Leverage What’s Out There

Presentation transcript:

Leverage What's Out There: How to create an Information Security Program
By Brian Collentine

I Can Sleep at Night
- Creating an information security program
- It's all about risk management and prioritization
- Where to start?
  - NIST's Cybersecurity Framework
  - 20 Critical Security Controls

There are seldom technological solutions to behavior problems. You have to do stuff. Cultural shifts need to happen if security is not taken seriously. No program, service or person will be the magic bullet.

Information Security Program, what's that?
A collection of:
- Policies
- Procedures
- Processes
- Risk assessments
- Audits
- Reports
- Forms

But First… Which sounds better?
- We monitor the activity of remote access users.
- We log, record and review each user and the user's frequency of access.

Track how you are doing. Use this to report to management. Take credit for the work you are doing.

NIST's Cybersecurity Framework
- Created by Executive Order
- Released in 2014
- Used to communicate risk from Server Room to Board Room
- 30% of companies use it today; 50% projected to by 2020
- Developed for Critical Infrastructure Areas (16 areas). Sound familiar?

How does it work?
- Framework Core
- Framework Profile
- Framework Implementation Tiers

Framework Core: Identify, Protect, Detect, Respond, Recover

Framework Implementation Tiers (how mature is your program?): Partial, Formalized, Repeatable, Adaptive

Cybersecurity Framework Details
- Relies on 2 profile states: Current State and Target State
- The gap between them is the security plan
- Execs set mission priorities
- Business process level focuses on activities to manage risk within budget

Risk Assessment Basics
- Threat or Vulnerability = Impact x Likelihood

20 Critical Security Controls
- Created in 2008
- Updated version in 2016
- Controls developed by industry experts

First 5 Controls
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges

If you do nothing else, review the first 5 controls and create repeatable processes for each. These are referred to as Foundational Cyber Hygiene.

Give me some numbers: the ability to measure current state
- A measure is a concrete figure:
  - X computers on the network are fully patched.
  - Unauthorized software is detected within X days.
- A metric is an abstract, subjective attribute:
  - How well a network is secured against external threats.
- A metric can be assigned by collecting and analyzing groups of measures.

Developing the Program
- Create a strategy
- Start small
- Excel works just fine for tracking
- For each item create:
  - How-To document
  - Report template
- The key is repeatable processes

Thanks for the "info". How do I turn this into anything meaningful?

How about a freebie? CSC-1 Workstation Inventory
- All PCs, laptops, tablets
- Everyone has a spreadsheet or database that they believe is the end-all-be-all list of computers
- Audit that list:
  - Export the computer list from A/D
  - Compare it to the manual list

Let's take it up a notch!
- Pull the list from WSUS
  - Are all PCs compliant (i.e. fully patched)?
- Pull the list from the A/V console
  - Do all PCs have current defs?
  - Have they had a virus scan recently?
  - Are any PCs missing? Do those have AV installed/running?
- Pull the list from the WDE system
  - Are all PCs encrypted? Should they be?
  - How are you making the case to yourself that laptops don't need to be encrypted?
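The CSC-1 audit above (export from A/D, compare to the manual list) and the follow-up checks against WSUS, the A/V console and the disk-encryption system are all the same operation: join several exports on hostname and report what is missing or out of date. The script below is an added example written for this page, not code from the presentation. It assumes each console can export a CSV with one row per computer (the column names used here are assumptions, not any product's real export format), that laptops can be recognised by an "LT-" hostname prefix (also an assumption), and it embeds constructed sample exports so it runs offline. The counts it returns are the "measures" the talk asks for (X computers fully patched, X laptops unencrypted), which you can paste into the report template.

```python
"""CSC-1 inventory reconciliation: manual list vs. A/D, WSUS, A/V and WDE exports."""
import csv
import io
from datetime import date

# Constructed sample exports (not real data). Column names are assumptions;
# adjust the key-column arguments in reconcile() to match your own exports.
MANUAL_LIST = """hostname,owner
WS-001,alice
WS-002,bob
LT-010,carol
"""
AD_EXPORT = """Name,OperatingSystem,LastLogonDate
WS-001,Windows 10,2024-05-01
WS-002,Windows 10,2024-04-28
WS-003,Windows 10,2024-05-02
LT-010,Windows 11,2024-05-03
"""
WSUS_EXPORT = """ComputerName,NeededCount
WS-001,0
WS-002,3
WS-003,0
"""
AV_EXPORT = """Hostname,DefinitionDate,LastScanDate
WS-001,2024-05-03,2024-05-02
WS-002,2024-04-01,2024-04-01
LT-010,2024-05-03,2024-05-03
"""
WDE_EXPORT = """Host,Encrypted
WS-001,yes
LT-010,no
"""
AS_OF = date(2024, 5, 3)  # "today" for the sample data


def load(csv_text, key_col):
    """Parse a CSV export into {HOSTNAME: row}, normalising hostnames to upper case."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r[key_col].strip().upper(): r for r in rows if r[key_col].strip()}


def reconcile(manual_csv=MANUAL_LIST, ad_csv=AD_EXPORT, wsus_csv=WSUS_EXPORT,
              av_csv=AV_EXPORT, wde_csv=WDE_EXPORT, as_of=AS_OF,
              max_def_age_days=7, max_scan_age_days=14, laptop_prefix="LT-"):
    manual = load(manual_csv, "hostname")
    ad = load(ad_csv, "Name")
    wsus = load(wsus_csv, "ComputerName")
    av = load(av_csv, "Hostname")
    wde = load(wde_csv, "Host")

    # CSC-1: audit the manual list against the directory in both directions.
    in_ad_not_manual = sorted(set(ad) - set(manual))   # unknown to the owners list
    in_manual_not_ad = sorted(set(manual) - set(ad))   # on paper but not in A/D
    fleet = sorted(set(manual) | set(ad))              # the reconciled inventory

    def older_than(iso_day, limit_days):
        return (as_of - date.fromisoformat(iso_day)).days > limit_days

    # WSUS: a machine absent from WSUS cannot be shown compliant, so count it as unpatched.
    not_patched = sorted(h for h in fleet
                         if h not in wsus or int(wsus[h]["NeededCount"]) > 0)
    # A/V: missing agent, stale definitions, no recent scan.
    av_missing = sorted(h for h in fleet if h not in av)
    av_stale_defs = sorted(h for h in fleet if h in av
                           and older_than(av[h]["DefinitionDate"], max_def_age_days))
    av_no_recent_scan = sorted(h for h in fleet if h in av
                               and older_than(av[h]["LastScanDate"], max_scan_age_days))
    # WDE: laptops (by naming prefix, an assumption) that are not reported encrypted.
    laptops = [h for h in fleet if h.startswith(laptop_prefix)]
    unencrypted_laptops = sorted(h for h in laptops
                                 if wde.get(h, {}).get("Encrypted", "no").lower() != "yes")

    measures = {
        "fleet_size": len(fleet),
        "unauthorized_devices": len(in_ad_not_manual),
        "fully_patched": len(fleet) - len(not_patched),
        "av_missing": len(av_missing),
        "laptops_unencrypted": len(unencrypted_laptops),
    }
    return {
        "in_ad_not_manual": in_ad_not_manual, "in_manual_not_ad": in_manual_not_ad,
        "not_patched": not_patched, "av_missing": av_missing,
        "av_stale_defs": av_stale_defs, "av_no_recent_scan": av_no_recent_scan,
        "unencrypted_laptops": unencrypted_laptops, "measures": measures,
    }


if __name__ == "__main__":
    result = reconcile()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against your own exports by replacing the embedded strings with the file contents; the gap lists are what goes into the How-To follow-up, and the `measures` dictionary gives the concrete figures for the report template. Treating "not in WSUS" as unpatched is deliberate: a machine the patch system has never heard of is exactly the device CSC-1 is meant to surface.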

Thank you. Brian Collentine