Transcription

1 The Truth About Information Security in Schools Region V 23 rd Annual Spring Conference -April 4th, 2013 Evan Francen CISSP, CISM, CCSK President of FRSecure, LLC

2 Thank You for Attending! & Many Thanks Region Vfor Inviting Us!

3 Before We Get Started This is not your typical presentation. Your thoughts on this topic are just as important as ours. You are encouraged to participate! I will ask you questions, if you don t ask me some!

4

5 About FRSecure Information security consulting is all we do. Established in 2008 by people who have earned their stripes in the field. We help small to medium sized organizations solve information security challenges. We get paid to tell people the truth

6 Evan Francen: CISSP, CISM Who Is This Guy? President & co-founder of FRSecure 20 years of information security experience Security evangelist with more than 700 published articles Experience with 150+ public & private organizations.

7 How Do Normal People Feel About Information Security?

8 What is Driving Information Security In Schools? The Federal Trade Commission FERPA Family Educational Rights & Privacy Act COPPA Children s Online Privacy Protection Act Common Threats & Vulnerabilities Fear of Non-Compliance What is this?

9 Information Security Ten Commandments Our Information Security Ten Commandments are Principles. rules of the game

10 #1 A Business is in Business to Schools are no different well, kind of. Some risks are worth taking. Make Money Not all risks require remediation. All information security expenses need justification. There is no ROI in information security, right?

11 #2 Information Security is a It is NOTan IT issue! Business Issue Executive management probably doesn t need the detailed specs of your new NGFW. Executive management does need to be aware of strategic direction and most significant risks. Ultimately, it s executive management that s responsible.

12 #3 Information Security is Fun Information security is more effective if people enjoy it. Look for opportunities to make information security fun. Laugh at yourself sometimes (not always others). We can be serious AND fun. They don t have to be exclusive.

13 #4 People are the biggest risk It s easier to go through your secretary than it is to go through your firewall. People don t read your policies. Social engineering success rates are more than 8x better than technology penetration success rates.

14 Excuse me, Sir. I think you dropped your gun.

15 What is the Weakest Link in Information Security? Trevor

16 Don t be Trevor.

17 #5 Compliant and Secure are Different.

18 #6 There is No Common Sense in Information Security What makes perfect sense to you, probably doesn t make perfect sense to everyone else. Users feel justified in their actions. Try to see the world the way they see it.

19 #7 Secure is Relative Have you ever been asked Are we secure? or Are you secure? We can only answer how secure we are. Find metrics that you can measure. Without measurement you don t know.

20 #8 Information Security Should Help Drive Business We have a bad rap for getting in the way of business, and for being a cost-center. What opportunities does information security have for enabling business and adding to the bottom line? Information security objectives must align with business objectives. You won t succeed unless you engage with key business process owners.

21 #9 Information Security is Not One Size Fits All What works for one, may not work for another: - Policies - Technologies - Compliance Information security is a custom solution

22

23 The Ten Commandments Recap 1. A Business is in Business to Make Money. 2. Information Security is a Business Issue. 3. Make Information Security Fun. 4. People are the Most Significant Risk. 5. Compliant and Secure are Different. 6. There s No Common Sense in Information Security. 7. Secure is Relative. 8. Information Security Should Drive Business. 9. Information Security is NOT One Size Fits All. 10. There is no Easy Button.

24 Solutions? Here s a Start 1. Establish roles & responsibilities. 2. Conduct an objective assessment. 3. Cover the basics. 4. Document what your doing and why. 5. Communicate your expectations regularly. *Seek Assistance*

25 Announcement Truth of the Future In the Fall of 2013, FRSecure plans to partner with High Schools open to developing an information security extra-curriculum for aspiring students. Demand for Information Security skills is growing quickly. Awareness to Information Security career paths is stagnant. *If you have interest or ideas on this topic, please contact us.*

26 Weakest Link -Real Stories Physical Access to Fortune 100 Company Headquarters Password Almost Cost Someone Their Retirement Police Help Me Carry Out an Attack I Don t Really Work for the Power Company

27 Thank You! Evan Francen CISSP, CISM President John Harmon Account Manager (direct) (direct) Information Security Assessments Compliance Assessments (i.e. HIPAA, GLBA, PCI, FDA etc.) Customer Required Assessments Internal Network Vulnerability Assessments External Network Security Assessments Penetration Testing and Social Engineering Information Security Program Development Security Policies Training & Awareness BC/DR Plans Outsourced Security Resources