The Protection Mission: a constant endeavor

The IT Protection Mission: a constant endeavor

As businesses become more and more dependent on IT, IT must face a higher bar for preparedness.

Cyber preparedness is the process of ensuring that an agency, organization, or jurisdiction has developed, tested, and validated its capability to protect against, prevent, mitigate, respond to, and recover from a significant cyber incident, such as a cyber event with physical consequences to critical infrastructure. See more at https://www.cna.org/cyberprepcenter.

Copyright 2015 by Clipper Advisory Group, LLC. All rights reserved. This work or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher. Clipper Advisory Group, LLC, P.O. Box 1216, Dublin, OH 43017; jdeane@clipperadvisory.com; 614-370-7553.

The IT Protection Mission: a constant endeavor

A number of people believe cyber protection is an event. It is in reality a state of mind.

What this is:
- A holistic, conceptual view of one of the most critical processes in today's IT world
- A primer on the breadth of functions involved in the protection of a company's data assets
- A call to action for all CIOs, regardless of industry or company size
- A summary compilation of many contributors, all of which go much deeper into the challenges of cyber protection

What this is not:
- A definitive answer on how to protect your systems from attack
- A lasting view of how this issue will be resolved, since it shifts and changes with every new attack

CIOs are entrusted with the ongoing integrity of systems and data: a broad and deep challenge

Information Security Objective: maintain the integrity, confidentiality, availability and control of information systems and data.

How?
- Reduce the risk wherever possible by understanding and preventing vulnerabilities and mitigating threats
- Provide controlled and monitored access to information and tools, to prevent unauthorized use, disclosure, disruption, modification, or destruction of data
- Deploy a holistic, end-to-end strategy: multiple defense mechanisms in layers across the enterprise, so as to protect employee, customer and corporate data
- Involve the entire company and its related entities in the effort to safeguard critical information assets

The protection mission must be understood as a multi-faceted, inter-related problem

It's not about a silver bullet: various elements of understanding, process, tools, people and discipline are required to persevere.
- Awareness
- Cyber-defense Controls
- Executive Commitment
- Forensic Analysis & Vulnerability Remediation
- Incident Response & Recovery

CIOs are entrusted with the ongoing integrity of systems and data: a broad and deep challenge

The layered defense: a strategy that must be understood and supported by all levels and functions of the company.
- Management Philosophy & Commitment: Board of Directors, C-level suite, operational managers, vendors and partners, funding methods, business strategy, risk management, information protection organization
- Policies, Procedures & Controls: a formal framework which can be communicated consistently over time
- Awareness: technical training, policies, security awareness training, architecture & roadmaps, external intelligence
- Physical Access: data classification, campus security, access devices, monitored surveillance, logging
- Devices & System Perimeter: mobile devices, WiFi, firewalls, intrusion detection, event monitoring
- Internal Network: firewalls, external & internal penetration testing, remote multifactor authentication
- Host Configuration: secure infrastructure builds, vulnerability scanning, event monitoring, antivirus, email/web protection, patching, endpoint firewalls
- Application: user authentication, role-based access, web application firewall
- Data: sensitive data encryption at rest and in transit

The SANS Institute is the most trusted source of information security training and certification

SANS - The 20 Critical Security Controls (v5): a framework to address information security risk in a practical, proven manner
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
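The first two controls are the ones most organizations skip straight past, because "inventory" sounds like paperwork. In practice they are a reconciliation job: compare what the asset register says should exist against what the network actually shows, and treat every difference as a finding. The script below is an added illustration of that reconciliation for controls 1 and 2; it is not code from the original deck or from SANS. The authorized inventory, the software allow-list per role, the DHCP lease lines (dnsmasq leases layout), the `arp -n` lines and the per-host package lists are all constructed for the example, and the field layouts and the `dpkg-query` command named in the comments are assumptions about how such data would be collected.

```python
"""Reconcile an authorized asset inventory against observed devices and
installed software (Critical Security Controls 1 and 2).

Added illustration: the inventory, lease file, ARP table and package lists
below are constructed for the example and do not come from a real network.
"""
from __future__ import annotations

# Constructed authorized device inventory, keyed by MAC address.
AUTHORIZED_DEVICES: dict[str, dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"host": "fs01", "role": "file-server"},
    "aa:bb:cc:00:00:02": {"host": "ws-jdoe", "role": "workstation"},
    "aa:bb:cc:00:00:03": {"host": "sw-core", "role": "switch"},
}

# Constructed software allow-list per role (the CSC 2 baseline).
ALLOWED_SOFTWARE: dict[str, set[str]] = {
    "file-server": {"openssh-server", "samba", "rsyslog"},
    "workstation": {"openssh-client", "firefox", "libreoffice"},
}

# Constructed observations. Lease lines follow the dnsmasq leases layout
# (expiry MAC IP hostname client-id); ARP lines follow `arp -n` on Linux.
DHCP_LEASES = """\
1735689600 aa:bb:cc:00:00:02 10.0.0.22 ws-jdoe 01:aa:bb:cc:00:00:02
1735689600 de:ad:be:ef:00:99 10.0.0.77 android-3f2 01:de:ad:be:ef:00:99
"""
ARP_TABLE = """\
10.0.0.11   ether   aa:bb:cc:00:00:01   C   eth0
10.0.0.22   ether   aa:bb:cc:00:00:02   C   eth0
10.0.0.77   ether   de:ad:be:ef:00:99   C   eth0
10.0.0.200  ether   00:11:22:33:44:55   C   eth0
"""
# Constructed per-host package lists, as `dpkg-query -W -f='${Package}\n'`
# would return them (assumed collection method).
INSTALLED_SOFTWARE: dict[str, set[str]] = {
    "fs01": {"openssh-server", "samba", "rsyslog", "nmap"},
    "ws-jdoe": {"openssh-client", "firefox", "libreoffice"},
}


def parse_dhcp_leases(text: str) -> dict[str, dict[str, str | None]]:
    """Map MAC -> {ip, hostname} from dnsmasq-style lease lines."""
    seen: dict[str, dict[str, str | None]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the audit
        _, mac, ip, hostname = parts[:4]
        seen[mac.lower()] = {"ip": ip, "hostname": hostname}
    return seen


def parse_arp_table(text: str) -> dict[str, str]:
    """Map MAC -> IP from `arp -n` output; header and incomplete entries are ignored."""
    seen: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "ether":
            seen[parts[2].lower()] = parts[0]
    return seen


def observed_devices(leases: dict, arp: dict) -> dict[str, dict[str, str | None]]:
    """Merge both sources; a device seen only in ARP has no hostname."""
    devices = {mac: dict(info) for mac, info in leases.items()}
    for mac, ip in arp.items():
        devices.setdefault(mac, {"ip": ip, "hostname": None})
    return devices


def audit(authorized=AUTHORIZED_DEVICES, allowed=ALLOWED_SOFTWARE,
          leases_text=DHCP_LEASES, arp_text=ARP_TABLE,
          installed=INSTALLED_SOFTWARE) -> dict:
    """Return the three finding lists a CSC 1/2 review cares about."""
    observed = observed_devices(parse_dhcp_leases(leases_text), parse_arp_table(arp_text))
    # CSC 1: anything on the wire that the inventory does not know about.
    unauthorized_devices = [
        {"mac": mac, **info} for mac, info in sorted(observed.items())
        if mac not in authorized
    ]
    # Inventory entries never observed: offline, stale, or (as with a switch)
    # simply not something that shows up in ARP. Flag for review, not alarm.
    unseen_authorized = sorted(
        entry["host"] for mac, entry in authorized.items() if mac not in observed
    )
    # CSC 2: installed packages outside the host's role allow-list.
    host_role = {entry["host"]: entry["role"] for entry in authorized.values()}
    unauthorized_software: dict[str, list[str]] = {}
    for host, packages in installed.items():
        extra = packages - allowed.get(host_role.get(host, ""), set())
        if extra:
            unauthorized_software[host] = sorted(extra)
    return {
        "unauthorized_devices": unauthorized_devices,
        "unseen_authorized": unseen_authorized,
        "unauthorized_software": unauthorized_software,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Run as-is it reports two unknown MACs (one that took a DHCP lease as an Android device, one that only appears in ARP, which is the more interesting case because it never asked for an address), the core switch as authorized-but-unseen, and nmap on the file server as software outside the baseline. The split between "unauthorized" and "unseen" matters: the first list is a security finding, the second is an inventory-hygiene finding, and merging them is how inventories quietly rot.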

There are as many organization models for The Protection Mission as there are people addressing the problem

Operational integration of the Protection Mission is key: no matter what organizational model is used, clear but joint accountability is the recipe for an effective response to cyber-risk.

Summary: awareness, executive support, integrated dynamic defense, ever-learning, effective controls

The CIO role in The Protection Mission: while a CSO or a CISO might exist as a key element of an enterprise's defense structure, the CIO must often take practical responsibility for tying the operating model together.

Functions named on the slide: Risk Management, Board, CFO, Operations, Facilities, Information Security & Confidentiality, Human Resources.
