Enterprise Security
- Critical Security Functions
• There are several elements to consider when properly protecting an organization. To align security adequately, an information security standard such as ISO 27002 can be used as the reference.
• For many organizations, a narrower framework scope is necessary in order to implement security controls quickly and bring the organization to an acceptable security posture.
• This article describes the main areas on which an enterprise can focus to quickly raise its security posture.
• This guide does not cover every control and control objective; its main focus is to provide guidance on critical aspects that are often forgotten or not properly addressed.
Enterprise Security
- Critical Security Functions version 1.0
June 10th 2015
Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
Among the biggest security challenges
• One of the biggest challenges for an organization is establishing roles for security.
• Undefined roles lead to inappropriate security management and practice. In that situation, everyone gives their best effort to maintain overall security, but in an unstructured way.
• This can give positive results for a while, but over a longer period the security posture of the organization will almost always degrade.
• Planning, organizing, implementing and verifying security is challenging for every organization.
How to improve?
Security Governance
• Establish an authoritative role for Information Security, with accountability and responsibility defined in a security program.
• There must be a management role for Information Security Management, such as a CISO or CSO. This person must determine the roles and responsibilities of the Information Security team members (incident management, vulnerability management, system change/update, etc.) and formalize operational security roles, responsibilities and processes.
• Roles and responsibilities must be officially defined and integrated into the job functions of each member of the security team. Interaction with other teams, such as the system administration group and other departments, must be defined and understood by the security team.
• Security team members must be adequately trained, and a standard practice for security awareness and training must be in place.
IT Risk Management
• An IT Risk Management standard practice must be in place in order to implement appropriate controls and to justify decisions according to the risk and impact on the enterprise of various situations or scenarios (e.g. cyber-attack, natural disaster, human error such as misconfiguration).
• A standard methodology and templates must exist for information classification and risk/impact analysis.
• Controls that reduce the capability of a threat/attack and controls that reduce vulnerabilities must be identified, implemented, audited and verified regularly.
• When a control required by the identified risk/impact cannot be implemented, a documented justification with compensating measures must exist. Justifications must be reviewed periodically and are valid only for a limited time. Every effort must be made to retire the justification and implement the control so as to reduce the risk/impact.
Information System Management
• Protective equipment (e.g. servers, firewalls, IPS) must be selected according to the identified risk and impact, then implemented, audited and verified regularly.
• Appropriate systems and equipment must be available to security team members to conduct their tasks, such as a ticketing system for incident management.
• Protective systems must be kept up to date, and modifications must follow the change management process in place.
• Following an incident, and according to the results of the investigation, protective systems must be updated where applicable (e.g. increase logging, update protective rules).
Threat & Incident Management
• Roles regarding incident management must be identified (e.g. security manager, IT Security Leader, IT Security Analyst, other teams' responsibilities and interactions).
• A plan, a process and a practice must be in place for threat and incident management.
• Manual threat and incident activities must be in place to identify irregularities (e.g. log review, system audit).
• Automation must exist to detect known threats at the organizational boundary, and at lower network layers in case a threat has passed the main defensive systems.
• A threat intelligence mechanism is strongly suggested (e.g. correlation of internal network/system events with external threat feeds).
• An incident management system must be available and used to track and manage incidents.
• An investigation standard must exist in the organization, specifying how incidents are investigated, the systems to be used and the procedure to follow.
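The correlation suggested above, as an added example that is not part of the original deck: a small Go program matches constructed egress firewall/proxy events against a constructed indicator list and reports every hit. The key=value event format, the field names (dst, host) and the indicators (documentation-range addresses and example domains) are assumptions for illustration; in practice the feed would be pulled from a provider and the events read from the log collector or SIEM.

```go
package main

import (
	"fmt"
	"strings"
)

// Match records one internal event that hit an external indicator.
type Match struct {
	Event     string // the raw event line
	Field     string // which event field matched (dst or host)
	Indicator string // the feed entry that matched
	Reason    string // description carried by the feed
}

// ThreatFeed maps an indicator (IPv4 address or lower-case hostname) to its
// description. Constructed sample entries only: documentation-range addresses
// and example domains, not real indicators.
var ThreatFeed = map[string]string{
	"203.0.113.45":    "known command-and-control server (sample feed entry)",
	"malware.example": "malware distribution domain (sample feed entry)",
}

// InternalEvents is a constructed sample of egress events in a simple
// key=value format (values contain no spaces). Assumed field names.
var InternalEvents = []string{
	"ts=2015-06-10T10:01:02Z src=10.0.0.12 dst=198.51.100.7 host=intranet.local action=allow",
	"ts=2015-06-10T10:01:09Z src=10.0.0.31 dst=203.0.113.45 host=- action=allow",
	"ts=2015-06-10T10:02:15Z src=10.0.0.12 dst=192.0.2.8 host=MALWARE.example action=allow",
	"ts=2015-06-10T10:03:00Z src=10.0.0.50 dst=192.0.2.9 host=updates.example action=allow",
}

// parseKV turns "k=v k=v ..." into a map; tokens without '=' are ignored.
func parseKV(line string) map[string]string {
	fields := make(map[string]string)
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// Correlate checks the destination address and the hostname of each event
// against the feed and returns every hit. Hostnames are compared
// case-insensitively, and an event yields at most one match.
func Correlate(events []string, feed map[string]string) []Match {
	var hits []Match
	for _, ev := range events {
		f := parseKV(ev)
		for _, field := range []string{"dst", "host"} {
			ind := strings.ToLower(f[field])
			if reason, ok := feed[ind]; ok {
				hits = append(hits, Match{Event: ev, Field: field, Indicator: ind, Reason: reason})
				break
			}
		}
	}
	return hits
}

func main() {
	for _, m := range Correlate(InternalEvents, ThreatFeed) {
		fmt.Printf("ALERT field=%s indicator=%s reason=%q\n  event: %s\n",
			m.Field, m.Indicator, m.Reason, m.Event)
	}
}
```

On the sample above the second and third events are flagged (one by destination address, one by hostname) and the two others pass; each alert is what would be opened as a ticket in the incident management system the deck asks for.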
Vulnerability Management
• A process and a practice must be in place for vulnerability management.
• The roles of security, system administration, asset owners, change management, compliance, etc. must be defined in a process and in a RACI chart.
• There must be a mechanism to be informed of known vulnerabilities affecting the systems in scope (e.g. external advisory feeds), which requires an up-to-date inventory of those systems and their versions.
• There must be a procedure for emergency or critical updates in order to implement fixes quickly and remain secure.
• Every significant change must be logged, verified, confirmed and conducted according to the change management practice in place.
Protecting Information Resources
• According to the classification scheme defined in the risk management activities, data must be classified in terms of confidentiality, integrity and availability.
• To be able to protect the information, a protection map must be created (e.g. a map of all information and systems of the organization).
• There must be roles specifying the management, prevention, detection, response and correction of security issues or disruptions, in order to maintain integrity, availability and confidentiality on a daily basis.
• Standards must be in place for cryptography (e.g. hashing for integrity, symmetric encryption for confidentiality, asymmetric keys for authenticity). Note that an unkeyed hash only detects modification if the digest itself is stored where an attacker cannot rewrite it; otherwise a keyed MAC or a signature is needed.
• Cryptographic mechanisms must be implemented and used according to the information classification, risk and impact defined in the risk management activities where security controls are defined.
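To make the mapping of primitives to properties concrete, here is an added example (not code from the original deck) using only Go's standard library: a SHA-256 digest for integrity, AES-256-GCM for confidentiality, and an Ed25519 signature for authenticity. The choice of these three algorithms, the sample record and the in-memory keys are assumptions; a real standard also has to specify key generation, storage, rotation and approved key lengths, which this snippet does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Integrity: a SHA-256 digest of the data, hex encoded. It detects
// modification only if the digest itself cannot be rewritten by the attacker.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest compares in constant time so the check does not leak how many
// leading characters matched.
func VerifyDigest(data []byte, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(Digest(data)), []byte(expected)) == 1
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Confidentiality: AES-256-GCM. GCM also authenticates, so a modified
// ciphertext is rejected on decryption. A random 96-bit nonce is prepended to
// the ciphertext; it must never repeat under the same key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits off the nonce and opens the ciphertext; any tampering with
// nonce or ciphertext makes Open return an error.
func Decrypt(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Authenticity: Ed25519. Only the private key holder can sign; anyone holding
// the public key can verify, which covers integrity of the signed data too.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

func Verify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	record := []byte("classification=CONFIDENTIAL payroll-export 2015-06") // constructed sample
	key := make([]byte, 32)                                                // throwaway AES-256 key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), record...)
	tampered[0] ^= 0x01

	digest := Digest(record)
	fmt.Println("integrity ok:", VerifyDigest(record, digest), "after tampering:", VerifyDigest(tampered, digest))

	ct, _ := Encrypt(key, record)
	pt, err := Decrypt(key, ct)
	fmt.Println("confidentiality roundtrip ok:", err == nil && string(pt) == string(record))
	ct[len(ct)-1] ^= 0x01
	_, err = Decrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	sig := Sign(priv, record)
	fmt.Println("authenticity ok:", Verify(pub, record, sig), "forged record accepted:", Verify(pub, tampered, sig))
}
```

The design point the deck leaves implicit: GCM already gives integrity of the ciphertext, and a signature gives integrity of the signed data, so the bare hash is only the right tool where the digest lives somewhere the data's attacker cannot reach (for example a signed manifest or a write-once log).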
BCP Management
• Backup systems and data must be available in a timely fashion in order to maintain operations, especially in case of an incident.
• Backups must be verified regularly (e.g. by periodic test restores) to ensure the viability of the information and systems.
• It is strongly suggested to use a virtual environment with ready-to-restore image backups. In case of an incident, an image can be restored, updated to the current stable state and brought live into production so that operations continue normally.
Identity and Access Control Management
• Policies must exist for internal and external access to ensure they are managed according to different criteria and needs (e.g. vendor access, employee access), and different rules must be implemented accordingly.
• It is strongly suggested to follow the principle of least privilege at all times and to remove rights as soon as someone no longer has a need to know or a need to use them in order to accomplish their work.
• It is also strongly suggested to follow the principle that "all users are considered untrusted until they prove their need to know or need to use according to criteria (e.g. group, ID, system integrity check)". Even an employee account can be considered untrusted at first and gain more access according to those criteria.
Identity and Access Control Management (continued)
• A security architecture must define the various zones of the organization (e.g. Intranet, Extranet, shared services), with control objectives defined for each zone and controls that meet those objectives. Risk and impact are important elements to consider when defining control objectives (e.g. everyone can access the zone, only employees can access the zone, remote users cannot access the zone).
• Two-factor authentication is strongly suggested for access to sensitive or critical systems.
• A process must be in place for commissioning and decommissioning accounts; where possible, it should be automated. A practice must be in place defining the management of identities in the organization (e.g. account review, password strength/change).
• Disclosure of a privileged account can lead to greater impact, so privileged accounts must be managed, monitored and verified closely. For external access, such as vendor access, it can be appropriate for a security analyst to monitor the session (remote session opening, monitoring of changes, ensuring the remote session is closed).
Change Management
• We must distinguish "significant change" from "non-significant change" (e.g. a kernel update is significant; a virus definition update is not).
• A policy, a process and the corresponding procedures must be defined, understood and followed for any significant change.
• There must be rules for emergency/critical changes in order to provide the flexibility needed to react quickly and properly. These rules must not be pass-through rules: every exception must be justified. Usually, the standard change management steps are only delayed, not skipped.
• There must be a roll-back process and procedure, with the information and systems ready to return to a stable state in case of an unsuccessful change.
Physical Security
• With current trends, information is becoming more and more accessible electronically and often online. Many objects now integrate electronic remote access (e.g. cars), and physical security must be rethought to include electronic emissions, radio frequency, mobile and Wi-Fi transmissions, and access to interfaces/protocols.
• Biometric mechanisms are becoming standard in many organizations. A false positive (false acceptance) is when an individual gains access without being entitled to it; such incidents are very critical, and tests and evidence must exist to confirm the effectiveness of the device.
• Physical security measures can prevent, detect, deter, etc. (e.g. outside lighting, fences).
• Data centres must be chosen carefully (e.g. not close to a river, with multiple road accesses), and the disaster recovery site must be at an appropriate distance and location so that the same geographical disaster cannot affect both.
• Any privileged access must be supported by two-factor authentication (e.g. magnetic card/PIN pad lock plus fingerprint).

Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Enterprise Security Critical Security Functions version 1.0

  • 1. Enterprise Security - Critical Security Functions
    - There are several elements to consider to properly protect an organization. To align security adequately, an organization can refer to an information security standard such as ISO 27002.
    - For many organizations, a smaller framework scope can be necessary in order to quickly implement security controls and bring the organization to an acceptable security posture.
    - In this article, we describe the main areas on which to focus to quickly increase the security posture of an enterprise.
    - This guide does not encompass all controls and control objectives; its main focus is to provide guidance on critical aspects that are often forgotten or not properly addressed.
    Enterprise Security - Critical Security Functions version 1.0, June 10th 2015, Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
  • 2. Among the biggest security challenges
    - One of the biggest challenges for an organization is to establish roles for security.
    - Undefined roles lead to inappropriate security management and practice. In this circumstance, everyone gives their best effort to maintain the overall security in an unstructured way.
    - It can give positive results for a certain time, but over a long period the security posture of the organization will almost always decrease.
    - The planning, organization, implementation and verification of security is challenging for every organization.
    How to improve?
  • 3. Security Governance
    - Establish an authoritative role for Information Security with accountability and responsibility in a security program.
    - There must be a management role for Information Security Management such as CISO, CSO, etc. This person must determine the roles and responsibilities of the Information Security members (incident management, vulnerability management, system change/update, etc.). Formalize operational security roles, responsibilities and processes.
    - Roles and responsibilities must be officially defined and integrated into the work functions of each member of the security team. Interaction with other teams, such as the system administration group and other departments, must be defined and understood by the security members.
    - Security members must be adequately trained, and a security awareness and training standard practice must be in place.
  • 4. IT Risk Management
    - An IT Risk Management standard practice must be in place in order to implement appropriate controls and justify decisions according to the risk and impact on the enterprise of various situations or scenarios (ex.: cyber-attack, natural disaster, human error such as misconfiguration, etc.).
    - A standard methodology and templates must exist for information classification and risk/impact analysis.
    - Controls to reduce the capability of a threat/attack and controls to reduce vulnerabilities must be identified, implemented, audited and verified regularly.
    - When a necessary control cannot be implemented according to the identified risk/impact, a justification must exist together with compensatory measures. Justifications must be reviewed periodically and are valid only for a certain period of time. All effort must be made to eliminate the justification and implement the control to reduce the risk/impact.
  • 5. Information System Management
    - Protection equipment, according to the identified risk and impact, must be selected, implemented, audited and verified regularly (ex.: servers, firewall, IPS, etc.).
    - Appropriate systems and equipment must be available to security members to conduct their tasks, such as a ticketing system for incident management.
    - Protection systems must be kept up to date, and modifications must follow the change management process in place.
    - Following an incident, according to the results of the investigation, protective systems must be updated when applicable (ex.: increase logging, update protective rules, etc.).
  • 6. Threat & Incident Management
    - Roles regarding incident management must be identified (ex.: security manager, IT Security Leader, IT Security Analyst, other teams' responsibilities/interaction, etc.).
    - A plan, a process and a practice must be in place regarding threat and incident management.
    - Manual threat and incident activities must be in place to identify irregularities (ex.: log review, system audit, etc.).
    - Automation must exist to automatically detect known threats at the organizational boundaries, or at a sub-layer of the network if they passed the main defensive systems.
    - A threat intelligence mechanism is strongly suggested (ex.: correlation between internal network/system events and external threat feeds).
    - An incident management system must be available and used to track and manage incidents.
    - An investigation standard must exist in the organization, specifying the way to investigate incidents, the systems to be used and the procedure to follow.
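The correlation suggested in slide 6, shown as an added example that is not part of the presentation: internal firewall and proxy events are matched against an external threat feed, and a hit on a permitted connection (the known threat passed the boundary) is rated higher than a hit that was blocked. The feed indicators, sensor names and log lines are all constructed for the example, using reserved documentation addresses and domains.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed external threat feed: hypothetical indicators built from reserved
# documentation addresses and domains, not real IoCs.
THREAT_FEED: Dict[str, Dict[str, str]] = {
    "ip": {"203.0.113.45": "scanner", "198.51.100.7": "malware-dropper"},
    "domain": {"update-check.example": "phishing-kit"},
}

# Constructed internal events in key=value form, as a perimeter firewall (fw01)
# and an internal proxy (proxy01) might export them to a central log store.
EVENTS: List[str] = [
    "ts=2015-06-10T08:01:02 sensor=fw01 layer=boundary action=DENY sip=203.0.113.45 dip=192.0.2.10 dport=22",
    "ts=2015-06-10T08:02:15 sensor=fw01 layer=boundary action=ACCEPT sip=192.0.2.25 dip=198.51.100.7 dport=443",
    "ts=2015-06-10T08:02:16 sensor=proxy01 layer=internal action=ALLOW sip=192.0.2.25 host=update-check.example dport=443",
    "ts=2015-06-10T08:03:40 sensor=fw01 layer=boundary action=ACCEPT sip=192.0.2.30 dip=192.0.2.50 dport=445",
]

KV = re.compile(r"(\w+)=(\S+)")
PERMITTED = {"ACCEPT", "ALLOW"}

@dataclass
class Alert:
    ts: str
    sensor: str
    internal_host: str  # the organization's side of the connection
    indicator: str
    tag: str
    severity: str       # "low": blocked at the boundary; "high": known threat got through

def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict."""
    return dict(KV.findall(line))

def correlate(events: List[str], feed: Dict[str, Dict[str, str]]) -> List[Alert]:
    """Match each event's addresses and hostname against the feed.
    A hit on a DENY event means the boundary did its job (low). A hit on a
    permitted event means the known threat passed the main defensive system,
    so the sub-layer (proxy, host) is the last chance to catch it (high)."""
    alerts: List[Alert] = []
    for line in events:
        ev = parse_event(line)
        hits = [(ev[f], feed["ip"][ev[f]]) for f in ("sip", "dip") if ev.get(f) in feed["ip"]]
        if ev.get("host") in feed["domain"]:
            hits.append((ev["host"], feed["domain"][ev["host"]]))
        for indicator, tag in hits:
            # The internal host is whichever address is not the indicator itself.
            internal = ev["dip"] if ev.get("sip") == indicator else ev["sip"]
            severity = "high" if ev.get("action") in PERMITTED else "low"
            alerts.append(Alert(ev["ts"], ev["sensor"], internal, indicator, tag, severity))
    return alerts

def hosts_to_investigate(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """Group high-severity alerts by internal host: one incident ticket per host."""
    hosts: Dict[str, Set[str]] = {}
    for a in alerts:
        if a.severity == "high":
            hosts.setdefault(a.internal_host, set()).add(a.tag)
    return hosts

if __name__ == "__main__":
    found = correlate(EVENTS, THREAT_FEED)
    for a in found:
        print(f"[{a.severity}] {a.ts} {a.sensor}: {a.internal_host} <-> {a.indicator} ({a.tag})")
    print("incident tickets to open:", hosts_to_investigate(found))
```

The grouping step is what feeds the incident management system mentioned on the slide: one ticket per internal host that reached a known-bad indicator, rather than one per log line.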
  • 7. Vulnerability Management
    - A process and a practice must be in place regarding vulnerability management.
    - The roles of security, system administration, asset owners, change management, compliance, etc. must be defined in a process and a RACI chart.
    - There must be a mechanism to be informed of known vulnerabilities for systems in scope (ex.: external advisory feeds).
    - There must be a procedure for emergency or critical updates in order to quickly implement fixes and remain secure.
    - Every significant change must be logged, verified, confirmed and conducted according to the change management practice in place.
  • 8. Protecting Information Resources
    - According to the classification scheme defined in the risk management activities, we must classify data according to confidentiality, integrity and availability.
    - To be able to protect the information, we must create a protection map (ex.: a map of all information and systems of the organization).
    - There must be roles specifying management, prevention, detection, response and correction of security issues or disruptions to maintain integrity/availability/confidentiality (daily).
    - Standards must be in place for encryption (ex.: hashing for integrity, symmetric encryption for confidentiality, asymmetric keys for authenticity, etc.).
    - Encryption mechanisms must be implemented and used according to the information classification, risk and impact defined in the risk management activities where security controls are defined.
  • 9. BCP Management
    - Backup systems and data must be available in a timely fashion in order to maintain operations, especially in case of an incident.
    - Backups must be verified regularly to ensure the viability of the information and systems.
    - It is strongly suggested to use a virtual environment with ready image backups. In case of an incident, an image can be restored, updated to the current stable state and brought live to production to continue operations normally.
  • 10. Identity and Access Control Management
    - Policies must exist regarding internal access and external access to ensure they are managed according to different criteria and needs (ex.: vendor access, employee access, etc.), and different rules must be implemented accordingly.
    - It is strongly suggested to follow the least privilege principle at all times and to remove rights the moment someone no longer needs to know or use them in order to accomplish their work.
    - It is also strongly suggested to follow the principle: "all users are considered untrusted until they prove the need to know or use according to criteria (ex.: group, ID, system integrity check)". Even an employee account can be considered untrusted at first and, according to criteria, gain more access.
  • 11. Identity and Access Control Management
    - A security architecture must define the various zones of the organization (ex.: Intranet, Extranet, shared services, etc.), with control objectives defined for each zone and controls to meet those control objectives. Risk and impact are important elements to consider when defining control objectives (ex.: everyone can access the zone, employees can access the zone, remote users cannot access the zone, etc.).
    - Two-factor authentication is strongly suggested for access to sensitive or critical systems.
    - A process must be in place for commissioning and decommissioning accounts. If possible, automation can be used. A practice must be in place defining the management of identities in the organization (ex.: account review, password strength/change).
    - Privileged account disclosure can lead to greater impact and must be managed, monitored and verified closely. In the case of external access, such as for vendors, it can be appropriate that a security analyst monitor the session (remote session opening, monitor changes, ensure the remote session is closed).
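The default-untrusted, zone-based access decision described in slides 10 and 11, as an added example (not the presentation's own code): every request starts denied and is granted only when the group, remote-access, two-factor and system-integrity criteria of the zone are all met, and granted vendor sessions are flagged for analyst monitoring. The zones, groups and subjects are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical subjects and zones, constructed for this example.
@dataclass
class Subject:
    user_id: str
    groups: Set[str]
    remote: bool               # connecting from outside the organization's network
    mfa_passed: bool           # second factor verified for this session
    device_integrity_ok: bool  # endpoint passed the system integrity check

@dataclass
class Zone:
    name: str
    allowed_groups: Set[str]   # "*" means everyone; an empty set means nobody
    allow_remote: bool
    sensitive: bool            # sensitive/critical: two-factor authentication required
    require_integrity: bool
    monitored_groups: Set[str] = field(default_factory=set)  # sessions an analyst watches

ZONES: Dict[str, Zone] = {
    "extranet": Zone("extranet", {"*"}, True, False, False),
    "intranet": Zone("intranet", {"employee", "vendor"}, False, False, True),
    "shared-services": Zone("shared-services", {"sysadmin", "vendor"}, True, True, True, {"vendor"}),
}

@dataclass
class Decision:
    allowed: bool
    reasons: List[str]         # every unmet criterion, so a denial is explainable
    analyst_monitoring: bool = False

def evaluate(subject: Subject, zone_name: str, zones: Dict[str, Zone] = ZONES) -> Decision:
    """Default deny: the subject is untrusted until every zone criterion is met.
    Evaluated on every request and never cached, so rights disappear the
    moment a group membership is removed (least privilege)."""
    zone = zones.get(zone_name)
    if zone is None:
        return Decision(False, ["unknown zone"])
    reasons: List[str] = []
    if "*" not in zone.allowed_groups and not (subject.groups & zone.allowed_groups):
        reasons.append("no group with need to know/use for this zone")
    if subject.remote and not zone.allow_remote:
        reasons.append("remote users cannot access this zone")
    if zone.sensitive and not subject.mfa_passed:
        reasons.append("two-factor authentication required for sensitive zone")
    if zone.require_integrity and not subject.device_integrity_ok:
        reasons.append("system integrity check failed")
    if reasons:
        return Decision(False, reasons)
    # Granted external/privileged sessions (ex.: vendors) are flagged so a security
    # analyst monitors session opening, changes made and session closing.
    return Decision(True, [], bool(subject.groups & zone.monitored_groups))

if __name__ == "__main__":
    alice = Subject("alice", {"employee"}, remote=False, mfa_passed=False, device_integrity_ok=True)
    vendor = Subject("acme-support", {"vendor"}, remote=True, mfa_passed=True, device_integrity_ok=True)
    for who, zone in ((alice, "intranet"), (alice, "shared-services"), (vendor, "shared-services")):
        d = evaluate(who, zone)
        print(who.user_id, zone, "ALLOW" if d.allowed else "DENY", d.reasons,
              "(analyst monitoring)" if d.analyst_monitoring else "")
```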
  • 12. Change Management
    - We must distinguish "significant change" vs "non-significant change" (ex.: a kernel update is significant, a virus definition update is not a significant change).
    - A policy, a process and the corresponding procedures must be defined, understood and followed for any significant change.
    - There must be rules defined for emergency/critical changes in order to bring the necessary flexibility to react quickly and properly. These rules must not be pass-through rules; every exception must be justified. Usually, the standard change management steps are just delayed, but followed as usual.
    - There must be a roll-back process and procedure, with the information and systems ready to go back to a stable state in case of an unsuccessful change.
  • 13. Physical Security
    - With current tendencies, information is becoming more and more accessible electronically and often online. Many objects now integrate electronic remote access (ex.: cars), and physical security must be rethought to include electronic emissions, radio frequency, mobile and WiFi transmissions, and access to interfaces/protocols.
    - Biometric mechanisms are becoming standard in many organizations. A false positive is when an individual gains access while not supposed to, and those incidents are very critical; tests and evidence must exist to confirm the effectiveness of the device.
    - Physical security can prevent, detect, deter, etc. (ex.: outside lighting, fences).
    - Data centers must be chosen carefully (ex.: not close to a river, with multiple road accesses, etc.), and the disaster recovery center must be at an appropriate distance and location to prevent any impact from a geographical disaster.
    - Any privileged access must be supported by two-factor authentication (ex.: magnetic cards/PIN pad locks and fingerprint).