How Do You Secure An Environment Without a Perimeter?

- Reginald Tucker
- 8 years ago
1 How Do You Secure An Environment Without a Perimeter? Using Emerging Technology Processes to Support InfoSec Efforts in an Agile Data Center. PTC Briefing, January 18, 2015

2 About the Presenters
CHARLA GRIFFY-BROWN, Professor, Information Systems and Tech Mgt; Director, Center for Teaching & Learning Excellence, Graziadio School of Business and Management, Pepperdine University, USA
DEMETRIOS LAZARIKOS (LAZ), CISA, CISM, CRISC, CSSLP, MBA, MCIS; IT Security Strategist and Two Time Former CISO, Blue Lava Consulting
MARK CHUN, Associate Professor, Information Systems & Technology Management, Graziadio School of Business and Management, Pepperdine University, USA
3 Agenda
Results and Methodology
InfoSec Maturity Model
Evolution: How Did We Get Here?
What Organizations Are Doing to Prepare for The Catastrophic Event
Resources

4 Quantitative Methodology
Visited 27 cities throughout the world
Meetings with 204 individuals in multiple verticals
Total of 80 organizations: Board of Directors and Executive Leadership Teams; Industry Practitioners and Engineers
Top Items Emerged: The InfoSec Maturity Model; How the perimeter doesn't exist anymore; Internet of Things (IoT); Big data and analytics

5 Results
The InfoSec security model developed describes the companies examined, but only a small percent are taking a risk-based approach and are therefore tied to a world with corporate perimeters
Current architecture in most firms is a hot mess, lacking any perimeter BY DESIGN
Cybercriminals bypass traditional security systems easily
Firms need a way to put together processes and tools for coordination and alignment to business to support hyper growth of emerging technologies and agile environments
Using the InfoSec security model, approaches and tools were identified and discussed

6 InfoSec Maturity Model
Reactive (Blocking & Tackling): Lack of Executive support; Underfunded; Understaffed; Lack of metrics for reporting; Set up for failure
Compliance Driven: Control-based security approach; Align to mandatory regulations (ISO 2700x, FFIEC, PCI, HIPAA, EU/PII Data protection, NCUA)
Proactive (Risk-Based Approach): Multi-layered security and risk-based approach; Using behavior analytics; Linking events across multiple disciplines; Using dynamic InfoSec and IT Audit controls in the environment*
Source: Blue Lava Consulting
7 Results (chart): Blocking/Tackling, Compliance Driven, Risk-Based Approach. Source: Blue Lava Consulting

8 How Did We Get Here? (diagram: Third Party Vendor; N/S Web Traffic; Apps; DBs)

9 Evolution: The Agile Data Center (diagram: IoT - Third Parties - Cloud; Limited Visibility; Web; No Visibility to Internal Traffic; App; DB)
11 Evolution: The Agile Data Center (diagram: Ignored AppSec Vulns; IoT - Third Parties - Cloud; Limited Visibility; Third Party Vendor; Web; Limited Visibility; No Visibility to Internal Traffic; App; DB; East-West Traffic). Gartner estimates that East-West traffic will increase by 80% through
13 What Organizations Are Doing
Board of Directors and Executives are more involved with Information Security, and IT Audit budgets are approved faster
Embracing multiple InfoSec and monitoring solutions for Internet of Things (IoT)
Moving towards agile frameworks with exit criteria embedded through the idea, development, and support processes
Investing in Big Data and User Behavior Analytics (UBA) solutions
Evaluating cyber liability insurance
There is no silver bullet to solving these complex issues

14 Aligning Information Security with the Business and PMO
Idea: What data will this application store, process, or transmit? Is this a mobile or Internet-facing application?
Dev: Security framework and standards review; Peer review / source code review*
Test: Internal scans 24x7x365 (network, OS, and application)*
Prod: External scans 24x7x365 (network, OS, and application)*
Maint: What new functionality will be supported? How will monitoring (external and internal) be incorporated?*
*Using dynamic InfoSec and IT Audit controls in the environment

15 Dashboards and Reporting
Create an inventory of issues and solutions within your environment
Identify the risks, gaps, observations, and what you need to be successful with your program
Generate reports in terms the business understands
Build relationships with internal stakeholders to achieve these goals
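The phase gates on slide 14, written out as an exit-criteria check (added example, not the presenters' or Blue Lava's code). The SLA windows, the field names on the application record and the sample findings are constructed assumptions; it ties the Test gate to the "P1s not resolved within SLA" problem the later threat-vector table raises.

```python
"""Exit-criteria gate for the Idea / Dev / Test / Prod / Maint phases.

Added example, not from the presentation. The SLA windows, the attribute
names and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed remediation SLA (days) per priority; P1 is the most severe.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}

PHASES = ["Idea", "Dev", "Test", "Prod", "Maint"]


@dataclass
class Finding:
    finding_id: str
    priority: str        # "P1", "P2" or "P3"
    found_on: date
    resolved: bool = False


@dataclass
class Application:
    name: str
    data_classes: set                 # what the app stores, processes or transmits
    internet_facing: bool             # mobile or Internet-facing application?
    framework_reviewed: bool = False  # security framework and standards review
    code_reviewed: bool = False       # peer review / source code review
    internal_scan: bool = False       # internal scans (network, OS, application)
    external_scan: bool = False       # external scans (network, OS, application)
    monitoring_plan: bool = False     # external and internal monitoring incorporated
    findings: list = field(default_factory=list)


def overdue_findings(findings, today):
    """Unresolved findings whose SLA window has already elapsed."""
    return [f for f in findings
            if not f.resolved and (today - f.found_on).days > SLA_DAYS[f.priority]]


def exit_criteria(app, phase, today):
    """Return the reasons `app` may NOT leave `phase` (empty list = gate passes)."""
    reasons = []
    if phase == "Idea":
        if not app.data_classes:
            reasons.append("data stored/processed/transmitted not classified")
    elif phase == "Dev":
        if not app.framework_reviewed:
            reasons.append("security framework and standards review missing")
        if not app.code_reviewed:
            reasons.append("peer / source code review missing")
    elif phase == "Test":
        if not app.internal_scan:
            reasons.append("internal scans (network, OS, application) missing")
        late_p1 = [f.finding_id for f in overdue_findings(app.findings, today)
                   if f.priority == "P1"]
        if late_p1:
            reasons.append("P1 findings past SLA: " + ", ".join(late_p1))
    elif phase == "Prod":
        if app.internet_facing and not app.external_scan:
            reasons.append("external scans required for an Internet-facing app")
        if not app.monitoring_plan:
            reasons.append("external/internal monitoring not incorporated")
    elif phase == "Maint":
        # Maintenance keeps the Prod checks; new functionality restarts at Idea.
        reasons.extend(exit_criteria(app, "Prod", today))
    return reasons


def blocking_phase(app, today):
    """Name of the first phase the app cannot leave, or 'Maint' if every gate passes."""
    for phase in PHASES:
        if exit_criteria(app, phase, today):
            return phase
    return "Maint"


# Constructed sample: an Internet-facing payment app with one overdue P1 and a fresh P2.
SAMPLE_APP = Application(
    name="checkout-web",
    data_classes={"cardholder", "PII"},
    internet_facing=True,
    framework_reviewed=True,
    code_reviewed=True,
    internal_scan=True,
    findings=[
        Finding("WH-1042", "P1", date(2015, 1, 1)),
        Finding("WH-1077", "P2", date(2015, 1, 15)),
    ],
)
TODAY = date(2015, 1, 18)

if __name__ == "__main__":
    print(blocking_phase(SAMPLE_APP, TODAY))          # Test
    print(exit_criteria(SAMPLE_APP, "Test", TODAY))   # the overdue P1
```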
16 Threat Vector / Problem Statement / Tools Implemented / Current Observations, Risks, and Gaps

Application Security
Problem Statement: Web application vulnerabilities lead to significant issues when P1s aren't resolved within current SLAs.
Tools Implemented: 1. Training for developers (internal and third parties) 2. External and internal scans 24x7x365 (WhiteHat) 3. Penetration testing (3rd party quarterly tests) 4. Source code analysis (WhiteHat SCA) 5. Behavior analytics (RSA and Shape Security) 6. WAF (integrate with WhiteHat rules)
Current Observations, Risks, and Gaps: 1. There is 14% attrition with the developers. 2. P1 appsec vulns are increasing by 12% a week. 3. Integrate WhiteHat vulns with the WAF for automation.

Network/OS/Systems
Problem Statement: PCI 3.0 states that virtualized environments are in scope. The company needs to meet agile business requirements. The company needs to detect laterally moving traffic between the data centers, zones, supporting networks, and cloud integration.
Tools Implemented: 1. Elasticity and agility to spin up/down environments (varmour) 2. Network and OS scanner (Nessus) 3. PCI 3.0 management of physical and virtualized environments (varmour) 4. File integrity monitoring (OSSEC agents) 5. Monitoring internal (east/west) malicious traffic (varmour)
Current Observations, Risks, and Gaps: 1. PCI 3.0 states that all virtualized environments that store, process, and transmit cardholder data are in scope. 2. varmour allows you to manage both physical and virtual PCI environments under one policy and one enterprise software solution. 3. OSSEC agents are not being used and configured properly.

Innovation
Problem Statement: Automobiles; Bitcoin; Cloud (third party integration); IoT (e.g. wearables, appliances, HVAC, garage doors); Virtualization
Tools Implemented: 1. Partner with manufacturers; insert InfoSec legal requirements into contract agreements 2. Application scanning 24x7x365 (WhiteHat) 3. Cloud integration (varmour) 4. IoT (WhiteHat and varmour) 5. Physical and virtualized management (varmour)
Current Observations, Risks, and Gaps: 1. System of systems* will be in scope for PCI, HIPAA, GLBA, PII, Privacy, EU Data Protection.

Emerging Threats (Internal)
Problem Statement: The company needs a way to identify, monitor, and combat emerging threats once cyber criminals break the perimeter.
Tools Implemented: 1. Monitoring east/west traffic (varmour)
Current Observations, Risks, and Gaps: 1. Internal traffic anomalies are increasing by 15% per month. Anomalous traffic patterns are moving between Zone X and Y and four data centers at 2:21am daily.

External Mobile Security Applications
Problem Statement: Mobile device usage is increasing by 54% year over year. 15 mobile applications are being developed by external teams that are out of corporate compliance and do not meet mandatory industry regulations.
Tools Implemented: 1. Behavior analytics software (RSA) 2. Monitoring mobile app stores (Risk I/Q) 3. WhiteHat source code analysis (SCA) 4. Cyber threat research (FOX-IT)
Current Observations, Risks, and Gaps: 1. Mobile source code being developed by third party organizations is not compliant with corporate InfoSec policies and industry regulations.

Mobile Security (Internal/BYOD)
Problem Statement: The company needs to support the BYOD policy.
Tools Implemented: 1. Access controls (LDAP/AD) 2. MDM (Good Technology)
Current Observations, Risks, and Gaps: 1. Need to determine how the MDM solution will scale over the next 12 months.

Source: Blue Lava Consulting
*Blue Lava Consulting System of Systems research results will be available in Q1,
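The "Zone X to Y at 2:21am daily" observation above is a time-of-day recurrence in east/west flow data, which is something a defender can test for directly from flow logs. The code below is an added example, not from the presentation and not tied to any vendor tool it names; the flow records, their field layout and the slot/threshold values are constructed.

```python
"""Flag zone pairs whose internal (east/west) traffic recurs in the same
time-of-day slot on several distinct days.

Added example, not from the presentation. The flow log, field layout and
thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow log: UTC timestamp, source zone, destination zone, bytes.
FLOWS = """\
2015-01-10T02:21:07Z zoneX zoneY 48213
2015-01-10T09:14:33Z zoneX zoneY 1200
2015-01-11T02:21:02Z zoneX zoneY 50144
2015-01-11T14:02:19Z zoneY zoneX 900
2015-01-12T02:21:11Z zoneX zoneY 47780
2015-01-12T02:20:58Z zoneX dc3 30000
2015-01-13T02:21:05Z zoneX zoneY 49990
2015-01-13T02:21:20Z zoneX dc3 31000
2015-01-14T11:45:00Z zoneX zoneY 700
"""


def parse_flows(text):
    """Parse the whitespace-separated log into (datetime, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        src, dst, int(nbytes)))
    return records


def recurring_daily_flows(records, window_minutes=2, min_days=3):
    """Return {(src, dst): ("HH:MM", days)} for pairs seen in the same
    window_minutes-wide time-of-day slot on at least min_days distinct days.
    The label is the start of the slot that matched."""
    slot_days = defaultdict(set)  # (src, dst, slot) -> set of dates seen
    for ts, src, dst, _ in records:
        slot = (ts.hour * 60 + ts.minute) // window_minutes
        slot_days[(src, dst, slot)].add(ts.date())
    hits = {}
    for (src, dst, slot), days in slot_days.items():
        if len(days) < min_days:
            continue
        label = "%02d:%02d" % divmod(slot * window_minutes, 60)
        # Keep the slot with the most days when a pair qualifies in several slots.
        if (src, dst) not in hits or len(days) > hits[(src, dst)][1]:
            hits[(src, dst)] = (label, len(days))
    return hits


if __name__ == "__main__":
    for pair, (when, days) in recurring_daily_flows(parse_flows(FLOWS)).items():
        print("%s -> %s recurs around %s on %d days" % (pair[0], pair[1], when, days))
```

Fixed slots mean a job that straddles a slot boundary (02:21:59 one day, 02:22:01 the next) can split across two slots, so widen window_minutes or also check the neighbouring slot when tuning this on real data.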
19 Addressing the Issues (diagram: IoT; WAF; Complete Visibility; Third Party Vendor; Web; Complete Visibility; App; DB; East/West Traffic). Gartner estimates that East-West traffic will increase by 80% through

20 Risk Frameworks
CMM, COBIT, CVSS, Home Grown, ISO, NIST, OCTAVE, RiskCalibrator, RiskIT, TARA
Ensure risk frameworks can be dynamic in your environment

21 Reporting in Business Terms (chart: Low Risk, High Risk, Critical Risk). Source: CXOWare, WhiteHat Security, and Blue Lava Consulting

22 Where Do We Go from Here
Information Security must be part of the culture, driven by the Board of Directors and Executives throughout the organization
Cyber criminals are evolving; we must as well
It's not if the cyber criminal will access your environment, it's when: invest in current technologies and have a plan to address the issue
User behavior analytics (UBA) is critical
Evaluate your InfoSec and IT Audit programs frequently; ensure part of the program is to evaluate emerging technology
Be flexible; introduce dynamic InfoSec and IT Audit controls in the environment

23 Resources Continued
WhiteHat Security
WhiteHat Security Blog: https://blog.whitehatsec.com
Website Security for Dummies: https://info.whitehatsec.com/cont-Synd-ISACA-Website-Security-Dummies-LP.html
Securing the SDLC for Dummies: https://info.whitehatsec.com/cont-Synd-ISACA-SDLC-Dummies-LP.html
ISACA COBIT 5 Framework: http://
varmour
Verizon 2014 Data Breach Investigations Report

24 Resources Continued
Andy Hoernecke, Application Security, Data Visualization Expert, and Inventor of D3Dash
Avivah Litan, VP and Distinguished Analyst, Gartner Market Guide for User Behavior Analytics (UBA), G , August 2014
How to Measure Anything, Douglas W. Hubbard, ISBN-13:
Iron-Clad Java: Building Secure Web Applications, Jim Manico and August Detlefsen, ISBN-13:
Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund and Jack Jones, ISBN-13:
Perceptual Edge
Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith, ISBN-13:
More informationSecure360. Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services
Secure360 Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services Question about Life HOW DO YOU KNOW IF YOU ARE GETTING THE MOST OUT
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationQubera Solu+ons Access Governance a next genera0on approach to Iden0ty Management
Qubera Solu+ons Access Governance a next genera0on approach to Iden0ty Management Presented by: Toby Emden Prac0ce Director Iden0ty Management and Access Governance Agenda Typical Business Drivers for
More informationComputer Security Incident Handling Detec6on and Analysis
Computer Security Incident Handling Detec6on and Analysis Jeff Roth, CISSP- ISSEP, CISA, CGEIT Senior IT Security Consultant 1 Coalfire Confiden+al Agenda 2 SECURITY INCIDENT CONTEXT TERMINOLOGY DETECTION
More informationJeff Warson, GCIH, SCPS, CISSP, CCSK Sr. Principal Security Strategist Symantec Corpora5on
Jeff Warson, GCIH, SCPS, CISSP, CCSK Sr. Principal Security Strategist Symantec Corpora5on Agenda 1 2 3 4 5 Sources of a Breach Key IT Security Trends How is DLP Implemented Symantec's Strategy and Recent
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationFixed Scope Offering (FSO) for Oracle SRM
Fixed Scope Offering (FSO) for Oracle SRM Agenda iapps Introduc.on Execu.ve Summary Business Objec.ves Solu.on Proposal Scope - Business Process Scope Applica.on Implementa.on Methodology Time Frames Team,
More informationPCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM
PCI Compliance PCI DSS v3.1 Dan Lobb CRISC Lisa Gable CISM Dan Lobb, CRISC o Introduction Dan has an MIS degree from the University of Central Florida. He began his career at Accenture and for the past
More informationCloud Risks and Opportunities
Cloud Risks and Opportunities John Howie COO Cloud Security Alliance #SCCLondon About the Cloud Security Alliance Global, not- for- profit organiza;on Building security best prac;ces for next genera;on
More informationAn Econocom Group company. Your partner in the transi4on towards Mobile IT
An Econocom Group company Your partner in the transi4on towards Mobile IT A few key figures 40 000 mobile terminals integrated annually 200 M of telecom expenses managed 50 000 mobility support 4ckets
More informationPALO ALTO SAFE APPLICATION ENABLEMENT
PALO ALTO SAFE APPLICATION ENABLEMENT 1 Palo Alto Networks Product Overview James Sherlow SE Manager WEUR & Africa jsherlow@paloaltonetworks.com @jsherlow Palo Alto Networks at a Glance Corporate Highlights
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationBuilding your cloud porbolio APS Connect
Building your cloud porbolio APS Connect 5 th November 2014 Duncan Robinson, Parallels Business Consul3ng Introduc/on to BCS Who are we? Created 3 years ago in response to partner demand Define the strategy
More informationGetting Real with Policies for Software Defined Infrastructure. Manish Dave Principal Engineer, Intel IT
Getting Real with Policies for Software Defined Infrastructure Manish Dave Principal Engineer, Intel IT Manish Dave, Principal Engineer, Intel IT Network Security Architect @ Intel IT 15+ years of experience
More informationNETWORK DEVICE SECURITY AUDITING
E-SPIN PROFESSIONAL BOOK VULNERABILITY MANAGEMENT NETWORK DEVICE SECURITY AUDITING ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. NETWORK DEVICE SECURITY, CONFIGURATION AUDITING,
More informationWSECU Cyber Security Journey. David Luchtel VP IT Infrastructure & Opera:ons
WSECU Cyber Security Journey David Luchtel VP IT Infrastructure & Opera:ons Objec:ve of Presenta:on Share WSECU s journey Overview of WSECU s Security Program approach Overview of WSECU s self- assessment
More informationWhat s Driving Adop2on of IT Governance? ISACA North Texas Chapter. Aus2n Hu@on Hu@on Consul2ng October 11, 2012
What s Driving Adop2on of IT Governance? ISACA North Texas Chapter Aus2n Hu@on Hu@on Consul2ng October 11, 2012 Learning Objec2ves Overview of the history of IT Governance The rela2onship to corporate
More informationPalo Alto Networks Cyber Security Platform for the Software Defined Data center. Zekeriya Eskiocak Security Consultant Palo Alto Networks
Palo Alto Networks Cyber Security Platform for the Software Defined Data center Zekeriya Eskiocak Security Consultant Palo Alto Networks Evolution towards a software defined data center Server Virtualiza-on
More informationMAXIMIZING THE SUCCESS OF YOUR E-PROCUREMENT TECHNOLOGY INVESTMENT. How to Drive Adop.on, Efficiency, and ROI for the Long Term
MAXIMIZING THE SUCCESS OF YOUR E-PROCUREMENT TECHNOLOGY INVESTMENT How to Drive Adop.on, Efficiency, and ROI for the Long Term What We Will Cover Today Presenta(on Agenda! Who We Are! Our History! Par7al
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationSecurity Risk Management Strategy in a Mobile and Consumerised World
Security Risk Management Strategy in a Mobile and Consumerised World RYAN RUBIN (Msc, CISSP, CISM, QSA, CHFI) PROTIVITI Session ID: GRC-308 Session Classification: Intermediate AGENDA Current State Key
More informationTrends in Supply Chain and Network Management - 2014 AlfaSec Advisors Pte Ltd
Trends in Supply Chain and Network Management - 2014 AlfaSec Advisors Pte Ltd SINGAPORE HONG KONG - TOKYO www.alfa- sec.com 1 Introduc;on Agent and Supply Chain Network Management is a growing focus by
More informationGaining Visibility, Meaningful Information Security, and Fraud Data in Seconds
Gaining Visibility, Meaningful Information Security, and Fraud Data in Seconds A Big Data Case Study on Using a Risk-Based Approach for Information Security and Fraud Analytics www.blue-lava.net info@blue-lava.net
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationInforma*on Management
Informa*on Management Deepak Mohan SVP, Informa3on Management Group 1 Symantec Informa*on Management Strategy Protect Completely Dedupe Everywhere Delete Confidently Discover Efficiently Backup, archive
More informationSolving today's integra@on challenges with Oracle SOA Suite, and Oracle Coherence
Solving today's integra@on challenges with Oracle SOA Suite, and Oracle Coherence Asaf Lev Sales Consul@ng asaf.lev@oracle.com Agenda Industry Trends Oracle SOA Suite Oracle Coherence Oracle Service Bus
More informationPCI VERSION 2.0 AND RISK MANAGEMENT. Doug Landoll, CISSP, CISA, QSA, MBA Practice Director Risk and Compliance Management
PCI VERSION 2.0 AND RISK MANAGEMENT Doug Landoll, CISSP, CISA, QSA, MBA Practice Director Risk and Compliance Management Objec&ve: Protect cardholder data (CHD) wherever it resides Applica&on: All card
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationVMware and the Need for Cyber Supply Chain Security Assurance
White Paper VMware and the Need for Cyber Supply Chain Security Assurance By Jon Oltsik, Senior Principal Analyst September 2015 This ESG White Paper was commissioned by VMware and is distributed under
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationBusiness Analysis Center of Excellence The Cornerstone of Business Transformation
February 20, 2013 Business Analysis Center of Excellence The Cornerstone of Business Transformation John E. Parker, CEO Enfocus Solutions Inc. www.enfocussolutions.com 0 John E. Parker (Introduc3on) President
More informationInformation Security, Privacy and Compliance Convergence
Information Security, Privacy and Compliance Convergence Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold & Associates, LLC April 2009 Agenda Information lifecycles Security and privacy challenges
More informationDisrup've Innova'ons Track
Disrup've Innova'ons Track Product Disrup-ons: Medical Device Cybersecurity Presenter: Adam Brand, Associate Director, Pro-vi- V. 1.1 FACULTY DISCLOSURE The faculty reported the following financial relationships
More information