56. Disaster Strikes
- April 27th: an F4 tornado struck operations centers in Arab, AL and Huntsville, AL, with hundreds of employees on site
- The tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 of a mile from our local operations center
Confidential
57. IT Risk Evaluation
- Structured evaluation: align the evaluation with ISO 27001/27002, COBIT, and the Shared Assessment Questionnaire
- Information gathering: identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
- Align team/resources
- Develop a prioritized remediation roadmap
- Architecture: evaluate integration initiatives
- Compliance: develop/integrate a compliance program
- Determine the audience and output for the communication plan: how does your culture manage risk?
- Recruit allies (CIO, other major stakeholders)
84. Risk Action Plan
- Synthesize information into actionable items (patch servers, fix application vulnerabilities, etc.)
- Align with integration efforts where possible (AD migration, billing system integration, etc.)
- Develop the Remediation Roadmap:
  - Quick hits: patching servers, fixing web apps, etc.
  - Interim hits: risk reduction initiatives (prioritized risk reduction, targeted system upgrades for key users, IPS, SIEM monitoring, process improvements, e.g. AV)
  - Long term: system standardization, integration projects, cultural change
- Adopt standard processes, protections, guidelines, and metrics
86. Lessons Learned
- Ignorance is not bliss: get in the game early
- Right-size your risk management plan
- Communicate early and often
- Balance business with security
- Standardize the process