This document provides an overview of information security management based on an ISO approach. It discusses key ISO security categories and controls, including risk management, policy management, security organization management, and others. Sample organizational charts and resources for further information are also included. The document aims to help map strengths and responsibilities to different security areas.
Information security management best practiceparves kamal
ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000.
Information security focuses on protecting valuable information that will help businesses to succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of Information Security.
For more such innovative content on management studies, join WeSchool PGDM-DLP Program: http://bit.ly/ZEcPAc
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.IGN MANTRA
ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.IGN MANTRA
ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018
Information security management best practiceparves kamal
ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000.
Information security focuses on protecting valuable information that will help businesses to succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of Information Security.
For more such innovative content on management studies, join WeSchool PGDM-DLP Program: http://bit.ly/ZEcPAc
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.IGN MANTRA
ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.IGN MANTRA
ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.IGN MANTRA
ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015
Relatore: Denis Cassinerio
Security Business Unit Director di Hitachi Systems CBT
We live in a digital world in which our happiness, health, and even our lives can depend on the performance of technology. From medical equipment to cars, and home security systems to smartphones, computerized equipment plays a greater role in the human experience with each passing year.
The state of being protected against the unauthorized use of information, especially electronic data, or the measures are taken to achieve this.
"the growing use of mobile applications is posing a risk to information security"
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.IGN MANTRA
ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015
Relatore: Denis Cassinerio
Security Business Unit Director di Hitachi Systems CBT
We live in a digital world in which our happiness, health, and even our lives can depend on the performance of technology. From medical equipment to cars, and home security systems to smartphones, computerized equipment plays a greater role in the human experience with each passing year.
The state of being protected against the unauthorized use of information, especially electronic data, or the measures are taken to achieve this.
"the growing use of mobile applications is posing a risk to information security"
This is the general orientation for the new beginner who wants to make their career in IT Audit. This contains very less technical and more counselling terms and topics.
Heureka Webinar – Security, the Growth Engine for eDiscovery ProfessionalsHeureka Software
Cybersecurity threats and data breaches cost companies millions of dollars in lost intellectual property, trade secrets and fines from mishandled privacy information.
Even worse, hackers increasingly see law firms as an easy target to acquire valuable data on clients.
And yet, many security folks still need the expertise gained from the legal/ediscovery world.
Heureka and special guest Donald A. Wochna, Esq. discuss the shift from eDiscovery to Security and back again!
Building an effective Information Security RoadmapElliott Franklin
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the
pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week
on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This
presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy
in for multiple enterprise wide security projects.
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”
Security Architecture Best Practices for SaaS ApplicationsTechcello
Gartner has predicted 18-20% growth in SaaS market, and expects it to hit US $22.1 billion by the year 2015. They have also measured that SaaS adoption rate has increased many fold in the last few years (almost 71% of enterprises use SaaS solutions).
BSIMM: Bringing Science to Software SecurityCigital
There is an old management adage that says “You can’t manage what you don’t measure.” The Building Security in Maturity Model (BSIMM) applies scientific principles to the field of software security to effectively measure security activities across industries and business units. The BSIMM enables experts like you to discover what exists in the application security universe, how those things work today, how they worked in the past and how they are likely to work in the future.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
Why do many managed services relationships fail? And fail again? Both organizations need to be aligned up front and hold hands during onboarding. This presentation covers the top five focus areas. Many MSSP relationships are doomed at the onboarding stage when an organization first becomes a customer. Given how critical these early stage activities are to your partnership, it's imperative to understand the top five areas of focus: technology deployment (the easy part, getting the tech running); the call tree (who do I wake up at 3 a.m.?); process sync (the fun part: mutual synchronization on who does what and when); access, access, access (you need access to do something); and the context of technology (the need to understand your shop).
What you’ll take away:
Understand proven success criteria for successful outsourcing of security operations
Learn how to align security technologies to security processes, and the key focus areas of security operations
Access to key checklists and charts to drive onboarding of managed services
An understanding of specific terms and conditions that need to be included in data-related contracts under applicable laws
Discover how other organizations have succeeded and failed in MSSP relations
How do we separate hype from useful information in Cyber Security? As Congress is debating a National privacy law, and several states have their own privacy and breach reporting laws including Georgia, how will that impact our workload? Privacy starts with good cyber-hygiene. We will look at how we can leverage the focus on Privacy to address standards for:
Firewall and network setups
Cloud security
Protocols and ports that need attention
Authentication best practices
Server and network rights
Password rules
“Are we secure?” It’s the most dreaded question that information security and risk management professionals need to answer. Compliance is a useful starting point, but the number of “compliant” organizations who still suffered a data breach is proof positive that compliance simply isn’t enough. That’s where maturity models come into play. In this presentation, I’ll show you how to apply a capability maturity model (CMM) to your identity and access management (IAM) program, using that model to assess where you are today. I’ll also share tools and techniques you can use to accelerate improvements to your program.
Hacking identity: A Pen Tester's Guide to IAMJerod Brennen
Know your opponent and know yourself. It held true for Sun Tzu 2500 years ago, and it holds true for pen testers today. A pen tester who has worked in sec ops role has a distinct advantage, especially if that pen tester has a solid grasp of the good, the bad, and the ugly of identity and access management (IAM) in an enterprise setting. For red teams, this presentation will cover pen testing tips and tricks to circumvent weak or missing IAM controls. For blue teams, we’ll also cover the steps you can take to shore up your IAM controls and catch pen testers in the act. Purple teaming, FTW!
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)Jerod Brennen
With global information security spending rapidly approaching $100 billion, you'd think we,d have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you,re probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester,s process, step-by-step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we,ll discuss the fundamental security controls that will shut down attackers time and again.
Automating Security Testing with the OWTFJerod Brennen
When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.
Open Source Intelligence Gathering (OSINT) is growing in popularity among attackers and defenders alike. When an attacker comes knocking on your network's front door, the warning lights go off in multiple systems (IDS, IPS, SIEM, WAF). More sophisticated attackers, however, spend considerable time gathering information using tools and techniques that never touch any of your systems. As a result, these attackers are able to execute their attacks and make off with proprietary data before you even know they are there. This presentation provides an introduction to many OSINT tools and techniques, as well as methods you can use to minimize your exposure.
Running Your Apps Through the "Gauntlt"Jerod Brennen
It’s generally accepted that built-in app security controls are more effective than bolted-on app security controls. In order to produce rugged software, though, developers need procedures and tools that will help them identify and remediate potential security weaknesses before an app leaves QA. That’s where Gauntlt comes in. Gauntlt’s slogan is, “Be mean to your code and like it,” and the Gauntlt Starter Kit is designed to help you beat up your code pre-deployment. Jerod’s going to introduce you to the Gauntlt Starter Kit and show you how you can bake Gauntlt into your own app dev projects.
PCI. HIPAA. CFPB. We're KILLING small businesses with over-regulation in the name of security, while turning a blind eye to the fact that the cost of over-regulation is doing more harm than good, distracting business owners from realistically focusing on the risks that apply to their companies. It's time to have an open, honest conversation about a "common sense" security framework.
Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen
Admit it: mobile is sexy. Unfortunately, companies are giving into corporate peer pressure and publishing mobile apps before integrating appsec into the mobile app development process. This gives attackers another venue of attack, one with the potential of circumventing the host, network, and application security controls that the security team has already implemented. The purpose of this presentation is to show attendees how attackers can deconstruct mobile apps to find these attack vectors and (more importantly) how to close these security holes before the apps are published to public app stores.
Bridging the Social Media Implementation/Audit GapJerod Brennen
It's one thing to embrace social media, but it's another thing entirely to embrace it securely. This presentation helps organizations understand what steps should be taken to ensure that their social media properties aren't abused or exploited to attack the organization.
Attacking and Defending Mobile ApplicationsJerod Brennen
The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation provides attendees with insight into how mobile application attacks are perpetuated, as well as how we can develop to defend against them.
What are the main advantages of using HR recruiter services.pdfHumanResourceDimensi1
HR recruiter services offer top talents to companies according to their specific needs. They handle all recruitment tasks from job posting to onboarding and help companies concentrate on their business growth. With their expertise and years of experience, they streamline the hiring process and save time and resources for the company.
Personal Brand Statement:
As an Army veteran dedicated to lifelong learning, I bring a disciplined, strategic mindset to my pursuits. I am constantly expanding my knowledge to innovate and lead effectively. My journey is driven by a commitment to excellence, and to make a meaningful impact in the world.
Skye Residences | Extended Stay Residences Near Toronto Airportmarketingjdass
Experience unparalleled EXTENDED STAY and comfort at Skye Residences located just minutes from Toronto Airport. Discover sophisticated accommodations tailored for discerning travelers.
Website Link :
https://skyeresidences.com/
https://skyeresidences.com/about-us/
https://skyeresidences.com/gallery/
https://skyeresidences.com/rooms/
https://skyeresidences.com/near-by-attractions/
https://skyeresidences.com/commute/
https://skyeresidences.com/contact/
https://skyeresidences.com/queen-suite-with-sofa-bed/
https://skyeresidences.com/queen-suite-with-sofa-bed-and-balcony/
https://skyeresidences.com/queen-suite-with-sofa-bed-accessible/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-king-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed-accessible/
#Skye Residences Etobicoke, #Skye Residences Near Toronto Airport, #Skye Residences Toronto, #Skye Hotel Toronto, #Skye Hotel Near Toronto Airport, #Hotel Near Toronto Airport, #Near Toronto Airport Accommodation, #Suites Near Toronto Airport, #Etobicoke Suites Near Airport, #Hotel Near Toronto Pearson International Airport, #Toronto Airport Suite Rentals, #Pearson Airport Hotel Suites
Putting the SPARK into Virtual Training.pptxCynthia Clay
This 60-minute webinar, sponsored by Adobe, was delivered for the Training Mag Network. It explored the five elements of SPARK: Storytelling, Purpose, Action, Relationships, and Kudos. Knowing how to tell a well-structured story is key to building long-term memory. Stating a clear purpose that doesn't take away from the discovery learning process is critical. Ensuring that people move from theory to practical application is imperative. Creating strong social learning is the key to commitment and engagement. Validating and affirming participants' comments is the way to create a positive learning environment.
Attending a job Interview for B1 and B2 Englsih learnersErika906060
It is a sample of an interview for a business english class for pre-intermediate and intermediate english students with emphasis on the speking ability.
[Note: This is a partial preview. To download this presentation, visit:
https://www.oeconsulting.com.sg/training-presentations]
Sustainability has become an increasingly critical topic as the world recognizes the need to protect our planet and its resources for future generations. Sustainability means meeting our current needs without compromising the ability of future generations to meet theirs. It involves long-term planning and consideration of the consequences of our actions. The goal is to create strategies that ensure the long-term viability of People, Planet, and Profit.
Leading companies such as Nike, Toyota, and Siemens are prioritizing sustainable innovation in their business models, setting an example for others to follow. In this Sustainability training presentation, you will learn key concepts, principles, and practices of sustainability applicable across industries. This training aims to create awareness and educate employees, senior executives, consultants, and other key stakeholders, including investors, policymakers, and supply chain partners, on the importance and implementation of sustainability.
LEARNING OBJECTIVES
1. Develop a comprehensive understanding of the fundamental principles and concepts that form the foundation of sustainability within corporate environments.
2. Explore the sustainability implementation model, focusing on effective measures and reporting strategies to track and communicate sustainability efforts.
3. Identify and define best practices and critical success factors essential for achieving sustainability goals within organizations.
CONTENTS
1. Introduction and Key Concepts of Sustainability
2. Principles and Practices of Sustainability
3. Measures and Reporting in Sustainability
4. Sustainability Implementation & Best Practices
To download the complete presentation, visit: https://www.oeconsulting.com.sg/training-presentations
Improving profitability for small businessBen Wann
In this comprehensive presentation, we will explore strategies and practical tips for enhancing profitability in small businesses. Tailored to meet the unique challenges faced by small enterprises, this session covers various aspects that directly impact the bottom line. Attendees will learn how to optimize operational efficiency, manage expenses, and increase revenue through innovative marketing and customer engagement techniques.
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...BBPMedia1
Marvin neemt je in deze presentatie mee in de voordelen van non-endemic advertising op retail media netwerken. Hij brengt ook de uitdagingen in beeld die de markt op dit moment heeft op het gebied van retail media voor niet-leveranciers.
Retail media wordt gezien als het nieuwe advertising-medium en ook mediabureaus richten massaal retail media-afdelingen op. Merken die niet in de betreffende winkel liggen staan ook nog niet in de rij om op de retail media netwerken te adverteren. Marvin belicht de uitdagingen die er zijn om echt aansluiting te vinden op die markt van non-endemic advertising.
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...BBPMedia1
Grote partijen zijn al een tijdje onderweg met retail media. Ondertussen worden in dit domein ook de kansen zichtbaar voor andere spelers in de markt. Maar met die kansen ontstaan ook vragen: Zelf retail media worden of erop adverteren? In welke fase van de funnel past het en hoe integreer je het in een mediaplan? Wat is nu precies het verschil met marketplaces en Programmatic ads? In dit half uur beslechten we de dilemma's en krijg je antwoorden op wanneer het voor jou tijd is om de volgende stap te zetten.
Enterprise Excellence is Inclusive Excellence.pdfKaiNexus
Enterprise excellence and inclusive excellence are closely linked, and real-world challenges have shown that both are essential to the success of any organization. To achieve enterprise excellence, organizations must focus on improving their operations and processes while creating an inclusive environment that engages everyone. In this interactive session, the facilitator will highlight commonly established business practices and how they limit our ability to engage everyone every day. More importantly, though, participants will likely gain increased awareness of what we can do differently to maximize enterprise excellence through deliberate inclusion.
What is Enterprise Excellence?
Enterprise Excellence is a holistic approach that's aimed at achieving world-class performance across all aspects of the organization.
What might I learn?
A way to engage all in creating Inclusive Excellence. Lessons from the US military and their parallels to the story of Harry Potter. How belt systems and CI teams can destroy inclusive practices. How leadership language invites people to the party. There are three things leaders can do to engage everyone every day: maximizing psychological safety to create environments where folks learn, contribute, and challenge the status quo.
Who might benefit? Anyone and everyone leading folks from the shop floor to top floor.
Dr. William Harvey is a seasoned Operations Leader with extensive experience in chemical processing, manufacturing, and operations management. At Michelman, he currently oversees multiple sites, leading teams in strategic planning and coaching/practicing continuous improvement. William is set to start his eighth year of teaching at the University of Cincinnati where he teaches marketing, finance, and management. William holds various certifications in change management, quality, leadership, operational excellence, team building, and DiSC, among others.
Falcon stands out as a top-tier P2P Invoice Discounting platform in India, bridging esteemed blue-chip companies and eager investors. Our goal is to transform the investment landscape in India by establishing a comprehensive destination for borrowers and investors with diverse profiles and needs, all while minimizing risk. What sets Falcon apart is the elimination of intermediaries such as commercial banks and depository institutions, allowing investors to enjoy higher yields.
Business Valuation Principles for EntrepreneursBen Wann
This insightful presentation is designed to equip entrepreneurs with the essential knowledge and tools needed to accurately value their businesses. Understanding business valuation is crucial for making informed decisions, whether you're seeking investment, planning to sell, or simply want to gauge your company's worth.
Cracking the Workplace Discipline Code Main.pptxWorkforce Group
Cultivating and maintaining discipline within teams is a critical differentiator for successful organisations.
Forward-thinking leaders and business managers understand the impact that discipline has on organisational success. A disciplined workforce operates with clarity, focus, and a shared understanding of expectations, ultimately driving better results, optimising productivity, and facilitating seamless collaboration.
Although discipline is not a one-size-fits-all approach, it can help create a work environment that encourages personal growth and accountability rather than solely relying on punitive measures.
In this deck, you will learn the significance of workplace discipline for organisational success. You’ll also learn
• Four (4) workplace discipline methods you should consider
• The best and most practical approach to implementing workplace discipline.
• Three (3) key tips to maintain a disciplined workplace.
The world of search engine optimization (SEO) is buzzing with discussions after Google confirmed that around 2,500 leaked internal documents related to its Search feature are indeed authentic. The revelation has sparked significant concerns within the SEO community. The leaked documents were initially reported by SEO experts Rand Fishkin and Mike King, igniting widespread analysis and discourse. For More Info:- https://news.arihantwebtech.com/search-disrupted-googles-leaked-documents-rock-the-seo-world/
What is the TDS Return Filing Due Date for FY 2024-25.pdfseoforlegalpillers
It is crucial for the taxpayers to understand about the TDS Return Filing Due Date, so that they can fulfill your TDS obligations efficiently. Taxpayers can avoid penalties by sticking to the deadlines and by accurate filing of TDS. Timely filing of TDS will make sure about the availability of tax credits. You can also seek the professional guidance of experts like Legal Pillers for timely filing of the TDS Return.
4. Where Are You?
• You’re not working in infosec yet, but you desperately want to move into
that field.
• You’re a newly minted CISSP with your eyes on a position in infosec
management / leadership.
• You’ve recently accepted an infosec management / leadership position in a
company that doesn’t have an established (formalized) security program.
• You’ve been in security management / leadership for years, and you want to
take a step back and look at the entire program to determine whether or not
you’re covering all the bases.
• You’ve recently made a move into consulting, and you want to ensure that
your service offerings are appropriate for large enterprises and small /
medium businesses.
5.
6. Key Points About ISO 27k
• International Standard
▫ Actually, sixteen (16) standards
▫ 27000 – 27008, 27010 – 27011, 27031, 27033-1, 27044-1, 27035
▫ 27799: ISO27k for the healthcare industry
• 27001: Information technology -- Security techniques --
Information security management systems -- Requirements
• 27002: Information technology -- Security techniques --
Code of practice for information security management
▫ Twelve (12) categories of security management
• Formal Certification vs. Informal Adoption
▫ Your mileage may vary
10. Risk Management
• Questions
▫ What could go wrong?
▫ How do our controls stack up?
▫ Are we spending a dollar to protect a dime?
▫ What’s our risk appetite?
• Controls
▫ Perform a risk assessment
Risk = Likelihood x Impact
NIST (800-37)
FAIR (Factor Analysis of Information Risk)
11. Policy Management
• Questions
▫ What rules do we expect our employees to follow?
▫ How do we do what we do?
• Controls
▫ Policies, Standards, Procedures
Policy = Rules, high level
Standard = Technical requirements, detailed
Procedure = Step-by-step instructions
▫ Starting point = three(3) critical policies
Information Security Policy
Data Classification Policy
Acceptable Use Policy
▫ If you expect employees to know what’s expected of them, you
have to write it down!
12. Security Organization Management
• Questions
▫ Who’s going to do all this?
• Controls
▫ Executive Sponsorship
▫ Information Security Steering Committee
▫ Information Security Team
Internal vs. External (NDA!)
Matrixed
13. Asset Management
• Questions
▫ What information assets do we have?
▫ How do systems enter the organization?
▫ What do we do with retired systems?
• Controls
▫ Asset tracking system
Discovery
Inventory
▫ Technology Purchase Request form
14. HR Security Management
• Questions
▫ Do we have job descriptions for the security team?
▫ Do our employees really know what’s expected of
them?
▫ Should we be doing background checks or credit
checks on any employees?
• Controls
▫ Job Descriptions
Manager, Senior Analyst, Analyst
▫ Non-Disclosure Agreement (NDA)
▫ Security Awareness Training
▫ Onboarding and Separations Procedures
15. Physical Security Management
• Questions
▫ What’s our perimeter?
▫ Could someone walk into any of our locations and take
something that doesn’t belong to them?
• Controls
▫ Locks
Sensitive areas
▫ Badges
Employee, Contractor, or Visitor?
▫ Physical Security Assessment
16. Security Operations Management
• Questions
▫ Who’s responsible for the day-to-day security stuff?
▫ What exactly is the day-to-day security stuff?
• Controls
▫ Security Operations Procedures
Change Control
▫ Antimalware
▫ Encryption
▫ Logging and Monitoring
Enabled, centralized, and detailed
17. Access Management
• Questions
▫ Does everyone have access to what they need in order to do
their jobs?
▫ Can unmanaged devices attach to our network?
• Controls
▫ Principle of least privilege
▫ Centralized user directory
▫ Access reviews
▫ Password management
▫ Lock screens
▫ Multi-factor authentication
▫ Port security
18. Information Security Systems Management
• Questions
▫ How do we secure new systems before we add them to our
network?
▫ Do we have production data in non-production systems?
• Controls
▫ System hardening process
▫ Software Development Lifecycle (SDLC)
▫ Change control procedures
Change Approval Board (CAB)
▫ Vulnerability management procedures
Development, QA, Production
Scan EVERYTHING (hosts, databases, apps)
Penetration testing (validate your controls)
19. Security Incident Management
• Questions
▫ What could go wrong?
▫ What’s already gone wrong?
▫ What do we do when something goes wrong?
• Controls
▫ Security Incident Response
One Policy
Many Procedures
▫ Security Information Event Management (SIEM) system
▫ Training
End User Security Awareness
Incident Response
Forensics
▫ Tabletop Exercises
20. Business Continuity Management
• Questions
▫ How will we recover from a disaster?
▫ How will we keep the business going during the
recovery process?
• Controls
▫ Disaster Recovery Plan
▫ Business Continuity Plan
▫ Backups
▫ Tabletop Exercises
21. Compliance Management
• Questions
▫ What do I need to comply with?
HIPAA, PCI, NERC/FERC, SOX, COPPA, etc.
External and Internal
• Controls
▫ Documented Compliance Procedures
Who is responsible for what?
When is it due?
▫ Unified Compliance Framework
▫ Audits
External and Internal
Scheduled, non-intrusive, and independent
22.
23. Skillset Groupings
Business (People) Process Technical (*ology)
Security Organization Risk Physical
HR Security Asset
Business Continuity Security Operations
Security Incident Information Security Systems
Policy
Compliance
This chart identifies key strengths, which align with areas of ownership.
24. Business Skillset
• “People person”
• Information security governance
• Compliance and regulatory knowledge
• Understand integration points among business,
security, and compliance
• Managing people
• (ISC)2 CISSP and/or ISACA CISM
▫ Hardcore = SANS Masters Degree in Information
Security
25. Process Skillset
• Accountant
• Blend of business and technology
• Policies, standards, procedures
• Understanding of business process flows
• ISACA CISA
26. Technical Skillset
• Geek / Nerd
• System administration
• Active in technical/security user groups
• Deep knowledge of specific technologies
• (ISC)2 CISSP + Specific tech certs
27. Core Team
• Manager
▫ Business-oriented, with understanding of tech and process
▫ The buck stops here
▫ Strategic
• Senior
▫ Highly Technical and Process-Oriented, with business knowledge
▫ Primary and Secondary
▫ Strategic + Tactical
• Junior
▫ Technical and Process-Oriented
▫ Primary and Secondary
▫ Tactical + Operational
28. Sample Org Chart
Manager
-> Security Organization
Technical (Senior)
-> Security Operations
-> Information Security Systems
Technical (Junior)
-> Security Operations
-> Physical
-> Asset
Process (Senior)
-> Policy
-> Risk
-> Business Continuity
-> Security Incident
Process (Junior)
-> Policy
-> HR
-> Compliance
-> Security Incident
29.
30. Resources
• Wikipedia
▫ http://en.wikipedia.org/wiki/ISO/IEC_27001
▫ http://en.wikipedia.org/wiki/ISO/IEC_27002
• International Organization for Standardization
▫ ISO/IEC 27001:2005
http://www.iso.org/iso/catalogue_detail?csnumber=42103
▫ ISO/IEC 27002:2005
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm
?csnumber=50297
• The ISO 27000 Directory
▫ http://www.27000.org/iso-27001.htm
• ISO 27001 Security <- GREAT starting point
▫ http://www.iso27001security.com/
32. Even More Resources
• SANS 20 Critical Security Controls
▫ http://www.sans.org/critical-security-controls/
• GIAC Certified ISO-27000 Specialist
▫ http://www.giac.org/certification/certified-iso-27000-specialist-g2700
• Australian Department of Defence Top 35 Mitigation Strategies
▫ http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
• Information Security… Simplified
▫ http://www.infosecsimplified.com/
• IT Security Career
▫ http://www.itsecuritycareer.com/
33. Professional Organizations
• ISSA (Information Systems Security Organization)
▫ http://www.issa.org/
• ISACA (Information Systems Audit and Control Association)
▫ https://www.isaca.org/
• SANS
▫ http://www.sans.org/
• InfraGard
▫ http://www.infragard.net/
• OWASP (Open Web Application Security Project)
▫ https://www.owasp.org/