Resolver Inc., profile picture
Uploaded byResolver Inc.
190 views

Information Security Best Practices: Keeping Your Company's Data Safe

The document outlines best practices for information security, emphasizing principles such as least privilege and defense in depth. It details technical controls for network, operating systems, and applications, alongside policies for business continuity, disaster recovery, and ongoing security training. The importance of a strong security culture and third-party validation is also highlighted to ensure data protection and risk management.

Software
Related topics:
Information Security

Embed presentation

Downloaded 15 times
Information Security Best Practices: Keeping Your Company’s Data Safe
Hello! I am James Patterson COO & CISO, Resolver james@resolver.com Your Photo Here!
Information Security Confidentiality Integrity Availability
Principle Least Privilege • Every module (process, user, program, environment) must be able to only access the information and resources that are necessary for its legitimate purpose • Start from nothing, only add what is needed
Defense in Depth Use of all available security mechanisms in the different aspects of the application deployment infrastructure to minimise potential attack vectors by creating multiple layers of protection in case one mechanism fails.
Layer Cake • BCP & DR • Monitoring • Procedures • Automation • Policies • Penetration Testing • Third Party Validation • Corporate Environment • People • Technical Controls • Network • OS • Application • Data Storage and Access • Physical Security
Corporate Environment • Security Culture • Tone at the Top • Trusted Guardian of Your Data • Transparency • Risk Assessment • Documentation • Investment
People Security Roles Job Descriptions Hiring Decisions (background checks) Onboarding/ Offboarding (least privilege) Ongoing security training
Security Architecture Principles ▪ Segmented Environments ▪ Server Isolation ▪ Least Privilege ▪ Private Network for Server Management ▪ Minimal public surface area ▪ AWS Managed Services Wherever Possible ▪ MFA and Credential Complexity
Technical Controls - Network ▪ ALB (Application Load Balancer) or Nginx secure reverse proxy ▪ CloudFront for Content Distribution, DDOS attacks ▪ AWS Shield (WAF) ▪ EC2 Security Groups (AWS Firewall) ▪ IAM Users and Roles ▪ Transport Encryption ▪ Private Management Subnet through MFA Enabled VPN
Technical Controls - Operating System ▪ Server Hardening ▪ Anti-virus ▪ Anti-malware ▪ Intrusion detection systems – AlienVault and AWS GuardDuty ▪ Monthly Patch Management ▪ Critical patches analyzed for applicability within 48 hours
Technical Controls - Application ▪ Security by Design ▪ Access and Authorization checked at every level ▪ Resolver Application Level Authentication control ▪ Resolver as identity provider ▪ Single Sign On ▪ Role and Data Based Authorization Control
Encryption at Rest Data Segregation Access Review High Availability and Durability Access Controls • Least privilege • Encrypted credentials Data Storage and Access
Physical Security - AWS ▪ Site selection ▪ AWS employee access only ▪ Access logs ▪ Access review ▪ CCTV and MFA access
• AWS Regions and Availability Zones • Regular Backups with Validation • Monthly Testing • Auto Scale and Self Healing Business Continuity Planning & Disaster Recovery
Monitoring ▪ AWS Cloud Watch – Log Aggregation preservation ▪ Cloud Trail – AWS Account Config Changes ▪ Application Audit Trail ▪ Alien Vault – SIEM, HIDS ▪ Site 24x7 – External availability ▪ Pager Duty – Notification ▪ Nessus – Vulnerability Scanning ▪ Guard Duty – Machine Learning SIEM
Standard Operating Procedures ▪ Disaster Recovery ▪ Change Management ▪ Incident Management ▪ Monthly Maintenance ▪ Vulnerability Management ▪ Other SOPs ▪ Common operations (onboard & offboard customers)
▪ Faster ▪ Removes human error ▪ Scripting for common tasks ▪ New customer ▪ Resolver Core environment deploy ▪ Cattle, not pets ▪ Replace servers with secure versions ▪ No need to remote into containers Automation
Policies ▪ InfoSec Policy ▪ Change Control ▪ Hiring Process ▪ Termination Process ▪ Security Assessment Process ▪ Incident Management Policy ▪ Security Awareness Training Policy ▪ Server Capacity Policy ▪ Server Hardening Policy ▪ Data Classification ▪ Password Policy ▪ Cryptography Policy ▪ Patch Management Policy ▪ Remote Access Policy
Penetration Testing ▪ Annual ▪ Third Party ▪ Black box, authenticated, comprehensive ▪ OWASP ▪ Top 10 ▪ Application Security Verification Standard ▪ Data segregation ▪ Application logic
Third Party Validation
Thanks! Any questions? james@resolver.com

More Related Content

PDF
Bay Dynamics
byMeg Vorland
 
PDF
An Intro to Resolver's InfoSec Application (RiskVision)
byResolver Inc.
 
PDF
An Intro to Resolver's Incident Management Application
byResolver Inc.
 
PDF
Data Driven Risk Assessment
byResolver Inc.
 
PDF
An Intro to Resolver's Risk Application
byResolver Inc.
 
PDF
Why Corporate Security Professionals Should Care About Information Security
byResolver Inc.
 
PDF
An Intro to Resolver's Compliance Application
byResolver Inc.
 
PDF
Taking a Data-Driven Approach to Business Continuity
byResolver Inc.
 
Bay Dynamics
byMeg Vorland
 
An Intro to Resolver's InfoSec Application (RiskVision)
byResolver Inc.
 
An Intro to Resolver's Incident Management Application
byResolver Inc.
 
Data Driven Risk Assessment
byResolver Inc.
 
An Intro to Resolver's Risk Application
byResolver Inc.
 
Why Corporate Security Professionals Should Care About Information Security
byResolver Inc.
 
An Intro to Resolver's Compliance Application
byResolver Inc.
 
Taking a Data-Driven Approach to Business Continuity
byResolver Inc.
 

What's hot

PDF
Information Security Risk Management
byErsoy AKSOY
 
PDF
Integrated Risk Management
byOmicron Systems
 
PDF
Risk Assessments
byJoAnna Cheshire
 
PDF
Remote Deposit Capture Risk Management & FFIEC Complaince
byJTLeekley
 
PDF
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
byPriyanka Aash
 
PPTX
Risk Management Methodology - Copy
byRabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
PPTX
Security Policies and Standards
byprimeteacher32
 
PDF
Integrated risk management
byEndeavor Management
 
PDF
Security & Risk Management
byAhmed Sayed-
 
PPT
Cyber crime with privention
byManish Dixit Ceh
 
PDF
'Re-writing' Infrastructure management
byMovate
 
PDF
Integrating-Cyber-Security-for-Increased-Effectiveness
byAyham Kochaji
 
PPTX
2 ppt final dan shoemaker dd1 stockholm presentation
byGlobalForum
 
PPT
Risk Assessment And Management
byvikasraina
 
PPTX
Security assessment isaca sv presentation jan 2016
byEnterpriseGRC Solutions, Inc.
 
PDF
Jim Dean Marketing One Pager
byJames Dean
 
PDF
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
bySouth Tyrol Free Software Conference
 
PDF
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
byResolver Inc.
 
PDF
Why does-your-company-need-a-third-party-risk-management-program
byCharles Steve
 
PPTX
CISSPills #3.02
byPierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Information Security Risk Management
byErsoy AKSOY
 
Integrated Risk Management
byOmicron Systems
 
Risk Assessments
byJoAnna Cheshire
 
Remote Deposit Capture Risk Management & FFIEC Complaince
byJTLeekley
 
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
byPriyanka Aash
 
Risk Management Methodology - Copy
byRabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
Security Policies and Standards
byprimeteacher32
 
Integrated risk management
byEndeavor Management
 
Security & Risk Management
byAhmed Sayed-
 
Cyber crime with privention
byManish Dixit Ceh
 
'Re-writing' Infrastructure management
byMovate
 
Integrating-Cyber-Security-for-Increased-Effectiveness
byAyham Kochaji
 
2 ppt final dan shoemaker dd1 stockholm presentation
byGlobalForum
 
Risk Assessment And Management
byvikasraina
 
Security assessment isaca sv presentation jan 2016
byEnterpriseGRC Solutions, Inc.
 
Jim Dean Marketing One Pager
byJames Dean
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
bySouth Tyrol Free Software Conference
 
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
byResolver Inc.
 
Why does-your-company-need-a-third-party-risk-management-program
byCharles Steve
 
CISSPills #3.02
byPierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 

Similar to Information Security Best Practices: Keeping Your Company's Data Safe

PDF
Managed Threat Detection and Response
byAlert Logic
 
PDF
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
PPTX
AWS Cloud Security
byAWS Riyadh User Group
 
PPTX
Security on AWS
byCloudHesive
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 
PPTX
A guide to Sustainable Cyber Security
byErnest Staats
 
PPTX
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
byhoang971
 
PPTX
MS. Cybersecurity Reference Architecture
byangelohammond
 
PPTX
CS5300 class presentation on managing information systems
byzenhubris
 
PDF
Essentials of Network and Cloud Security.pptx.pdf
byapurvar399
 
PPTX
Key Tables, Charts and Flows for SSCP _ CISSP.pptx
byDeepakChougule8
 
PPTX
Securing the cloud and your assets
byMarcus Dempsey
 
PPTX
Privacies are coming
byErnest Staats
 
PPTX
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
PPTX
Privacies are Coming
byErnest Staats
 
PDF
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
 
PDF
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
 
PPTX
Deep dive - AWS security by design
byRichard Harvey
 
PPTX
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
byMarkAnnati
 
PPT
Guard Era Security Overview Preso (Draft)
byGuardEra Access Solutions, Inc.
 
Managed Threat Detection and Response
byAlert Logic
 
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
AWS Cloud Security
byAWS Riyadh User Group
 
Security on AWS
byCloudHesive
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 
A guide to Sustainable Cyber Security
byErnest Staats
 
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
byhoang971
 
MS. Cybersecurity Reference Architecture
byangelohammond
 
CS5300 class presentation on managing information systems
byzenhubris
 
Essentials of Network and Cloud Security.pptx.pdf
byapurvar399
 
Key Tables, Charts and Flows for SSCP _ CISSP.pptx
byDeepakChougule8
 
Securing the cloud and your assets
byMarcus Dempsey
 
Privacies are coming
byErnest Staats
 
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
Privacies are Coming
byErnest Staats
 
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
 
Deep dive - AWS security by design
byRichard Harvey
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
byMarkAnnati
 
Guard Era Security Overview Preso (Draft)
byGuardEra Access Solutions, Inc.
 

More from Resolver Inc.

PDF
How Resolver Uses Resolver
byResolver Inc.
 
PDF
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
byResolver Inc.
 
PPTX
Best Practices and ROI for Risk-based Vulnerability Management
byResolver Inc.
 
PDF
Risk Intelligence: Threats are the New Risk
byResolver Inc.
 
PDF
Creating an Enterprise-Wide Workplace Violence & Threat Assessment Team
byResolver Inc.
 
PDF
A Peek at adidas Group's Integrated Risk & Security Management Strategy
byResolver Inc.
 
PDF
Reporting to the Board on Corporate Compliance
byResolver Inc.
 
PDF
Terrorism in a Corporate Setting
byResolver Inc.
 
PDF
Planning a move from Perspective to CORE
byResolver Inc.
 
PDF
Scammed: Defend Against Social Engineering
byResolver Inc.
 
PDF
Modelling your Business Processes with Resolver Core
byResolver Inc.
 
PDF
How to Prove the Value of Security Investments
byResolver Inc.
 
PDF
An Intro to Resolver's Resilience Application
byResolver Inc.
 
PDF
Int:rsect: CEO Address with Will Anderson
byResolver Inc.
 
PDF
Keeping Your Data Clean
byResolver Inc.
 
PDF
Security Trends: From "Silos" to Integrated Risk Management
byResolver Inc.
 
PDF
ERM Benchmarking Survey Results
byResolver Inc.
 
PDF
How to Achieve a Fully Integrated Approach to Business Resilience
byResolver Inc.
 
PDF
Leveraging Change Leadership to Find Success in your IRM Program
byResolver Inc.
 
PDF
How to Use Storytelling to Communicate with Executives
byResolver Inc.
 
How Resolver Uses Resolver
byResolver Inc.
 
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
byResolver Inc.
 
Best Practices and ROI for Risk-based Vulnerability Management
byResolver Inc.
 
Risk Intelligence: Threats are the New Risk
byResolver Inc.
 
Creating an Enterprise-Wide Workplace Violence & Threat Assessment Team
byResolver Inc.
 
A Peek at adidas Group's Integrated Risk & Security Management Strategy
byResolver Inc.
 
Reporting to the Board on Corporate Compliance
byResolver Inc.
 
Terrorism in a Corporate Setting
byResolver Inc.
 
Planning a move from Perspective to CORE
byResolver Inc.
 
Scammed: Defend Against Social Engineering
byResolver Inc.
 
Modelling your Business Processes with Resolver Core
byResolver Inc.
 
How to Prove the Value of Security Investments
byResolver Inc.
 
An Intro to Resolver's Resilience Application
byResolver Inc.
 
Int:rsect: CEO Address with Will Anderson
byResolver Inc.
 
Keeping Your Data Clean
byResolver Inc.
 
Security Trends: From "Silos" to Integrated Risk Management
byResolver Inc.
 
ERM Benchmarking Survey Results
byResolver Inc.
 
How to Achieve a Fully Integrated Approach to Business Resilience
byResolver Inc.
 
Leveraging Change Leadership to Find Success in your IRM Program
byResolver Inc.
 
How to Use Storytelling to Communicate with Executives
byResolver Inc.
 

Recently uploaded

PDF
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
PPTX
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
PPTX
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PDF
PeopleSoft Lift and Shift to Oracle Cloud Infrastructure.pdf
byAstuteBusiness
 
PDF
How Does AI Improve Location-Based Mobile App Development for Businesses.pdf
byNet-Craft.com
 
PPTX
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
PDF
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
PPTX
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
PPTX
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
PDF
INTRODUCTION TO DATABASES, MYSQL, MS ACCESS, PHARMACY DRUG DATABASE.pdf
bylikudas9861
 
PPTX
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
PDF
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
PDF
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
PDF
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
PPTX
Struggling with Pentaho Limitations How Helical Insight Solves Them.pptx
byVarsha Nayak
 
PDF
Digitizing Banquet Management_ Why It Matters for Modern Hotels.pdf
byHotelogix
 
PDF
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
PDF
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PeopleSoft Lift and Shift to Oracle Cloud Infrastructure.pdf
byAstuteBusiness
 
How Does AI Improve Location-Based Mobile App Development for Businesses.pdf
byNet-Craft.com
 
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
INTRODUCTION TO DATABASES, MYSQL, MS ACCESS, PHARMACY DRUG DATABASE.pdf
bylikudas9861
 
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
Struggling with Pentaho Limitations How Helical Insight Solves Them.pptx
byVarsha Nayak
 
Digitizing Banquet Management_ Why It Matters for Modern Hotels.pdf
byHotelogix
 
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 

Information Security Best Practices: Keeping Your Company's Data Safe

  • 1.
    Information Security BestPractices: Keeping Your Company’s Data Safe
  • 3.
    Hello! I am JamesPatterson COO & CISO, Resolver james@resolver.com Your Photo Here!
  • 4.
  • 5.
    Principle Least Privilege •Every module (process, user, program, environment) must be able to only access the information and resources that are necessary for its legitimate purpose • Start from nothing, only add what is needed
  • 6.
    Defense in Depth Useof all available security mechanisms in the different aspects of the application deployment infrastructure to minimise potential attack vectors by creating multiple layers of protection in case one mechanism fails.
  • 7.
    Layer Cake • BCP& DR • Monitoring • Procedures • Automation • Policies • Penetration Testing • Third Party Validation • Corporate Environment • People • Technical Controls • Network • OS • Application • Data Storage and Access • Physical Security
  • 8.
    Corporate Environment • SecurityCulture • Tone at the Top • Trusted Guardian of Your Data • Transparency • Risk Assessment • Documentation • Investment
  • 9.
  • 10.
    Security Architecture Principles ▪Segmented Environments ▪ Server Isolation ▪ Least Privilege ▪ Private Network for Server Management ▪ Minimal public surface area ▪ AWS Managed Services Wherever Possible ▪ MFA and Credential Complexity
  • 11.
    Technical Controls -Network ▪ ALB (Application Load Balancer) or Nginx secure reverse proxy ▪ CloudFront for Content Distribution, DDOS attacks ▪ AWS Shield (WAF) ▪ EC2 Security Groups (AWS Firewall) ▪ IAM Users and Roles ▪ Transport Encryption ▪ Private Management Subnet through MFA Enabled VPN
  • 12.
    Technical Controls -Operating System ▪ Server Hardening ▪ Anti-virus ▪ Anti-malware ▪ Intrusion detection systems – AlienVault and AWS GuardDuty ▪ Monthly Patch Management ▪ Critical patches analyzed for applicability within 48 hours
  • 13.
    Technical Controls -Application ▪ Security by Design ▪ Access and Authorization checked at every level ▪ Resolver Application Level Authentication control ▪ Resolver as identity provider ▪ Single Sign On ▪ Role and Data Based Authorization Control
  • 14.
  • 15.
    Physical Security -AWS ▪ Site selection ▪ AWS employee access only ▪ Access logs ▪ Access review ▪ CCTV and MFA access
  • 16.
    • AWS Regionsand Availability Zones • Regular Backups with Validation • Monthly Testing • Auto Scale and Self Healing Business Continuity Planning & Disaster Recovery
  • 17.
    Monitoring ▪ AWS CloudWatch – Log Aggregation preservation ▪ Cloud Trail – AWS Account Config Changes ▪ Application Audit Trail ▪ Alien Vault – SIEM, HIDS ▪ Site 24x7 – External availability ▪ Pager Duty – Notification ▪ Nessus – Vulnerability Scanning ▪ Guard Duty – Machine Learning SIEM
  • 18.
    Standard Operating Procedures ▪Disaster Recovery ▪ Change Management ▪ Incident Management ▪ Monthly Maintenance ▪ Vulnerability Management ▪ Other SOPs ▪ Common operations (onboard & offboard customers)
  • 19.
    ▪ Faster ▪ Removeshuman error ▪ Scripting for common tasks ▪ New customer ▪ Resolver Core environment deploy ▪ Cattle, not pets ▪ Replace servers with secure versions ▪ No need to remote into containers Automation
  • 20.
    Policies ▪ InfoSec Policy ▪Change Control ▪ Hiring Process ▪ Termination Process ▪ Security Assessment Process ▪ Incident Management Policy ▪ Security Awareness Training Policy ▪ Server Capacity Policy ▪ Server Hardening Policy ▪ Data Classification ▪ Password Policy ▪ Cryptography Policy ▪ Patch Management Policy ▪ Remote Access Policy
  • 21.
    Penetration Testing ▪ Annual ▪Third Party ▪ Black box, authenticated, comprehensive ▪ OWASP ▪ Top 10 ▪ Application Security Verification Standard ▪ Data segregation ▪ Application logic
  • 22.
  • 23.