Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security Policy: The Next Generation

1,606 views

Published on

Presentation delivered by Peter Hesse at Security BSides Atlanta, October 8, 2010

Published in: Technology
  • Be the first to comment

Security Policy: The Next Generation

  1. 1. Security Policies: The Next Generation Peter Hesse Gemini Security Solutions, Inc. Security B-Sides Atlanta | October 8, 2010
  2. 2. Why do we have security policies?
  3. 3. We need rules to play the game
  4. 4. Written a policy lately?
  5. 5. Written a policy lately? ISO 27001
  6. 6. Written a policy lately? ORANG PCI-DSS 41 CFR 102 E BOOK SAS-70 FISMAISO 27001 WeBTRUST BITS SysTrust ISO 17799 / DITSCAP FIPS 199 BS 7799 Cloud Audit HIPAA
  7. 7. The language of policy [Organization] and applicable subsidiary Level 2 Unit ISMs will coordinate and document the establishment of all external network connections for their unit with Network Services. As every external network connection is potentially an entry point for intruders, Level 2 Unit ISMs must document all external network connections in their unit, including modems.
  8. 8. Code versus Policy
  9. 9. Code versus Policy
  10. 10. What happens if we simplify?
  11. 11. One-size-fits-all or tailor made?
  12. 12. What is the focus? Systems must be patched within 30 days of release of patch from vendor Management approval is required to download any copyrighted material from the Internet
  13. 13. Improving security policy: Prioritize
  14. 14. Improving security policy: Prioritize
  15. 15. Improving security policy: Prioritize
  16. 16. Improving security policy: Prioritize
  17. 17. The Next Generation: • Simplify, streamline, squeeze out jargon • Prioritize and heat map based on relative risk and audience • Build approaches that transcend documentation and encourage good behavior
  18. 18. Fin. • Peter Hesse, Gemini Security Solutions @pmhesse, pmhesse@geminisecurity.com • Extra special thanks to my partner-in-crime on this work, Michael Santarcangelo @catalyst (www.securitycatalyst.com)

×