Information Security in a Compliance World

Presented by Evan Francen at the 2012 RK Dixon Tech Summit

What drives information security in your organization?
What is information security?
Customer requirements
Compliance
Compliant = Secure?
Solution - Strategic Information Security
Top Five Things You Should Do (Tactically & Strategically)
Need Help? – Contact Us!


Slide 1: Information Security in a Compliance World
RK Dixon Tech Summit ‘12 – November 7, 2012
Presented by Evan Francen, President – FRSecure, LLC
http://www.frsecure.com | 952-467-6384

Slide 2: Introduction
Thank you for attending! Thank you to RK Dixon for inviting us!

Slide 3: Introduction
Before we get started:
  • This is not your typical presentation.
  • What you have to say is as important as what I am going to tell you.
  • You are encouraged to participate! I will ask you questions if you don’t ask me some!

Slide 4: Introduction – FRSecure
  • Information security consulting company – it’s all we do.
  • Established in 2008 by people who have earned their stripes in the field.
  • We help small to medium-sized organizations solve information security challenges.

Slide 5: Introduction – Speaker: Evan Francen, CISSP CISM CCSK
  • President & Co-founder of FRSecure
  • 20 years of information security experience
  • Security evangelist with more than 700 published articles
  • Experience with 150+ public & private organizations

Slide 6: Introduction – Topics
  • What drives information security in your organization?
  • What is information security?
  • Customer requirements
  • Compliance
  • Compliant = Secure?
  • Solution – Strategic Information Security
  • Top Five Things You Should Do (Tactically & Strategically)
  • Need Help? – Contact Us!

Slide 7: What drives information security at your organization?
This is a question for you.

Slide 8: Maybe an explanation of information security would help…
In your opinion/words, what is information security?

Slide 9: What is Information Security?

Slide 10: Information Security Is Not an IT Issue
Information security is the application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of information.
  • IT-centric information security over-emphasizes Technical controls, often at the expense of Administrative and Physical controls.
  • IT-centric information security also over-emphasizes Availability of systems, sometimes at the expense of Confidentiality and Integrity.

Slide 11: Back to our question; what drives information security at your organization?
  • Customer requirements?
  • Regulations? HIPAA, GLBA, FTC, FERPA, Computer Fraud and Abuse Act, etc.
  • Risk?
Really, there is only one good answer.

Slide 12: Customer Requirements
What’s the problem with customer requirements?
  • Different customers, different requirements
  • Customers don’t know your business like you do
  • To your customers, their own protection matters more than your success
  • Customers are probably more confused than you are
Should the basis of your information security strategy be customer requirements?

Slide 13: What’s the problem with compliance?
  • You’re in business to make money, right?
  • Information security is not one size fits all
  • Regulators and examiners are not information security professionals
  • Compliance is confusing, yes?
Should the basis of your information security strategy be compliance?

Slide 14: Compliant DOESN’T mean Secure!
Today’s compliance landscape is confusing!
  • Federal regulations: HIPAA, GLBA, FTC, FERPA, Computer Fraud and Abuse Act, etc.
  • State regulations: breach notification laws, data destruction laws, data protection laws
  • Industry regulations: Payment Card Industry Data Security Standard (PCI DSS)
  • Customer requirements: good luck!

Slide 15: Solution – A strategic approach to information security
Principles of strategic information security:
  • Alignment with business objectives
  • It’s all about people – culture
  • Management involvement
  • Proactive vs. reactive
  • Forward-looking
  • Formal
OWN IT!

Slide 16: Top Five Things for You To Do – #1: Conduct a risk assessment
  • Where are your most significant risks?
  • Which risk is the highest priority?
  • How will we justify our existence (expenditures)?
  • How do we measure what we’re doing?

Slide 17: Top Five Things for You To Do – #2: Documented Policies & Procedures
  • Policies are one tool we use to set culture.
  • What is management’s view?
  • Nobody reads policy, bummer.
  • People are the biggest risk.
  • Policies set direction and governance.

Slide 18: Top Five Things for You To Do – #3: Patch your systems & install antivirus
  • Together, not one in lieu of the other
  • Might be a pain, but it’s worth it (trust me)
  • This is the song that never ends…

Slide 19: Top Five Things for You To Do – #4: Training & Awareness
  • How do users know what to do if you don’t tell them?
  • Remember culture?

Slide 20: Top Five Things for You To Do – #5: Incident Response

Slide 21: DON’T FORGET
Sometimes information security professionals forget this!
  • Not all risks require mitigation/remediation
  • Information security must be strategic
  • Information security strategy must align with business strategy
  • Avoid business vs. information security scenarios
  • Information security controls should be as transparent as possible

Slide 22: Top Five Things for You To Do – BONUS: Govern mobile devices
  • Data doesn’t stay home anymore
  • How do you protect data on mobile devices?

Slide 23: How we help – Risk Assessment

Slide 24: How we help – Risk Management (Build & Manage)

Slide 25: Need Help? Contact FRSecure!
Some of our services:
  • Information Security Assessments
  • Compliance Assessments (e.g. HIPAA, GLBA, etc.)
  • Customer Required Assessments
  • Internal Network Vulnerability Assessments
  • External Network Security Assessments
  • Penetration Testing
  • BC/DR Plans
  • Policy Creation
  • Outsourced Security Resources
Evan Francen, CISSP CISM, President
evan@frsecure.com
952-467-6384 (direct)
www.frsecure.com

Slide 26: Thank you! Questions?
