This document summarizes a presentation given as part of a CISSP mentor program. It discusses the history and structure of the mentor program, as well as an introduction to the CISSP certification. Key points include:
- The mentor program started in 2010 with 6 students and has grown significantly. Classes follow a typical structure of recapping content, questions, quizzes, lectures, and homework assignments.
- The CISSP certification is maintained by ISC2 and tests knowledge across 8 security domains. Becoming certified requires passing the exam as well as relevant work experience.
- Presenter Evan Francen has over 20 years of security experience and emphasizes the importance of listening, not assuming expertise, and focusing on security.
2. CISSP Mentor Program Session #1
Welcome!
• What is the CISSP Mentor Program
• History
  • 1st class was 2010; 6 students
  • Today's class; 80 students
• Why we do it
• Success Stories
• Heck, it's free! If you aren't satisfied, we'll refund everything you paid us. ;)
We need MORE good information security people!
3. CISSP Mentor Program Session #1
We need MORE good information security people!
The CISSP is ideal for those working in positions such as, but not limited to:
◦ Security Consultant
◦ Security Manager
◦ IT Director/Manager
◦ Security Auditor
◦ Security Architect
◦ Security Analyst
◦ Security Systems Engineer
◦ Chief Information Security Officer
◦ Director of Security
◦ Network Architect
4. CISSP Mentor Program Session #1
Typical Class Structure
• Recap of previous content/session
• Questions
• Quiz
• Current Events
• Lecture
• Homework Assignment - WHAT?! Yeah, we got homework.
• Questions
5. CISSP Mentor Program Session #1
Questions
• We may not get to all of the questions during class
• Send questions to Robb Stiffler (rstiffler@frsecure.com), for now.
• We will soon (probably) assist in setting up (or facilitating) a study group.
• Content will be made available to all students upon request.
6. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or "CISSP")
• Maintained by the International Information Systems Security Certification Consortium (or ISC2®)
• Tests your knowledge (or memorization) of the Common Body of Knowledge (or "CBK").
• "a mile wide and two inches deep" (or maybe just an inch deep).
• 2015 CBK, updated in April, 2015
• CBK consists of eight domains… next page
7. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or "CISSP")
Eight domains for the CISSP CBK:
• Security and Risk Management
• Asset Security
• Security Engineering
• Communications and Network Security
• Identity and Access Management
• Security Assessment and Testing
• Security Operations
• Software Development Security
8. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or "CISSP")
Preparation (there are bunches of ways)
• 3x Book Read (my favorite)
  • Read the book once, fast
  • Read the book a second time, focus on concepts
  • Read the book a third time, focus on mastery and memorization
• Note Cards
• Practice Tests (and quizzes)
• Study Groups
The CISSP Mentor Program is a tool that facilitates your studies; it does not supplant them! YOU WILL STILL NEED TO STUDY.
9. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or "CISSP")
How to take the exam
• Computer-based ("CBT") at Pearson Vue
• 250 questions
• Six hour time limit
• Two (sort of four) types of questions:
  • Multiple Choice (four options, two are almost obviously wrong)
  • "Advanced Innovative"
    • Scenario
    • Drag/Drop
    • Hotspot
• 25 (10%) of the questions are "experimental" or research questions.
10. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or "CISSP")
How to take the exam
• Methods
  • Two-pass
  • Three-pass
  • Suppose you could do one-pass too if you're some kind of Jedi Master (or whatever)
• You will know right away if you have passed or failed.
11. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or "CISSP")
Becoming a CISSP
• Passing the exam is only one step.
• Need experience
  • 5 or more years within 2 or more domains (can waive one year with a college degree or with another relevant certification)
  • Not enough experience? Pass the exam and you're known as an "Associate of (ISC2)"
• Must agree to the (ISC2) Code of Ethics.
• Must be endorsed by another CISSP (in good standing).
12. CISSP Mentor Program Session #1
About me
• President & Co-founder of FRSecure
• 20+ years of information security experience
• Big breach inside experience
• Information security evangelist
• Specialties: Security leadership coaching, risk management, methodology development, and Social Engineering ;)
• CISSP sixty thousand something (I forgot my number).
• Very, very passionate about information security, but most importantly in doing the right thing.
FRSecure exists to fix the broken industry.
13. CISSP Mentor Program Session #1
Same presentation given numerous times… Good for us too.
• Introduction
• We're all experts right?
• Fundamentals
• The value of listening
• Principles
• Solutions: What to do…
• Questions
14. Information Security Fundamentals
Introduction
• FRSecure
  • Information security consulting company
  • In business since 2008
  • 700+ clients, many in legal, healthcare, and finance
• Speaker: Evan Francen
  • President & Co-founder of FRSecure
  • 20+ years of information security experience
  • Big breach inside experience
  • Information security evangelist
  • Specialties: Security leadership coaching, risk management, methodology development, and Social Engineering ;)
15. Information Security Fundamentals
If there's one thing that I've learned in 20+ years in information security it's to LISTEN.
If there's one more thing that I've learned in 20+ years in information security it's that I don't know everything!
Although too many information security "experts" won't admit it.
17. Information Security Fundamentals
What are some of the fundamentals?
We're all experts, right?
What is "information security"?
We can argue about whose definition is better, but we need to start with a common understanding (or definition).
18. Information Security Fundamentals
What are some of the fundamentals?
Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information.
"Most organizations overemphasize technical controls to protect confidentiality and do so at the expense of other critical controls and purposes."
Seems fundamental. How about a story?
19. Information Security Fundamentals
What are some of the fundamentals?
Probably one of the most overused words in all of security…
What is "risk"?
Again, we can argue about whose definition is better, but we need to start with a common understanding (or definition).
20. Information Security Fundamentals
What are some of the fundamentals?
Risk is the likelihood of something bad happening and the impact if it did.
"The likelihood of a threat exploiting a vulnerability, leading to an associated impact."
Seems fundamental. How about another story?
22. Information Security Fundamentals
What are some of the fundamentals?
What is information security?
What is risk?
Why are these definitions so important?
Because they should drive everything you're doing.
23. Information Security Fundamentals
The value of listening.
To keep us honest (and humble), we organized the FRSecure Customer Advisory Board (or "CAB").
We posed two simple questions…
What is your greatest frustration with respect to information security?
What is your greatest challenge with respect to information security?
Then we listened…
24. Information Security Fundamentals
The value of listening.
Greatest frustrations:
1. Lack of common information security understanding.
2. Different interpretations of different information security regulations and standards.
3. Lack of education for practitioners and executive management.
4. Constantly changing priorities based on outside influences.
Together we derived a core frustration that sums up everything: we are all speaking different languages for the same topic.
25. Information Security Fundamentals
The value of listening.
Greatest Challenges:
1. Education/training for executives, IT personnel, and users.
2. Management commitment to continuous improvement.
3. Obtaining the necessary resources to manage information security.
4. Measuring information security (metrics, status, improvements, etc.)
Greatest challenges could be summed up with: we don't know how to fix the issues facing us within the greater context of a strategic information security program.
26. Information Security Fundamentals
So what are we going to do?
Our two problems, summed up by listening:
1. We are all speaking different languages for the same topic.
2. We don't know how to fix the issues.
Now we can offer some advice, but only after listening.
27. Information Security Fundamentals
We are all speaking different languages for the same topic.
1. Define and live by your definition of information security. Get everybody in agreement with the common definition because it will (or should) drive everything.
2. Define and live by your definition of risk. If you can understand and communicate risk well:
  • You will automatically be compliant with regulations.
  • You will be able to make good decisions.
  • You will build a security program that works for you.
28. Information Security Fundamentals
We don't know how to fix the issues.
Start with defining your information security principles. These are the rules that you are going to live by. Here's ours:
1. A business is in business to make money.
2. Information Security is a business issue.
3. Information Security is fun.
4. People are the biggest risk.
5. "Compliant" and "secure" are different.
29. Information Security Fundamentals
We don't know how to fix the issues.
Start with defining your information security principles. These are the rules that you are going to live by. Here's ours:
6. There is no common sense in Information Security.
7. "Secure" is relative.
8. Information Security should drive business.
9. Information Security is not one size fits all.
10. There is no "easy button".
30. Information Security Fundamentals
We don't know how to fix the issues.
Now that you're bought in on principles for managing your security program, go here:
1. Management commitment. For real. Either you're in or you're not.
2. Asset management. You can't secure what you don't know you have.
3. Access control. You can't secure what you can't control.
4. Change control. See step 3.
5. Measure, measure, measure. You can't manage what you can't measure.
31. Information Security Fundamentals
As you build, implement, manage, and improve your security program…
Don't forget to listen!
The things that people are telling you are real, and you might learn a thing or two.
It's also OK to admit that you don't know everything.