
David Clarke, CITSO at Digital Arena - Security Benchmarking, best practice and strategy development

David Clarke, CITSO at Digital Arena, presented at CIO Event October 2014


  1. SECURITY BENCHMARKING, BEST PRACTICE AND STRATEGY DEVELOPMENT. David Clarke, vCISO
  2. David Clarke • Created a CERT on a financial intranet trading $3.5 trillion a day; CPNI member for 10 years. • Managed Global Managed Security Services with a $100-$300 million global install base, 500+ customers and $3.4 billion in contracts. • Created, maintained and improved regulatory and compliance commitments including global PCI-DSS and ISO 27001 (10,000+ security devices/systems).
  3. • Breach Legislation: IT or Legal? • "the proposed regulation of up to 5% of annual worldwide turnover, or €100"
  4. • Information Sharing: Who, When, How • "The ICO has imposed a monetary penalty of £200000 on the British Pregnancy Advice Service (BPAS) for exposing thousands of personal"
  5. • Compliance is the best protection? • "Resistance is futile" (Gartner) • "Brighton and Sussex University Hospitals NHS Trust fined £325k after hard drives with highly-sensitive patient data were sold on eBay"
  6. • Best Practice, or is this Compliance? • "The ICO can issue fines of up to £500,000 for serious breaches of the Data Protection Act and Privacy and Electronic Communications Regulations." (ICO)
  7. • Incident Response, Strategy • "There are two kinds of big companies in the U.S. Those who've been hacked by the Chinese and those who don't know they've been hacked." (FBI)
  8. 4 Threats • Internal Threat • External Threat • Regulatory Threat • The Threat of "inadvertent human error"
  9. Appendix
  10. ISO 20000 • Change Process • Service Introduction • Problem Management • Escalation Processes
  11. Security Measurement • Measure of Compliance • Measure of System Effectiveness • Measure of People Awareness • Measurement of Main Threat Vector
  12. 72 Hours to Report • 5% of Worldwide Revenue • 71
  13. Cyber Essentials • Boundary Control • Secure Configuration • Patch Management • Malware Defence • Access Control
  14. The Maths • Each event is 0.25 • 80% achievable = 0.2 • Dependent events: 0.2 + 0.2 + 0.2 + 0.2 = 0.8 • Previously 0.32 • A dramatic improvement by using a leveraged strategy
  15. Probably? • Independent events: 0.8 x 0.8 x 0.8 x 0.8 = 0.41
  16. Inadvertent human error (chart: Hacker vs Human Error) • Human Error 95% • 19:1 leverage to hackers
  17. Incidents • Escalation Procedure • Alerting Procedure • Password Management
  18. Real Time Incident (Pareto chart of incident-handling factors: Escalation Management, Judgement Calls, Staff Working with Outsourcers, Identifying Risk/Direction, Legal, Presenting The Down Side, Define Purpose, Incident End, Mitigation Techniques, Information Control, Post Analysis, Stakeholders, Prerequisites; individual shares range from 13% down to 2%, cumulative line rising from 13% to 100%)
  19. Incident Phases
  20. • If you would like my worksheet matching the strategy to Cyber Essentials and the SANS Top 20, please email me at cio@vciso.co • LinkedIn with me at uk.linkedin/1davidclarke • Twitter @1davidclarke
