The document discusses how information security professionals can take a more proactive approach. It recommends developing a standard questionnaire to complete as part of the change process to identify security impacts early. This helps integrate security into processes. It also suggests implementing a Privacy and Security Impact Assessment tool to identify and mitigate risks associated with new systems before operationalization. Using these tools can help information security professionals address issues proactively before they become threats, build a culture of security, and provide assurance to executive teams.

1. Proactive
Information
Security
Asking the Right Questions
Michael Calderin, CISSP-ISSMP, CCISO, CEH
michael@calder.in
http://calder.in

2. Are you a roadblock to progress?
 Information security must evolve from just an IT
project to the core of critical business decisions.
 As an Information Security Leader:
 You must protect enterprise data from compromise
 AND drive innovation at the same time
Gartner, Inc. (2014). Information Security. Retrieved from Gartner:
http://www.gartner.com/technology/topics/information-security.jsp

3. Are you supporting
your organization’s
outcomes or inhibiting
them?
What do your peers think?

4. How do other executives see our jobs?
 To the average senior executive, security seems easy
– lock the doors and post a guard.
 “Use all of that money that has been allocated to IT
and come up with the entirely safe computer.”
 “Stop talking about risks and vulnerabilities and solve
the problem.”
 Information security is complex and simple
solutions are often the best for non-practitioners.
Sherizen, S. (2000). The Business Case for Information Security: Selling
Management on the Protection of Vital Secrets and Products. Retrieved from IT
Today: http://www.ittoday.info/AIMS/DSM/82-01-32.pdf

5.  Compliance enforcer and advisor
 As our IT environment grows, so do the legalities to be
considered to comply with laws and regulations.
 We assist management in making sure that the
organization is in compliance with the law.
What can we offer?
Sherizen, S. (2000). The Business Case for Information Security: Selling Management on
the Protection of Vital Secrets and Products. Retrieved from IT Today:
http://www.ittoday.info/AIMS/DSM/82-01-32.pdf
 Business enabler and company differentiator
 The internet has changed how organizations offer goods
and services. Information security must provide a value-
added way of providing ease of interaction as well as
security and privacy of customer activities.
 We provide security to differentiate our organization
by including security for free alongside the goods and
services offered by our organization. This can boost
customer satisfaction and encourage further use of
online activities.
 Total quality management contributor
 Quality is directly related to information security. CIA
allows an organization to offer customer service that is
protected, personal, and convenient.
 We combine proper controls over processes, machines,
and personnel, balancing our organization’s needs for
production and protection. Our information security
programs boost online transactions by helping
customers see them as safe and reliable.
 “Peopleware” controller
 Information security helps control the unauthorized
behavior of people through need-to-know and
segregation-of-duties policies.
 We translate managerial decisions into information
security policies, programs, and practices. We
structure authorized usage and detect unauthorized
usage.

6. How can we quickly
and strategically
become more
proactive?
The answer is not a technology, product, or vendor

7. Integrate
security into
processes
Create a
culture of
security
Address issues
before they
become
threats
Proactive Process
P R E V E N T I O N
D E T E C T I O N & R E M E D I A T I O N

8. My Situation
 Mid-sized business unit
 Less than 1000 people
 Multiple countries with varied regulatory requirements
 Relatively consolidated IT team
 Enormous change throughout our organization
 Security had a reputation for being disruptive and
a bottleneck
 New staff carry over their expectations from prior roles
 Proactive security is a recent way of thought

9. The Tool: A Questionnaire
 Organizations may conduct an information security review before
changing their systems
 Often informal and poorly documented
 Reviews are rarely built into a change process
 Still appropriate for today's business and regulatory environment?
 Develop a standard questionnaire to be completed as part of the
change process
 Complete the questionnaire as early in the process as possible
 Responsibility for the change
 Technical security impacts
 Physical security considerations
 Logical security requirements
 Disaster recovery and business continuity
Overly, M. R., Howell, C. T., & Scarano, R. M. (2012, February 1). A Proactive
Approach to Information Security in Health Information Technology Procurements.
(Foley & Lardner LLP) Retrieved from Association of Corporate Counsel:
http://www.acc.com/legalresources/quickcounsel/apatisihit.cfm
Questionnaire
Availability
Integrity
Confidentiality

10. Privacy & Security Impact Assessment
 Decision-making tool used to identify and mitigate risks associated
with new or changing systems
 Helps us understand how sensitive data is to be collected, used, shared,
accessed, and stored
 Required
 Before sending business requirements for development
 Before operationalizing new systems
 As part of the change process
 Completed by those who best understand the change
 Reviewed by those who best understand privacy & security
implications
 Approved PSIAs available for review within the organization
United States Department of Homeland Security. (2014, January 30). Privacy
Compliance. Retrieved from Homeland Security: http://www.dhs.gov/privacy-
compliance

11. I didn’t invent this.
 Recommended by
leading information
security organizations
 ISACA
 SANS
 United Kingdom
 National Health Service
 United States
 Securities and Exchange
Commission
 United States
Department of Defense
 United States
Department of Health
and Human Services

12. My Approach
Easy to understand
Completed in minutes
Addresses
confidentiality, integrity,
and availability
Captures only basic info
Qualitative assessment;
not a quantitative risk
analysis
Advantages Disadvantages
Requires short training and expert review

13. 1 Page, 2 Sections, 10 Questions
1. How sensitive is the information (how is it classified)?
2. What Personally Identifiable Information is used?
3. Which types of Protected Health Information are used?
4. Which critical systems are affected?
5. How will the information be used (a summary of the
requirements)?
6. Are any third parties involved? If so, which ones?
7. If database changes are needed, what kinds?
8. Where is the production equipment physically located?
9. What is the business continuity impact?
10. What access rights will be needed and for whom?

14. Review
 Weekly review w/ interested parties
 If we have questions, we reach out to the person
who completed the PSIA and/or the project sponsor
 Formal signoff on approval
 Otherwise, new requirements or controls communicated

15. Results
 Integrate security into processes
 Security is now considered when business requirements are
documented
 Build a culture of security
 Over time, security requirements are thought of by other staff
throughout the organization
 Address issues before they become threats
 Reviewing and discussing issues before work begins helps to
control costs, deliver on time, and position security as a friend to
the organization
 Provide assurance to your executive team
 Addressing issues before they become threats allows us to focus
on reacting to external threats

16. Questions?
 michael@calder.in
http://calder.in