Published on SlideShare: 2011 BDPA Conference Presentation
Developing an Information Security Program

1. 2011 National BDPA Technology Conference: Developing an Information Security Program. Shauna Cox, August 3 – 6, 2011, Chicago, IL

2. Presentation Objectives
- Understand the components of an Information Security Program.
- Understand the internal & external factors that impact Information Security Program development.
- Describe the various approaches used to develop an Information Security Program.

3. Agenda
- Need for Information Security Program
- Program Components
- Methodologies / Standards
- Information Security Program Development Process
- A Day In The Life

4. Reality
- A hacker has to be successful once.
- A security professional must be successful every time.

5. Why is an Information Security Program Needed?
- Technology & Business Cycle Changes
- Regulatory Requirements
- Potential Security Threats
- Sophistication of Attacks / Attackers
- Strategic Necessity

6. Technology & Business Cycle Changes
- Decentralization of computing resources
- Accessibility of technology for novices & experts alike
- Technology dependency
- Layers of technology architecture

7. Regulatory Requirements
- FISMA (Federal Information Security Management Act, 2002)
- HIPAA (Health Insurance Portability and Accountability Act, 1996)
- SOX (Sarbanes-Oxley Act, 2002)
- Computer Security Act (1987; its federal-agency security requirements were superseded by FISMA)
- U.S. Privacy Act (1974)

8. Potential Threats
- Terrorism / Cyber-Terrorism
- Uninformed Users (Social Engineering)
- Disgruntled Users / Employees
- Intentional Hackers

9. Sophistication of Attacks
- Availability of Technology
- Greater Modes of Organization (e.g., social networking)
- Enhanced Technical Skills
- Easier to Maintain Anonymity
- Potentially Lucrative (e.g., organized criminals)

10. Strategic Necessity
- Competitive Survival & Advantage
- Business / Technology Alignment

11. Myth
- Information Security Policy = Information Security Program
- A policy is only one component of a program. A program also needs executive commitment, a governance structure, monitoring and metrics, awareness training, and the procedures that put the policy into practice.

12. Information Security Principles

13. People, Places & Things
- Roles & Responsibilities
- Scope of Authority
- Tools & Techniques

14. Roles & Responsibilities
- Information Security Function
- Executive Management
- Organizational (Line) Management
- Users

15. Information Security Function
- Develop, maintain & help enforce information security policies, procedures and controls.
- Oversee the deployment and integration of security solutions.
- Serve as an advisor on IT security-related issues.

16. Executive Management
- Provide the strategic vision for an information security program.
- Approve strategic goals and ensure information security is integrated into management processes.
- Ensure enterprise compliance with applicable regulatory directives.

17. Management
- Ensure compliance & help facilitate awareness of organizational information security policies & procedures.
- Enforce rules for appropriate use and protection of the organization's systems.
- Ensure proper segregation of duties in operational areas.
- Follow appropriate procedures and provide first-line authorization for system access.

18. Users
- Adhere to organizational policies and procedures.
- Protect individual user accounts and passwords used to access systems.
- Report known or suspected IT security breaches to appropriate personnel.
- Treat all information with the sensitivity required by the applicable information classification scheme.

19. Scope of Authority & Need

20. Tools & Techniques
- Standards
- Security Monitoring Tools
- Organizational Process Assets (policies, procedures, etc.)

21. Information Security Program Components
- Executive Commitment
- Policies & Procedures
- Monitoring Processes / Metrics
- Governance Structure
- Awareness Training

22. Executive Commitment
- Executives must understand the strategic impact of information security.
- Executive management articulates the priority of information security in word & in deed.
- The information security function must have a degree of independence, reflected in a reporting line that does not subordinate it to the functions whose compliance it is expected to enforce.

23. Policies & Procedures
- Acceptable Use
- Incident Handling
- Security Violations
- Identity Management
- Physical Security

24. Metrics
- Financial
- Application-based
- Incident Management
- Change Management
- Vulnerability Management

25. Governance Structure
- Governance: "…a set of responsibilities & practices exercised by the Board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly."
- Source: IT Governance Institute (Board Briefing on IT Governance, 2nd Edition)

26. Awareness Training
- Who?
- How?

27. Methodologies / Standards
- ISO/IEC 17799 (now ISO/IEC 27002)
  - published by ISO/IEC, derived from the British standard BS 7799-1
  - the 2000 edition has 10 domains; the 2005 revision regrouped them into 11 and was renumbered ISO/IEC 27002 in 2007
- COBIT
  - developed by ISACA and the IT Governance Institute
  - aligned with the COSO internal-control framework, which it complements at the IT level

28. ISO 17799 Domains (2000 edition)
- Information Security Policy
- Organizational Security (information security infrastructure, third-party access)
- Asset Classification & Control
- Personnel Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- System Development & Maintenance
- Business Continuity Management
- Compliance

29. Program Development Process

30. Program Development Process
- Plan & Organize
- Implement
- Operate & Maintain
- Monitor & Evaluate
- Source: All-In-One CISSP Exam Guide, 4th Edition, by Shon Harris

31. Plan & Organize
- Establish commitment & oversight
- Conduct risk assessment
- Develop security architecture
- Identify solutions

32. Implement
- Assign roles & responsibilities
- Develop & implement policies, procedures, etc.
- Implement security blueprints
- Implement security solutions
- Develop audit & monitoring mechanisms
- Establish SLAs

33. Operate & Maintain
- Ensure baselines are met based on blueprints
- Conduct audits
- Manage SLAs

34. Monitor & Evaluate
- Review logs, audit results, metrics
- Assess goal accomplishments
- Evaluate via governance structure

35. A Day in the Life
- Conduct self-assessments
- Respond to audits
- Train & educate
- Provide expertise
- Monitor systems
- Manage projects
- Track compliance
- Gauge SLA adherence

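The deck names vulnerability-management metrics (slide 24), establishing and managing SLAs (slides 32 and 33), reviewing metrics (slide 34) and gauging SLA adherence (slide 35) without showing what such a measurement looks like. The script below is an added example, not code from the presentation or its author: it computes per-severity remediation SLA adherence and mean time to close from a list of findings. The SLA thresholds and the sample findings are constructed for illustration; real programs set their own thresholds, and the open findings past their SLA are counted as breaches so the adherence figure cannot be improved by simply leaving tickets open.

```python
"""Remediation SLA metrics for a vulnerability-management program.

Added example; not from the presentation. SLA thresholds and sample
findings below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Maximum days allowed to close a finding, by severity. Constructed values:
# the slides say a program establishes SLAs but give no figures.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None: still open as of the report date


def classify(f: Finding, as_of: date, sla_days: Dict[str, int] = SLA_DAYS) -> str:
    """Bucket one finding: closed_in_sla, closed_late, open_in_sla or open_overdue."""
    if f.severity not in sla_days:
        raise ValueError(f"{f.finding_id}: unknown severity {f.severity!r}")
    limit = sla_days[f.severity]
    if f.closed is not None:
        return "closed_in_sla" if (f.closed - f.opened).days <= limit else "closed_late"
    return "open_in_sla" if (as_of - f.opened).days <= limit else "open_overdue"


def sla_metrics(findings: List[Finding], as_of: date,
                sla_days: Dict[str, int] = SLA_DAYS) -> Dict[str, dict]:
    """Per-severity bucket counts, SLA adherence (%) and mean days to close.

    A finding is compliant if it was closed within its SLA or is still open
    but not yet past it. Open findings past the SLA count as breaches now,
    so the figure cannot be gamed by leaving tickets open.
    """
    report: Dict[str, dict] = {}
    for f in findings:
        bucket = classify(f, as_of, sla_days)
        m = report.setdefault(f.severity, {
            "total": 0, "closed_in_sla": 0, "closed_late": 0,
            "open_in_sla": 0, "open_overdue": 0, "_close_days": [],
        })
        m["total"] += 1
        m[bucket] += 1
        if f.closed is not None:
            m["_close_days"].append((f.closed - f.opened).days)
    for m in report.values():
        close_days = m.pop("_close_days")
        compliant = m["closed_in_sla"] + m["open_in_sla"]
        m["adherence_pct"] = round(100.0 * compliant / m["total"], 1)
        m["mean_days_to_close"] = round(mean(close_days), 1) if close_days else None
    return report


def overdue_findings(findings: List[Finding], as_of: date,
                     sla_days: Dict[str, int] = SLA_DAYS) -> List[str]:
    """IDs of open findings past their SLA, tightest SLA and oldest first (the chase list)."""
    overdue = [f for f in findings if classify(f, as_of, sla_days) == "open_overdue"]
    overdue.sort(key=lambda f: (sla_days[f.severity], f.opened))
    return [f.finding_id for f in overdue]


# Constructed sample findings (not real data), reported as of 2011-08-01.
AS_OF = date(2011, 8, 1)
SAMPLE_FINDINGS = [
    Finding("V-1", "critical", date(2011, 7, 1), date(2011, 7, 5)),   # closed in 4 days
    Finding("V-2", "critical", date(2011, 7, 1), date(2011, 7, 15)),  # closed late (14 days)
    Finding("V-3", "critical", date(2011, 7, 28)),                    # open, 4 days old
    Finding("V-4", "high", date(2011, 6, 1)),                         # open 61 days: overdue
    Finding("V-5", "high", date(2011, 6, 15), date(2011, 7, 10)),     # closed in 25 days
    Finding("V-6", "medium", date(2011, 5, 1), date(2011, 7, 20)),    # closed in 80 days
    Finding("V-7", "low", date(2011, 1, 10)),                         # open 203 days: overdue
]

if __name__ == "__main__":
    for sev, m in sla_metrics(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{sev:9s} total={m['total']} adherence={m['adherence_pct']}% "
              f"overdue={m['open_overdue']} mean_close={m['mean_days_to_close']}")
    print("chase list:", overdue_findings(SAMPLE_FINDINGS, AS_OF))
```

Feeding the real ticketing export into `SAMPLE_FINDINGS` and the negotiated thresholds into `SLA_DAYS` turns this into the monthly figure a governance committee can review; the chase list is the operational view for the "gauge SLA adherence" part of the day.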
36. Game Changers
- Cloud Computing
- Mobile Computing
- Social Networking

37. Resources
- NIST
- (ISC)²
- ISACA
- SANS Institute

38. Questions

39. Contact Information
- Shauna Cox
- [email_address]