Hackers, ransomware, and breach headlines have grabbed the attention of leaders tasked with securing their companies. But reactionary tasks and spot solutions do little to protect against the next threat. To truly protect your company’s treasured assets, we need to stop “thinking like a hacker” and start thinking like a business leader. Mr. Landoll will reveal the steps of executing a “crown jewels” project that starts with identifying and locating key assets. This presentation will give leaders 3 key next steps that will significantly reduce the risk to their crown jewels.
2. Background
• 25+ Years Experience in Information Security
• Led Professional Service Organizations for Several Large Consultancies
• Assessed and Built Information Security Programs for Federal Agencies, State Agencies, Universities, Hospitals, Major Retailers, and Internet Companies
• Prepared over 2000+ students for security certifications
• Developed RIOT Data Gathering Method for Risk Assessment
• Revised Security Policy Development Approaches
9. Information Security Breach Response
Detection → Initial Assessment → Triage → Escalation → Analysis → Recovery → Post-Incident
Parsons Proprietary ITAR CM.01.2014
Many Breaches Go Undiscovered / Unreported
Detecting intrusions and breaches:
• 64% – percentage of organizations that took greater than 90 days to detect a breach
• 243 days – median number of days that attackers were present on a victim network before detection
• 86% of breaches were reported by an external party (U.S. Justice Dept notified Target)
15. Crown Jewel Approach
Most Critical Data & Systems
Threats:
• All system threats
• + Unique threats
• + Targeted attacks
Impact – catastrophic impact:
• upon system loss
• upon data loss
16. Crown Jewels
Most Critical Data & Systems
Volume – for most organizations, 0.01% – 2.0% of total sensitive data
Impact – represents up to 70% of sensitive data value
Source: U.S. President’s 2006 Economic Report to Congress
17. Crown Jewels Project
Define – for each business unit:
• Identify critical systems
• Define critical data
Discover – for each crown jewel:
• Identify lifecycle, environment, and flows
• Identify system & environment controls
Baseline – for each crown jewel:
• Identify requirements
• Assess control effectiveness
Analyze:
• Identify control gaps
• Identify security risk
• Prioritize security gaps
Secure:
• Create security solution sets
• Deploy solutions
• Monitor solutions
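As an added illustration (not part of the presentation), the Baseline and Analyze steps of the project can be expressed as a small gap-analysis routine: each crown jewel carries the controls its requirements baseline demands and the assessed effectiveness of what is actually in place, a gap is a required control that is missing or below threshold, and gaps are ranked by the jewel's loss impact so the Secure step starts with the largest risk reduction. The asset names, control names, 1–5 impact scale and 0.8 threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class CrownJewel:
    name: str
    business_unit: str
    impact: int            # assumed 1 (low) .. 5 (catastrophic) rating of loss impact
    required: set          # controls the Baseline step requires for this jewel
    effectiveness: dict = field(default_factory=dict)  # control -> assessed 0.0..1.0

def control_gaps(jewel, threshold=0.8):
    """Analyze step: a gap is a required control that is absent or below threshold."""
    gaps = []
    for ctrl in sorted(jewel.required):
        eff = jewel.effectiveness.get(ctrl, 0.0)   # a control not deployed scores 0.0
        if eff < threshold:
            gaps.append((ctrl, eff))
    return gaps

def gap_risk(jewel, ctrl_eff):
    """Risk contributed by one gap: impact scaled by how much of the control is missing."""
    _ctrl, eff = ctrl_eff
    return round(jewel.impact * (1.0 - eff), 2)

def prioritize(jewels, threshold=0.8):
    """Rank every gap across all crown jewels, highest risk first (ties broken by name)."""
    ranked = []
    for j in jewels:
        for g in control_gaps(j, threshold):
            ranked.append((gap_risk(j, g), j.name, g[0]))
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample inventory; values are illustrative, not taken from the deck.
SAMPLE = [
    CrownJewel("payment-db", "Finance", 5, {"encryption-at-rest", "mfa-admin", "backup-tested"},
               {"encryption-at-rest": 1.0, "mfa-admin": 0.5}),       # backups never tested
    CrownJewel("hr-records", "HR", 4, {"encryption-at-rest", "access-review"},
               {"encryption-at-rest": 0.9, "access-review": 0.7}),
    CrownJewel("marketing-site", "Marketing", 2, {"patching"}, {"patching": 0.95}),
]

if __name__ == "__main__":
    for risk, name, ctrl in prioritize(SAMPLE):
        print(f"{risk:4.1f}  {name:<15} {ctrl}")
```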
19. Crown Jewels Project Results
• Identification of Corporate “Crown Jewels”
• Determination of Crown Jewel Risk
• Limitation of Assessment to Most Impactful Elements
• Creation of Security Controls Plan with Most Significant Risk Reduction
Less Work – More Results
21. Applying Crown Jewel Lessons
Next Week
• Identify Organization’s Security Assessment Plan
  • Self vs. Third Party
  • Frequency
  • Rigor / Technique (tests vs. assessments)
• Determine Adequacy of Plan
22. Applying Crown Jewel Lessons
Within 1 Month
• Identify and Review Contractual and Legal Security Requirements
• Review Latest Security Assessment Reports
• Identify Business Process Owners
Within 3 Months
• Conduct Crown Jewels Project
• Apply Lessons Learned
24. Project Challenges
1. Common Organizational Definition of “Crown Jewels”
2. Identification of Business Processes
3. Identification of Business / Systems Owners
4. Identifying a Business Champion