Presentation is loading. Please wait.

Presentation is loading. Please wait.

Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014.

Published byAvis Burke Modified over 8 years ago

Similar presentations

Presentation on theme: "Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014."— Presentation transcript:

1 Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014

2 a few thoughts about all this security…

3 Most North American Enterprises and Government Agencies have experienced a breach…

4 Meet John, a successful, seasoned information security practitioner

5 His understanding of regulation, best practice and technical subjects allows him to solve any issue his organization may face.

6 … he was asked to be CISO

7 Build a security program guaranteeing effective protection and compliance of the organization at all times.

8 “It’s about the data. Security professionals have to start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.” Marlene N. Allison, Worldwide Vice President of Information Security, Johnson & Johnson

9 Appropriate Content Control = Web Proxy + Filtering + SIM DDoS Prevention = Redundant links + Specialized Routers + HA Applications Privacy Compliance = DB Controls + Email Policies + File Inventory + DLP + SIM + Ticketing System + Enterprise Policies + Training Program…

10 Then the inevitable… Technology Changes Old clients New vendors

11 The auditor said policy violations had been “ENABLED” by bad technology, chosen through a flawed process that was based on poor logic.

12 Frustration set in as he tried to go back to the drawing board… ….then the unexpected.

13 He was notified that the organization may have an APT in the environment…

14 John thought about his predicament…

15

16

17 …and had an epiphany.

18 “This shouldn’t be my problem...”

19 …an effective security program starts with a strategy and must be aligned to the business.

20 Creating an Effective Security Program Strategy 1. Impact based approach 2.Establish business context 3.Develop strategic services

21 An impact approach identifies scenarios relevant to organizational assets Impact Based Approach

22 Risk Context Business Attributes Overall likelihood of loss Likelihood of threat materialising Likelihood of weakness exploited Negative Outcomes Threats Loss Event Positive Outcomes Opportunities Beneficial Event Overall loss value Asset value Negative impact value Overall benefit value Asset value Positive impact value Overall likelihood of benefit Likelihood of opportunity materialising Likelihood of strength exploited

23 Risk & opportunities are assessed with owners focusing on impact and enablement CBA B C BC CC LowMediumHigh Likelihood Business Impact Low Medium High A Beyond our risk appetite B Warning C Within risk appetite

24 How do you develop a security program that focuses on what is important to the business? Establishing Business Context

25 Identify business relations and owners impacted by threats to information assets Customers Suppliers Partners Others… Your Organization

26 Working with the business owners abstract requirements into measurable “assets”

27 Establishing understood metrics created by owner’s appropriate accountability, managing to impact can be facilitated Enterprise Level Strategic Business Attributes Profile Change Program Business Attributes Profile Project Business Attributes Profile Operational Processes and Systems Business Attributes Profile

28 How can you map required functionality for any security service to a continually changing, improving environment until the end of your operational days? Developing Strategic Services

29 Based on identified impacts to the attributes, a multi-tiered control strategy can be used to define security services the organization required

30 Enterprise security architecture builds traceability and justifications for services, processes and technologies implemented.

31 John had been asked to build a security program guaranteeing effective protection and compliance of the enterprise at all times.

32 He used: An impact-based approach to assess risk & opportunities with owners. Enterprise Security Architecture techniques to articulate the complete business requirements and prioritize the program. Enterprise Security Architecture processes to build tractability to and justify implementations of security services.

33 Lessons Learned Threat-based approaches will not work long term Impact based accountability is key Enterprise Security requires an Enterprise Strategy Strategy must drive services and the technologies in a traceable, justified manner

34 Great things to think about… Does your organization have clear definition and executive ownership over business impacts? Are there clear linkages from the security program metrics to business performance? Does your organization have a strategic view of the services your Security Program is delivering the organization?

35 Patrick M. Hayes Managing Director phayes@seccuris.com THANK YOU

Download ppt "Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014."

Similar presentations

Business Improvement Review Knowledge Understanding Action.

Business Improvement Review Knowledge Understanding Action.
Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.

Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.
Auditing Governance Functions

Auditing Governance Functions
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Agency Risk Management and Internal Control Standards Presentation to the Board of Visitors November 14, 2014.

Agency Risk Management and Internal Control Standards Presentation to the Board of Visitors November 14, 2014.
Own Risk & Solvency Assessment (ORSA): The heart of Risk & Capital Management John Spencer Director, Ultimate Risk Solutions.

Own Risk & Solvency Assessment (ORSA): The heart of Risk & Capital Management John Spencer Director, Ultimate Risk Solutions.
Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.

Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.
It’s Time to Talk About Risk and Control

It’s Time to Talk About Risk and Control
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Page 1 Business Architecture – From Business Strategy to the Alignment of IT Rich Waller An Insurance Industry Case Study April 15, 2009.

Page 1 Business Architecture – From Business Strategy to the Alignment of IT Rich Waller An Insurance Industry Case Study April 15, 2009.
Improving Your Business Results Six Sigma Qualtec Six Sigma Qualtec Six Sigma Qualtec – All Rights Reserved June 26, 2002 BEYOND SIX SIGMA: A HOLISTIC.

Improving Your Business Results Six Sigma Qualtec Six Sigma Qualtec Six Sigma Qualtec – All Rights Reserved June 26, 2002 BEYOND SIX SIGMA: A HOLISTIC.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
IT Governance and Management

IT Governance and Management
Human and Technology Capital Advisors, LLC “Where Financial Accretion Intersect with People and Technology” April 3, 2008.

Human and Technology Capital Advisors, LLC “Where Financial Accretion Intersect with People and Technology” April 3, 2008.
Alba Project Partners Introduction Presentation. Typically what people say … We have too many projects –no real priorities We used to know what was going.

Alba Project Partners Introduction Presentation. Typically what people say … We have too many projects –no real priorities We used to know what was going.
COBIT® 5 for Risk Introduction

COBIT® 5 for Risk Introduction
Information Technology Audit

Information Technology Audit
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Similar presentations

Ads by Google