Designing & Building an Information Security Program. To protect our critical assets


Designing & Building an Information Security Program
To protect our critical assets
Larry Wilson
Version 1.0, March 2014

Instructor Biography

Larry Wilson is responsible for developing, implementing and managing the University of Massachusetts Information Security Policy and Written Information Security Program (WISP). The University program is based on industry best practices (ISO 27001 / SANS 20 Critical Controls) and is implemented consistently across all University campuses (Amherst, Boston, Dartmouth, Lowell, Medical School and the President's Office).

Prior to joining UMASS, Larry was the Vice President, Network Security Manager at State Street. His responsibilities included researching, selecting, implementing and overseeing an engineering and operations team that managed network security technologies and tools, including vulnerability scanning, network firewalls, intrusion detection, content filtering, remote access, DNS, and global and local load balancing.

Larry's industry experience includes IT audit manager for the Deloitte Enterprise Risk Services (ERS) consulting practice. In this role he managed a staff responsible for developing and completing a Sarbanes-Oxley (SOX) compliance audit for MasterCard International. Larry's team focused on the application-level controls and general computer controls for information technology services implemented and managed from the MasterCard data center in St. Louis.

Mr. Wilson holds a Master of Science degree in Civil / Structural Engineering from the University of New Hampshire. His industry certifications include CISSP, CISA and ISA (PCI Internal Security Assessor). He serves on the Advisory Board for Middlesex Community College and the CISO Advisory Board for Oracle. He co-chairs the New England Security Council (NESC) and is the Certification Director for ISACA New England.

Presentation Overview

This presentation will cover the essential elements for planning, designing, budgeting, implementing, maintaining and assessing a comprehensive information security program. A high-level outline includes:
- Part 1: Information Security Fundamentals
- Part 2: Protecting organizational assets through security controls
- Part 3: Information Security Program Design and Business Case

The course is based on the University of Massachusetts Information Security Program, which was the 2013 Information Security Executive (ISE) North America Project Award Winner, Academic/Public Sector Category. This presentation will include Part 1 only.

Designing and Building an Information Security Program
Part 1: The Fundamentals
- Understand the Problem
- Understand the Challenges
- Understand the Risks
- Understand the Vulnerabilities
- Understand the Threats
- Understand the Assets
- Understand the Controls
- Understand the Technologies
- Understand the Services
- Understand the Resources
- Understand the Solution
- Putting it all Together
- Building the Controls Factory

Understand the Problem

Data breaches hit an all-time high in 2013.
- Target, Neiman Marcus, and Adobe: this past year was pretty rough for them.
- Could they have done anything to avoid the security breaches? Yes, according to the Online Trust Alliance (OTA)'s latest report: companies should have better security controls and practices.

What was discovered:
- Over 740 million records were exposed in 2013 alone, making it the worst year for data breaches to date.
- 89% could have been prevented if companies had simply employed basic, effective security measures.

Understand the Problem: Organizations are held accountable

South Carolina Department of Revenue Data Breach (October 2012): in an external cyber attack, a hacker exfiltrated 5.7 million Social Security numbers and 387,000 credit and debit card numbers.

What went wrong? Where do we go from here?
"We now have to go into cyber plan mode. This is a new era in time where you can't work with 1970s equipment, you can't go with compliance standards of the federal government, because both are outdated." - Nikki Haley, Governor of South Carolina

Cost of recovery estimates (Deloitte Security Assessment, 2013):
- FY-13: $20 M (loan to the Department of Revenue for response to hacking)
- FY-14: $15 M (initial Deloitte Security Assessment, May 2013)
- FY-15: $21 M (interim Deloitte Security Assessment, October 2013)

Understand the Challenges: The Internet of Things (Assets)
- Businesses rely on IT to meet strategic objectives.
- Pervasive spread of new technologies (cloud, mobility, virtualization).
- We need to provide the right information, at the right time, in the right format, to the right parties, at the right cost.
- At risk of hackers, malware, unauthorized access, data breach.
- There are new vulnerabilities, threats and unprotected assets.
- Data breaches have consequences: management is held accountable.
- We must design and implement security controls to mitigate risk and protect our critical IT assets and information resources.
- Information is everywhere: data centers, the cloud, mobile devices.
- The attack surface is exploding. We need to be flexible to adjust.
- There's a lot riding here. It's the business; we need to get this right.

Understand the Challenges: Assets are at Risk from Security Threats

The Risk Equation:

    Risk = (Threats x Vulnerabilities x Asset Value) / Controls

How do we calculate risk?
- Risk is based on the likelihood and impact of a security incident or data breach.
- Threats involve the potential attack against IT assets or information resources.
- Vulnerabilities are weaknesses that could be exploited by a threat.
- Asset Value is based on the criticality of IT resources and information assets (aka "things").
- Controls are safeguards that protect IT resources and information assets; stronger controls reduce the resulting risk.

Understand the Risks
These are some of the more recent data breaches.

Understand the Vulnerabilities
These are some of the vulnerabilities:
- Lost Tape Drive
- Paper Records
- Database Vulnerabilities
- Software Vulnerabilities
- Weak Passwords
- Password Reset
- EOL Software
- Default Passwords
- Lost Data
- Mobile Devices
- Phishing E-mails
- Lost or Stolen Device
- Local Admin Permissions
- Cloud Computing
- Network Vulnerabilities
- Social Engineering
- Unpatched Systems (outdated software)
- Web Application Vulnerabilities
- Drive-by Downloads
- Misconfigured Firewall
- Database Administrator
- 3rd Party Risk

Understand the Threats
These are some of the cyber-threats.

Understand the Assets
These are the assets (human assets, technology assets, information assets) that we need to protect:
- Corporate (Trusted) Networks
- Employee Mobile Devices
- Business Applications
- Network Applications
- Driver's License
- Mobile Applications
- Data Center Systems
- Cloud Computing
- Databases
- Research Data
- Intellectual Property
- File Systems
- Hosted Applications
- Structured Data
- Unstructured Data
- Internet (Untrusted) Networks
- Credit Card Number
- Financial Spreadsheet
- Privileged Users
- Laptop
- Document Images
- Social Security Numbers
- Bank Account
- Critical Infrastructure
- Vendor / Contractor
(Diagram labels on the slide: CAG-05, CAG-06, CAG-07.)

Understand the Controls
These are the controls, standards and regulations that protect the assets.

Understand the Technologies
These are the technologies that automate the controls and protect the assets.

Understand the Services
These are the service providers that also implement controls to help protect the assets.

Understand the Resources
These are the management, technical, operational and administrative resources that run the program:
- Executive & Senior Management: Executive Management, IT Management, Business Management, Budget Office
- Security Program Management (Program Management Team): Data Custodian, Security Administrator, InfoSec Officer, Business Process Owner
- Security Program Design (Program Design Team): Security Architect, Security Engineer, Systems Engineer, Network Engineer, Applications Engineer, Audit / Advisory
- Security Program Operations (Program Operations Team): Desktop Support Team, Systems Operations, Network Operations, Security Operations, MSSP
- Security Program Administration (Program Administration Team): Systems Analyst, Network Analyst, Security Analyst, Application Specialist, DBA

Understand the Solution
Our unmanaged assets ARE NOT protected. Our managed assets ARE protected.

Unmanaged Assets (our portfolio of unmanaged assets): identifying and securing our unmanaged assets
- There are undetected problems: not seen, not reported.
- Our unmanaged assets become easy targets, which leads to a breach from missing or ineffective controls.
- What is our unmanaged asset portfolio? We need to secure our unmanaged assets and add them to our managed asset portfolio.

Managed Assets (our portfolio of managed assets): identifying and securing our managed assets
- Security professionals understand why security breaches occur, and the steps to take to prevent them.
- What is our managed asset portfolio? We need to build a portfolio of managed assets.
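The risk equation on the "Assets are at Risk" slide and the managed/unmanaged split on this slide can be put together in a small asset risk register. The following Python is an added example, not code from the deck or from the UMass program; the 1-5 scoring scale, the rule that an unmanaged asset has a controls score of 0, and the sample portfolio are all constructed assumptions for illustration. It ranks assets by Risk = (Threats x Vulnerabilities x Asset Value) / Controls, lists the unmanaged ones (the "easy targets"), and shows the residual risk once an asset is moved into the managed portfolio with real controls.

```python
"""Asset risk register built on the deck's risk equation (added example).

Risk = (Threats x Vulnerabilities x Asset Value) / Controls

Scoring scale (assumed, not from the deck): threat, vulnerability and value
are 1 (low) to 5 (high); controls is 0 (no safeguards, i.e. an unmanaged
asset) to 5 (strong safeguards).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    name: str
    threat: int          # likelihood of an attack against the asset, 1..5
    vulnerability: int   # exploitable weakness, 1..5
    value: int           # criticality of the resource or information, 1..5
    controls: int = 0    # safeguard strength, 0 (unmanaged) .. 5 (strong)


def _check_range(label: str, v: int, low: int, high: int) -> None:
    if not low <= v <= high:
        raise ValueError(f"{label}={v} is outside {low}..{high}")


def risk_score(asset: Asset) -> float:
    """Apply the risk equation to one asset."""
    _check_range("threat", asset.threat, 1, 5)
    _check_range("vulnerability", asset.vulnerability, 1, 5)
    _check_range("value", asset.value, 1, 5)
    _check_range("controls", asset.controls, 0, 5)
    # An unmanaged asset (controls == 0) gets no risk reduction at all.
    # Dividing by max(controls, 1) keeps the equation defined instead of
    # dividing by zero, and leaves a managed asset's divisor unchanged.
    divisor = max(asset.controls, 1)
    return asset.threat * asset.vulnerability * asset.value / divisor


def is_unmanaged(asset: Asset) -> bool:
    """Unmanaged assets are the ones with no safeguards in place."""
    return asset.controls == 0


def prioritize(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Rank the portfolio by risk, highest first: the remediation queue."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a)) for a in ranked]


def residual_risk(asset: Asset, new_controls: int) -> float:
    """Risk once the asset is moved into the managed portfolio with the given
    control strength; the original Asset record is left untouched."""
    return risk_score(Asset(asset.name, asset.threat, asset.vulnerability,
                            asset.value, new_controls))


# Constructed sample portfolio; the values are illustrative only.
PORTFOLIO = [
    Asset("Research database", threat=4, vulnerability=5, value=5, controls=0),
    Asset("Public web server", threat=5, vulnerability=4, value=2, controls=0),
    Asset("Employee laptop fleet", threat=5, vulnerability=3, value=3, controls=2),
    Asset("Payroll application", threat=3, vulnerability=2, value=5, controls=4),
]


if __name__ == "__main__":
    for name, score in prioritize(PORTFOLIO):
        print(f"{score:6.1f}  {name}")
    print("unmanaged:", [a.name for a in PORTFOLIO if is_unmanaged(a)])
    print("research database with controls=5:", residual_risk(PORTFOLIO[0], 5))
```

The point the register makes is the slide's own: with the same threats and vulnerabilities, the unmanaged research database scores 100 while the well-controlled payroll application scores 7.5, and simply moving the database into the managed portfolio with strong controls cuts its score to 20. The `max(controls, 1)` guard is the edge case worth noting; without it, every unmanaged asset would crash the calculation rather than float to the top of the queue where it belongs.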

Putting it all Together

These are the assets:
- Human Assets
- Application Assets
- Technology Assets
- Information Assets

These are the controls:
- Asset Lifecycle Administration
- General Computer Controls
- Cyber-security Controls
- Management & Communications Controls

These are the managed assets: a Managed Asset is one that has passed through Asset Lifecycle Administration, General Computer Controls, Cyber-security Controls, and Management & Communications Controls.

Building The Controls Factory

The Controls Factory has four stages, each run by a team and backed by Resources, Technologies, Services & Partners:
- Asset Lifecycle Administration [ALA]: Program Administration Team
- General Computer Controls [GCC]: Program Operations Team
- Cyber-security Controls [CSC]: Program Engineering Team
- Management Controls [MGT]: Program Management Team

The Pipeline: START with an Unknown Asset (Endpoint), which becomes a Known Asset as it passes through each stage, and END with a Managed Asset.