This document discusses security benchmarking, best practices, and strategy development. It outlines the experience and qualifications of David Clarke in managing large financial trading networks, global security services, and maintaining regulatory compliance. Clarke discusses security measurement, compliance, incident response planning, and the four main threats of internal actors, external hackers, regulatory issues, and inadvertent human error. An appendix provides information on standards like ISO 20000 and the phases of incident response.

1. SECURITY BENCHMARKING, BEST PRACTICE AND STRATEGY DEVELOPMENT
David Clarke
Vciso

2. David Clarke
• Created CERT on a Financial Intranet trading $3.5
Trillion a day ,CPNI Member 10 Years.
• Managed Global Managed Security Services with a
$100-$300 million Global install base 500 + Customers
with $3.4 Billion dollar Contracts.
• Created , maintained and improved regulatory and
compliance commitments including Global PCI-DSS,
ISO 27001 (10,000+ Security Devices/Systems ).

3. • Breach Legislation, IT or Legal?
• " the proposed regulation of up to 5% of
annual worldwide turnover, or €100"

4. • Information Sharing , Who,When, How
• "The ICO has imposed a monetary penalty
of £200000 on the British Pregnancy
Advice Service (BPAS) for exposing
thousands of personal"

5. • Compliance is the best protection?
• "Resistance is futile" Gartner
• "Brighton and Sussex University Hospitals NHS
Trust fined £325k after hard drives with highly-sensitive
patient data were sold on eBay, - "

6. • Best Practice or is this Compliance ?
• "The ICO can issue fines of up to
£500,000 for serious breaches of the Data
Protection Act and Privacy and Electronic
Communications Regulations." ICO

7. • Incident Response,Strategy
• "There are two kinds of big companies in the
U.S. Those who’ve been hacked by the Chinese
and those who don’t know they’ve been hacked.”
FBI

8. 4 Threats
• Internal Threat
• External Threat
• Regulatory Threat
• The Threat of “inadvertent human
error”

9. Appendix

10. ISO 20000
Change Process
Service Introduction
Problem management
Escalation Processe

11. Security Measurement
• Measure of Compliance
• Measure of System effectiveness
• Measure of People Awareness
• Measuremnet of main Threat Vector

13. 72 Hours to Report
% 5% of Worldwide
Revenue
71

14. Cyber Essentials
Boundary Control
Secure Configuration
Patch Managment
Malware Defense
Access Control

15. Each Event is 0.25 80% achievable =0.2 The Maths
Dependent Events
0.2+0.2+.2+.2=0.8
Previously 0.32
A Dramatic improvement by
using a Leveraged Strategy

16. Probably? Independent Events
0.8x 0.8x0.8x0.8=0.41

17. "Inadvertent
human error
Inadvertent
human error
Hacker
95% Human Error
19:1 Leverage to Hackers

18. Incidents
• Escalation Procedure
• Alerting Procedure
• Password Managment

19. Real Time Incident
1.2 13%
Escalation Management
Judgement Calls
Staff
Working with Outsourcers
Identifying Risk/Direction
Legal
Presenting The Down Side
Define Purpose
Incident End
Mitigation Techniques
Information Control
Post Analysis
Stakeholders
Prerequisites
0.14
0.12
0.1
0.08
0.06
0.04
0.02
0
1
0.8
0.6
0.4
0.2
0
12%
11% 11%
9% 9%
8%
6%
4% 4%
3% 3% 3%
2%
13%
26%
37%
48%
57%
66%
73% 79% 83% 88% 91% 94% 98% 100%

20. Incident Phases

21. • If you would like my worksheet matching
the strategy to cyber essentials and sans
top 20 please email me at cio@vciso.co
• Linkedin with me at
uk.linkedin/1davidclarke
• Twitter @1davidclarke