2014. All Rights Reserved. Information and Communications Technology
1 Defense-in-Depth has Become Extinct, or Information Security in the Post-Enterprise World
BSides Ottawa 2014
Dr. Lawrence G. Dobranski, P.Eng., Director ICT Security, University of Saskatchewan
2 The University of Saskatchewan is a member of the U15, the top 15 research universities in Canada. 22,500 students from 100 countries (2013); 16:1 student to faculty ratio; annual budget of $1B; $9.2 million annually in scholarships and bursaries; > 120 graduate degree programs; ~200 undergraduate programs.
3 Information & Communications Technology at usask: an open, de-perimeterised environment. 15,000 mobile users connecting daily via a ubiquitous wireless network, most of them BYOD (Bring Your Own Device). Includes: private cloud, multiple data centers, high performance research computing, petabytes of storage, multi-gigabit connections to the Internet and international research networks.
4 Mobile & U of S: ~15K personal mobile devices daily (2013); ~3.5K access points (2013). Cloud services include: travel & expense management, student employment, responsible disclosure, survey tools, crowd funding. iusask: award-winning university service app for mobile devices.
5 IT consumerization, BYOD, and cloud services represent a significant technology & societal disruptor and the arrival of the Post-Enterprise World. (Diagram: BYOD, IT Consumerization and Cloud Services overlapping around People, Process, Technology.)
6 Personal Mobile Devices. Mostly termed BYOD, for bring your own device. Represented by the convergence of mobile computing: laptop, netbook, palm top, tablet, phone; now a matter of size and battery life, since computing power is no longer a limitation. Stakeholders have multiplied: carriers (maybe more than one); 3rd party content (multimedia, software, services); other relying parties: employer (more than one), school, personal.
7 Cloud Computing. Architectures: public, private, hybrid. Service oriented: Software as a Service, Platform as a Service, Applications as a Service, Security as a Service, and yes, Malware as a Service. Business models: free (if I can mine your data), commercial (pay for it), corporate (a cloud for the enterprise), personal (really?).
8 BYOD & Cloud: A Multi-Dimensional Risk Problem. Not just a technology problem: a technological solution does not address the entire risk spectrum and does not recognize de-perimeterisation or context of use; the business perspective is critical. At risk: confidentiality, integrity, and availability of information and services; personally-identifiable information (aka privacy); business survivability; the user, the enterprise, the carrier, and 3rd party information and services.
9 BYOD & Cloud Risk Environment. Banning BYOD or cloud services usually just forces them underground; going underground hides the threat and hides the risk. Better to manage it rather than ban it: need to support controlled, secure access to data and services, no matter how accessed or how provisioned.
10 BYOD & Cloud: a disruptive technological evolution. Eradication of boundaries that are traditionally used to define the enterprise: separate trusted and untrusted domains are no longer clear, and defense-in-depth is going extinct. Context of use: how, why, where, what, and when regarding data and service access. Evolution to the mobile, social media, always-on society. (Diagram: the defense-in-depth layers Data, Application, Host, Internal Network, Perimeter, Physical, with Policies, Procedures, Practices, and De-perimeterisation.)
11 De-perimeterisation. Concept originally championed by The Open Group's Jericho Forum. Traditionally, organizations relied upon boundaries and perimeters to provide security: different areas of trust. BYOD and cloud services mean that the boundaries have changed or do not exist. Now it is not just who is inside your perimeter accessing the data, but who, where, how, and with what.
12 Moving Beyond a Perimeter Security Model
Before BYOD & Cloud: hard perimeter; clear policy enforcement points; defense-in-depth strategy; only organization-supplied hardware & software on the network; able to answer who is accessing, how they are accessing, and where they are; clear whose device and who owns the data; threats understood; compliance achievable.
After BYOD & Cloud: soft perimeter; policy enforcement points are now vague; hardware & software can be organizational, personal, or 3rd party; no longer clear who is accessing, how they are accessing, or where they are; not clear whose device and who owns the data; lack of clarity regarding threats; compliance: what does it mean?
13 Mitigating the De-perimeterisation Risk
After BYOD & Cloud: soft perimeter; policy enforcement points are now vague; hardware & software can be organizational, personal, or 3rd party (discretionary access control); not clear whose device and who owns the data; lack of clarity regarding threats; compliance: what does it mean?
BYOD & Cloud mitigation: sandbox applications and data; application integrity; policy enforced at application and data boundaries; mandatory access control for servers and infrastructure; compliance requires clear policy/procedures/processes; enhanced, context-aware authentication/authorization. Security awareness is critical: do you know where your organization's data is?
14 Context of Use, aka Mobility. A significant business driver by itself: institutions want to be agile, to be accessible, and to support collaboration, no matter where their users are and no matter what device they are using, expanding to include however they are accessing data and services. The focus is giving ubiquitous access to organization data, networks, services, and applications, to be agile, responsive, and value-providing anywhere at any time.
15 Context of Use: No Longer Just Who. Traditionally IAM only addresses who is accessing the data; privileges are discretionary access control: we know who you are, we trust you. Now we also need to ask: How is the data being accessed? Who is delivering the data and service? Where is it being accessed from (location and device are critical)? What expectations are there for the data's confidentiality, integrity, and availability? Who owns and controls the data? Who owns and controls the device? Is the security policy/security compliance adaptable based on these considerations? Who do you trust?
16 The context of the mobile device and the service provided must be reflected in the authorizations granted to the authenticated user. (Diagram: Context of Use surrounded by Who, What, Where, When, How, Why.)
17 The Context of Use Dilemma
Before BYOD & Cloud: hard perimeter; clear policy enforcement points; defense-in-depth strategy; only organization-supplied hardware & software on the network; able to answer who is accessing, how they are accessing, and where they are; clear whose device and who owns the data; threats understood; compliance achievable; jurisdiction clear.
After BYOD & Cloud: soft perimeter; policy enforcement points are now vague; hardware & software can be organizational, personal, or 3rd party; no longer clear who is accessing, how they are accessing, or where they are; not clear whose device and who owns the data; lack of clarity regarding threats; compliance: what does it mean?; jurisdiction not clear.
18 Mitigating the Context of Use Risk
After BYOD & Cloud: soft perimeter; policy enforcement points are now vague; hardware & software can be organizational, personal, or 3rd party; no longer clear who is accessing, how they are accessing, what they are using to access, or where they are; not clear whose device and who owns the data; lack of clarity regarding threats; compliance: what does it mean?; jurisdiction more clear.
BYOD & Cloud mitigation: sandbox applications, data, & services; security from a data perspective; application security; policy enforced at application and data boundaries; mandatory access control for servers and infrastructure; compliance requires clear policy/procedures/processes; enhanced, context-aware authentication/authorization. Security awareness is critical: do you know where your organization's data is?
19 Regulatory & Legal Issues. Most regulatory & compliance regimes are built for a traditional defense-in-depth model: corporate-owned, or at least controlled, devices on a corporate-owned or managed network, with no acknowledgement of BYOD or cloud-based services. Multiple stakeholders, multiple jurisdictions. Who owns the data? Who controls the data? Are you sure? Whose jurisdiction?
20 Security, Privacy, & Audit in a BYOD & Cloud World. Consider: a user in country A, whose company's HQ is in country B, using a mobile device from a carrier in country C, accessing servers located in country D, containing data of citizens of country E, using software from a firm located in country F, regarding a transaction with a firm located in country G. So whose jurisdiction/policies apply?
21 And the survey said... Work based on a survey of 750 security professionals in Canada, professionals from the ITAC Cyber Security Forum; basis for a DSc dissertation.
22 Research Question: What are the critical factors influencing information security professionals' perceptions of information security risks and threats in BYOD environments?
23 Independent and Dependent Variables. Independent variables: context of use, compliance, security controls, security awareness. Dependent variable: information security professionals' perception of risk due to BYOD de-perimeterisation.
24 Importance-Performance Analysis. Technique to measure importance and performance of attributes; developed originally by Myers and Alpert (1968); successfully extended to other domains; output recognizable as the familiar four-quadrant graph. Based in part on Importance-Performance Analysis by Martilla and James, 1977, as featured in A critical evaluation of importance-performance analysis by Azzopardi and Nash,
25 Importance-Performance Analysis Applied to Risk Analysis
Likelihood scale: 1 Extremely unlikely; 2 Unlikely; 3 Neutral; 4 Likely; 5 Extremely likely.
Impact scale: 1 No consequence; 2 Minor consequence; 3 Moderate consequence; 4 Major consequence; 5 Critical consequence.
Quadrants (likelihood on the vertical axis, impact on the horizontal axis):
  I   (high likelihood, high impact): High Risk (Sustain Risk Mitigation)
  II  (low likelihood, high impact): Medium Risk (Curtail Risk Mitigation)
  III (low likelihood, low impact): Low Risk (No change in Risk Mitigation)
  IV  (high likelihood, low impact): Medium Risk (Risk Mitigation Required)
26 Research Site: Data Collection. Cyber Security Forum of the IT Association of Canada: approximately 750 information security professionals across multiple industries and domains. Research instrument: 15 threat attributes, 7 demographic questions. 84 responses received, 64 deemed to be valid.
27 BYOD Threat Attribute Ratings
Number  Attribute Description
1   Owner of the device controls the context of use, not the organization.
2   Loss of policy enforcement points.
3   Device handling personal and work data simultaneously.
4   Device will be used to access networks to which the organization cannot control access.
5   Security perimeter now at data level.
6   Verification of the implementation of security controls may not be possible.
7   A copy of data of interest to the organization may only exist on the device and not within the organizational network.
8   Security policy on device is not in the control of the organization.
9   Lack of clear boundaries/areas of trust.
10  Organization administrators not controlling the configuration of the device connecting to the organization's network.
11  Cannot completely wipe the device because it contains personal data that may or may not be backed up.
12  Data on the device may not be encrypted.
13  Device may not have a password or a password of appropriate strength.
14  Lack of user understanding that the use of a personal mobile device can expose the organization to significant risks.
15  Lack of user understanding that where the device is used affects the risk to the organization's assets.
28 BYOD Risk Results. Table with columns Number, Attribute Description, Risk, σ, and Rank for the fifteen attributes of slide 27 (same descriptions and numbering); the Risk, σ and Rank values are not present in the transcription.
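An added worked example, not the presenter's code, of the slide-25 method applied to the survey layout of slides 27 and 28: constructed per-respondent likelihood and impact ratings for four of the fifteen attributes are averaged, placed in the IPA quadrant with the slide's action label, and ranked. The midpoint split at 3.0 and the risk score (mean likelihood times mean impact) are assumptions, since the slides do not state how Risk was computed.

```python
"""Importance-Performance Analysis (IPA) applied to BYOD risk ratings (slide 25),
producing the Risk / sigma / Rank table layout of slide 28.

Added example; not the presenter's code. Assumptions not stated on the slides:
axes are split at the scale midpoint 3.0, and the ranking score is mean
likelihood multiplied by mean impact.
"""
from dataclasses import dataclass
from statistics import pstdev

LIKELIHOOD = {1: "Extremely unlikely", 2: "Unlikely", 3: "Neutral",
              4: "Likely", 5: "Extremely likely"}
IMPACT = {1: "No consequence", 2: "Minor consequence", 3: "Moderate consequence",
          4: "Major consequence", 5: "Critical consequence"}

# Quadrant numbering and action labels as printed on slide 25,
# keyed by (likelihood is High, impact is High).
QUADRANTS = {
    (True, True):   ("I",   "High Risk (Sustain Risk Mitigation)"),
    (True, False):  ("IV",  "Medium Risk (Risk Mitigation Required)"),
    (False, False): ("III", "Low Risk (No change in Risk Mitigation)"),
    (False, True):  ("II",  "Medium Risk (Curtail Risk Mitigation)"),
}
MIDPOINT = 3.0  # assumed Low/High split on both axes ("Neutral" / "Moderate")


def quadrant(mean_likelihood: float, mean_impact: float) -> tuple[str, str]:
    """Place a (likelihood, impact) point on the IPA grid; the midpoint counts as High."""
    return QUADRANTS[(mean_likelihood >= MIDPOINT, mean_impact >= MIDPOINT)]


@dataclass
class AttributeResult:
    number: int
    description: str
    mean_likelihood: float
    mean_impact: float
    risk: float      # assumed score: mean likelihood x mean impact
    sigma: float     # population std. dev. of per-respondent likelihood x impact
    quadrant: str
    action: str
    rank: int = 0


def analyse(responses: dict[int, tuple[str, list[tuple[int, int]]]]) -> list[AttributeResult]:
    """responses maps attribute number -> (description, [(likelihood, impact), ...]).

    Returns one result per attribute, sorted by rank (1 = highest risk score).
    Ratings outside the 1-5 scales are rejected rather than silently averaged.
    """
    results = []
    for number, (description, ratings) in responses.items():
        if not ratings:
            raise ValueError(f"attribute {number}: no ratings")
        for lik, imp in ratings:
            if lik not in LIKELIHOOD or imp not in IMPACT:
                raise ValueError(f"attribute {number}: rating out of scale ({lik}, {imp})")
        mean_lik = sum(lik for lik, _ in ratings) / len(ratings)
        mean_imp = sum(imp for _, imp in ratings) / len(ratings)
        products = [lik * imp for lik, imp in ratings]
        quad, action = quadrant(mean_lik, mean_imp)
        results.append(AttributeResult(
            number, description, round(mean_lik, 2), round(mean_imp, 2),
            round(mean_lik * mean_imp, 2), round(pstdev(products), 2), quad, action))
    results.sort(key=lambda r: r.risk, reverse=True)
    for rank, result in enumerate(results, start=1):
        result.rank = rank
    return results


def format_table(results: list[AttributeResult]) -> str:
    """Render results in the slide-28 column layout (Number, Description, Risk, sigma, Rank)."""
    lines = [f"{'No.':>3}  {'Attribute':<50} {'Risk':>6} {'sigma':>6} {'Rank':>4}  Quadrant"]
    for r in results:
        lines.append(f"{r.number:>3}  {r.description[:50]:<50} {r.risk:>6.2f} "
                     f"{r.sigma:>6.2f} {r.rank:>4}  {r.quadrant} {r.action}")
    return "\n".join(lines)


# Constructed sample (not survey data): four of slide 27's attributes, five
# respondents each, as (likelihood, impact) pairs on the 1-5 scales of slide 25.
SAMPLE = {
    1: ("Owner of the device controls the context of use, not the organization",
        [(5, 4), (4, 4), (5, 5), (4, 3), (5, 4)]),
    5: ("Security perimeter now at data level",
        [(4, 5), (3, 5), (4, 4), (5, 5), (4, 5)]),
    11: ("Cannot completely wipe the device because it contains personal data",
         [(2, 2), (3, 2), (2, 3), (2, 1), (1, 2)]),
    13: ("Device may not have a password or a password of appropriate strength",
         [(2, 4), (1, 5), (2, 5), (2, 4), (1, 4)]),
}

if __name__ == "__main__":
    print(format_table(analyse(SAMPLE)))
```

The sample places attribute 13 (weak or missing device password) in quadrant II despite its high impact, because the constructed respondents rated it unlikely; the quadrant, not the raw score, is what the slide ties to a mitigation action.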
29 Risk Surfaces (figure only)
30 Thank you! Lawrence Dobranski, DSc, MBA, MSc (Eng), (306)
CONSUMERIZATION OF IT BYOD and Cloud-based File Storage Moderator: John Payne, Principal Consultant, Pueblo Technology Group, Inc. Speakers: Royce Holden, Director of Information Technology, Greater Asheville
More informationA Guide to MAM and Planning for BYOD Security in the Enterprise
A Guide to MAM and Planning for BYOD Bring your own device (BYOD) can pose a couple different challenges, not only the issue of dealing with security threats, but also how to handle mobile applications.
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationManaging Security and Privacy Risk in Healthcare Applications
Managing Security and Privacy Risk in Healthcare Applications 5 th Annual OCR / NIST HIPAA Security Rule Conference June 6, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory
More informationJort Kollerie SonicWALL
Jort Kollerie Cloud 85% of businesses said their organizations will use cloud tools moderately to extensively in the next 3 years. 68% of spend in private cloud solutions. - Bain and Dell 3 Confidential
More informationWhitePaper. Private Cloud Computing Essentials
Private Cloud Computing Essentials The 2X Private Cloud Computing Essentials This white paper contains a brief guide to Private Cloud Computing. Contents Introduction.... 3 About Private Cloud Computing....
More informationPersonal Security Practices of the CAO
Personal Security Practices of the CAO 1. Do you forward your government email to your personal email account? 2. When is the last time you changed your Enterprise password? Within the last 60 days Within
More informationBlueprint 2020: Key Interface Requirements to Develop a Knowledge Sharing Infrastructure for the Public Service Workplace
December 06 2015 Blueprint 2020: Key Interface Requirements to Develop a Knowledge Sharing Infrastructure for the Public Service Workplace Main Text Word Count: 2,327 Matthew Fallon, Sanwara Bilkis, Connor
More informationOhio Supercomputer Center
Ohio Supercomputer Center Portable Security Computing No: Effective: OSC-09 05/27/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
More informationCyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
More informationModule 1: Facilitated e-learning
Module 1: Facilitated e-learning CHAPTER 3: OVERVIEW OF CLOUD COMPUTING AND MOBILE CLOUDING: CHALLENGES AND OPPORTUNITIES FOR CAs... 3 PART 1: CLOUD AND MOBILE COMPUTING... 3 Learning Objectives... 3 1.1
More informationHow to Practice Safely in an era of Cybercrime and Privacy Fears
How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,
More information03/06/2014. Bring Your Own Device: A Framework for Audit. Acknowledgement
Bring Your Own Device: A Framework for Audit Emily A Knopp, CPA, CISA Audit Director Angelo State University, Member of Texas Tech University System March 6, 2014 Texas Association of College of University
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationClouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst
Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment
More information6 Things To Think About Before Implementing BYOD
6 Things To Think About Before Implementing BYOD Kimber Spradlin, CISA, CISSP 2012 IBM Corporation Mobile Devices: Unique Management & Security Challenges Mobile devices are shared more often Mobile devices
More informationHow to Secure Your Environment
End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationCyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
More informationBYOD and Mobile Device Dependency
BYOD and Mobile Device Dependency Thursday, November 8, 2012 Brian Thomas, CISA, CISSP & Shohn Trojacek, CISSP Brian Thomas, CISA, CISSP Partner, IT Advisory Services at Weaver Provides security, IT audit
More informationNorth Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP
Mobile Device Management Risky Business in Healthcare North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP Agenda HIPAA/HITECH & Mobile Devices Breaches Federal
More informationInformation Security Policy
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
More informationBest Practices for a BYOD World
Face Today s Threats Head-On: Best Practices for a BYOD World Chris Vernon CISSP, VTSP Security Specialist Agenda Mobile Threats Overview 2013 State of Mobility Survey Canada BYOD Best Practices 2 Mobile
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationBellevue University Cybersecurity Programs & Courses
Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320
More information