Evan Francen, CISSP CISM CCSK. • President & Co-founder of FRSecure. • 20 years of information security experience. • Security evangelist with more than 700 published articles. • Experience with 150+ public & private organizations.
  • Introduction: Topics. • What is information security? • What do business leaders need to know? • You’re in business to make money. • Understand risk and manage it. • How we help. • Where should you start? • Need help? – Contact us!
  • When you think of information security, how do you feel? Be honest.
  • What is information security? This is really a question for you.
  • What is Information Security?
  • Information Security Is Not an IT Issue. Information security is the application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of information. IT-centric information security over-emphasizes Technical controls, often at the expense of Administrative and Physical controls. IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity.
  • It’s not compliance, but compliance is important. Today’s compliance landscape is confusing! Federal Regulations: • HIPAA, GLBA, FTC Act, ECPA, Computer Fraud and Abuse Act, etc. State Regulations: • Breach notification laws, data destruction laws, data protection laws. Industry Regulations: • Payment Card Industry Data Security Standard (PCI DSS). Customer Regulations: • Good luck!
  • What do business leaders need to know? Business leaders have ultimate responsibility for information security. Due Care (aka “duty of care”): • Provides a framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve. • Often references the Prudent Man Rule, and requires that the organization engage in business practices that a prudent, right-thinking person would consider to be appropriate. • Businesses that are found not to have applied this minimum duty of care can be deemed negligent in carrying out their duties.
  • What do business leaders need to know? Business leaders have ultimate responsibility for information security. Due Diligence: • Requires that an organization continually scrutinize its own practices to ensure that it is always meeting or exceeding the requirements for protection of assets and stakeholders. • Due diligence is the management of due care: it follows a formal process. • Persons are said to have exercised due diligence, and therefore cannot be considered negligent, if they were prudent in their investigation of potential risks and threats.
  • You are in business to make money. Sometimes information security professionals forget this fact! • Not all risks require mitigation/remediation. • Information security must be strategic. • Information security strategy must align with business strategy. • Avoid business vs. information security scenarios. • Information security controls should be as transparent as possible.
  • The Answer: Understand Risk and Manage It. • Risk is unique to your business and environment; information security is not a one-size-fits-all solution. • Risk = Likelihood x Impact. • Risks change as your business environment changes. • There is no “easy button”. • You don’t need to know about every risk, but you must know about the significant ones.
  • How we help – Risk Assessment
  • How we help – Risk Management (Build & Manage)
  • Where should you start? Conduct a risk assessment. • Do it right. • Comprehensive. • Quantified/Measured/Scored. • Choose a standard (ISO, NIST, COBIT, etc.).
  • Where should you start? Make Decisions. Once you understand your risks, you can decide what you want to do about them: • Accept some risk. • Mitigate some risk. • Transfer some risk. Where organizations get in trouble is in ignoring risks and/or assuming that they don’t exist.
  • Where should you start? Your own information security risk management program: • Conduct Risk Assessment. • Make Decisions. • Plan Strategically. • Update Regularly.
  • Need Help? Contact FRSecure! Some of our services: • Information Security Assessments • Compliance Assessments (e.g., HIPAA, GLBA) • Customer Required Assessments • Internal Network Vulnerability Assessments • External Network Security Assessments • Penetration Testing • BC/DR Plans • Policy Creation • Outsourced Security Resources. Evan Francen, CISSP CISM, President. evan@frsecure.com | 952-467-6384 (direct) | www.frsecure.com
  • Thank you! Questions?