The document discusses the five habits of highly secure organizations according to Ben Rothke, CISSP, CISA and Manager of Information Security at Wyndham Worldwide Corp. The five habits are: 1) having a Chief Information Security Officer (CISO), 2) implementing a comprehensive risk management program, 3) investing in people rather than just security products, 4) establishing clear security policies and procedures, and 5) providing effective security awareness training. If these five habits are adopted, they will enable organizations to ensure their data assets are properly secured.
Dealing with Information Security, Risk Management & Cyber Resilience (Donald Tabone)
Information Security
1.Why the need to think about it?
2.What exactly are we talking about?
3.How do we go about doing something about it?
4.Is there a one-size-fits-all framework?
Firewalls and border routers are still the cornerstone for perimeter security
Always will be a place for VPNs
Attacks occur at the application layer
So ensure app security
Information Security - Back to Basics - Own Your Vulnerabilities (Jack Nichelson)
When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.
This Talk is for - Security Managers looking to better focus on the real vulnerabilities and more effectively communicate your progress
The Goals of this talk – Find the real problems, create a formal plan, build support for the plan, and report the progress
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec... (IBM Security)
Businesses and governments alike are experiencing an alarming rate of malicious activity from both external and internal actors.
Not surprisingly, mission-critical mainframe applications make desirable targets, holding large repositories of sensitive enterprise customer data. Mainframe environments are increasingly at risk as they open access through the internet, mobile initiatives, big data initiatives, social initiatives, and more to drive the business forward. Additionally, some security challenges are specific to the mainframe: traditional protection methods are no longer enough, insider threats are on the rise, mainframe environments can be more vulnerable because of their reliance on privileged users to administer security, mainframe IT management is siloed, ownership visibility is limited, and security management is not uniform across the enterprise.
View this on-demand webcast to learn more about specific mainframe data protection challenges, top tips for protecting sensitive data, and key data protection capabilities that you should consider to address these challenges.
Register here for the playback: https://event.on24.com/wcc/r/1461947/D9664CC82EC641AA58D35462DB703470
The Science and Art of Cyber Incident Response (with Case Studies) (Kroll)
In this joint presentation for the ISSA-LA Summit X in Los Angeles, Jennifer Rathburn, a cybersecurity and data privacy law expert at Foley & Lardner LLP and William Dixon, Associate Managing Director in Kroll's Cyber Risk practice, highlight three incident response scenarios and tips on breach preparation and response.
To learn more, contact Jennifer or William at:
Jennifer Rathburn, Foley & Lardner LLP
jrathburn@foley.com; 414-297-5864
William Dixon, Kroll, a Division of Duff & Phelps
william.dixon@kroll.com; 213-247-3973
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
Information security focuses on protecting valuable information that will help businesses to succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of Information Security.
For more such innovative content on management studies, join WeSchool PGDM-DLP Program: http://bit.ly/ZEcPAc
A New Remedy for the Cyber Storm Approaching (SPI Conference)
Security has become a hot topic for all of us to consider. We share your concerns and have brought in an industry leader from IBM to discuss it with you. Presented by Joe Daw (Cybersecurity Architect, IBM) at the 2016 SPI Conference.
How an Integrated Management system helps you comply with new Cyber Laws and ... (PECB)
When implementing an information security management system (based on ISO/IEC 27001) you need to conduct a risk analysis (based on ISO/IEC 27005) and implement information security controls (based on ISO/IEC 27002). In order to better understand the IT governance framework of the organization, you can refer to service management systems (based on ISO/IEC 20000). Moreover, you have to properly consider security incident management (based on ISO/IEC 27035) and you must ensure that the organization has business continuity and recovery capabilities (based on ISO 22301).
Recorded Webinar: https://youtu.be/aY_envTRGRY
Security in the Cognitive Era: Why it matters more than ever (EC-Council)
Change isn’t coming. It’s already here. More devices. More access points. More valuable data in the cloud. In this new digital era, perimeter controls and traditional security practices are not enough to safeguard your enterprise. You need security for the way the world works. Security intelligence and integrated controls are today’s essentials to gain visibility and get to a higher level of maturity. Learn how cloud, collaboration and cognitive will define the next era of security to help you outthink attackers and proactively protect your most critical assets.
Cyber innovation without a new product to buy - Michael Boeckx - cybersec europ... (NRBsanv)
In a changing world of threats and threat actors we find ourselves bombarded with new technology hypes and toolsets.
Security tooling is like emotional eating: you feel good for a while, but in the end you are not in a better position.
This presentation addresses common questions such as how to differentiate between hype and reality, how to keep up with a limited budget, what your security maturity level is, and how to fit this into a regulatory and compliance context.
In the board room these questions pop up on a regular basis; this talk takes you through the journey of how to answer them and make it work, presenting a customer success story.
Risk management is one of the main concepts most organisations use to protect their assets and data. One such example is insurance: most insurance products (life, health, auto, etc.) have been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password-protected vaults to protect money and jewels, and police, fire and security services to protect against other physical risks.
Dr. C. Umarani | Shriniketh D, "Risk Management", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5, Issue-1, December 2020. URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
In this exclusive Security Leadership Series eBook, Citrix chief information security officer Stan Black and chief security strategist Kurt Roemer share best practices for leading meaningful security discussions with the board of directors; engaging end users to protect business information; and meeting security-related compliance requirements.
This presentation was discussed in a Webinar with MetricStream in September 2016. It is applicable for small, medium and large businesses when considering information and cyber security risk.
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016 (FERMA)
PART II – Cyber Security: the mitigation strategies – how to identify, assess and mitigate cyber risks
The Risk Manager must be responsible, as for other risks, for the quantification aspect of cyber security. It is a necessary step towards understanding and managing the exposure of the company. He/she should act as a facilitator between the Board and the operational departments (IT, Finance, Legal and other functions).
This is a key subject for unlocking the development of cyber insurance and for supporting the economic growth the digital world is bringing to Europe.
Information security is often misunderstood, undervalued and often tackled as an afterthought. This presentation was given in 2014 during an ISACA educational event.
It's a Who, What, Where and Why behind cyber risk in today's modern era - how data breaches happen, why they happen, and what you can do to address them.
While nothing is ever "completely secure," and there is no magic product to make every organization immune from unwanted attackers, this Razorpoint document outlines 10 keys to consider seriously regarding effective network security.
Brief Resume of Capt. S B Tyagi, FISM, CSC
• Holds master's degrees in Philosophy, Sociology, Defense Studies & Political Science besides a B.Sc. and LLB. He also holds a master's degree in Business Administration and post-graduate diplomas in Business Administration, Personnel Management & Industrial Relations, and Safety & Security Management.
• Twenty-eight years' experience (including Army) in the field. Presently working in GAIL (India) Limited as Chief of Security at its Corporate Office.
• Has been regular faculty in Management Institutes. Various articles published in related magazines and internet sites.
• Writer of the best-selling book on Industrial Security, "Industrial Security: Management & Strategies".
• Made presentations at more than 18 international seminars on the subjects of homeland security and industrial security.
• The Honorable Lt. Governor of Delhi bestowed the most coveted 'Best Security Manager' award on Capt S B Tyagi on 30th August 2007, instituted by Security Today, a leading niche magazine for the protection industry. The award is testimony to the untiring efforts, constant application of noble approaches in security management, innovation and leadership in the profession distinctly displayed by Capt S B Tyagi. He has been recognized in the past too for similar qualities, when he was awarded 'Best Security Manager' in 2002 and 'Best Security Operation Manager' in 2004 by IISSM (International Institute of Security and Safety Management).
• Given ‘Certification of Recognition’ and awarded as ‘Best Security Practitioner’ in GAIL in year 2009.
• Recipient of “Award of Fellowship (FISM)” and is “Certified Security & Safety Consultant (CSC)” by the “International Institute of Security & Safety Management”.
• Co-founder of “International Council of Industrial Security and Safety”.
• Mail id: sbtyagi1958@gmail.com ; sbtyagi@gail.co.in
• Blog: http://captsbtyagi.blogspot.com
• Web-site: http://www.wix.com/sbtyagi/iciss
We are an instructor-led online training hub. Get access to the world's best learning experience at our online learning community, where millions of learners learn cutting-edge skills to advance their careers, improve their lives, and pursue the work they love. We provide a diverse range of courses, tutorials, resume formats, projects based on real business challenges, and job support to help individuals get started with their professional career.
Information Security Analyst - Infosec train (InfosecTrain)
Information has exceptional value in today's highly competitive world. It helps organizations in many ways: from making accurate decisions to setting up strategies to achieve their business goals, organizations rely extensively on their information systems.
On information security threats relevant to a developer of information protection tools (СЗИ) (SelectedPresentations)
Aleksey Igorevich Kachalin, expert at the interregional public organisation "AZI"
IV AZI Forum
"Current issues of information security in Russia"
Moscow, MTUCI Congress Centre, 14 April 2015
On information security threats relevant to a developer of information protection tools (СЗИ)
STU-R35B
1. The Five Habits of Highly Secure Organizations
Ben Rothke, CISSP, CISA
Information Security, Wyndham Worldwide Corp.
Session ID: STU-R35B
Session Classification: Intermediate
2. Agenda
► Discussion of effective information security habits, characteristics and practices
► great practices of security-conscious companies
► not directly related to ITIL, ISO 17799, etc.
► based on my past experience at a large spectrum of Fortune 500 and Global 2000 companies
► primarily financial services, pharmaceutical, aviation and healthcare
3. Why it’s important you are here
► Computer security is simply attention to detail and good design
► focusing on the five habits of this presentation will enable you to ensure your organization’s data assets are secured
► rather than blindly wasting your budget on security appliances that do nothing more than look cool in a rack
4. Key Take Away Thoughts
► Effective infosec is built on risk management, good business practices and project management
► while the mathematics of cryptography is rocket science, most aspects of information security are not
► successful information security programs have all come about by focusing on security from a framework of risk mitigation
► the cost of security hardware and software purchased has absolutely no corresponding effect on the level of security
5. The five habits
1. CISO
2. Risk Management
3. Invests in people, not products
4. Policies and Procedures
5. Awareness and Training
6. Habit #1 – CISO
► Accountants achieve efficiency and effectiveness under the guidance and coordination of a CFO
► security teams will reach their optimal levels under a CISO
► infosec is more than a single technology. It involves:
► physical, psychological and legal aspects, such as training, encouraging, enforcing and prosecuting
► strategic planning, skilled negotiating and practical problem solving
► only an individual with strong business savvy and security knowledge can oversee security planning, implement policies and select measures appropriate to business requirements - that person is the CISO
7. CISO
► Characteristics of a great CISO
► deep understanding of technology, combined with understanding of the organization’s function, politics and business drivers
► gold medal CISO: electrical engineer with an MBA
► silver medal CISO: NSA veteran with corporate experience
► never a yes-man to the CxO or Board of Directors
► invests in people, not technology
► corollary: vendors intimidated by CISO due to technical prowess
► not intimidated by a screaming SVP trying to force a firewall admin to violate policy
► but also willing to evaluate the policy to determine whether it is reasonable
8. CISO
► CISO works at the executive level
► serves on the executive council or equivalent
► sits on the CIO’s architectural strategy council or equivalent
► direct or dotted-line manager of all information security staff
► without executive level control, will face difficulty when bridging the gap between business process demands and security technology requirements
► CISO at the non-executive level – expect Spaf’s Law:
► “if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong”
► Prof. Gene Spafford - CS Dept. - Purdue University
9. Habit #2 – Risk Management
► How management often perceives risk
► risk = evil hacker
10. This is risk management…
(word cloud) Backup tapes, hackers, risk matrix, software patches, power grid, data center, token management, political, malicious end-users, customers, regulatory compliance, contractors, telco, revocation processes, terrorists, legal liability, unions, external, environmental, DR/BCP, internal, unhappy customers, physical security, disgruntled employees, operations test, consultants, third-party, clients, operational, audit, lack of budget, vendor bankruptcy, vulnerabilities, forensics, crypto keys, lack of staff, fraud, poor risk assessment, hacktivists, spyware, blogs, insecure software, wireless, Google, documentation, organized crime, China, India, illegal downloads, web-scripting, viruses, worms, malicious software, rogue employee, Windows, VoIP, social engineering, app dev practices, malware, background checks, database, data destruction, hardware, procedural violations, phishing
11. Risk Management
► a comprehensive risk management program must be created around these four areas:
1. Identification
2. Analysis
3. Mitigation
4. Monitoring
12. Habit #3 – People, not products
► People, not products
► huge mistake companies make is expecting security products to solve their security problems
► they buy myriad products without being able to answer:
► what is your security problem and how do you expect this security product to solve it?
► why are you buying a product?
► create detailed requirements for its use
► processes and procedures
► metrics to measure its effectiveness and value
13. The big lie of security products
► Vendors want you to think their product is the best; but all products are for the most part indistinguishable
► by the time a product hits version 3, competition has matched it feature for feature
► observation: most established COTS security products are essentially indistinguishable from each other and can achieve what most organizations require:
► Check Point vs. Cisco
► eEye vs. McAfee
► don’t obsess on the products. Focus on your staff, internal procedures and specific requirements
14. Habit #4 - Policies & Procedures
► Comprehensive security policies are required to map abstract security concepts to your real-world implementation of your security products
► policy defines the aims and goals of the business
► no policies = no information security…. and
► no policy enforcement = no information security
15. Information security procedures
► SOPs ensure a Chicago firewall admin builds & configures corporate firewalls in the same manner as a Tokyo admin
► immense benefits of Standard Operating Procedures
► standardize operations among divisions and departments
► reduce confusion
► designate responsibility
► improve accountability of personnel
► record the performance of all tasks and their results
► reduce costs
► reduce liability
16. Information Security SOP
► Organizations that take the time and effort to create infosec SOPs demonstrate their commitment to security
► by creating SOPs, costs are drastically lowered (greater ROI), and their level of security is drastically increased
► another example: the aviation industry lives and dies (literally) by its SOPs
► SOPs are built into job requirements and regulations
► today’s airplanes are far too complex to maintain and operate without SOPs
► information security might not be as complex as a Boeing 777, but it still requires appropriate SOPs
17. Habit #5 – Awareness & Training
► Users who read and trust the Weekly World News will invariably choose an insecure Java applet over security
► information security and associated risks aren’t intuitive
► invest in training users to properly use the tools given to them
► effective information security training and awareness effort can’t be initiated without first writing information security policies
18. Awareness and Training
► Awareness defines the rules for computer use
► users must be clearly educated as to what acceptable use means
► define exactly what a confidential document is
► what is a good password?
► what emails should be forwarded?
► can I set up my own wireless network?
Image source: www.secureit.utah.edu/images/ISA/isa_banner2009.gif
19. Awareness and Training
► Dark moment in computer security awareness #358
► 1998 – US President Bill Clinton and Irish Prime Minister Bertie Ahern used digital signature technology to append their personal signatures to a statement endorsing broad e-commerce policy concerns
► Clinton and Ahern are videotaped entering the passphrase for their private keys
► at the conclusion of the ceremony, they swap the smart cards that contain their private keys
20. Required reading
► Security Engineering: A Guide to Building Dependable Distributed Systems
► Ross Anderson
► Free digital copy http://www.cl.cam.ac.uk/~rja14/book.html
► Information Risk and Security
► Edward Wilding
► NIST Information Security Handbook: A Guide for Managers
► http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
► Security Strategy: From Requirements to Reality
► Bill Stackpole and Eric Oksendahl
21. Required listening
► Bruce Schneier / Marcus Ranum
► Two really smart guys who understand security and risk, and don’t believe in the common wisdom of security pixie dust
► visit their web sites – www.schneier.com / www.ranum.com
► Crypto-Gram – Schneier’s monthly e-mail newsletter
► http://www.schneier.com/crypto-gram.html
22. Summary
► Effective information security takes:
► hard work
► leadership
► commitment
► knowledge
► responsibility
► dedication
► when implemented in the 5 habits, those are the characteristics of highly secure organizations
23. Ben Rothke, CISSP, CISA
Manager – Information Security
Wyndham Worldwide Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke