The IT Protection Mission: a constant endeavor

As businesses become more and more dependent on IT, IT must face a higher bar for preparedness.

Cyber preparedness is the process of ensuring that an agency, organization, or jurisdiction has developed, tested, and validated its capability to protect against, prevent, mitigate, respond to, and recover from a significant cyber incident, such as a cyber event with physical consequences to critical infrastructure. See more at https://www.cna.org/cyberprepcenter.

Copyright 2015 by Clipper Advisory Group, LLC. All rights reserved. This work or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher.
Clipper Advisory Group, LLC, P.O. Box 1216, Dublin, OH 43017
jdeane@clipperadvisory.com 614-370-7553
The IT Protection Mission: a constant endeavor

A number of people believe cyber protection is an event. It is in reality a state of mind.

What this is:
- A holistic, conceptual view of one of the most critical processes in today's IT world
- A primer on the breadth of functions involved in the protection of a company's data assets
- A call to action for all CIOs, regardless of industry or company size
- A summary compilation of many contributors, all of which go much deeper into the challenges of cyber protection

What this is not:
- A definitive answer on how to protect your systems from attack
- A lasting view of the resolution of this issue, as it shifts and changes with every new attack
CIOs are entrusted with the ongoing integrity of systems and data: a broad and deep challenge

Information Security Objective: Maintain the integrity, confidentiality, availability and control of information systems and data.

How?
- Reduce risk wherever possible by understanding and preventing vulnerabilities and mitigating threats
- Provide controlled and monitored access to information and tools to prevent unauthorized use, disclosure, disruption, modification, or destruction of data
- Deploy a holistic, end-to-end strategy: multiple defense mechanisms in layers across the enterprise so as to protect employee, customer and corporate data
- Involve the entire company and its related entities in the effort to safeguard critical information assets
The protection mission must be understood as a multi-faceted, inter-related problem

It's not about a silver bullet: various elements around understanding, process, tools, people and discipline are required to persevere.
- Awareness
- Cyber-defense Controls
- Executive Commitment
- Forensic Analysis & Vulnerability Remediation
- Incident Response & Recovery
CIOs are entrusted with the ongoing integrity of systems and data: a broad and deep challenge

The layered defense: a strategy that must be understood and supported by all levels and functions of the company
- Management Philosophy & Commitment: Board of Directors, C-level suite, operational managers, vendors and partners, funding methods, business strategy, risk management, information protection organization
- Policies, Procedures & Controls: a formal framework which can be communicated consistently over time
- Awareness: Technical training, Policies, Security Awareness Training, Architecture & Roadmaps, External Intelligence
- Physical Access: Data classification, campus security, access devices, monitored surveillance, logging
- Devices & System Perimeter: Mobile devices, WiFi, Firewalls, Intrusion Detection, Event Monitoring
- Internal Network: Firewalls, External & Internal Penetration Testing, Remote Multifactor Authentication
- Host Configuration: Secure Infrastructure Builds, Vulnerability Scanning, Event Monitoring, Antivirus, Email/Web Protection, Patching, Endpoint Firewalls
- Application: User authentication, Role-Based Access, Web Application Firewall
- Data: Sensitive data encryption at rest and in transit

(Figure: the defense layers, outermost to innermost: Management Philosophy & Commitment; Policies, Procedures, Controls; Awareness; Physical Access; Devices & System Perimeter; Internal Network; Host Configuration; Application; Data)
The SANS Institute is the most trusted source of information security training and certification

SANS: The 20 Critical Security Controls (v5), a framework to address information security risk in a practical, proven manner
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
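Controls 1 and 2 share one mechanism: keep an approved inventory, observe what is actually present, and report the differences in both directions (present but not approved, approved but not seen). The script below is an added illustration of that reconciliation and is not part of the original deck or of any SANS tooling; the device and software records it uses are constructed sample data, and the source of the "observed" lists (DHCP leases, ARP tables, package listings) is assumed rather than collected here.

```python
"""Inventory reconciliation, the mechanism behind Critical Controls 1 and 2.

Added example, not from the original deck. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Finding:
    kind: str    # "unauthorized": observed but not approved; "missing": approved but not observed
    key: str     # normalized identifier (MAC address or package name)
    detail: str  # where it was seen, or its inventory name


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile(
    authorized: dict[str, str],
    observed: Iterable[tuple[str, str]],
    normalize: Callable[[str], str] = lambda s: s,
) -> list[Finding]:
    """Compare an approved inventory against observations; return the gaps in both directions."""
    seen: dict[str, str] = {}
    for key, detail in observed:
        seen.setdefault(normalize(key), detail)  # first sighting wins

    findings = [
        Finding("unauthorized", key, f"observed at {detail}")
        for key, detail in seen.items()
        if key not in authorized
    ]
    findings += [
        Finding("missing", key, f"inventory name {name}")
        for key, name in authorized.items()
        if key not in seen
    ]
    return sorted(findings, key=lambda f: (f.kind, f.key))


# Control 1: constructed approved device inventory (MAC -> asset name) and
# constructed observations as they might be exported from DHCP leases or ARP tables.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "ws-finance-01",
    "aa:bb:cc:00:00:02": "srv-db-01",
    "aa:bb:cc:00:00:03": "printer-floor2",
}
OBSERVED_DEVICES = [
    ("AA-BB-CC-00-00-01", "10.0.1.21"),
    ("aa:bb:cc:00:00:02", "10.0.1.50"),
    ("de:ad:be:ef:00:99", "10.0.1.77"),  # not in the inventory
]

# Control 2: constructed approved software list (package -> purpose) and
# constructed (package, host) observations from a package listing.
AUTHORIZED_SOFTWARE = {
    "openssh-server": "remote administration",
    "postgresql": "database",
}
OBSERVED_SOFTWARE = [
    ("OpenSSH-Server", "srv-db-01"),
    ("postgresql", "srv-db-01"),
    ("teamviewer", "ws-finance-01"),  # not approved
]


def reconcile_devices() -> list[Finding]:
    return reconcile(AUTHORIZED_DEVICES, OBSERVED_DEVICES, normalize_mac)


def reconcile_software() -> list[Finding]:
    return reconcile(AUTHORIZED_SOFTWARE, OBSERVED_SOFTWARE, str.lower)


if __name__ == "__main__":
    for label, findings in (("devices", reconcile_devices()), ("software", reconcile_software())):
        print(f"== {label} ==")
        for f in findings:
            print(f"{f.kind:12} {f.key:20} {f.detail}")
```

Both the "unauthorized" and the "missing" lists matter: the first is the obvious rogue device or unapproved package, the second is an approved asset that has gone quiet, which is either a decommissioning the inventory never recorded or a host that has dropped off monitoring. The normalizer argument is what lets the same routine serve both controls, since MAC addresses and package names have different canonical forms.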
There are as many organization models for the Protection Mission as there are people addressing the problem

Operational integration of the Protection Mission is key. No matter what organizational model is used, clear but joint accountability is the recipe for an effective response to cyber-risk.
Summary: awareness, executive support, integrated dynamic defense, ever-learning, effective controls

The CIO role in the Protection Mission: while a CSO or a CISO might exist as a key element of an enterprise's defense structure, the CIO must often take practical responsibility for tying the operating model together.

(Figure: the functions the CIO ties together: Risk Management, Board, CFO, Operations, Facilities, Information Security & Confidentiality, Human Resources)