The document discusses setting up a unified security governance program including establishing a cross-functional team, defining scope and milestones, performing security analyses, designing and implementing processes, and establishing unified vulnerability and security operations centers. It provides examples of tasks for different roles on the project team and considerations for analyzing security, designing processes, and selecting a vulnerability management platform.
4. • What is your job? (Not your LinkedIn title)
– Reports, presentations, budget planning, tracking unsolved vulnerabilities
Or
– Security operations, finding vulnerabilities, process design and managing processes
5. • Complexity has a cost.
– Infrastructure
– Technology
– Design
– Process
– Analysis tools
– Supplier
6. Role | Tasks | Personal Characteristics[1]
Project Sponsor | Solve project conflicts; leadership; top management commitment; ensure the project plan is still applicable | Enterprising, Social
Project Lead | Coordinate the whole team; organize periodic meetings; update the project plan; escalate problems when necessary | Conventional, Social
Technical Lead | Plan technical needs and ensure they are met; assign tasks to the technical team; review technical team results | Realistic, Creative
Technical Team | Accomplish given tasks | Realistic
[1] http://sourcesofinsight.com/6-personality-and-work-environment-types/
7. • Scope matters.
– Cost
– Time
– KPI
8. • If you are new in town.
– Computer Based
• Review all external/internal DNS host records
• Review all firewall rules
• Review all router/switch configuration
• Review suppliers/hosting records
9. • Human Based
– Face-to-face interviews with all possible business partners, including:
• Company departments
• Top management
• Suppliers
• Paper Based
– Review all written rules/policies/procedures about this domain
• Probably nothing is written
10. • Your scope is shining. Need milestones?
• Yet another project going to the graveyard?
17. • Your platform should allow you to:
– Create different types of users & roles
– Create different groups
18. • Your platform should allow you to:
– Define assets in any type
– Define asset groups by asset attribute
– Define ownership
– Auto discover
19. • Your platform should allow you to:
– Define asset/asset group scans
– Manage scans & scan results in one platform
– Integrate historical scans
– Define compliance-based scans
– Define and handle passive vulnerability scans
20. • Your platform should allow you to:
– Define your vulnerabilities in any language
– Group your vulnerabilities
– Define manual vulnerabilities, and so on
21. • Your platform should allow you to:
– Integrate with GRC
– Integrate with a ticketing mechanism
– Assign vulnerabilities manually or automatically
– Assign vulnerabilities based on assets
22. • Your platform should allow you to:
– Track domain records
– Track SSL information
– Track information disclosure over internet
– Track social media
23. • Your platform should allow you to:
– Define asset based alarms
– Define vulnerability based alarms
– Define scan based alarms
– Define SLA based alarms
– Define cyber intelligence based alarms
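The asset-group, ownership and SLA requirements from slides 18, 21 and 23 can be sketched in code: assets carry attributes and an owner, findings are auto-assigned to the owner of the affected asset (unknown assets fall back to manual triage), and an SLA-based alarm fires for every open finding past its remediation deadline. This is an added example written for this page, not code from the original deck or from any product it evaluates; the asset inventory, findings, team names and SLA day counts are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Remediation SLA in days per severity. Constructed policy values for the example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Asset:
    asset_id: str
    hostname: str
    owner: str                                        # team that receives assigned findings
    attributes: Dict[str, str] = field(default_factory=dict)  # e.g. {"environment": "prod"}


@dataclass
class Finding:
    finding_id: str
    asset_id: str
    title: str
    severity: str
    first_seen: datetime
    assigned_to: Optional[str] = None
    status: str = "open"


def group_assets_by(assets: List[Asset], attribute: str) -> Dict[str, List[str]]:
    """Asset groups defined by an asset attribute (slide 18)."""
    groups = defaultdict(list)
    for a in assets:
        groups[a.attributes.get(attribute, "unknown")].append(a.asset_id)
    return dict(groups)


def assign_findings(findings: List[Finding], assets: List[Asset]) -> List[str]:
    """Auto-assign each unassigned finding to the owner of its asset (slide 21).
    Returns the ids of findings whose asset is not in the inventory, for manual triage."""
    owner_by_asset = {a.asset_id: a.owner for a in assets}
    unassigned = []
    for f in findings:
        if f.assigned_to is not None:
            continue
        owner = owner_by_asset.get(f.asset_id)
        if owner is None:
            unassigned.append(f.finding_id)
        else:
            f.assigned_to = owner
    return unassigned


def sla_alarms(findings: List[Finding], now: datetime) -> List[dict]:
    """SLA-based alarms (slide 23): one alarm per open finding past its deadline,
    most overdue first. Closed findings never alarm."""
    alarms = []
    for f in findings:
        if f.status != "open":
            continue
        deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
        if now > deadline:
            alarms.append({
                "finding_id": f.finding_id,
                "asset_id": f.asset_id,
                "assigned_to": f.assigned_to,
                "severity": f.severity,
                "days_overdue": (now - deadline).days,
            })
    alarms.sort(key=lambda a: a["days_overdue"], reverse=True)
    return alarms


# Constructed sample inventory and scan findings (hostnames and teams are fictitious).
NOW = datetime(2016, 3, 1)
ASSETS = [
    Asset("a1", "web01.example.internal", "web-team", {"environment": "prod", "exposure": "internet"}),
    Asset("a2", "db01.example.internal", "dba-team", {"environment": "prod", "exposure": "internal"}),
    Asset("a3", "test01.example.internal", "web-team", {"environment": "test", "exposure": "internal"}),
]
FINDINGS = [
    Finding("f1", "a1", "Outdated TLS configuration", "high", datetime(2016, 1, 10)),
    Finding("f2", "a2", "Weak authentication on admin interface", "critical", datetime(2016, 2, 20)),
    Finding("f3", "a3", "Verbose server banner", "low", datetime(2015, 12, 1)),
    Finding("f4", "a9", "Missing security patch", "medium", datetime(2016, 2, 1)),  # asset not in inventory
    Finding("f5", "a1", "Already remediated item", "critical", datetime(2016, 1, 1), status="closed"),
]


def run_example() -> dict:
    """Run the whole pipeline over the constructed data and return the results."""
    return {
        "groups": group_assets_by(ASSETS, "environment"),
        "unassigned": assign_findings(FINDINGS, ASSETS),
        "assigned": {f.finding_id: f.assigned_to for f in FINDINGS},
        "alarms": sla_alarms(FINDINGS, NOW),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

With the constructed data, f1 (high, seen 10 January) is 21 days past its 30-day SLA and f2 (critical, seen 20 February) is 3 days past its 7-day SLA; f3 and f4 are still within SLA, f4 is flagged for manual triage because asset a9 is not in the inventory, and the closed f5 is ignored.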
24. • Your platform should allow you to:
– Collect logs on your platform
– Integrate with central log management
25. • Give me some nice reports!
• Make it simple!
26. • Your platform should allow you to:
– Create reports in the desired language
– Create report templates
– Filter your report based on asset, vulnerability or any other parameter
– Compare your reports by a given parameter
27. • Everybody talks about it!
• Too much information will kill you in the end!
28. • Centralized log management
• Scenario!!!
• Incident management
• Big data analysis!
• Forensics
30. • http://sourcesofinsight.com/6-personality-and-work-environment-types/
• IT Governance Institute, COBIT 5.0
• ISO 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
• Bedirhan Urgun, IstSec 2015 Bilgi Güvenliği Konferansı (Information Security Conference), Etkin Zafiyet Yönetimi (Effective Vulnerability Management)
• http://www.slideshare.net/bgasecurity/stsec-2015-norm-shield-why
• Çağatay IŞIKCI, Zafiyet Yönetim Sistemi (Vulnerability Management System), Bilgi Güvenliği Notları (Information Security Notes)
• https://www.bilgiguvenligi.gov.tr/is-surekliligi/zaafiyet-yonetimi-sistemi-zys.html