Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leverage What’s Out There

Published byAileen Fitzgerald Modified over 5 years ago

Similar presentations

Presentation on theme: "Leverage What’s Out There"— Presentation transcript:

1 Leverage What’s Out There
How to create an Information Security Program By Brian Collentine

2 I Can Sleep at Night Creating an information security program
It’s all about risk management and prioritization Where to start? NIST’s Cybersecurity Framework 20 Critical Security Controls

3 There are seldom technological solutions to behavior problems.
You have to do stuff. Cultural shifts need to happen if security is not taken seriously. No program, service or person will be the magic bullet

4 Information Security Program, what’s that?
Collection of Policies Procedures Processes Risk assessments Audits Reports Forms

5 But First… Which sounds better?
We monitor the activity of remote access users. We log, record and review each user and the user’s frequency of access.

6 Track how you are doing. Use this to report to management
Track how you are doing. Use this to report to management. Take credit for the work you are doing.

7 NIST’s Cybersecurity Framework
Created by Executive Order Released in 2014 Used to communicate risk from Server Room to Board Room 30% of companies use it today 50% projected to by 2020 Developed for Critical Infrastructure Areas 16 areas Sound familiar

8 How does it work Framework Core Framework Profile
Framework Implementation Tiers Framework Core Identify Protect Detect Respond Recover Framework Implementation Tiers How mature is your program Partial Formalized Repeatable Adaptive

9 Cybersecurity Framework Details
Relies on 2 profile states Current and Target State Gap between is security plan Execs set mission priorities Business process level focuses on activities to manage risk within budget

10 Risk Assessment Basics
Threat or Vulnerability = Impact x Likelihood

11 20 Critical Security Controls
Created in 2008 Updated version in 2016 Controls developed by industry experts

12

13 First 5 Controls CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrative Privileges If you do nothing else, review the first 5 controls and create repeatable processes for each. Referred to as Foundational Cyber Hygiene

14 Give me some numbers Ability to measure current state
Measure is a concrete figure X computers on network are fully patched Unauthorized software is detected within X days. Metric is an abstract, subjective attribute How well a network is secured against external threats. A metric can be assigned by collecting and analyzing groups of measures.

15 Developing the Program
Create a strategy Start small Excel works just fine for tracking For each item create: How To document Report Template Key is repeatable processes

16

17 Thanks for the “info” How do I turn this into anything meaningful?

18 How about a freebie? CSC-1 Workstation Inventory
All PC’s, laptops, tablets Everyone has a spreadsheet or database that they believe is the end-all-be- all list of computers Audit that list Export computer list from A/D Compare to manual list

19 Let’s take it up a notch! Pull list from WSUS
Are all PC’s compliant (i.e. fully patched)? Pull list from A/V console Do all PC’s have current defs? Have they had a virus scan recently? Are any PC’s missing? Do those have AV installed/running? Pull list from WDE system Are all PC’s encrypted? Should they be? How are you making the case to yourself that laptops don’t’ need to be encrypted?

20 Thank you Brian Collentine

Download ppt "Leverage What’s Out There"

Similar presentations

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.

Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.
Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order “Improving Critical Infrastructure Cybersecurity”
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Introduction to Network Defense

Introduction to Network Defense
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Security Architecture

Security Architecture
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.

User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.
Chapter 6 of the Executive Guide manual Technology.

Chapter 6 of the Executive Guide manual Technology.
April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Similar presentations

Ads by Google