
FRSecure's Ten Security Principles to Live (or die) By


Presentation delivered to attendees of RK Dixon's 2011 Tech Summit on November 8, 2011. Presenter is Evan Francen, president of FRSecure.


  1. Protecting your Information and your Customer’s Information
     Ten principles to live (or die) by
     Copyright Notice: Material contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
  2. Before we get started:
     • This is not your typical presentation.
     • What you have to say is as important as what I am going to tell you.
     • You are encouraged to participate! I will ask you questions if you don’t ask me some!
  3. FRSecure and RK Dixon
     • How we got to know each other
     • Customers benefit from our work together
  4. FRSecure
     • Information security consulting company – it’s all we know how to do.
     • Established in 2008 by people who have earned their stripes in the field.
     • We help small to medium-sized organizations solve information security challenges.
  5. Speaker – Evan Francen, CISSP CISM CCSK
     • President & Co-founder of FRSecure
     • 20 years of information security experience
     • Security evangelist with more than 700 published articles
     • Experience with 150+ public & private organizations
  6. Speaker – Evan Francen, CISSP CISM CCSK
  7. Topics
     • Some questions to get us started
     • Ten principles to live (or die) by
     • Information security today
     • Information security predictions
     • What should you be doing?
  8. What is information security? This is really a question for you.
  9. Fundamentally, Information Security is: the application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
     Controls:
     • Administrative – Policies, procedures, processes
     • Physical – Locks, cameras, alarm systems
     • Technical – Firewalls, anti-virus software, permissions
     Protect:
     • Confidentiality – Disclosure only to authorized entities
     • Integrity – Accuracy and completeness
     • Availability – Accessible when required and authorized
  10. Why do we need information security?
  11. What if you do nothing? It’s likely that there will be consequences:
     • Civil suits
     • Regulatory fines
     • Legal fees
     • Investigation fees
     • FBI investigations
     • Forensic investigations
     • Loss of consumer confidence
     • Loss of brand name recognition and status
     • Loss of customers, potentially being driven out of business
     • Potential personal liabilities for company leaders
     • Loss of intellectual property
     • Etc., etc., etc.
  12. When you think of information security, how do you feel? Be honest.
  13. The ten FRSecure principles that we live by. Derived from more than 15 years of information security experience with companies across the board in terms of size, industry, demographic and geographic criteria.
  14. #1 – We don’t work well in a bubble.
  15. #2 – Information security isn’t an IT issue.
  16. #3 – People are the most significant risk.
  17. #4 – “Compliant” doesn’t mean “secure”.
  18. #5 – Businesses are in business to make money.
  19. #6 – There’s no common sense in information security.
  20. #7 – “Secure” is relative.
  21. #8 – Information security doesn’t always have to be a cost center.
  22. #9 – Information security isn’t a one-size-fits-all solution.
  23. #10 – There’s no “easy button”.
  24. Information Security Today – Compliance
  25. Information Security Today – Breaches
  26. Information Security Today – The Cloud
  27. Information Security Today – Mobile
  28. What does the future hold? Do you want the good news or the bad news first?
  29. What does the future hold? The good news
     There will be real rewards for organizations that take security seriously:
     • Incentive-based regulations
     • Lower costs in other areas of business: insurance, process efficiencies, etc.
     • Competitive advantage
     In general, there will be a greater awareness of information security. Real, quantifiable data will be available to determine the optimal investments.
  30. What does the future hold? The bad news
     We expect more:
     • Attacks targeted at small firms
     • Pressure from customers
     • Legislation & regulation
     • Hacktivism
     • State-sponsored attacks
     • Mobile device attacks
  31. What Should I Be Doing?
  32. What should you be doing?
     • Practice “due care”
     • Formalize a risk-based approach
     • Make yourself defensible:
       – Prevention
       – Detection
       – Correction
  33. Conclusion
     • Take the time to understand basic information security concepts
     • Stay current on world events, but don’t lose focus on your specific needs
     • Choose risk as your driver, not compliance or customer requirements
     • Capitalize on benefits
     Call us if you have questions or need help!
  34. YOU MADE IT! – Questions?
     About FRSecure: FRSecure LLC is a full-service information security consulting company. We are dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent. Our clients are in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.
     Want a copy of these slides? Leave a business card.
