
Information security challenges in today’s banking environment


This presentation was delivered by FRSecure's Evan Francen to the Uniforum User's Group on November 8th, 2012. More than 50 bankers were in attendance, and the presentation was very well received.


  1. Information Security Challenges in Today’s Banking Environment. Uniforum – November 8, 2012. Presented by Evan Francen, President – FRSecure, LLC | 952-467-6384
  2. Introduction. Thank you for attending! Thank you to Uniforum for inviting us!
  3. Introduction. Before we get started:
     • This is not your typical presentation.
     • What you have to say is as important as what I am going to tell you.
     • You are encouraged to participate! I will ask you questions if you don’t ask me some!
  4. Introduction – FRSecure
     • Information security consulting company – it’s all we do.
     • Established in 2008 by people who have earned their stripes in the field.
     • We help small to medium sized organizations solve information security challenges.
  5. Introduction – Speaker: Evan Francen, CISSP CISM CCSK
     • President & Co-founder of FRSecure
     • 20 years of information security experience
     • Security evangelist with more than 700 published articles
     • Experience with 150+ public & private organizations
  6. Introduction – Topics
     • What drives information security in your organization?
     • What is information security?
     • Compliance vs. Risk
     • Current Threats vs. Future Threats
     • Current Regulations vs. Future Regulations
     • Solution – Strategic Information Security
     • Top Five Things You Should Master (Tactically & Strategically)
     • Need Help? – Contact Us!
  7. What drives information security at your organization? This is a question for you.
  8. Maybe our explanation of information security would help… In your opinion/words, what is information security?
  9. Information Security Is Not an IT Issue. Information security is the application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of information. IT-centric information security over-emphasizes Technical controls, often at the expense of Administrative and Physical controls. IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity.
  10. What is Information Security?
  11. Back to our question: what drives information security at your organization? Compliance vs. Risk
     • Information security is not one size fits all.
     • Who knows your organization better?
     • Checklists only work as well as the checklist.
     • Motivation. You’re in business to make money. Right?
     • Strategy. What is the examiner going to ask vs. what are our risks? Really, there is only one good answer.
  12. Back to our question: what drives information security at your organization? Compliance vs. Risk – Compliance
     • Do you have a firewall? Check.
     • Do you have an acceptable use policy? Check.
     • Do you encrypt the data on your internal network? No?! Well, you need to encrypt the data on your internal network.
     • Do you have filtered network segmentation on your internal LAN? No?! You need to install firewalls between network segments.
  13. Back to our question: what drives information security at your organization? Compliance vs. Risk – Risk
     • You have a firewall. How well does your firewall provide value? Is the firewall effective in controlling access and reducing risk? Is the firewall adequately managed and monitored?
     • How does our use of the firewall align with our business objectives?
     • What is the risk in how the firewall is currently designed, implemented, and managed?
     • How can we take what we’ve learned about our use of the firewall and plan for the future of our business?
  14. Compliance vs. Risk – In summary: compliance-based information security does not lend itself well to strategy, alignment, or cost-effectiveness.
  15. Current Threats vs. Future Threats. Hopefully, we know what challenges we face today. How do we determine, with any certainty, what threats we face in the future?
     • Pay attention to the news.
     • Subscribe to security-related publications.
     • Continue to participate in user groups. Good resources: Uniforum, and others.
  16. Current Threats vs. Future Threats. Hopefully, we know what challenges we face today. What should we plan for?
     • Risk management, not compliance management
     • People are the biggest risk; spend on training & awareness
     • More regulatory pressure
     • Detective and corrective controls – plan to be breached
  17. Current Regulations vs. Future Regulations. Can we all agree that regulatory pressure will not decrease?
     • Prepare for additional pressure and more intrusive audits/examinations.
     • Prepare for more regulation.
     • Letter of the law vs. intent of the law
  18. Solution – A strategic approach to information security. Principles of strategic information security:
     • Alignment with business objectives
     • It’s all about people – culture
     • Management involvement
     • Proactive vs. reactive
     • Forward-looking
     • Formal
     OWN IT!
  19. Top Five Things You Should Master – #1: Risk Management
     • Where are your most significant risks?
     • Which risk is the highest priority?
     • How will we justify our existence (expenditures)?
     • How do we measure what we’re doing?
  20. Top Five Things You Should Master – #2: Documented Policies & Procedures
     • Policies are one tool we use to set culture.
     • What is management’s view?
     • Nobody reads policy; no offense.
     • People are the biggest risk.
     • Policies set direction and governance.
  21. Top Five Things You Should Master – #3: Patch Management and Malicious Code Controls
     • Together, not one in lieu of the other
     • Might be a pain, but it’s worth it (trust me)
     • This is the song that never ends…
  22. Top Five Things You Should Master – #4: Training & Awareness
     • How do users know what to do if you don’t tell them?
     • Remember culture?
  23. Top Five Things You Should Master – #5: Incident Response
  24. DON’T FORGET. Sometimes information security professionals forget these facts!
     • Not all risks require mitigation/remediation.
     • Information security must be strategic.
     • Information security strategy must align with business strategy.
     • Avoid business vs. information security scenarios.
     • Information security controls should be as transparent as possible.
  25. Top Five Things You Should Master – BONUS: Mobile Device Security
     • Data doesn’t stay home anymore.
     • How do you protect data on mobile devices?
  26. How we help – Risk Assessment
  27. How we help – Risk Management (Build & Manage)
  28. Need Help? Contact FRSecure! Some of our services:
     • Information Security Assessments
     • Compliance Assessments (e.g. HIPAA, GLBA, etc.)
     • Customer Required Assessments
     • Internal Network Vulnerability Assessments
     • External Network Security Assessments
     • Penetration Testing
     • BC/DR Plans
     • Policy Creation
     • Outsourced Security Resources
     Evan Francen, CISSP CISM – President – 952-467-6384 (direct) – www.frsecure.com
  29. Thank you! Questions?