Effective Security and Compliance Through Relationships and Communication
1. An Effective Security and Compliance Office
UC Davis Security Symposium 2013
Sean Cordero, Cloud Watchmen
Kevin Mazzone, UC Davis Health System
June 18, 2013
2. About the presenters
Sean Cordero, CISSP, CISM, CISA, CRISC
• Founder, Cloud Watchmen
– Provides InfoSec and compliance services
• 14+ years experience
• Consults with C-level management at public and private enterprises
• Regular speaker at security conferences
• Former CSO of EdFund and Charlotte Russe
Kevin Mazzone, PMP, CEH
• M.S. Information Management & InfoSec from Syracuse University
• Security and compliance experience – Intel, EdFund, UCDHS, MAXIMUS
• 15+ years of experience
• Former ISO
• Candidate for CISSP
3. Objectives
• Based on our experiences, we’ll talk about:
• Engaging and approaching the organization in a different way
• Establishing relationships and human factors
– Communication tools & standardized reporting
– Showing risk & influencing IT management
• Ensuring the security agenda is pushed forward
6. Traditional model
[Org chart: CEO; CIO (IT Apps, IT Facilities, IT Infra, IT Sec); Compliance; HR; Legal; Physical Security; Records]
• IT Sec as “enforcer”
• Doesn’t work with traditional organizational constraints
• “Beggar-Prince”
• Security team has no power
• Company policy
– “Crying to Mom”
8. Traditional model doesn’t work
• A CIO makes sure information systems are effectively managed and gets information to users fast
• ISO protects and ensures CIA
• ISO should be the CSO & report to the CEO/COO
• Alternatively, ISO reports to the CSO
• Avoid conflict of interest
– Lateral with CIO
Source: Kovacich
9. Even more…
• Technical reviewer
– Security skills < IT apps and infrastructure
• Policy developer
– Policy written in a vacuum is useless; what matters is what is actually done
• Assessor
• Competency of the ISO
– Need to manage up & force written decisions
– Fails at: building external relationships, articulating risks, marketing, creating win/win, over-reliance on tech fixes to the human factor
11. Organizational overview
[Org chart: CEO; CIO (IT Apps, IT Facilities, IT Infra); Consumers of IT Services: Compliance, HR, Information Security, Legal, Physical Security, Records]
• Security becomes a consumer
• Requirements & expectations based
• Ends conflict of interest
• End-to-end risk understanding
• Carnegie Mellon placement
12. Proposed Org Benefits
• Influence with biz and support groups
– HR, Legal, Finance, Physical Sec, Biz Units, etc.
– Peer Management Review Committees (MRCs)
• Risk acceptance & documentation
• Buy-off on IA response
• Security governance
13. Reality…
• In most orgs, security is already a part of IT
• Establishing & maintaining relationships with the other consumers of IT is key
15. Relationships = Enabler
• “Make the most of what you’ve got”
– Up & out relations – Legal, HR, line of biz, etc.
• IT InfoSec as conduit between biz groups and the rest of IT
• IT InfoSec as enabler
– Not just validator
– Sec can run vuln scan
– Poor relationship = backfire
17. Types of engagements
1. Internal IT
2. Lateral
3. Up & out
4. External 3rd parties
– SME
– External auditors (BSA, Joint Commission, PCI, etc.)
18. Internal IT
• Upward to management
• Lateral to support groups
– Infrastructure
– Project management / business analysts
– Applications
• Non-functional requirements
19. Internal IT management
• Communicate security & compliance risks!
• Address costs, resource requirements, time, scope
– Security & remediation not effectively accounted for in new projects or KTBR
• Security technologies not budgeted
• Resources not assigned security control & remediation tasks
– CIO can assign more resources or extend the time
• Document decisions
20. IT mgmt. comms gone wrong
• When a CIO disavows identified security or compliance risks and decides, by decree or priority, not to work on them, they are failing the org, not doing their job, and taking on the board’s role
– CIO makes the risk decision for the entire company
– Blind decision that does not represent the company
– A bad CIO does whatever they can to shut down the process
• Document the decision
21. Up & out engagement
• Conversation – a unified way to report, measure, rank, and communicate to up & out stakeholders
– Meaningless to Legal – x vulnerabilities in patching
• A way to begin holding IT accountable even though the role of sec is to “open the kimono”
• Establish an on-going relationship
• Establishes expectations
22. 3rd party engagement
• Scope & engagement – top down
– May or may not be from the board or audit committee
– Ex: E&Y, BSA, PCI Assessor, FISMA/FedRAMP readiness review, HITECH/HIPAA compliance review, SOX audit (§404)
• Best way to engage: pen. test, vuln. assessment, effectiveness reviews
24.
• Communication types
– Indirect – written loop back to decision maker
– Direct – 1:1 engagement
• Disclosure levels
– Full – show all the dirty laundry
– Limited – minimal amount of information
26.
• Type of engagement and expected outcome
– Direct with IA = bad
• Nature, level of disclosure, org risk; when dealing with an auditor, provide minimal information and just enough to pass
• 3rd party SME = direct, full
• CIO = direct full disclosure sco to cio, indirect moderate to full to lateral groups
27. Communication tools
• Written communication & agreements
– IT SLAs to consumer – codified and written; measurable
– Incident response
– Inventory/asset mgmt.
– Patch/system upkeep
– Baseline configuration
– Email – “per our conversation…”
– Policies – vetted, approved
• Up and out groups, external 3rd party, CIO enabler
28. Communication tools (cont’d)
• Audit reports
• Checklists
• SOWs / RFP
• Change management
• Risk Assessments
• Management level reports
– ISO to CIO, Audit Committee, stakeholders/consumers of IT services
– Measures/metrics baseline SLA between consumer and IT
– Internal measures/metrics
29. Checklists
• Direct communications
• Implementation up for interpretation
– Security SME sees requirements one way; IT another
• Formal support/written from exec mgmt.
– Let go of non-supported items; escalate legal issues to Legal for resolution
30. Indirect audit reports
• Indirect communications
• Finding: go fix it
• Force the finding through the internal risk acceptance process and make executive mgmt./board sign off & approve to accept
– Forced: prioritization change for IT projects
31. Respond to audit reports
• Response is too often date focused
– Consider LOE, costs (ops + expenses), risk, duration, and time
• Executive management must make the decision on project prioritization, and when to start
– This decision establishes the date
– Future date = temporary risk acceptance
– Document mgmt. decision
32. SOW / RFP
• Include security requirements as part of the procurement process
• Implementation includes security non-functional requirements
– Often the solution supports security controls but they need to be turned on
33. Change management
• Full disclosure
• Operations (upgrades & KTBR) & project focused
• Non-functional requirements
– Not going to do; decision made, documented, and approved
• Type of risk assessment
34. Management level reports
• Full disclosure
• State of compliance
• Unaddressed risks
• Measures related to SLA with IT
– Patching timelines, etc.
36. Summary
• Security is a consumer of IT
– HR, Legal, Physical Security, Compliance, etc. are consumers
• Relationships are key
• Communications – tailored for the consumer
– Methods – indirect v. direct
– Tools
38. Citations
• Kovacich, Gerald L. (CISSP, CFE, CPP). The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program. 2nd ed. Butterworth-Heinemann, 2003. Print.