Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Information Security For Leaders, By a Leader


Published on

Evan Francen, President of FRSecure, discusses the challenges of building an efficient and effective security program in today’s world. Learn why most leaders have a false assumption of security, and how you can avoid the security mistakes most organizations make. - Delivered on 4/17/12 at TechPulse 2012.

Published in: Business, Technology
  • Be the first to comment

Information Security For Leaders, By a Leader

  1. 1. Information Security for Leaders, From a Leader TechPulse 2012 – April 17th, 2012 Presented by Evan Francen, President – FRSecure, LLC | 952-467-6384
  2. 2. Introduction Before we get started: • This is not your typical presentation. • What you have to say is as important as what I am going to tell you. • You are encouraged to participate! I will ask you questions, if you don’t ask me some! | 952-467-6384
  3. 3. Introduction FRSecure • Information security consulting company – it’s all we do. • Established in 2008 by people who have earned their stripes in the field. • We help small to medium sized organizations solve information security challenges. | 952-467-6384
  4. 4. Introduction Speaker – Evan Francen, CISSP CISM CCSK • President & Co-founder of FRSecure • 20 years of information security experience • Security evangelist with more than 700 published articles • Experience with 150+ public & private organizations. | 952-467-6384
  5. 5. Introduction Topics • What is information security? • What do business leaders need to know? • You’re in business to make money • Understand risk and manage it • How we help? • Where should you start? • Need Help? – Contact Us! | 952-467-6384
  6. 6. When you think of information security, how do you feel? Be honest | 952-467-6384
  7. 7. What is information security? This is really a question for you | 952-467-6384
  8. 8. What is Information Security? | 952-467-6384
  9. 9. Information Security Is Not an IT Issue The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information. IT-centric information security over-emphasizes Technical Control, often at the expense of Administrative and Physical Control. IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity. | 952-467-6384
  10. 10. It’s not compliance, but compliance is important Today’s compliance landscape is confusing! Federal Regulations: • HIPAA, GLBA, FTC, ECPA, Computer Fraud and Abuse Act, etc. State Regulations: • Breach notification laws, data destruction laws, data protection laws Industry Regulations: • Payment Card Industry Data Security Standard (PCI-DSS) Customer Regulations: • Good luck! | 952-467-6384
  11. 11. What do business leaders need to know? Business leaders have ultimate responsibility for information security Due Care (aka “duty of care”): • Provides a framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve. • Often reference the Prudent Man Rule, and require that the organization engage in business practices that a prudent, right thinking, person would consider to be appropriate. • Businesses that are found to have not applied this minimum duty of care can be deemed as having been negligent in carrying out their duties | 952-467-6384
  12. 12. What do business leaders need to know? Business leaders have ultimate responsibility for information security Due Diligence: • Requires that an organization continually scrutinize their own practices to ensure that they are always meeting or exceeding the requirements for protection of assets and stakeholders • Due diligence is the management of due care: it follows a formal process • Persons are said to have exercised due diligence, and therefore cannot be considered negligent, if they were prudent in their investigation of potential risks and threats | 952-467-6384
  13. 13. You are in business to make money Sometimes information security professionals forget this fact! • Not all risks require mitigation/remediation • Information security must be strategic • Information security strategy must align with business strategy • Avoid business vs. information security scenarios • Information security controls should be as transparent as possible | 952-467-6384
  14. 14. The Answer: Understand Risk and Manage it. • Risk is unique to your business and environment; information security is not a one-size-fits-all solution • Likelihood x Impact • Risks change as your business environment changes • There is no “easy button” • You don’t need to know about every risk, but you must know about the significant ones. | 952-467-6384
  15. 15. How we help – Risk Assessment | 952-467-6384
  16. 16. How we help – Risk Management (Build & Manage) | 952-467-6384
  17. 17. Where should you start? Conduct a risk assessment • Do it right • Comprehensive • Quantified/Measured/Scored • Choose a standard (ISO, NIST, COBIT, etc.) | 952-467-6384
  18. 18. Where should you start? Make Decisions Once you understand your risks, You can: decide what you want to do • Accept some risk about them. • Mitigate some risk • Transfer some risk Where organizations get in trouble is in ignoring risks and/or assuming that they don’t exist. | 952-467-6384
  19. 19. Where should you start? Your own information security risk management program: • Conduct Risk Assessment • Make Decisions • Plan Strategically • Update Regularly | 952-467-6384
  20. 20. Need Help? Contact FRSecure! Some of our services: • Information Security Assessments • Compliance Assessments (i.e. HIPAA, GLBA, etc.) • Customer Required Assessments • Internal Network Vulnerability Assessments • External Network Security Assessments • Penetration Testing • BC/DR Plans • Policy Creation Evan Francen, CISSP CISM • Outsourced Security Resources President 952-467-6384 (direct) www.frsecure.com | 952-467-6384
  21. 21. Thank you! Questions? | 952-467-6384