Presenter:
K. K. Mookhey, PCI QSA, CISA, CISSP, CISM, CRISC
Founder & Director
Network Intelligence (I) Pvt. Ltd.
Institute of Information Security
Analytics
Mobility
Social Media
Cloud
Getting your Strategy Right – in a SMAC World!
1. Continuity and Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by our partners and
extended team of industry experts
Our Contact Details:
INDIA
Continuity and Resilience
Level 15, Eros Corporate Tower
Nehru Place, New Delhi-110019
Tel: +91 11 41055534 / +91 11 41613033
Fax: +91 11 41055535
Email: neha@continuityandresilience.com
UAE
Continuity and Resilience
P. O. Box 127557
Abu Dhabi, United Arab Emirates
Mobile: +971 50 8460530
Tel: +971 2 8152831
Fax: +971 2 8152888
Email: info@continuityandresilience.com
2. Getting your Strategy
Right – in a SMAC world!
K. K. Mookhey, PCI QSA, CISA, CISSP, CISM, CRISC
Founder & Director
Network Intelligence (I) Pvt. Ltd.
Institute of Information Security
7. Which in this case would be…
Proper asset inventory
Restriction of local admin rights
Standardization of the user’s browser
Patch management program to cover more
than just Windows – Java, Adobe?
Software asset management
Most importantly – strong monitoring and
incident response processes
9. Can you get the most out of your
investment in X?
12. Case Study
• Large Telco
• On-going application security assessments
• On-going source code reviews
• Periodic penetration tests
• Development done by vendors
• WAF decision pending for a year…
• Should they buy a WAF? Should they invest
more in application security? Should they
implement a GRC solution?
14. Insights from data analytics
Vendor delays in fixing the issues
Multiple reassessments lead to the same
issues remaining open and overlapping in
subsequent assessments
High level of exposure on the Internet
Multiple approaches adopted and strong
focus on appsec in recent times
15. Hence…
Strategy is two pronged
1. WAF and other virtual patching
technologies should be implemented
2. Vendor management practices and
contractual negotiation should have CISO
involvement
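As an added example (not from the presentation), a small Python script that derives the kind of metrics slide 14 draws on, per-vendor time to fix, findings carried over across reassessments, and the age of what is still open, from a constructed set of assessment findings; the vendor names, finding ids and dates are all made up:

```python
from collections import defaultdict
from datetime import date
from statistics import median
# Constructed sample (not real client data): one row per time a finding was
# observed in an assessment: (finding id, vendor, assessment date, status).
FINDINGS = [
    ("F-001", "VendorA", date(2012, 1, 10), "open"),
    ("F-001", "VendorA", date(2012, 4, 12), "open"),
    ("F-001", "VendorA", date(2012, 7, 15), "fixed"),
    ("F-002", "VendorA", date(2012, 4, 12), "open"),
    ("F-002", "VendorA", date(2012, 7, 15), "open"),
    ("F-003", "VendorB", date(2012, 1, 10), "open"),
    ("F-003", "VendorB", date(2012, 4, 12), "fixed"),
    ("F-004", "VendorB", date(2012, 7, 15), "open"),
]
AS_OF = date(2012, 9, 1)  # reporting date used to age still-open findings

def analyse(findings, as_of):
    """Per vendor: median days to fix, findings seen open in more than one
    assessment (carried over), count and oldest age of findings still open."""
    first_seen, latest, open_count, vendor_of = {}, {}, defaultdict(int), {}
    for fid, vendor, when, status in sorted(findings, key=lambda r: r[2]):
        vendor_of[fid] = vendor
        first_seen.setdefault(fid, when)      # earliest observation
        latest[fid] = (when, status)          # most recent observation wins
        if status == "open":
            open_count[fid] += 1
    per_vendor = defaultdict(lambda: {"fix_days": [], "open_days": [], "carried_over": 0})
    for fid, vendor in vendor_of.items():
        m = per_vendor[vendor]
        when, status = latest[fid]
        if status == "fixed":
            m["fix_days"].append((when - first_seen[fid]).days)
        else:
            m["open_days"].append((as_of - first_seen[fid]).days)
        if open_count[fid] > 1:               # reported open in 2+ assessments
            m["carried_over"] += 1
    return {
        vendor: {
            "median_days_to_fix": median(m["fix_days"]) if m["fix_days"] else None,
            "carried_over": m["carried_over"],
            "still_open": len(m["open_days"]),
            "oldest_open_days": max(m["open_days"], default=0),
        }
        for vendor, m in per_vendor.items()
    }

def report():
    return analyse(FINDINGS, AS_OF)
```

With the sample data, VendorA shows two findings carried across reassessments and a median of 187 days to fix, which is the shape of evidence the two-pronged strategy above rests on.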
16. Why you need your data
• Surveys/Reports cover
organizations across
industries
• Do not take into account
nature of the organization’s
current web app situation –
vendor, in-house, legacy,
COTS, etc.
• Do not take into account
current level of maturity
• Try to draw general
conclusions from
average/sum of all data
20. Sub-questions
What is our objective in opening up this
access?
What about productivity?
What about data loss?
What about misuse of the facilities?
What about harm to company reputation?
What about misuse of logo and brand
name?
21. But change begins at home…
Out of top 100 CISOs how many
on Twitter?
4 out of sample of 15
Of these, how many actively
tweet?
2 out of the 4
27. Questions your strategy should
address
What applications/data can reside on a public cloud?
What is the regulatory stance on this?
When going for public cloud, will we choose IaaS or
SaaS or PaaS?
What systems will we allow to host on a private cloud?
What will be our criteria for choosing a CSP?
What minimum contractual elements will we enforce
when moving to the cloud?
What will be my risk mitigation framework overall?
Then document this
Communicate it to the business! And take their
feedback!
30. Pointers…
BYOD is a given – it will happen sooner
rather than later if not happening already
Better embrace it!
Your strategy / policy should be in place
Applications should be M-ready!
Brilliant way to engage the end-user – not
being tapped currently!
32. Take-Aways
Start building a smart metrics program
Take a cue from the SANS Top 20
If not a full-fledged GRC, at least implement a
proper vulnerability management program
Use data analytics to build business case and
determine future investments
If not a policy, have a social media approach
paper ready
Same goes for cloud and mobility adoption