Managing a Security Program
(when you are not a security expert)
An Information Security Road Trip
Javed Ikbal
2016 ROCKY MOUNTAIN SUMMIT
This session is for you…
• If you do not have an IT or Information Security background
– But are tasked with running an information security program, or,
– You are responsible for a critical piece of information security or audit in your organization
– Or you want to know what the big deal is.
• If your company already has a mature information security program, this may not be for you
Learning Objectives
• This is not a technical session.
• A roadmap is presented
– Common potholes / road closures / rogue drivers will be pointed out (when possible)
• After completion, you will be able to:
– Understand the map
– Figure out where you are
– Predict a time to get to your destination
– Estimate the gas and food needed to get there
So you can avoid becoming a headline
• 97% of breaches were avoidable through simple or intermediate controls.
– Easy improvements can make big differences
• 79% of victims were targets of opportunity.
– Make it harder for the bad guys
• 85% of breaches took weeks or more to discover.
– Breaches happen. Find them early
• 92% of incidents were discovered by a third party.
– Don’t end up on the front page of a newspaper (before your CEO knows about it)
What is information security?
• Limit access to authorized people only
• Ensure those authorized people can access the information when needed
• Prevent unauthorized modification
The basic necessities
• Prerequisites for a successful information security program:
– Management support (the fuel and food)
• A written, approved information security program
• Budget!
• Tone from the top
– Policies (the traffic rules/laws)
The Fuel
• Without management support, it is tough to be successful
• Create a business case by using what drives management:
– REPUTATION, REGULATION, REVENUE
• Written information security program (WISP)
– Not a policy
– More a narrative of your security posture
– Describes the elements of your security program
– http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf
– http://www.buchananassociates.com/Buchanan-Associates-Sample-Template-Written-Information-Security-Plan-WISP.pdf
The Traffic Laws
• Acceptable Use Policy
– If you don’t have one, fix it ASAP.
– https://www.sans.org/security-resources/policies/general/doc/acceptable-use-policy
• A badly written policy could be dangerous
– Do not include something that you cannot enforce
– Do not fill it up with legalese
The Traffic Laws
• Information Security Policy
– http://www.ucisa.ac.uk/~/media/Files/publications/toolkits/ist/ISTEd3%20pdf
• Password Protection Policy
– https://www.sans.org/security-resources/policies/general/doc/password-protection-policy
• Information / Risk Classification
– https://uit.stanford.edu/guide/riskclassifications
• Vendor / 3rd party Security Requirements
– http://www.brighthorizons.com/suppliercenter/baseline-third-party-security-requirements
Leaving a laptop in the car?
• Conduct a data inventory
– What data do you have?
– Where does it live?
– What protections should be in place?
– What protections are in place?
Teach the kids to not talk to strangers
Stranger Danger
• Phishing
• Ransomware
• W-2 scam
• Awareness is the best bang for the buck
Teach the kids 9-1-1
• What happens when something goes bad?
– Do you have an incident response plan?
– Remember the inventory?
• Do breach notification laws apply?
• What jurisdictions?
– Who does what in a breach?
– Can you contact the team when needed?
– Who is authorized to declare an “incident”?
– Who is authorized to talk to the media?
– Who is authorized to call law enforcement?
Is there a spare tire?
• Do you have backups?
• Are the backups protected as well as the primary data?
• How long ago was the last backup? (Recovery Point Objective: RPO)
• How long will it take to become operational? (Recovery Time Objective: RTO)
Oil change? Coolant? Recall notice?
• How often do you install security patches?
• What do you patch?
• How soon do you install a new patch?
• Do you monitor security bulletins?
Did I lock the doors?
• What are the physical security controls?
• Are your servers in a secure location?
• Do we have video surveillance of entry/exit points?
• Do we have logs of entry to all secure locations?
• Are users trained to not let in strangers?
Lunch options: Chain or Local?
• Security begins (and sadly, often ends) at your vendor
• Do your due diligence
• Require security measures appropriate to the risks
Did we turn off the oven?
• Center for Internet Security Critical Controls:
– https://www.cisecurity.org/critical-controls.cfm
– Technical help is needed to implement these, but understanding them does not require a technical background
Critical Security Controls
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises
Where are we?
• Start with the critical controls, and score your company on each item
1. Initial: Processes are unpredictable. Not much documentation.
2. Managed: Processes are documented, but not always followed. Often reactive.
3. Defined: Processes are documented and proactive.
4. Quantitatively managed: Processes are measured and controlled.
5. Optimized: Continuous process improvement.
Are we there yet?
• “How long” is a tough question
– From 1 to 2: 6-12 months
– From 2 to 3: 12-18 months
– From 3 to 4: 18 months
• Depends on how much money and effort you want to throw at the problem
• Secure your doors (perimeter network) first
• Awareness and patching are quick wins
• Then the engine (applications and databases)
Car making strange noise?
• If you have one or more “Initial” ratings, that is a bad sign.
• “Managed” is barely acceptable (depends on your industry)
• “Defined” or “Quantitatively Managed” is where we should be.
• “Optimized” is a lofty goal, but can be attained.
The maintenance schedule
• NIST Cybersecurity Framework
– http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• There are other frameworks
– The one from NIST is free
– And it is pretty good
– If you do business with the Federal government, you might be forced to use this
When you are the mechanic
• If you are auditing vendors or clients:
– Review policies
– Ask questions based on data types and risks (inventory)
– You can use Google’s questionnaire:
• https://vsaq-demo.withgoogle.com/
• https://github.com/google/vsaq
– Ask for evidence
– Ask if they have implemented:
• Critical controls
• A security framework
• Ask for evidence
– Repeat based on risk (1 year / 3 year)
Information Security: brakes?
• A car can travel fast if the driver knows it has good brakes
• Information security has the same function: it enables the business
• Policies and standards are the lane markings and guardrails
– Just like their road equivalent, they can’t stop people from going off the road
• Our job is to keep people in the marked lanes
Questions
SAP S/4 HANA sourcing and procurement to Public cloud
maazsz111
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 

Recently uploaded (20)

Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 

Managing a security program (when you are not a security expert)

Managing a Security Program
(when you are not a security expert)
An Information Security Road Trip
Javed Ikbal
2016 ROCKY MOUNTAIN SUMMIT

This session is for you…
• If you do not have an IT or Information Security background
– But are tasked with running an information security program, or,
– You are responsible for a critical piece of information security or audit in your organization
– Or you want to know what the big deal is.
• If your company already has a mature information security program, this may not be for you
2016 ROCKY MOUNTAIN SUMMIT 2

Learning Objectives
• This is not a technical session.
• A roadmap is presented
– Common potholes / road closures / rogue drivers will be pointed out (when possible)
• After completion, you will be able to:
– Understand the map
– Figure out where you are
– Predict a time to get to your destination
– Estimate the gas and food needed to get there
2016 ROCKY MOUNTAIN SUMMIT 3

So you can avoid becoming a headline
• 97% of breaches were avoidable through simple or intermediate controls.
– Easy improvements can make big differences
• 79% of victims were targets of opportunity.
– Make it harder for the bad guys
• 85% of breaches took weeks or more to discover.
– Breaches happen. Find them early
• 92% of incidents were discovered by a third party.
– Don’t end up on the front page of a newspaper (before your CEO knows about it)
2016 ROCKY MOUNTAIN SUMMIT 4

What is information security?
• Limit access to authorized people only
• Ensure those authorized people can access the information when needed
• Prevent unauthorized modification
2016 ROCKY MOUNTAIN SUMMIT 6

The basic necessities
• Prerequisites for a successful information security program:
– Management support (the fuel and food)
• A written, approved information security program
• Budget!
• Tone from the top
– Policies (the traffic rules/laws)
2016 ROCKY MOUNTAIN SUMMIT 7

The Fuel
• Without management support, it is tough to be successful
• Create a business case by using what drives management:
– REPUTATION, REGULATION, REVENUE
• Written information security program (WISP)
– Not a policy
– More a narrative of your security posture
– Describes the elements of your security program
– http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf
– http://www.buchananassociates.com/Buchanan-Associates-Sample-Template-Written-Information-Security-Plan-WISP.pdf
2016 ROCKY MOUNTAIN SUMMIT 8

The Traffic Laws
• Acceptable Use Policy
– If you don’t have one, fix it ASAP.
– https://www.sans.org/security-resources/policies/general/doc/acceptable-use-policy
• A badly written policy could be dangerous
– Do not include something that you cannot enforce
– Do not fill it up with legalese
2016 ROCKY MOUNTAIN SUMMIT 9

The Traffic Laws
• Information Security Policy
– http://www.ucisa.ac.uk/~/media/Files/publications/toolkits/ist/ISTEd3%20pdf
• Password Protection Policy
– https://www.sans.org/security-resources/policies/general/doc/password-protection-policy
• Information / Risk Classification
– https://uit.stanford.edu/guide/riskclassifications
• Vendor / 3rd party Security Requirements
– http://www.brighthorizons.com/suppliercenter/baseline-third-party-security-requirements
2016 ROCKY MOUNTAIN SUMMIT 10

Leaving a laptop in the car?
• Conduct a data inventory
– What data do you have?
– Where does it live?
– What protections should be in place?
– What protections are in place?
2016 ROCKY MOUNTAIN SUMMIT 11

Teach the kids to not talk to strangers
2016 ROCKY MOUNTAIN SUMMIT 12

Stranger Danger
• Phishing
• Ransomware
• W-2 scam
• Awareness is the best bang for the buck
2016 ROCKY MOUNTAIN SUMMIT 13

Teach the kids 9-1-1
• What happens when something goes bad?
– Do you have an incident response plan?
– Remember the inventory?
• Do breach notification laws apply?
• What jurisdictions?
– Who does what in a breach?
– Can you contact the team when needed?
– Who is authorized to declare an “incident”?
– Who is authorized to talk to the media?
– Who is authorized to call law enforcement?
2016 ROCKY MOUNTAIN SUMMIT 14

Is there a spare tire?
• Do you have backups?
• Are the backups protected as well as the primary data?
• How long ago was the last backup? (Recovery Point Objective: RPO)
• How long will it take to become operational? (Recovery Time Objective: RTO)
2016 ROCKY MOUNTAIN SUMMIT 15

Oil change? Coolant? Recall notice?
• How often do you install security patches?
• What do you patch?
• How soon do you install a new patch?
• Do you monitor security bulletins?
2016 ROCKY MOUNTAIN SUMMIT 16

Did I lock the doors?
• What are the physical security controls?
• Are your servers in a secure location?
• Do we have video surveillance of entry/exit points?
• Do we have logs of entry to all secure locations?
• Are users trained to not let in strangers?
2016 ROCKY MOUNTAIN SUMMIT 17

Lunch options: Chain or Local?
• Security begins (and sadly, often ends) at your vendor
• Do your due diligence
• Require security measures appropriate to the risks
2016 ROCKY MOUNTAIN SUMMIT 18

Did we turn off the oven?
• Center for Internet Security Critical Controls:
– https://www.cisecurity.org/critical-controls.cfm
– Technical help is needed to implement these, but understanding them does not require a technical background
2016 ROCKY MOUNTAIN SUMMIT 19

Critical Security Controls
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises
2016 ROCKY MOUNTAIN SUMMIT 20

Where are we?
• Start with the critical controls, and score your company on each item:
1. Initial: Processes are unpredictable. Not much documentation.
2. Managed: Processes are documented, but not always followed. Often reactive.
3. Defined: Processes are documented and proactive.
4. Quantitatively managed: Processes are measured and controlled.
5. Optimized: Continuous process improvement.
2016 ROCKY MOUNTAIN SUMMIT 21

Are we there yet?
• “How long” is a tough question
– From 1 to 2: 6-12 months
– From 2 to 3: 12-18 months
– From 3 to 4: 18 months
• Depends on how much money and effort you want to throw at the problem
• Secure your doors (perimeter network) first
• Awareness and patching are quick wins
• Then the engine (applications and databases)
2016 ROCKY MOUNTAIN SUMMIT 22

Car making strange noise?
• If you have one or more “Initial” scores, that is a bad sign.
• “Managed” is barely acceptable (depends on your industry)
• “Defined” or “Quantitatively Managed” is where we should be.
• “Optimized” is a lofty goal, but can be attained.
2016 ROCKY MOUNTAIN SUMMIT 23

The maintenance schedule
• NIST Cybersecurity Framework
– http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• There are other frameworks
– The one from NIST is free
– And it is pretty good
– If you do business with the Federal government, you might be forced to use this
2016 ROCKY MOUNTAIN SUMMIT 24

The maintenance schedule
2016 ROCKY MOUNTAIN SUMMIT 25

When you are the mechanic
• If you are auditing vendors or clients:
– Review policies
– Ask questions based on data types and risks (inventory)
– You can use Google’s questionnaire:
• https://vsaq-demo.withgoogle.com/
• https://github.com/google/vsaq
– Ask for evidence
– Ask if they have implemented:
• Critical controls
• A security framework
• Ask for evidence
– Repeat based on risk (1 year / 3 year)
2016 ROCKY MOUNTAIN SUMMIT 26

Information Security: brakes?
• A car can travel fast if the driver knows it has good brakes
• Information security has the same function: it enables the business
• Policies and standards are the lane markings and guardrails
– Just like their road equivalent, they can’t stop people from going off the road
• Our job is to keep people in the marked lanes
2016 ROCKY MOUNTAIN SUMMIT 27

Questions
2016 ROCKY MOUNTAIN SUMMIT